security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1553.005 (#1509)

Browse Source 
Co-authored-by: Toua Lor <tlor@nti.local>
This commit is contained in:
tlor89
2021-06-09 22:44:21 -05:00
committed by GitHub
parent 22f3da4960
commit e70987c439
3 changed files with 33 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1553.005/T1553.005.yaml
+33 -3
View File
@@ -11,7 +11,7 @@ atomic_tests:
path_of_iso:
description: Path to ISO file
type: path
default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso
default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
dependency_executor_name: powershell
dependencies:
- description: |
@@ -20,11 +20,41 @@ atomic_tests:
if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}"
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
executor:
command: |
Mount-DiskImage -ImagePath "#{path_of_iso}"
cleanup_command: |
Dismount-DiskImage -ImagePath "#{path_of_iso}"
Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
name: powershell
- name: Mount an ISO image and run executable from the ISO
description: |-
Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO.
Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!".
ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
supported_platforms:
- windows
input_arguments:
path_of_iso:
description: Path to ISO file
type: path
default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
dependency_executor_name: powershell
dependencies:
- description: |
FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
prereq_command: |
if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
executor:
command: |
$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
$driveLetter = ($keep | Get-Volume).DriveLetter
invoke-item "$($driveLetter):\hello.exe"
cleanup_command: |
Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
Stop-process -name "hello" -Force -ErrorAction ignore
name: powershell
atomics/T1553.005/bin/FeelTheBurn.iso
BIN
View File
Binary file not shown.
atomics/T1553.005/src/T1553.005.iso → atomics/T1553.005/bin/T1553.005.iso
View File