From ee7deb22fd2ac8a4968d002c629b73abd58aff3a Mon Sep 17 00:00:00 2001 From: bbucao <57825239+bbucao@users.noreply.github.com> Date: Thu, 20 Aug 2020 15:21:07 -0500 Subject: [PATCH] Update to T1040.yaml test 3 "Packet capture windows command prompt" (#1208) --- atomics/T1040/T1040.yaml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index ba0df937..9105fe8b 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -59,20 +59,36 @@ atomic_tests: auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca description: | Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark - installed, along with WinPCAP. Windump will require the windump executable. + installed. - Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0. + Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". supported_platforms: - windows input_arguments: interface: description: Specify interface to perform PCAP on. type: String - default: Ethernet0 + default: Ethernet + wireshark_url: + description: wireshark installer download URL + type: url + default: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe + tshark_path: + description: path to tshark.exe + type: path + default: c:\program files\wireshark\tshark.exe + dependency_executor_name: powershell + dependencies: + - description: | + tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". + prereq_command: + if (test-path "#{tshark_path}") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} + Start-Process $env:temp\wireshark_installer.exe /S executor: command: | "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - c:\windump.exe name: command_prompt elevation_required: true