security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1012 input args and cleanup (#804)

Browse Source 
* T1012 input args and cleanup

* Removed file write functionality

* fixed missing > in command

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Andras32
2020-01-27 17:27:27 -06:00
committed by Carrie Roberts
parent 4fc6a89bcf
commit f2074e94b2
2 changed files with 14 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1012/T1012.yaml
-6
View File
@@ -25,7 +25,6 @@ atomic_tests:
name: command_prompt
elevation_required: true
command: |
powershell.exe New-Item -ItemType Directory -Name ART1012 -Path $env:USERPROFILE\AppData\Local\Temp\
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
@@ -45,8 +44,3 @@ atomic_tests:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg save HKLM\Security $env:USERPROFILE\AppData\Local\Temp\ART1012\security.hive"
reg save HKLM\System $env:USERPROFILE\AppData\Local\Temp\ART1012\system.hive"
reg save HKLM\SAM $env:USERPROFILE\AppData\Local\Temp\ART1012\sam.hive"
cleanup_command: |
rmdir /q /s $env:USERPROFILE\AppData\Local\Temp\ART1012\
atomics/T1016/T1016.yaml
+14
View File
@@ -75,10 +75,24 @@ atomic_tests:
The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap.
type: Path
default: PathToAtomicsFolder\T1016\src\top-128.txt
portfile_url:
description: URL to top-128.txt
type: Url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt
output_file:
description: Path of file to write port scan results
type: Path
default: $env:USERPROFILE\Desktop\open-ports.txt
dependency_executor_name: powershell
dependencies:
- description: |
Test requires #{port_file} to exist
prereq_command: |
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
executor:
name: powershell
elevation_required: false