From f24823b04ffce282928bfa7f14b1b7628ce4e45c Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Fri, 23 Sep 2022 12:30:15 -0500
Subject: [PATCH] T1053.005_update (#2155)

* T1053.005_update

* Update T1053.005.yaml

Co-authored-by: Toua Lor
Co-authored-by: Carrie Roberts
---
 atomics/T1053.005/T1053.005.yaml | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml
index 799538f4..87c10cf3 100644
--- a/atomics/T1053.005/T1053.005.yaml
+++ b/atomics/T1053.005/T1053.005.yaml
@@ -133,11 +133,25 @@ atomic_tests:
     Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes.
   supported_platforms:
   - windows
+  input_arguments:
+    xml_path:
+      description: path of vbs to use when creating masquerading files
+      type: Path
+      default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      File to copy must exist on disk at specified location (#{xml_path})
+    prereq_command: |
+      if (Test-Path #{xml_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
   executor:
     name: powershell
     elevation_required: true
     command: |
-      $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml")
+      $xml = [System.IO.File]::ReadAllText("#{xml_path}")
       Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
     cleanup_command: |
       Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1
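Review bot: The new `description` under `xml_path` ("path of vbs to use when creating masquerading files") was carried over from a different test and does not describe this argument, which is the scheduled-task XML read by `ReadAllText` and handed to `RegisterByXml`; something like `description: Path to the scheduled task XML definition registered via PS_ScheduledTask` fits, and the dependency's "File to copy" wording should likewise say the file is read, not copied. The argument is also interpolated unquoted in the new `prereq_command` and `get_prereq_command`, so a user-supplied path containing spaces breaks `Test-Path` and `split-path`; quote it in both places: `if (Test-Path "#{xml_path}") {exit 0} else {exit 1}` and `New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null`. The atomic test this hunk belongs to (its `name` and GUID fields) starts before the hunk.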
@@ -171,11 +185,25 @@ atomic_tests:
     This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2.
   supported_platforms:
   - windows
+  input_arguments:
+    xml_path:
+      description: path of vbs to use when creating masquerading files
+      type: Path
+      default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      File to copy must exist on disk at specified location (#{xml_path})
+    prereq_command: |
+      if (Test-Path #{xml_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
   executor:
     name: powershell
     elevation_required: true
     command: |
-      $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
+      $xml = [System.IO.File]::ReadAllText("#{xml_path}")
       Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
     cleanup_command: |
       Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
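Review bot: The new `get_prereq_command` downloads the task XML from the mutable `master` branch at run time, and the executor then registers whatever was fetched with `RegisterByXml` under `elevation_required: true`, so when the checked-in `src/` copy is missing the content of an elevated scheduled task is decided by a remote file rather than by this repository's reviewed copy. Since the default `xml_path` already points at the in-repo file, consider pinning the fallback URL to a commit SHA instead of `master` (or comparing the download against a known hash before it is used) and stating in the dependency description that the file is fetched from GitHub when absent. Separately, the `xml_path` description was copied from another test and mentions a VBS that does not exist here; `description: Path to the scheduled task XML definition registered by this test` would match what the executor does. The test's leading fields lie before this hunk.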