T1053.005_update (#2155)

* T1053.005_update

* Update T1053.005.yaml

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
tlor89
2022-09-23 12:30:15 -05:00
committed by GitHub
parent c03a9e0299
commit f24823b04f
+30 -2
@@ -133,11 +133,25 @@ atomic_tests:
Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes.
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: Path
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
dependency_executor_name: powershell
dependencies:
- description: |
File to copy must exist on disk at specified location (#{xml_path})
prereq_command: |
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml")
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: |
Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1
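Review bot: the cleanup for this test unregisters a hard-coded task name (`Unregister-ScheduledTask -TaskName "T1053_005_WMI"`) while the registration now takes an arbitrary `#{xml_path}`; if a caller points the new argument at an XML whose task name differs, `RegisterByXml` succeeds but the cleanup misses it, and the `>$null 2>&1` hides that. Either document on the input argument that the XML's task name must remain `T1053_005_WMI`, or read the task name out of the XML before unregistering. Two smaller points in the same hunk: the prereq and get_prereq commands use the path unquoted (`if (Test-Path #{xml_path}) {exit 0} else {exit 1}` and `split-path #{xml_path}`) while the download line quotes it, so a resolved path containing a space breaks the check; quote it in all three. And the argument documentation is copied from an unrelated test: `path of vbs to use when creating masquerading files` and `File to copy must exist on disk` describe neither a VBS file nor a copy. Suggest `description: path of the scheduled task XML definition registered through PS_ScheduledTask` and `Task definition XML must exist on disk at specified location (#{xml_path})`.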
@@ -171,11 +185,25 @@ atomic_tests:
This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2.
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: Path
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
dependency_executor_name: powershell
dependencies:
- description: |
File to copy must exist on disk at specified location (#{xml_path})
prereq_command: |
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: |
Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
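Review bot: same mismatch as in the WMI test: the cleanup unregisters a fixed name (`Unregister-ScheduledTask -TaskName "atomic red team"`) that is not derived from the new `#{xml_path}` input, so a user-supplied XML with a different task name is registered but never removed, silently, because of `>$null 2>&1`. State on the input argument that the XML's task name must be `atomic red team`, or obtain the name from the XML before unregistering. The path is again unquoted in `Test-Path #{xml_path}` and `split-path #{xml_path}` but quoted in the `Invoke-WebRequest` line; quote it consistently so paths with spaces work. The `xml_path` description (`path of vbs to use when creating masquerading files`) and dependency text (`File to copy must exist on disk`) do not describe this test and should say that the argument is the task XML passed to `RegisterByXml`. Finally, the unchanged description context at the top of the hunk has several spelling errors worth fixing while this file is being touched: `tricbot` should be `TrickBot`, `targetted attack campaigne the industroyer2` should read `targeted attack campaign Industroyer2`.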