security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update T1083 to add new test (#2071)

Browse Source 
* Update T1083 to add new test

* typo fix

* Update T1083.yaml

- Have a prereq to fetch the tool from the releases page of the original author
- remove the cleanup command that deletes the tool

* some updates

Modified the name and description. Updated the prereq commands to handle error cases or missing /bin folder

* Delete DirLister.exe.config

* Delete DirLister.Core.dll

* Delete DirLister.exe

Co-authored-by: anupama ramesh <aramesh@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
arames13
2022-08-09 20:05:43 -05:00
committed by GitHub
parent e4608f8be2
commit fb03ba8f32
1 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1083/T1083.yaml
+31
View File
@@ -117,3 +117,34 @@ atomic_tests:
cleanup_command: |
remove-item #{File_to_output} -ErrorAction SilentlyContinue
name: powershell
- name: Launch DirLister Executable
description: |-
Launches the DirLister executable for a short period of time and then exits.
Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.
supported_platforms:
- windows
input_arguments:
dirlister_path:
description: 'Path to the DirLister executable '
type: String
default: PathToAtomicsFolder\T1083\bin\DirLister.exe
dependency_executor_name: powershell
dependencies:
- description: |
DirLister.exe must exist in the specified path #{dirlister_path}
prereq_command: |
if (Test-Path #{dirlister_path}) {exit 0} else {exit 1}
get_prereq_command: |
$parentpath = Split-Path "#{dirlister_path}"
Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile $env:TEMP\TDirLister.v2.beta4.zip
New-Item -ItemType Directory -Force -Path $parentpath | Out-Null
Expand-Archive -Path $env:TEMP\TDirLister.v2.beta4.zip -DestinationPath $env:TEMP\TDirLister.v2.beta4 -Force
Copy-Item $env:TEMP\TDirLister.v2.beta4\* $parentpath -Recurse
Remove-Item $env:TEMP\TDirLister.v2.beta4.zip,$env:TEMP\TDirLister.v2.beta4 -Recurse -ErrorAction Ignore
executor:
command: |
Start-Process #{dirlister_path}
Start-Sleep -Second 4
Stop-Process -Name "DirLister"
name: powershell