attack_technique: T1072 display_name: Software Deployment Tools atomic_tests: - name: Radmin Viewer Utility auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129 description: | An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. supported_platforms: - windows input_arguments: radmin_installer: description: Radmin Viewer installer type: path default: 'RadminViewer.msi' radmin_exe: description: The radmin.exe executable from RadminViewer.msi type: path default: 'Radmin Viewer 3/Radmin.exe' dependency_executor_name: powershell dependencies: - description: | Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) prereq_command: | if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1} get_prereq_command: | Write-Host Downloading radmin installer New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}" Write-Host Install Radmin Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn executor: name: command_prompt elevation_required: true command: | "%PROGRAMFILES(x86)%/#{radmin_exe}" - name: PDQ Deploy RAT auto_generated_guid: e447b83b-a698-4feb-bed1-a7aaf45c3443 description: | An adversary may use PDQ Deploy Software to deploy the Remote Adminstartion Tool, this will start the PDQ console. supported_platforms: - windows input_arguments: PDQ_Deploy_installer: description: PDQ Deploy Install type: path default: 'PDQDeploysetup.exe' PDQ_Deploy_exe: description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe type: path default: 'Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe' dependency_executor_name: powershell dependencies: - description: | PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe}) prereq_command: | if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1} get_prereq_command: | Write-Host Downloading PDQ Deploy installer New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" Write-Host Install PDQ Deploy Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s" executor: name: command_prompt elevation_required: true command: | "%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}" - name: Deploy 7-Zip Using Chocolatey auto_generated_guid: 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a description: | An adversary may use Chocolatey to remotely deploy the 7-Zip file archiver utility. supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: | Chocolatey must be installed to deploy 7-Zip. prereq_command: | if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe") {exit 0} else {exit 1} get_prereq_command: | Write-Host Downloading Chocolatey installer Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1" Write-Host Installing Chocolatey Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait executor: name: powershell elevation_required: false command: | # Deploy 7-Zip using Chocolatey choco install -y 7zip