Josh Rickard
1513717eb2
* Updated format of input_argument types for Url * Updated type for input_arguments to Url (missed) * Updating Path type for input_arguments * Updated String type for input_arguments * Missed a few Strings and Url types * Updated default values for input_arguments to align with their types * Updated Integer type for input_arguments * Updated formatting and spacing of atomics
145 lines
4.8 KiB
YAML
145 lines
4.8 KiB
YAML
attack_technique: T1113
|
|
display_name: Screen Capture
|
|
atomic_tests:
|
|
- name: Screencapture
|
|
auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
|
|
description: |
|
|
Use screencapture command to collect a full desktop screenshot
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
output_file:
|
|
description: Output file path
|
|
type: Path
|
|
default: /tmp/T1113_desktop.png
|
|
executor:
|
|
command: |
|
|
screencapture #{output_file}
|
|
cleanup_command: |
|
|
rm #{output_file}
|
|
name: bash
|
|
- name: Screencapture (silent)
|
|
auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
|
|
description: |
|
|
Use screencapture command to collect a full desktop screenshot
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
output_file:
|
|
description: Output file path
|
|
type: Path
|
|
default: /tmp/T1113_desktop.png
|
|
executor:
|
|
command: |
|
|
screencapture -x #{output_file}
|
|
cleanup_command: |
|
|
rm #{output_file}
|
|
name: bash
|
|
- name: X Windows Capture
|
|
auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
|
|
description: |
|
|
Use xwd command to collect a full desktop screenshot and review file with xwud
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Output file path
|
|
type: Path
|
|
default: /tmp/T1113_desktop.xwd
|
|
package_checker:
|
|
description: Package checking command for linux. Debian system command- dpkg -s x11-apps
|
|
type: String
|
|
default: rpm -q xorg-x11-apps
|
|
package_installer:
|
|
description: Package installer command for linux. Debian system command- apt-get install x11-apps
|
|
type: String
|
|
default: yum install -y xorg-x11-apps
|
|
dependency_executor_name: bash
|
|
dependencies:
|
|
- description: |
|
|
Package with XWD and XWUD must exist on device
|
|
prereq_command: |
|
|
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
|
|
get_prereq_command: |
|
|
sudo #{package_installer}
|
|
executor:
|
|
command: |
|
|
xwd -root -out #{output_file}
|
|
xwud -in #{output_file}
|
|
cleanup_command: |
|
|
rm #{output_file}
|
|
name: bash
|
|
- name: Capture Linux Desktop using Import Tool
|
|
auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
|
|
description: |
|
|
Use import command from ImageMagick to collect a full desktop screenshot
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Output file path
|
|
type: Path
|
|
default: /tmp/T1113_desktop.png
|
|
dependencies:
|
|
- description: |
|
|
ImageMagick must be installed
|
|
prereq_command: |
|
|
if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
|
|
get_prereq_command: |
|
|
sudo apt-get -y install graphicsmagick-imagemagick-compat
|
|
executor:
|
|
command: |
|
|
import -window root #{output_file}
|
|
cleanup_command: |
|
|
rm #{output_file}
|
|
name: bash
|
|
- name: Windows Screencapture
|
|
auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
|
|
description: |
|
|
Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_file:
|
|
description: Output file path
|
|
type: Path
|
|
default: c:\temp\T1113_desktop.zip
|
|
recording_time:
|
|
description: Time to take screenshots
|
|
type: String
|
|
default: 5
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
|
|
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
|
|
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
|
|
cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
|
|
cleanup_command: |
|
|
rm #{output_file} -ErrorAction Ignore
|
|
- name: Windows Screen Capture (CopyFromScreen)
|
|
auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
|
|
description: |
|
|
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
|
|
|
|
[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: Path
|
|
default: $env:TEMP\T1113.png
|
|
executor:
|
|
command: |
|
|
Add-Type -AssemblyName System.Windows.Forms
|
|
$screen = [Windows.Forms.SystemInformation]::VirtualScreen
|
|
$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
|
|
$graphic = [Drawing.Graphics]::FromImage($bitmap)
|
|
$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
|
|
$bitmap.Save("#{output_file}")
|
|
cleanup_command: |
|
|
Remove-Item #{output_file} -ErrorAction Ignore
|
|
name: powershell
|