BlueTeamOps 9ba4043595 ESXi ART Tests Batch 1 (#2635)
* ESXi Tests Batch 1

* remove duplicate key

* Update T1082.yaml

Updated the binary location to ExternalPayloads folder and also added the folder creation in GetPreReqs

* Update T1083.yaml

Added External Payloads and included folder creation in GetPreReqs

* Update T1129.yaml

Added ExternalPayloads reference.
Added folder creation in GetPreReqs
Move the reference of the vib to src

* Update T1529.yaml

Added External Payloads folder and added folder creation step to GetPreReqs

* Update T1529.yaml

987c9b4d-a637-42db-b1cb-e9e242c3991b - added external payloads

* Update T1562.010.yaml

Added External Payloads reference and folder creation to GetPreReqs

* Moved the vib to src

* Delete atomics/T1129/bin directory

* Delete atomics/T1082/bin directory

* Delete atomics/T1083/bin directory

* Delete atomics/T1562.010/bin directory

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-12-14 08:27:13 -07:00


attack_technique: T1129
display_name: 'Server Software Component'
atomic_tests:
- name: ESXi - Install a custom VIB on an ESXi host
  auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec
  description: |
    An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).
    [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name of the ESXi server
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privileged user account on the ESXi server
      type: string
      default: root
    vm_pass:
      description: Specify the privileged user password on the ESXi server
      type: string
      default: pass
    plink_file:
      description: Path to plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    pscp_file:
      description: Path to pscp
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe'
    vib_install:
      description: Path to script with commands to install the VIB
      type: path
      default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt
    vib_remove:
      description: Path to script with commands to remove the VIB
      type: path
      default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt
    vib_file:
      description: Path to the dummy VIB
      type: path
      default: PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if plink and pscp are available.
    # Both tools are tested in one condition; with two separate if/else lines
    # the first always exits and pscp is never checked.
    prereq_command: |
      if ((Test-Path "#{plink_file}") -and (Test-Path "#{pscp_file}")) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
  executor:
    # Copy the dummy VIB to /tmp on the host, then run the install script over SSH.
    command: |
      "#{pscp_file}" -pw "#{vm_pass}" "#{vib_file}" "#{vm_user}@#{vm_host}:/tmp"
      echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
    cleanup_command: |
      echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_remove}"
    name: command_prompt
    elevation_required: false
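
One way to check that this test is visible to detection, as an added example that is not part of the Atomic Red Team repository: a small scanner for ESXi shell history that reports VIB installs and marks the ones staged in /tmp, as the test does. It assumes the install script calls `esxcli software vib install` and that log lines follow the `timestamp shell[pid]: [user]: command` layout; the function name and the sample lines are constructed for illustration.

```python
import re

# Assumed ESXi shell.log layout: "<ISO time> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
VIB_INSTALL_RE = re.compile(r"\besxcli\s+software\s+vib\s+(?:install|update)\b")
VIB_PATH_RE = re.compile(r"(/\S+\.(?:vib|zip))\b")
# esxcli options that skip acceptance-level or signature checks.
RISKY_FLAGS = {"--force": "force", "-f": "force", "--no-sig-check": "no-sig-check"}
# World-writable staging locations; the atomic test copies its VIB to /tmp.
STAGING_PREFIXES = ("/tmp/", "/var/tmp/")


def find_vib_installs(lines):
    """Return one finding per VIB install/update command seen in the log."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not VIB_INSTALL_RE.search(m["cmd"]):
            continue  # not a shell history line, or not a VIB install
        cmd = m["cmd"]
        reasons = sorted({RISKY_FLAGS[t] for t in cmd.split() if t in RISKY_FLAGS})
        path = VIB_PATH_RE.search(cmd)
        vib = path.group(1) if path else None
        if vib and vib.startswith(STAGING_PREFIXES):
            reasons.append("staged-in-tmp")
        findings.append(
            {"time": m["ts"], "user": m["user"], "vib": vib, "reasons": reasons}
        )
    return findings


# Constructed sample lines, not captured from a real host.
SAMPLE = [
    "2023-12-14T15:27:13Z shell[2101234]: [root]: esxcli software vib list",
    "2023-12-14T15:28:02Z shell[2101234]: [root]: esxcli software vib install -v /tmp/atomicvibes.vib --force",
    "2023-12-14T15:31:40Z shell[2101301]: [root]: esxcli software vib install -d /vmfs/volumes/datastore1/depot.zip",
]

if __name__ == "__main__":
    for f in find_vib_installs(SAMPLE):
        print(f["time"], f["user"], f["vib"], ",".join(f["reasons"]) or "review")
```

An install with no reasons attached is still reported, since any VIB install outside a change window deserves a look.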