2024-08-13 17:34:09 +00:00

attack_technique: T1614
display_name: System Location Discovery
atomic_tests:
- name: Get geolocation info through IP-Lookup services using curl Windows
  auto_generated_guid: fe53e878-10a3-477b-963e-4367348f5af5
  description: |
    Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
  supported_platforms:
  - windows
  input_arguments:
    ip_lookup_url:
      description: URL of the IP-Lookup service
      type: url
      default: https://ipinfo.io/
    curl_path:
      description: path to curl.exe
      type: path
      default: C:\Windows\System32\Curl.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Curl must be installed on system.
    prereq_command: |
      if (Test-Path #{curl_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://curl.se/windows/dl-8.4.0_6/curl-8.4.0_6-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.4.0_6-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      #{curl_path} -k #{ip_lookup_url}
- name: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos
  auto_generated_guid: 552b4db3-8850-412c-abce-ab5cc8a86604
  description: |
    Get geolocation info through IP-Lookup services using curl on freebsd, linux or macos. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
  supported_platforms:
  - macos
  - linux
  input_arguments:
    ip_lookup_url:
      description: URL of the IP-Lookup service
      type: url
      default: https://ipinfo.io/
  executor:
    name: bash
    elevation_required: false
    command: |
      curl -k #{ip_lookup_url}
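Both tests above boil down to a command-line HTTP client (curl) fetching a public IP-lookup service, with TLS verification switched off by `-k`. The detection logic below is an added example and is not part of Atomic Red Team; it scores process-creation events for exactly that pattern. It assumes Sysmon-style `Image` and `CommandLine` fields (an assumption about your telemetry), takes `ipinfo.io` from the test's default URL, and adds a few other well-known lookup services as an assumed extension. The sample events are constructed for the example; the Windows one mirrors the test's own command line.

```python
"""Flag command-line HTTP clients contacting public IP-lookup services (T1614).

Added example, not Atomic Red Team's code. Event shape (Image, CommandLine) is a
Sysmon-style assumption; adjust the field names to your own log source.
"""
import re
from urllib.parse import urlparse

# ipinfo.io is the default in the atomic test; the rest are well-known
# services added here as an assumption to widen coverage.
IP_LOOKUP_DOMAINS = {"ipinfo.io", "ifconfig.me", "api.ipify.org", "ip-api.com", "icanhazip.com"}

# Only scriptable clients are scored; a browser visiting ipinfo.io is a user
# checking their address, not the pattern the atomic test exercises.
HTTP_CLIENTS = {"curl", "curl.exe", "wget", "wget.exe", "powershell.exe", "pwsh.exe"}

INSECURE_FLAG = re.compile(r"(^|\s)(-k|--insecure)(\s|$)")


def lookup_hosts(command_line):
    """Return the set of IP-lookup hostnames referenced anywhere in a command line."""
    hosts = set()
    for token in command_line.split():
        token = token.strip("\"'")
        # Bare hostnames (no scheme) are parsed by prefixing '//' so urlparse
        # treats them as a netloc; unparseable tokens are simply skipped.
        try:
            host = urlparse(token if "://" in token else "//" + token).hostname
        except ValueError:
            continue
        if not host:
            continue
        host = host.lower()
        if any(host == d or host.endswith("." + d) for d in IP_LOOKUP_DOMAINS):
            hosts.add(host)
    return hosts


def evaluate(event):
    """Score one process-creation event; returns a list of reasons (empty means not flagged)."""
    image = event["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event["CommandLine"]
    reasons = []
    hosts = lookup_hosts(cmd)
    if hosts and image in HTTP_CLIENTS:
        reasons.append(f"{image} contacting IP-lookup service {', '.join(sorted(hosts))}")
        # '-k' is what the atomic tests pass; it also disables certificate checking.
        if image.startswith("curl") and INSECURE_FLAG.search(cmd):
            reasons.append("TLS verification disabled (-k)")
    return reasons


def scan(events):
    """Return (command_line, reasons) for every flagged event."""
    flagged = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            flagged.append((event["CommandLine"], reasons))
    return flagged


# Constructed sample telemetry: two hits matching the atomic tests, two benign records.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\Curl.exe",
     "CommandLine": "C:\\Windows\\System32\\Curl.exe -k https://ipinfo.io/"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl -k https://ipinfo.io/"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl -sS https://example.com/api/health"},
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": "firefox.exe https://ipinfo.io/"},
]

if __name__ == "__main__":
    for command_line, reasons in scan(SAMPLE_EVENTS):
        print(command_line, "->", "; ".join(reasons))
```

Matching on the hostname rather than a substring keeps `myipinfo.io.example.org`-style false positives out, and restricting the hit to scriptable clients is the design choice that separates the atomic test's behaviour from ordinary browsing; if you run this against DNS or proxy logs instead of process events, the `lookup_hosts` check applies unchanged to the queried name.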