security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1039/T1039.yaml
T
KillrBunn3 65294196d0 Spelling adjustments (#2448) 
Looking over the YAMLs mostly, only changes for readability or accuracy
2023-05-31 15:50:22 -05:00

88 lines
3.0 KiB
YAML
Raw Permalink Blame History

attack_technique: T1039
display_name: Data from Network Shared Drive
atomic_tests:
- name: Copy a sensitive File over Administrative share with copy
auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660
description: |-
Copy from sensitive File from the c$ of another LAN computer with copy cmd
https://twitter.com/SBousseaden/status/1211636381086339073
supported_platforms:
- windows
input_arguments:
remote:
description: Remote server name
type: string
default: '127.0.0.1'
share_file:
description: Remote Path to the file
type: path
default: Windows\temp\Easter_Bunny.password
local_file:
description: Local name
type: string
default: 'Easter_egg.password'
dependency_executor_name: powershell
dependencies:
- description: |
Administrative share must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host 'Please Enable "C$" share on #{remote}'
- description: |
"\\#{remote}\C$\#{share_file}" must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
get_prereq_command: |
Out-File -FilePath "\\#{remote}\C$\#{share_file}"
executor:
command: |-
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
cleanup_command: |-
del \\#{remote}\C$\#{share_file}
del %TEMP%\#{local_file}
name: command_prompt
elevation_required: true
- name: Copy a sensitive File over Administrative share with Powershell
auto_generated_guid: 7762e120-5879-44ff-97f8-008b401b9a98
description: |-
Copy from sensitive File from the c$ of another LAN computer with powershell
https://twitter.com/SBousseaden/status/1211636381086339073
supported_platforms:
- windows
input_arguments:
remote:
description: Remote server name
type: string
default: '127.0.0.1'
share_file:
description: Remote Path to the file
type: path
default: Windows\temp\Easter_Bunny.password
local_file:
description: Local name
type: string
default: 'Easter_egg.password'
dependency_executor_name: powershell
dependencies:
- description: |
Administrative share must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host 'Please Enable "C$" share on #{remote}'
- description: |
"\\#{remote}\C$\#{share_file}" must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
get_prereq_command: |
Out-File -FilePath "\\#{remote}\C$\#{share_file}"
executor:
command: |-
copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
cleanup_command: |-
Remove-Item -Path "\\#{remote}\C$\#{share_file}"
Remove-Item -Path "$Env:TEMP\#{local_file}"
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink