aa236952ec
* Adding T1059 and T1071 * Update T1071.md * Delete atomics/T1071/src directory * Add files via upload * change localhost to 127.0.0.1 in T1070.yaml * Update T1071.md * Update T1071.md --------- Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
39 lines
1.6 KiB
YAML
attack_technique: T1059
display_name: 'Command and Scripting Interpreter'
atomic_tests:
- name: AutoIt Script Execution
  auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
  description: |
    An adversary may attempt to execute a suspicious or malicious script using the AutoIt software instead of a regular interpreter like PowerShell or cmd. Calculator will pop up when the script is executed successfully.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AutoIt executable file must exist on disk at the specified location (#{autoit_path})
    # Exit code 0 means the prerequisite is satisfied; 1 triggers get_prereq_command.
    prereq_command: |
      if(Test-Path "#{autoit_path}") {
        exit 0
      } else {
        exit 1
      }
    # Silent install of AutoIt from the vendor site into the shared ExternalPayloads folder.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      $AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
      $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
      Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
      Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
  # #{name} placeholders in the commands above and below are filled from these defaults at run time.
  input_arguments:
    script_path:
      description: AutoIt Script Path
      type: path
      default: PathToAtomicsFolder\T1059\src\calc.au3
    autoit_path:
      description: AutoIt Executable File Path
      type: path
      default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
  executor:
    command: |
      Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
    name: powershell
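Detection logic for the behaviour this test exercises, written from the defender's side as an added example (it is not part of the atomic or of the Atomic Red Team project): it scans constructed Sysmon-style process-creation records for AutoIt interpreter launches and matches on OriginalFileName as well as the image name, so a renamed interpreter is still caught. The field names follow Sysmon Event ID 1; the sample records, the C:\AtomicRedTeam\atomics path and the AutoIt3_x64.exe binary name are assumptions.

```python
import re
from pathlib import PureWindowsPath
# Constructed Sysmon-style process-creation (Event ID 1) records, not real telemetry.
SAMPLE_EVENTS = [
    {   # what the atomic above produces: powershell.exe launching AutoIt3.exe calc.au3
        "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\AtomicRedTeam\atomics\T1059\src\calc.au3',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # renamed interpreter: the file name on disk lies, the PE version resource does not
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'svchost.exe "C:\Users\alice\AppData\Local\Temp\update.a3x"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign: an editor opening a .au3 file is not script execution
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\alice\script.au3",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}  # assumed interpreter binary names
SCRIPT_EXTS = {".au3", ".a3x"}                     # source and compiled AutoIt scripts
TOKEN = re.compile(r'"([^"]*)"|(\S+)')             # quoted or bare command-line token

def script_arguments(cmdline):
    """Return the command-line tokens after argv[0] that look like AutoIt scripts."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(cmdline)]
    return [t for t in tokens[1:] if PureWindowsPath(t).suffix.lower() in SCRIPT_EXTS]

def classify(event):
    """Return a finding for an AutoIt interpreter launch, or None for anything else."""
    image = PureWindowsPath(event["Image"]).name.lower()
    original = event.get("OriginalFileName", "").lower()
    if image not in AUTOIT_NAMES and original not in AUTOIT_NAMES:
        return None
    return {
        "renamed": image not in AUTOIT_NAMES,  # disk name hides the interpreter
        "scripts": script_arguments(event["CommandLine"]),
        "parent": PureWindowsPath(event["ParentImage"]).name.lower(),
    }

def scan(events):
    """Run classify over a batch of events and keep only the hits, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]
```

Running the test above shows up as a non-renamed interpreter launched by powershell.exe with calc.au3 as its script; the ParentImage field is what separates a sanctioned red-team run from an interpreter spawned by a document reader or a dropped binary.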