Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
34 lines
1.4 KiB
YAML
34 lines
1.4 KiB
YAML
attack_technique: T1195
|
|
display_name: Supply Chain Compromise
|
|
atomic_tests:
|
|
- name: Octopus Scanner Malware Open Source Supply Chain
|
|
auto_generated_guid: 82a9f001-94c5-495e-9ed5-f530dbded5e2
|
|
description: |
|
|
This test simulates an adversary Octopus drop the RAT dropper ExplorerSync.db
|
|
[octopus-scanner-malware-open-source-supply-chain](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/)
|
|
[the-supreme-backdoor-factory](https://www.dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/)
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
rat_payload:
|
|
description: RAT dropper ExplorerSync.db
|
|
type: path
|
|
default: $env:TEMP\ExplorerSync.db
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
ExplorerSync.db must exist on disk at specified location (#{rat_payload})
|
|
prereq_command: |
|
|
if (Test-Path #{rat_payload}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Out-File -FilePath "#{rat_payload}"
|
|
executor:
|
|
command: |
|
|
copy %temp%\ExplorerSync.db %temp%\..\Microsoft\ExplorerSync.db
|
|
schtasks /create /tn ExplorerSync /tr "javaw -jar %temp%\..\Microsoft\ExplorerSync.db" /sc MINUTE /f
|
|
cleanup_command: |
|
|
schtasks /delete /tn ExplorerSync /F 2>null
|
|
del %temp%\..\Microsoft\ExplorerSync.db 2>null
|
|
del %temp%\ExplorerSync.db 2>null
|
|
name: command_prompt
|