d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
# Atomic test definition for ATT&CK technique T1218.002: a Control Panel item
# (.cpl) is handed to the signed control.exe binary, which loads it.
attack_technique: T1218.002
display_name: 'Signed Binary Proxy Execution: Control Panel'
atomic_tests:
- name: Control Panel Items
  auto_generated_guid: 037e9d8a-9e46-4255-8b33-2ae3b545ca6f
  description: |
    This test simulates an adversary leveraging control.exe
    Upon execution calc.exe will be launched
  supported_platforms:
  - windows
  input_arguments:
    # Path of the .cpl file the test loads. The #{cpl_file_path} placeholder in
    # the commands below refers to this argument; presumably the test runner
    # substitutes the value as plain text, so treat an overridden path as
    # trusted operator input only.
    cpl_file_path:
      description: path to cpl file
      type: path
      # NOTE(review): PathToAtomicsFolder looks like a runner-resolved prefix
      # rather than a literal directory; confirm against the runner in use.
      default: PathToAtomicsFolder\T1218.002\bin\calc.cpl
  # Prerequisite commands run under PowerShell, while the test itself runs
  # under command_prompt (see executor.name).
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Cpl file must exist on disk at specified location (#{cpl_file_path})
    # Exit code 0 when the file is already present, 1 when it is missing.
    prereq_command: |
      if (Test-Path "#{cpl_file_path}") {exit 0} else {exit 1}
    # Creates the parent directory (errors such as "already exists" are ignored)
    # and downloads calc.cpl to the configured path.
    # NOTE(review): the URL tracks the mutable master branch and the file is
    # written to disk with no hash or signature check before control.exe loads
    # it. Pinning the URL to a commit and comparing Get-FileHash output with a
    # known-good value would make the prerequisite tamper-evident.
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{cpl_file_path}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}"
  executor:
    # The double quotes keep a path containing spaces as a single argument.
    # Per the description, success is visible as calc.exe launching. For
    # detection validation, the process-creation event to look for is
    # control.exe started with a .cpl path on its command line.
    command: |
      control.exe "#{cpl_file_path}"
    name: command_prompt