Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
36 lines
1.2 KiB
YAML
36 lines
1.2 KiB
YAML
attack_technique: T1546.013
|
|
display_name: 'Event Triggered Execution: PowerShell Profile'
|
|
atomic_tests:
|
|
- name: Append malicious start-process cmdlet
|
|
auto_generated_guid: 090e5aa5-32b6-473b-a49b-21e843a56896
|
|
description: |
|
|
Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
exe_path:
|
|
description: Path the malicious executable
|
|
type: path
|
|
default: calc.exe
|
|
ps_profile:
|
|
description: Powershell profile to use
|
|
type: string
|
|
default: $profile
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Ensure a powershell profile exists for the current user
|
|
prereq_command: |
|
|
if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Path #{ps_profile} -Type File -Force
|
|
executor:
|
|
command: |
|
|
Add-Content #{ps_profile} -Value ""
|
|
Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
|
|
powershell -Command exit
|
|
cleanup_command: |
|
|
$oldprofile = cat $profile | Select-Object -skiplast 1
|
|
Set-Content $profile -Value $oldprofile
|
|
name: powershell
|