Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
69 lines
3.1 KiB
YAML
69 lines
3.1 KiB
YAML
attack_technique: T1547.015
|
|
display_name: 'Boot or Logon Autostart Execution: Login Items'
|
|
atomic_tests:
|
|
- name: Persistence by modifying Windows Terminal profile
|
|
auto_generated_guid: ec5d76ef-82fe-48da-b931-bdb25a62bc65
|
|
description: Modify Windows Terminal settings.json file to gain persistence. [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
calculator:
|
|
description: Test program used to imitate a maliciously called program.
|
|
type: string
|
|
default: calculator.exe
|
|
settings_json_def:
|
|
description: Default file for Windows Terminal to replace the default profile with a backdoor to call another program.
|
|
type: path
|
|
default: ~\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json
|
|
settings_json_tmp:
|
|
description: Temp file for Windows Terminal.
|
|
type: path
|
|
default: ~\AppData\Local\Temp\settings.json
|
|
wt_exe:
|
|
description: Windows Terminal executable.
|
|
type: path
|
|
default: ~\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Windows Terminal must be installed
|
|
prereq_command: |
|
|
if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
|
|
executor:
|
|
command: |
|
|
mv #{settings_json_def} #{settings_json_tmp}
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
|
|
wt.exe
|
|
cleanup_command: |
|
|
mv -Force #{settings_json_tmp} #{settings_json_def}
|
|
taskkill /F /IM "#{calculator}" > $null
|
|
name: powershell
|
|
- name: Add macOS LoginItem using Applescript
|
|
auto_generated_guid: 716e756a-607b-41f3-8204-b214baf37c1d
|
|
description: |
|
|
Runs osascript on a file to create new LoginItem for current user.
|
|
NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
|
|
Therefore, it can't be automated until the TCC is granted.
|
|
The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
|
|
In addition to the `osascript` Process Events, file modification events to
|
|
`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
scriptfile:
|
|
description: path to Applescript source to add Safari LoginItem.
|
|
type: string
|
|
default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
|
|
cleanup_script:
|
|
description: path to Applescript source to delete Safari LoginItem.
|
|
type: string
|
|
default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
|
|
executor:
|
|
command: |
|
|
osascript #{scriptfile}
|
|
cleanup_command: |
|
|
osascript #{cleanup_script}
|
|
name: bash
|