security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1564.003/T1564.003.yaml
T
Atomic Red Team doc generator 1157183f0a Generated docs from job=generate-docs branch=master [ci skip]
2024-08-03 01:32:44 +00:00

58 lines
2.2 KiB
YAML
Raw Permalink Blame History

attack_technique: T1564.003
display_name: 'Hide Artifacts: Hidden Window'
atomic_tests:
- name: Hidden Window
auto_generated_guid: f151ee37-9e2b-47e6-80e4-550b9f999b7a
description: |
Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden.
Upon execution a hidden PowerShell window will launch calc.exe
supported_platforms:
- windows
input_arguments:
powershell_command:
description: Command to launch calc.exe from a hidden PowerShell Window
type: string
default: powershell.exe -WindowStyle hidden calc.exe
executor:
command: |
Start-Process #{powershell_command}
name: powershell
- name: Headless Browser Accessing Mockbin
auto_generated_guid: 0ad9ab92-c48c-4f08-9b20-9633277c4646
description: |
The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs.
The default Mockbin ID forwards to google.com and you may view the details here https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec/view.
Reference: https://cert.gov.ua/article/5702579
supported_platforms:
- windows
input_arguments:
bin_id:
description: Mockbin.org BIN ID
type: string
default: f6b9a876-a826-4ac0-83b8-639d6ad516ec
browser:
description: Browser to use (msedge, chrome, firefox)
type: string
default: chrome
executor:
command: |
start "" #{browser} --headless --disable-gpu https://mockbin.org/bin/#{bin_id}
cleanup_command: |
taskkill /im #{browser} /f
name: command_prompt
- name: Hidden Window-Conhost Execution
auto_generated_guid: 5510d22f-2595-4911-8456-4d630c978616
description: |
Launch conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine.
This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
conhost.exe can be used as proxy the execution of arbitrary commands
supported_platforms:
- windows
executor:
command: |
conhost.exe --headless calc.exe
cleanup_command: |
Stop-Process -Name calc*
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink