Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
20 lines
1.1 KiB
YAML
20 lines
1.1 KiB
YAML
attack_technique: T1574.008
|
|
display_name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
|
|
atomic_tests:
|
|
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
|
|
auto_generated_guid: 1561de08-0b4b-498e-8261-e922f3494aae
|
|
description: |
|
|
Colibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows version, Colibri drops its copy in %APPDATA%\Local\Microsoft\WindowsApps and
|
|
names it Get-Variable.exe for Windows 10 and above.
|
|
https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" "PathToAtomicsFolder\T1574.008\bin\calc.cs"
|
|
Powershell -noprofile
|
|
cleanup_command: |
|
|
Remove-Item "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" -ErrorAction Ignore
|
|
Stop-Process -Name "calculator"
|
|
name: powershell
|