atomic-red-team/atomics/T1036/T1036.yaml
JimmyAstle eab43d92fb Update to T1036 (#562)
Adding in 3 new techniques related to popular command interpreter renaming / running from non-std paths.
2019-09-13 09:42:01 -06:00

75 lines
2.0 KiB
YAML

---
attack_technique: T1036
display_name: Masquerading
atomic_tests:
- name: Masquerading as Windows LSASS process
  description: |
    Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
      cmd.exe /c %SystemRoot%\Temp\lsass.exe
- name: Masquerading as Linux crond process.
  description: |
    Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
  supported_platforms:
    - linux
  executor:
    name: sh
    elevation_required: false
    command: |
      cp /bin/sh /tmp/crond
      /tmp/crond
- name: Masquerading - cscript.exe running as notepad.exe
  description: |
    Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
      cmd.exe /c %APPDATA%\notepad.exe /B
- name: Masquerading - wscript.exe running as svchost.exe
  description: |
    Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
      cmd.exe /c %APPDATA%\svchost.exe /B
- name: Masquerading - powershell.exe running as taskhostw.exe
  description: |
    Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
      cmd.exe /K %APPDATA%\taskhostw.exe
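Every test above produces the same two observables a detection can key on: a process whose name matches a well-known system process but whose image path is outside that process's canonical directory, and (on Windows) a PE whose OriginalFileName does not match the name it was launched under. The check below is an added example, not part of the atomic-red-team project; the canonical directories, the event shape (modelled on Sysmon Event ID 1 fields) and the sample events are assumptions constructed here.

```python
"""Flag a process whose name matches a known system process but runs from an
unexpected directory, or whose PE OriginalFileName differs from its image name."""
from dataclasses import dataclass
import ntpath
import posixpath

# Assumed canonical directories for the names the atomics above impersonate.
EXPECTED_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "notepad.exe": {r"c:\windows\system32", r"c:\windows"},
    "crond": {"/usr/sbin", "/sbin"},
}

@dataclass
class ProcEvent:
    image: str               # full path of the executed image
    original_file_name: str  # PE OriginalFileName; "" when absent (e.g. ELF)

def _split(path):
    # Windows paths are compared case-insensitively; POSIX paths as-is.
    if "\\" in path or ":" in path:
        d, n = ntpath.split(path)
        return d.lower(), n.lower()
    return posixpath.split(path)

def check(ev):
    """Return the list of findings for one process-creation event (empty = benign)."""
    findings = []
    d, name = _split(ev.image)
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and d not in expected:
        findings.append(f"{name} running from unexpected path {ev.image}")
    if ev.original_file_name and ev.original_file_name.lower() != name:
        findings.append(f"{ev.image} has OriginalFileName {ev.original_file_name}")
    return findings

def scan(events):
    return {ev.image: check(ev) for ev in events if check(ev)}

# Constructed sample events: the atomics' renamed interpreters plus benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Temp\lsass.exe", "Cmd.Exe"),
    ProcEvent(r"C:\Users\bob\AppData\Roaming\svchost.exe", "wscript.exe"),
    ProcEvent(r"C:\Users\bob\AppData\Roaming\taskhostw.exe", "PowerShell.EXE"),
    ProcEvent(r"C:\Windows\System32\lsass.exe", "lsass.exe"),
    ProcEvent("/tmp/crond", ""),
    ProcEvent("/usr/sbin/crond", ""),
]
```

The Linux case only triggers on the path check, since an ELF carries no OriginalFileName; comparing the file's hash against the package-managed /usr/sbin/crond closes that gap.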