0c3e47f7be
* Technique - T1071 First commit of T1071 - Standard Application Layer Protocols. Specifically using PowerShell & Curl to simulate malicious user agents.
* Web Shell Simple test of copying webshells from atomic dir to a path on the file system.
* typo
* Generate docs from job=validate_atomics_generate_docs branch=web
27 lines
747 B
YAML
---
attack_technique: T1100
display_name: Web Shell

atomic_tests:
- name: Web Shell Written to Disk
  description: |
    This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
    Idea from APTSimulator.
    cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx

  supported_platforms:
    - windows
  input_arguments:
    web_shell_path:
      description: The path to drop the web shell
      type: string
      default: C:\inetpub\wwwroot
    web_shells:
      description: Path of Web Shell
      type: path
      default: C:\AtomicRedTeam\atomics\T1100\shells\
  executor:
    name: command_prompt
    command: |
      xcopy #{web_shells} #{web_shell_path}
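A detection check for the file write this test produces, added here as an example and not part of the Atomic Red Team repository. It assumes file-creation telemetry with the field names of Sysmon Event ID 11 (UtcTime, Image, TargetFilename); the extension list, the function names and the sample events are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: the monitored web root is the test's default web_shell_path.
WEB_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot")
# Assumption: server-side script extensions worth alerting on; tune per site.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}


def is_under(path, root):
    # Compare path components case-insensitively (Windows semantics) so a
    # sibling such as C:\inetpub\wwwroot_old is not treated as the web root.
    p = [c.lower() for c in path.parts]
    r = [c.lower() for c in root.parts]
    return len(p) > len(r) and p[:len(r)] == r


def flag_web_shell_writes(events, web_root=WEB_ROOT):
    """Return (time, writing process, file) for script files created under web_root."""
    hits = []
    for ev in events:
        target = PureWindowsPath(ev["TargetFilename"])
        if is_under(target, web_root) and target.suffix.lower() in SCRIPT_EXTS:
            hits.append((ev["UtcTime"], ev["Image"], str(target)))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # The write performed by this test's xcopy command with default arguments.
    {"UtcTime": "2019-01-01 10:00:01", "Image": r"C:\Windows\System32\xcopy.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\cmd.aspx"},
    # Non-script upload under the web root: ignored.
    {"UtcTime": "2019-01-01 10:02:10", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"c:\INETPUB\WWWROOT\uploads\avatar.png"},
    # Script file in a sibling directory with a shared name prefix: ignored.
    {"UtcTime": "2019-01-01 10:03:30", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\inetpub\wwwroot_old\test.aspx"},
    # Script file written by the IIS worker process, mixed case: flagged.
    {"UtcTime": "2019-01-01 10:05:44", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\uploads\x.ASPX"},
]

if __name__ == "__main__":
    for when, image, target in flag_web_shell_writes(SAMPLE_EVENTS):
        print(f"{when}  {image}  ->  {target}")
```

Running the atomic test with its defaults should produce a hit of the first kind; the writing process in the result is what separates an expected deployment from a script file dropped by the web server itself.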