Austin Robertson
5cb3fed680
* Fix string interpolation from ${foo} to #{foo} across all atomics
* remove non-ASCII characters from atomics YAML
* fix erroneous input_arguments
58 lines
1.6 KiB
YAML
58 lines
1.6 KiB
YAML
---
|
|
attack_technique: T1202
|
|
display_name: Indirect Command Execution
|
|
|
|
atomic_tests:
|
|
- name: Indirect Command Execution - pcalua.exe
|
|
description: |
|
|
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
|
|
|
|
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
process:
|
|
description: Process to execute
|
|
type: string
|
|
default: calc.exe
|
|
payload_path:
|
|
description: Path to payload
|
|
type: path
|
|
default: c:\temp\payload.dll
|
|
payload_cpl_path:
|
|
description: Path to payload
|
|
type: path
|
|
default: C:\Windows\system32\javacpl.cpl -c Java
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
pcalua.exe -a #{process}
|
|
pcalua.exe -a #{payload_path}
|
|
pcalua.exe -a #{payload_cpl_path}
|
|
|
|
- name: Indirect Command Execution - forfiles.exe
|
|
description: |
|
|
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
|
|
|
|
[Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md)
|
|
|
|
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
process:
|
|
description: Process to execute
|
|
type: string
|
|
default: calc.exe
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
|
|
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
|