Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
27 lines
1.4 KiB
YAML
27 lines
1.4 KiB
YAML
attack_technique: T1027.006
|
|
display_name: HTML Smuggling
|
|
atomic_tests:
|
|
|
|
- name: HTML Smuggling Remote Payload
|
|
auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
|
|
description: |
|
|
The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without user interaction.
|
|
The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
|
|
supported_platforms:
|
|
- windows
|
|
dependencies:
|
|
- description: |
|
|
T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
|
|
prereq_command: |
|
|
if (Test-Path "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html") { exit 0} else { exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
|
|
executor:
|
|
command: |
|
|
& "PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html"
|
|
cleanup_command:
|
|
$user = [System.Environment]::UserName;
|
|
Remove-Item -Path C:\Users\$user\Downloads\FeelTheBurn.iso -ErrorAction Ignore
|
|
name: powershell
|
|
elevation_required: false |