Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows Atomic Tests to TTP #10 #136

Closed
wants to merge 3 commits into from
Closed

Windows Atomic Tests to TTP #10 #136

wants to merge 3 commits into from

Conversation

jazzyle
Copy link
Contributor

@jazzyle jazzyle commented Sep 16, 2024

Summary:
Converting atomics to ttps in Windows Atomic Red Team Tests
This ttp was 10/10 and it performs the follow function:

Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.

Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md#t1218009---signed-binary-proxy-execution-regsvcsregasm

Reviewed By: godlovepenn

Differential Revision: D62655872

@jazzyle @facebook-github-bot
Windows Atomic Tests to TTP facebookincubator#8 (facebookincubator#135)
e976696 
Summary:

Converting atomics to ttps in Windows Atomic Red Team Tests
This ttp was 8/10 and it performs the follow function:
Create and start VirtualBox virtual machine
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
Graphics.CopyFromScreen]

Reviewed By: godlovepenn

Differential Revision: D62651150
@jazzyle @facebook-github-bot
Windows Atomic Tests to TTP facebookincubator#9
dc14864 
Summary:
Converting atomics to ttps in Windows Atomic Red Team Tests
This ttp was 9/10 and it performs the follow function:
Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1).
  The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process.
  When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).

Differential Revision: D62652075
@jazzyle @facebook-github-bot
Windows Atomic Tests to TTP facebookincubator#10
cc0647b 
Summary:
Converting atomics to ttps in Windows Atomic Red Team Tests
This ttp was 10/10 and it performs the follow function:

Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.

Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md#t1218009---signed-binary-proxy-execution-regsvcsregasm

Reviewed By: godlovepenn

Differential Revision: D62655872
@facebook-github-bot
Copy link
Contributor

This pull request was exported from Phabricator. Differential Revision: D62655872

@facebook-github-bot
Copy link
Contributor

This pull request has been merged in e15c7f7.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@d3sch41n d3sch41n Awaiting requested review from d3sch41n d3sch41n is a code owner

@cedowens cedowens Awaiting requested review from cedowens cedowens is a code owner

@d0n601 d0n601 Awaiting requested review from d0n601 d0n601 is a code owner

@CrimsonK1ng CrimsonK1ng Awaiting requested review from CrimsonK1ng CrimsonK1ng is a code owner

Assignees
No one assigned
Labels
cla signed fb-exported Merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jazzyle @facebook-github-bot