
Windows Atomic Tests to TTP #10 #136

Closed
wants to merge 3 commits

Commits on Sep 16, 2024

  1. Windows Atomic Tests to TTP facebookincubator#8 (facebookincubator#135)

    Summary:
    
    Converting atomics to ttps in Windows Atomic Red Team Tests
    This ttp was 8/10 and it performs the following function:
    Create and start VirtualBox virtual machine
    Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
    
    Reviewed By: godlovepenn
    
    Differential Revision: D62651150
    jazzyle authored and facebook-github-bot committed Sep 16, 2024
    Commit e976696
  2. Windows Atomic Tests to TTP facebookincubator#9

    Summary:
    Converting atomics to ttps in Windows Atomic Red Team Tests
    This ttp was 9/10 and it performs the following function:
    Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1).
      The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of another process.
      When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
    
    Differential Revision: D62652075
    jazzyle authored and facebook-github-bot committed Sep 16, 2024
    Commit dc14864
  3. Windows Atomic Tests to TTP facebookincubator#10

    Summary:
    Converting atomics to ttps in Windows Atomic Red Team Tests
    This ttp was 10/10 and it performs the following function:
    
    Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.
    
    Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md#t1218009---signed-binary-proxy-execution-regsvcsregasm
    
    Reviewed By: godlovepenn
    
    Differential Revision: D62655872
    jazzyle authored and facebook-github-bot committed Sep 16, 2024
    Commit cc0647b