From b2658be59029c6acbd706602161c25e5b1f2eccb Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Fri, 10 May 2024 12:54:10 -0500
Subject: [PATCH] Update T1219.yaml (#2763)

Co-authored-by: Carrie Roberts
---
 atomics/T1219/T1219.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml
index 6fdad83750..24918b9004 100644
--- a/atomics/T1219/T1219.yaml
+++ b/atomics/T1219/T1219.yaml
@@ -281,3 +281,33 @@ atomic_tests:
 $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
 Remove-Item $file1 -ErrorAction Ignore
 name: powershell
+- name: Splashtop Execution
+  description: |
+    An adversary may attempt to trick the user into downloading Splashtop for use as a C2 channel.
+    Upon successful execution, Splashtop will be executed.
+  supported_platforms:
+  - windows
+  input_arguments:
+    Splashtop_Path:
+      description: Path of Splashtop executable
+      type: path
+      default: '${env:programfiles(x86)}\Splashtop\Splashtop Remote\Client for STP\strwinclt.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Splashtop must exist at "#{Splashtop_Path}"
+    prereq_command: |
+      if (Test-Path "#{Splashtop_Path}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" "https://download.splashtop.com/winclient/STP/Splashtop_Personal_Win_v3.6.6.0.exe"
+      start-sleep 30
+      start-process "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" /S
+      start-sleep 30
+  executor:
+    command: |
+      Start-Process "#{Splashtop_Path}"
+    cleanup_command: |
+      Stop-Process -Name "strwinclt" -force -erroraction silentlycontinue
+    name: powershell
+  elevation_required: true
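Review bot: The new get_prereq_command executes the downloaded installer with no integrity check and then relies on fixed `start-sleep 30` delays instead of waiting for it to exit, so the prereq can pass or fail on timing alone, and a swapped or tampered download would be installed without complaint under `elevation_required: true`. `Invoke-WebRequest` is synchronous, so the first sleep buys nothing; replace the three lines after it with `Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" -ArgumentList "/S" -Wait`, and if a known-good SHA256 for the pinned v3.6.6.0 build is available, gate the install on `(Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" -Algorithm SHA256).Hash -eq "<expected>"`. The cleanup_command only stops `strwinclt`, so the remote-access client stays installed after the test; the description should say so (e.g. "Note: Splashtop remains installed after cleanup; uninstall manually if not wanted") or the cleanup should invoke the uninstaller. Unrelated to this change, the context line `Remove-Item $file1 -ErrorAction Ignore` references `$file1` while the line above assigns `$file`, so that earlier cleanup likely never removes the RustDesk installer and is worth a follow-up fix.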