-
Notifications
You must be signed in to change notification settings - Fork 2.8k
/
T1056.yaml
27 lines (25 loc) · 936 Bytes
/
T1056.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
---
attack_technique: T1056
display_name: Input Capture
atomic_tests:
- name: Input Capture
description: |
Utilize PowerShell and external resource to capture keystrokes
[Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/src/Get-Keystrokes.ps1)
Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log.
supported_platforms:
- windows
input_arguments:
filepath:
description: Name of the local file, include path.
type: Path
default: $env:TEMP\key.log
executor:
name: powershell
elevation_required: true
command: |
Set-Location $PathToAtomicsFolder
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
cleanup_command: |
Remove-Item $env:TEMP\key.log -ErrorAction Ignore