diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 00000000..948a2368
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,16 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "Python: Current File",
+ "type": "python",
+ "request": "launch",
+ "program": "${file}",
+ "console": "integratedTerminal",
+ "justMyCode": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Full_tests.csv b/Full_tests.csv
index 70a1dd27..2f7c7e27 100644
--- a/Full_tests.csv
+++ b/Full_tests.csv
@@ -807,9 +807,9 @@ execution;T1059.004;bash;['linux'];Change login shell;c7ac59cb-13cc-4622-81dc-6d
 execution;T1059.004;bash;['linux'];Environment variable scripts;bdaebd56-368b-4970-a523-f905ff4a8a51;False;11
 execution;T1059.004;bash;['linux'];Detecting pipe-to-shell;fca246a8-a585-4f28-a2df-6495973976a1;False;12
 execution;T1559;command_prompt;['windows'];Cobalt Strike Artifact Kit pipe;bd13b9fc-b758-496a-b81a-397462f82c72;True;1
-execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;False;2
-execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;False;3
-execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;False;4
+execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;True;2
+execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;True;3
+execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;True;4
 execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (before 4.2);8dbfc15c-527b-4ab0-a272-019f469d367f;False;5
 execution;T1204.003;powershell;['windows'];Malicious Execution from Mounted ISO Image;e9795c8d-42aa-4ed4-ad80-551ed793d006;True;1
 execution;T1059.006;sh;['linux'];Execute shell script via python's command mode arguement;3a95cdb2-c6ea-4761-b24e-02b71889b8bb;False;1
@@ -1274,7 +1274,7 @@ credential-access;T1552.004;powershell;['windows'];ADFS token signing and encryp
 credential-access;T1552.004;powershell;['windows'];CertUtil ExportPFX;336b25bf-4514-4684-8924-474974f28137;True;8
 credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-PFXCertificate;7617f689-bbd8-44bc-adcd-6f8968897848;True;9
 credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-Certificate;78b274f8-acb0-428b-b1f7-7b0d0e73330a;True;10
-credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;False;11
+credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;True;11
 credential-access;T1557.001;powershell;['windows'];LLMNR Poisoning with Inveigh (PowerShell);deecd55f-afe0-4a62-9fba-4d1ba2deb321;True;1
 credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory using ProcDump;0be2230c-9ab3-4ac2-8826-3199b9a0ebf8;True;1
 credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe Memory using comsvcs.dll;2536dee2-12fb-459a-8c37-971844fa73be;True;2
diff --git a/powershell/runtest.ps1 b/powershell/runtest.ps1
new file mode 100644
index 00000000..823bcb47
--- /dev/null
+++ b/powershell/runtest.ps1
@@ -0,0 +1,60 @@
+write-host " _________________________ " -ForegroundColor red
+write-host "(( ))" -ForegroundColor red
+write-host " )) Frack113 tests script (( " -ForegroundColor red
+write-host "(( ))" -ForegroundColor red
+write-host " ------------------------- " -ForegroundColor red
+write-host " for the best of my knowledge "
+
+write-host "Import module"
+Import-Module .\Export-WinEvents
+Import-Module C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1
+
+write-host " Open csv"
+$csv = Import-Csv -Path .\Full_tests.csv -Delimiter ';'
+
+$list_channel = ('Application','Security','System','Microsoft-Windows-Sysmon/Operational','Microsoft-Windows-PowerShell/Operational')
+
+foreach ($info in $csv)
+{
+ $technique = $info.technique
+ $nmr = $info.nmr_test
+ $valid = $info.sigma
+ $name = $info.name
+ if ($info.os -like '*windows*'){
+ if ($info.executor -ne 'manual'){
+ if ($valid -eq 'False') {
+ write-host "Test $name - $technique test : $nmr"
+ write-host "Disable Realtime Monitoring"
+ Set-MpPreference -DisableRealtimeMonitoring 1
+ write-host "Make environnement"
+ Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog
+ Invoke-AtomicTest $technique -TestNumbers $nmr -GetPrereqs -TimeoutSeconds 120 -NoExecutionLog
+ $list_channel | Clear-WinEvents -Verbose
+ Start-Sleep -s 10
+
+ write-host "Start Aurora"
+ Start-Process C:\aurora\aurora-agent-64.exe -WorkingDirectory C:\aurora -ArgumentList "-c agent-config-standard.yml","--minimum-level low","--json","-l c:\Tests\$($technique)_test_$($nmr)_aurora.json"
+ Start-Sleep -s 30
+
+ write-host "Start test"
+ Invoke-AtomicTest $technique -TestNumbers $nmr -TimeoutSeconds 120 -NoExecutionLog
+ Start-Sleep -s 10
+
+ write-host "Stop Aurora"
+ Stop-Process -name aurora-agent-64
+
+ Start-Sleep -s 10
+ foreach ($channel in $list_channel){
+ $name = $channel.replace("/","_")
+ Export-WinEvents -TimeBucket 'Last 5 Minutes' -OutputPath "c:\Tests\$($technique)_test_$($nmr)_channel_$name.json" -Channel $channel
+ }
+
+ write-host "Cleanup"
+ Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog
+ Start-Sleep -s 10
+
+ } Else { write-host "$name / $technique test: $nmr / OK" -ForegroundColor green }
+ } Else { write-host "$name / $technique test: $nmr / manual test :)" -ForegroundColor DarkRed }
+ } Else { write-host "$name / $technique test: $nmr / not windows :)" -ForegroundColor DarkRed }
+}
+write-host "Good Hunt..." -ForegroundColor green
\ No newline at end of file
diff --git a/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml b/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml
index c954e8e1..c23ddd25 100644
--- a/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml
+++ b/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml
@@ -20,5 +20,7 @@ description: |
 The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+ - id: a642964e-bead-4bed-8910-1bb4d63e3b4d
+ name: proc_creation_win_hktl_mimikatz_command_line.yml
diff --git a/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml b/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml
index 2b2ef554..f13ff1cf 100644
--- a/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml
+++ b/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml
@@ -19,5 +19,7 @@ description: |
 The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+ - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+ name: pipe_created_mal_cobaltstrike.yml
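Review bot: `Set-MpPreference -DisableRealtimeMonitoring 1` in the `$valid -eq 'False'` branch is never undone, so a run that throws part-way (or simply finishes) leaves the test host with real-time monitoring switched off; wrap the per-test body in `try { … } finally { Set-MpPreference -DisableRealtimeMonitoring 0 }`, or at minimum re-enable it after the "Cleanup" step and once more after the loop. `$name` is reused for two different things in that branch: it holds `$info.name` for the log lines and is then overwritten by `$channel.replace("/","_")` inside the channel loop, so its meaning depends on where you read it; a distinct name such as `$channel_name = $channel.replace("/","_")` keeps the two apart. `Stop-Process -name aurora-agent-64` stops any process of that name and errors out if Aurora never started; capturing the object from `Start-Process … -PassThru` and stopping it by Id is more precise and lets you check it actually launched. A short header comment listing the prerequisites the script assumes (the Export-WinEvents module in the working directory, Invoke-AtomicRedTeam under C:\AtomicRedTeam, Aurora under C:\aurora, an existing c:\Tests output directory, and an elevated session for Set-MpPreference and Clear-WinEvents) would help the next person running it.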
diff --git a/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml b/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml
index ef79d560..aa52d8b8 100644
--- a/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml
+++ b/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml
@@ -19,5 +19,7 @@ description: |
 The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+ - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+ name: pipe_created_mal_cobaltstrike.yml
diff --git a/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml b/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml
index 77dd29b6..c5da327f 100644
--- a/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml
+++ b/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml
@@ -19,5 +19,7 @@ description: |
 The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+ - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+ name: pipe_created_mal_cobaltstrike.yml