Commit

Update windows tests (#3)
Signed-off-by: frack113 <[email protected]>
frack113 authored Jul 22, 2023
1 parent 54fc808 commit 4fb5489
Showing 9 changed files with 102 additions and 12 deletions.
16 changes: 16 additions & 0 deletions .vscode/launch.json
@@ -0,0 +1,16 @@
{
// Use IntelliSense to learn about possible attributes.
// Hover to view descriptions of existing attributes.
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0",
"configurations": [
{
"name": "Python: Current File",
"type": "python",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"justMyCode": true
}
]
}
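Review bot: this adds a personal VS Code launch profile to the repository, which every clone will now pick up; unless the project intends to ship editor settings, add `.vscode/` to `.gitignore` and drop this file. If it stays, note that `"justMyCode": true` hides frames inside installed packages while debugging, so set it to `false` when stepping into library code from the harness.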
8 changes: 4 additions & 4 deletions Full_tests.csv
@@ -803,9 +803,9 @@ execution;T1059.004;bash;['linux'];Change login shell;c7ac59cb-13cc-4622-81dc-6d
execution;T1059.004;bash;['linux'];Environment variable scripts;bdaebd56-368b-4970-a523-f905ff4a8a51;False;11
execution;T1059.004;bash;['linux'];Detecting pipe-to-shell;fca246a8-a585-4f28-a2df-6495973976a1;False;12
execution;T1559;command_prompt;['windows'];Cobalt Strike Artifact Kit pipe;bd13b9fc-b758-496a-b81a-397462f82c72;True;1
execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;False;2
execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;False;3
execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;False;4
execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;True;2
execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;True;3
execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;True;4
execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (before 4.2);8dbfc15c-527b-4ab0-a272-019f469d367f;False;5
execution;T1204.003;powershell;['windows'];Malicious Execution from Mounted ISO Image;e9795c8d-42aa-4ed4-ad80-551ed793d006;False;1
execution;T1059.006;sh;['linux'];Execute shell script via python's command mode arguement;3a95cdb2-c6ea-4761-b24e-02b71889b8bb;False;1
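Review bot: the psexec_psh, postex_ssh and "4.2 and later" pipe rows flip to True, but the adjacent "Cobalt Strike post-exploitation pipe (before 4.2)" row (8dbfc15c-527b-4ab0-a272-019f469d367f) stays False; the three updated tests are all mapped to pipe_created_mal_cobaltstrike.yml in the yml changes below, so either flip the pre-4.2 row as well if it was verified against the same rule, or state in the commit message that the pre-4.2 pipe name is a known coverage gap. Unrelated to this change, the context line "python's command mode arguement" carries a typo (argument) that could be fixed in a follow-up since this CSV is hand-maintained.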
@@ -1266,7 +1266,7 @@ credential-access;T1552.004;powershell;['windows'];ADFS token signing and encryp
credential-access;T1552.004;powershell;['windows'];CertUtil ExportPFX;336b25bf-4514-4684-8924-474974f28137;True;8
credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-PFXCertificate;7617f689-bbd8-44bc-adcd-6f8968897848;True;9
credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-Certificate;78b274f8-acb0-428b-b1f7-7b0d0e73330a;True;10
credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;False;11
credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;True;11
credential-access;T1557.001;powershell;['windows'];LLMNR Poisoning with Inveigh (PowerShell);deecd55f-afe0-4a62-9fba-4d1ba2deb321;True;1
credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory using ProcDump;0be2230c-9ab3-4ac2-8826-3199b9a0ebf8;True;1
credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe Memory using comsvcs.dll;2536dee2-12fb-459a-8c37-971844fa73be;True;2
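Review bot: the Mimikatz certificate-export row flips to True on the strength of proc_creation_win_hktl_mimikatz_command_line.yml (see the yml change below); judging by its name that rule keys on the mimikatz command line, not on the certificate export itself, so a renamed or in-memory build would pass this test undetected. Fine to mark True, but the sigma column would be more useful with a note, here or in the yml, that coverage is tool-based rather than behaviour-based.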
1 change: 1 addition & 0 deletions missing_tests.csv
@@ -9,6 +9,7 @@ defense-evasion;T1553.002;win_security_susp_sdelete.yml
defense-evasion;T1599.001;driver_load_win_windivert.yml
defense-evasion;T1550;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml
defense-evasion;T1553.003;registry_set_sip_persistence.yml
defense-evasion;T1222;posh_ps_set_acl.yml,posh_ps_set_acl_susp_location.yml
defense-evasion;T1548;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_aad_secops_new_ca_policy_addedby_bad_actor.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,lnx_auditd_capabilities_discovery.yml,file_event_lnx_doas_conf_creation.yml,proc_creation_lnx_doas_execution.yml,win_security_scm_database_privileged_operation.yml,win_system_vul_cve_2020_1472.yml,proc_access_win_svchost_cred_dump.yml,proc_creation_win_regedit_trustedinstaller.yml,proc_creation_win_susp_abusing_debug_privilege.yml,proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml,registry_set_comhijack_sdclt.yml
defense-evasion;T1578.003;azure_aadhybridhealth_adfs_service_delete.yml
defense-evasion;T1574.005;proc_creation_win_hktl_sharpup.yml
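Review bot: the new T1222 row lists only posh_ps_set_acl.yml and posh_ps_set_acl_susp_location.yml, while sigma_rule.csv in this same commit also registers proc_creation_win_powershell_set_acl.yml and proc_creation_win_powershell_set_acl_susp_location.yml as False. If those process-creation variants are likewise untested they belong on this line too; otherwise the two CSVs disagree about which rules lack an atomic test.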
60 changes: 60 additions & 0 deletions powershell/runtest.ps1
@@ -0,0 +1,60 @@
write-host " _________________________ " -ForegroundColor red
write-host "(( ))" -ForegroundColor red
write-host " )) Frack113 tests script (( " -ForegroundColor red
write-host "(( ))" -ForegroundColor red
write-host " ------------------------- " -ForegroundColor red
write-host " for the best of my knowledge "

write-host "Import module"
Import-Module .\Export-WinEvents
Import-Module C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1

write-host " Open csv"
$csv = Import-Csv -Path .\Full_tests.csv -Delimiter ';'

$list_channel = ('Application','Security','System','Microsoft-Windows-Sysmon/Operational','Microsoft-Windows-PowerShell/Operational')

foreach ($info in $csv)
{
$technique = $info.technique
$nmr = $info.nmr_test
$valid = $info.sigma
$name = $info.name
if ($info.os -like '*windows*'){
if ($info.executor -ne 'manual'){
if ($valid -eq 'False') {
write-host "Test $name - $technique test : $nmr"
write-host "Disable Realtime Monitoring"
Set-MpPreference -DisableRealtimeMonitoring 1
write-host "Make environnement"
Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog
Invoke-AtomicTest $technique -TestNumbers $nmr -GetPrereqs -TimeoutSeconds 120 -NoExecutionLog
$list_channel | Clear-WinEvents -Verbose
Start-Sleep -s 10

write-host "Start Aurora"
Start-Process C:\aurora\aurora-agent-64.exe -WorkingDirectory C:\aurora -ArgumentList "-c agent-config-standard.yml","--minimum-level low","--json","-l c:\Tests\$($technique)_test_$($nmr)_aurora.json"
Start-Sleep -s 30

write-host "Start test"
Invoke-AtomicTest $technique -TestNumbers $nmr -TimeoutSeconds 120 -NoExecutionLog
Start-Sleep -s 10

write-host "Stop Aurora"
Stop-Process -name aurora-agent-64

Start-Sleep -s 10
foreach ($channel in $list_channel){
$name = $channel.replace("/","_")
Export-WinEvents -TimeBucket 'Last 5 Minutes' -OutputPath "c:\Tests\$($technique)_test_$($nmr)_channel_$name.json" -Channel $channel
}

write-host "Cleanup"
Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog
Start-Sleep -s 10

} Else { write-host "$name / $technique test: $nmr / OK" -ForegroundColor green }
} Else { write-host "$name / $technique test: $nmr / manual test :)" -ForegroundColor DarkRed }
} Else { write-host "$name / $technique test: $nmr / not windows :)" -ForegroundColor DarkRed }
}
write-host "Good Hunt..." -ForegroundColor green
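Review bot: `Set-MpPreference -DisableRealtimeMonitoring 1` is issued before every test and never reverted, so the test VM is left with Defender real-time protection off when the script exits; re-enable it with `Set-MpPreference -DisableRealtimeMonitoring 0` in a `finally` block (and be aware the call is silently ignored when Tamper Protection is on, so check `Get-MpPreference` before trusting it). Further points in the same hunk: `Stop-Process -name aurora-agent-64` throws and aborts the iteration if the agent failed to start, so add `-ErrorAction SilentlyContinue` or test for the process first; `c:\Tests` is assumed to exist and both the aurora `-l` path and `Export-WinEvents -OutputPath` will fail without it, so create it with `New-Item -ItemType Directory -Force`; `$name` is reassigned inside the channel loop, shadowing the test name taken from `$info.name`, better as a separate `$channelName`; the `'Last 5 Minutes'` bucket leaves about two minutes of headroom over the worst case of 30 s + 120 s timeout + 30 s of sleeps, so widen it if `-TimeoutSeconds` is ever raised; and "environnement" should read "environment".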
5 changes: 5 additions & 0 deletions sigma_rule.csv
@@ -1037,6 +1037,7 @@ file_event_win_susp_system_interactive_powershell.yml;False
file_event_win_susp_task_write.yml;False
file_event_win_susp_teamviewer_remote_session.yml;False
file_event_win_susp_vscode_powershell_profile.yml;False
file_event_win_susp_windows_terminal_profile.yml;False
file_event_win_susp_winsxs_binary_creation.yml;False
file_event_win_sysinternals_livekd_default_dump_name.yml;False
file_event_win_sysinternals_livekd_driver.yml;False
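Review bot: file_event_win_susp_windows_terminal_profile.yml is registered as False, but the missing_tests.csv hunk in this commit adds no row naming it; if False means "no atomic test exercises this rule", it should also appear in missing_tests.csv under its technique so the two files stay in step.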
@@ -1345,6 +1346,8 @@ posh_ps_script_with_upload_capabilities.yml;True
posh_ps_security_software_discovery.yml;True
posh_ps_send_mailmessage.yml;True
posh_ps_sensitive_file_discovery.yml;False
posh_ps_set_acl.yml;False
posh_ps_set_acl_susp_location.yml;False
posh_ps_set_policies_to_unsecure_level.yml;True
posh_ps_shellcode_b64.yml;False
posh_ps_shellintel_malicious_commandlets.yml;True
@@ -1955,6 +1958,8 @@ proc_creation_win_powershell_run_script_from_input_stream.yml;False
proc_creation_win_powershell_sam_access.yml;True
proc_creation_win_powershell_script_engine_parent.yml;True
proc_creation_win_powershell_service_dacl_modification_set_service.yml;False
proc_creation_win_powershell_set_acl.yml;False
proc_creation_win_powershell_set_acl_susp_location.yml;False
proc_creation_win_powershell_set_policies_to_unsecure_level.yml;True
proc_creation_win_powershell_set_service_disabled.yml;False
proc_creation_win_powershell_shadowcopy_deletion.yml;False
6 changes: 4 additions & 2 deletions yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml
@@ -20,5 +20,7 @@ description: |
The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk.
executor: command_prompt
sigma: false
sigma_rule: []
sigma: true
sigma_rule:
- id: a642964e-bead-4bed-8910-1bb4d63e3b4d
name: proc_creation_win_hktl_mimikatz_command_line.yml
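Review bot: the rule chosen here matches on the mimikatz command line (per its name), not on the crypto::certificates export the description talks about, so the mapping holds only for an unrenamed binary invoked with the standard module syntax; add a line to the description saying so, or look for a rule keyed on the .pfx/.der writes the test produces, which would be the behaviour-based match. The move from `sigma_rule: []` to a block list with `id` and `name` is consistent with the other yml files in this commit.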
6 changes: 4 additions & 2 deletions yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml
@@ -19,5 +19,7 @@ description: |
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
executor: command_prompt
sigma: false
sigma_rule: []
sigma: true
sigma_rule:
- id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
name: pipe_created_mal_cobaltstrike.yml
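Review bot: this test, 830c8b6c (psexec_psh pipe) and d1f72fa0 (postex_ssh pipe) are all mapped to the same pipe_created_mal_cobaltstrike.yml rule; that rule depends on Sysmon pipe events (Event ID 17, PipeEvent) being enabled in the Sysmon configuration, which runtest.ps1 does not verify even though it exports Microsoft-Windows-Sysmon/Operational. Worth stating the Sysmon prerequisite in the description, and worth explaining why the sibling "before 4.2" test (8dbfc15c) is not given the same mapping.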
6 changes: 4 additions & 2 deletions yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml
@@ -19,5 +19,7 @@ description: |
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
executor: command_prompt
sigma: false
sigma_rule: []
sigma: true
sigma_rule:
- id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
name: pipe_created_mal_cobaltstrike.yml
6 changes: 4 additions & 2 deletions yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml
@@ -19,5 +19,7 @@ description: |
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
executor: command_prompt
sigma: false
sigma_rule: []
sigma: true
sigma_rule:
- id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
name: pipe_created_mal_cobaltstrike.yml