Hare Sudhan
83 lines
3.8 KiB
YAML
83 lines
3.8 KiB
YAML
attack_technique: T1071.001
|
|
display_name: 'Application Layer Protocol: Web Protocols'
|
|
atomic_tests:
|
|
- name: Malicious User Agents - Powershell
|
|
auto_generated_guid: 81c13829-f6c9-45b8-85a6-053366d55297
|
|
description: |
|
|
This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.
|
|
Use an application such as Wireshark to record the session and observe user agent strings and responses.
|
|
|
|
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
domain:
|
|
description: Default domain to simulate against
|
|
type: string
|
|
default: www.google.com
|
|
executor:
|
|
command: |
|
|
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
|
|
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
|
|
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
|
|
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
|
|
name: powershell
|
|
- name: Malicious User Agents - CMD
|
|
auto_generated_guid: dc3488b0-08c7-4fea-b585-905c83b48180
|
|
description: |
|
|
This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed.
|
|
Use an application such as Wireshark to record the session and observe user agent strings and responses.
|
|
|
|
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
domain:
|
|
description: Default domain to simulate against
|
|
type: string
|
|
default: www.google.com
|
|
curl_path:
|
|
description: path to curl.exe
|
|
type: path
|
|
default: C:\Windows\System32\Curl.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Curl must be installed on system
|
|
prereq_command: |
|
|
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
|
|
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
|
|
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
|
|
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
|
|
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
|
|
executor:
|
|
command: |
|
|
#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
|
|
#{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
|
|
#{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
|
|
#{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1
|
|
name: command_prompt
|
|
- name: Malicious User Agents - Nix
|
|
auto_generated_guid: 2d7c471a-e887-4b78-b0dc-b0df1f2e0658
|
|
description: |
|
|
This test simulates an infected host beaconing to command and control.
|
|
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
domain:
|
|
description: Default domain to simulate against
|
|
type: string
|
|
default: www.google.com
|
|
executor:
|
|
command: |
|
|
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
|
|
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
|
|
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
|
|
curl -s -A "*<|>*" -m3 #{domain}
|
|
name: sh
|