atomics/T1129/T1129.yaml

attack_technique: T1129
display_name: 'Server Software Component'
atomic_tests:
- name: ESXi - Install a custom VIB on an ESXi host 
  auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec
  description: |
    An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).
    [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name of the ESXi Server
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on ESXi Server
      type: string
      default: root
    vm_pass:
      description: Specify the privilege user password on ESXi Server
      type: string
      default: pass
    plink_file:
      description: Path to plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    pscp_file:
      description: Path to Pscp
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe'
    vib_install:
      description: Path to script with commands to install the vib
      type: path
      default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt
    vib_remove:
      description: Path to script with commands to remove the vib
      type: path
      default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt
    vib_file:
      description: Path to the dummy vib
      type: path
      default: PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if plink and pscp are available.
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
      if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
  executor:
    command: |
       #{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
    cleanup_command: |
       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_remove}"
    name: command_prompt
    elevation_required: false
ESXi ART Tests Batch 1 (#2635 ) 2023-12-14 07:27:13 -08:00			`attack_technique: T1129`
			`display_name: 'Server Software Component'`
			`atomic_tests:`
			`- name: ESXi - Install a custom VIB on an ESXi host`
			`auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec`
			`description: \|`
			`An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).`
			`[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)`
			`supported_platforms:`
			`- windows`
			`input_arguments:`
			`vm_host:`
			`description: Specify the host name of the ESXi Server`
			`type: string`
			`default: atomic.local`
			`vm_user:`
			`description: Specify the privilege user account on ESXi Server`
			`type: string`
			`default: root`
			`vm_pass:`
			`description: Specify the privilege user password on ESXi Server`
			`type: string`
			`default: pass`
			`plink_file:`
			`description: Path to plink`
			`type: path`
			`default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'`
			`pscp_file:`
			`description: Path to Pscp`
			`type: path`
			`default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe'`
			`vib_install:`
			`description: Path to script with commands to install the vib`
			`type: path`
			`default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt`
			`vib_remove:`
			`description: Path to script with commands to remove the vib`
			`type: path`
			`default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt`
			`vib_file:`
			`description: Path to the dummy vib`
			`type: path`
			`default: PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib`
			`dependency_executor_name: powershell`
			`dependencies:`
			`- description: \|`
			`Check if plink and pscp are available.`
			`prereq_command: \|`
			`if (Test-Path "#{plink_file}") {exit 0} else {exit 1}`
			`if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}`
			`get_prereq_command: \|`
			`New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force \| Out-Null`
			`Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"`
			`Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"`
			`executor:`
			`command: \|`
			`#{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp`
			`echo "" \| "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"`
			`cleanup_command: \|`
			`echo "" \| "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_remove}"`
			`name: command_prompt`
			`elevation_required: false`