diff --git a/atomics/T1502/T1502.yaml b/atomics/T1502/T1502.yaml
index 99bbde93..8d627cf1 100644
--- a/atomics/T1502/T1502.yaml
+++ b/atomics/T1502/T1502.yaml
@@ -6,8 +6,10 @@ atomic_tests:
- name: Parent PID Spoofing using PowerShell
description: |
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
- Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
+ Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
+ calc.exe will be launched.
+ Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
supported_platforms:
- windows
@@ -53,4 +55,3 @@ atomic_tests:
cleanup_command: |
Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
-
\ No newline at end of file
diff --git a/atomics/T1504/T1504.yaml b/atomics/T1504/T1504.yaml
index 7e8ce431..fc8272fb 100644
--- a/atomics/T1504/T1504.yaml
+++ b/atomics/T1504/T1504.yaml
@@ -3,12 +3,12 @@ attack_technique: T1504
display_name: PowerShell Profile
atomic_tests:
-- name: Append malicious start-process cmdlet
+- name: Append malicious start-process cmdlet
description: |
- Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable
+ Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
supported_platforms:
- windows
-
+
input_arguments:
exe_path:
description: Path the malicious executable
@@ -20,18 +20,22 @@ atomic_tests:
type: String
default: $profile
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Ensure a powershell profile exists for the current user
+ prereq_command: |
+ if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Path #{ps_profile} -Type File -Force
+
executor:
name: powershell
elevation_required: false
- command: |
- if(Test-Path #{ps_profile}){
- }
- else{
- New-Item -Path #{ps_profile} -Type File -Force
- }
- $malicious = "Start-Process #{exe_path}"
- Add-Content #{ps_profile} -Value $malicious
- powershell -command exit
- cleanup_command: |
+ command: |
+ Add-Content #{ps_profile} -Value ""
+ Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
+ powershell -Command exit
+ cleanup_command: |
$oldprofile = cat $profile | Select-Object -skiplast 1
- Set-Content $profile -Value $oldprofile
\ No newline at end of file
+ Set-Content $profile -Value $oldprofile
diff --git a/atomics/T1518/T1518.yaml b/atomics/T1518/T1518.yaml
index 43f3e7b5..f66e0e38 100644
--- a/atomics/T1518/T1518.yaml
+++ b/atomics/T1518/T1518.yaml
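Review bot: The cleanup_command at the end of this hunk no longer undoes what the new command does: the command appends two lines to the profile (the empty `-Value ""` line and the `Start-Process` line) but `Select-Object -skiplast 1` drops only one, so every run leaves a stray blank line behind, and the cleanup reads and writes `$profile` while the command and the new prereq use `#{ps_profile}`, so an overridden profile path receives the persistence line but is never cleaned. I'd change the cleanup to `$oldprofile = Get-Content "#{ps_profile}" | Select-Object -SkipLast 2` and `Set-Content "#{ps_profile}" -Value $oldprofile`. A profile that only exists because get_prereq_command created it is also left on disk (now empty) after cleanup; that deserves a sentence in the dependency description, since the test then persists a file the host did not have before. Quoting the path in the prereq and executor lines (`Test-Path "#{ps_profile}"`, `Add-Content "#{ps_profile}" ...`) would also keep them working for a profile location containing spaces.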
@@ -5,23 +5,25 @@ display_name: Software Discovery
atomic_tests:
- name: Find and Display Internet Explorer Browser Version
description: |
- Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+ Query the registry to determine the version of internet explorer installed on the system.
+ Upon execution, version information about internet explorer will be displayed.
supported_platforms:
- windows
executor:
name: command_prompt
- elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
- command: | # these are the actaul attack commands, at least one command must be provided
+ elevation_required: false
+ command: |
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
- name: Applications Installed
description: |
- Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+ Query the registry to determine software and versions installed on the system. Upon execution a table of
+ software name and version information will be displayed.
supported_platforms:
- windows
executor:
name: powershell
- elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
- command: | # these are the actual attack commands, at least one command must be provided
+ elevation_required: false
+ command: |
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
diff --git a/atomics/T1529/T1529.yaml b/atomics/T1529/T1529.yaml
index a94bb56f..93b403a7 100644
--- a/atomics/T1529/T1529.yaml
+++ b/atomics/T1529/T1529.yaml
@@ -18,8 +18,8 @@ atomic_tests:
executor:
name: command_prompt
- elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
- command: | # these are the actaul attack commands, at least one command must be provided
+ elevation_required: true
+ command: |
shutdown /s /t #{timeout}
- name: Restart System - Windows
@@ -37,8 +37,8 @@ atomic_tests:
executor:
name: command_prompt
- elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
- command: | # these are the actaul attack commands, at least one command must be provided
+ elevation_required: true
+ command: |
shutdown /r /t #{timeout}
- name: Restart System via `shutdown` - macOS/Linux
@@ -80,7 +80,7 @@ atomic_tests:
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
shutdown -h #{timeout}
-
+
- name: Restart System via `reboot` - macOS/Linux
description: |
@@ -107,7 +107,7 @@ atomic_tests:
name: bash
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
- halt -p
+ halt -p
- name: Reboot System via `halt` - Linux
description: |
@@ -120,7 +120,7 @@ atomic_tests:
name: bash
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
- halt --reboot
+ halt --reboot
- name: Shutdown System via `poweroff` - Linux
description: |
@@ -133,7 +133,7 @@ atomic_tests:
name: bash
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
- poweroff
+ poweroff
- name: Reboot System via `poweroff` - Linux
description: |
@@ -146,4 +146,4 @@ atomic_tests:
name: bash
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
- poweroff --reboot
\ No newline at end of file
+ poweroff --reboot
diff --git a/atomics/T1531/T1531.yaml b/atomics/T1531/T1531.yaml
index 437a8253..fa74d471 100644
--- a/atomics/T1531/T1531.yaml
+++ b/atomics/T1531/T1531.yaml
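Review bot: The bash executors in the `halt -p`, `halt --reboot`, `poweroff` and `poweroff --reboot` hunks keep the template boilerplate (`# indicates whether command must be run with admin privileges…` on elevation_required and `# these are the actual attack commands…` on command) that this same commit strips from the Windows executors earlier in T1529.yaml, so the file ends up only half cleaned. Since these hunks already touch the adjacent command lines (trailing-whitespace removal), I'd trim the context here as well to `elevation_required: true` and `command: |`, matching the shutdown /s and shutdown /r hunks. Each hunk shows only the executor of its test; the test's name and description lines precede the hunk outside its range.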
@@ -5,7 +5,8 @@ display_name: Account Access Removal
atomic_tests:
- name: Change User Password - Windows
description: |
- Changes the user password to hinder access attempts. Seen in use by LockerGoga.
+ Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
+ the password "HuHuHUHoHo283283".
supported_platforms:
- windows
@@ -34,16 +35,15 @@ atomic_tests:
executor:
name: command_prompt
- elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
- command: | # these are the actaul attack commands, at least one command must be provided
+ elevation_required: true
+ command: |
net.exe user #{user_account} #{new_password}
cleanup_command: |
net.exe user #{user_account} /delete
- name: Delete User - Windows
description: |
- Deletes a user account to prevent access.
-
+ Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
supported_platforms:
- windows
@@ -67,6 +67,6 @@ atomic_tests:
executor:
name: command_prompt
- elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
- command: | # these are the actaul attack commands, at least one command must be provided
- net.exe user #{user_account} /delete
\ No newline at end of file
+ elevation_required: true
+ command: |
+ net.exe user #{user_account} /delete
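Review bot: The new description in the first hunk hard-codes the account "AtomicAdministrator" and the password "HuHuHUHoHo283283", but the executor in the second hunk reads them from `#{user_account}` and `#{new_password}`, so the text becomes wrong as soon as either argument is overridden; the same applies to "AtomicUser" in the Delete User description. I'd word both in terms of the arguments rather than their defaults, e.g. `Upon execution, log into the #{user_account} account with the #{new_password} password.` and `Upon execution, run "net user" to verify that the #{user_account} account no longer exists.` The description is also the right place for the caveat the hunk leaves implicit: the visible cleanup_command of the password test is `net.exe user #{user_account} /delete`, so pointing user_account at a pre-existing account changes its password and then deletes it on cleanup (presumably a dependency outside this hunk creates the default account first). The input_arguments block holding those defaults lies outside the shown hunks.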