From 1427393485a5a4f98fbbf8b2ef2f610b703f211d Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 17 Aug 2020 16:10:14 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 59 ++++++++++++++
 atomics/T1098/T1098.md | 79 +++++++++++++++++++
 atomics/T1098/T1098.yaml | 1 +
 atomics/used_guids.txt | 1 +
 8 files changed, 144 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 76477b2f..cdc465b8 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -82,6 +82,7 @@ persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,9
 persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
+persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index e6b9267c..c21a6702 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -193,6 +193,7 @@ defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1
 defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
+persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index addbc85e..7c83286b 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -176,6 +176,7 @@
 - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
 - Atomic Test #1: Admin Account Manipulate [windows]
+ - Atomic Test #2: Domain Account and Group Manipulate [windows]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 9b2fe722..a81fc672 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -374,6 +374,7 @@
 - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
 - Atomic Test #1: Admin Account Manipulate [windows]
+ - Atomic Test #2: Domain Account and Group Manipulate [windows]
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index f910c7a2..1b7c1f46 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -8461,6 +8461,65 @@ persistence:
 }
 name: powershell
 elevation_required: true
+ - name: Domain Account and Group Manipulate
+ auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
+ description: "Create a random atr-nnnnnnnn account and add it to a domain group
+ (by default, Domain Admins). \n\nThe quickest way to run it is against a domain
+ controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,\nyou need
+ to install PS Module ActiveDirectory (in prereqs) and run the script with
+ appropriare AD privileges to \ncreate the user and alter the group. Automatic
+ installation of the dependency requires an elevated session, \nand is unlikely
+ to work with Powershell Core (untested).\n\nIf you consider running this test
+ against a production Active Directory, the good practise is to create a dedicated\nservice
+ account whose delegation is given onto a dedicated OU for user creation and
+ deletion, as well as delegated\nas group manager of the target group.\n\nExample:
+ `Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and
+ Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ account_prefix:
+ description: |
+ Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+ a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
+ type: String
+ default: atr-
+ group:
+ description: Name of the group to alter
+ type: String
+ default: Domain Admins
+ create_args:
+ description: Additional string appended to New-ADUser call
+ type: String
+ default: ''
+ dependencies:
+ - description: 'PS Module ActiveDirectory
+
+'
+ prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop
+ | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n"
+ get_prereq_command: |
+ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+ } else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+ }
+ executor:
+ command: |
+ $x = Get-Random -Minimum 2 -Maximum 99
+ $y = Get-Random -Minimum 2 -Maximum 99
+ $z = Get-Random -Minimum 2 -Maximum 99
+ $w = Get-Random -Minimum 2 -Maximum 99
+
+ Import-Module ActiveDirectory
+ $account = "#{account_prefix}-$x$y$z"
+ New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+ Add-ADGroupMember "#{group}" $account
+ cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))"
+ | Remove-ADUser -Confirm:$False
+
+'
+ name: powershell
 T1098.003:
 technique:
 external_references:
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md
index 10ff8ce7..0fc6af21 100644
--- a/atomics/T1098/T1098.md
+++ b/atomics/T1098/T1098.md
@@ -6,6 +6,8 @@
 - [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate)
+- [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate)
+
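Review bot: The executor's `$account = "#{account_prefix}-$x$y$z"` inserts a second hyphen after the default prefix `atr-`, so the created account is named `atr--xxyyzz` rather than the `atr-nnnnnnnn` form the description and the `account_prefix` help text promise, and `$w` is generated but never used. The cleanup filter `(samaccountname=#{account_prefix}-*)` carries the same extra hyphen, so deletion still matches, but the documented and actual naming disagree, which matters for anyone writing a detection or an allow-list around this test account. Either drop the literal `-` from both the template, `$account = "#{account_prefix}$x$y$z"`, and the filter, `(&(samaccountname=#{account_prefix}*)(givenName=Test))`, or document that a hyphen is always appended; the unused `$w` line can go either way. This index appears to be generated from atomics/T1098/T1098.yaml, so the fix belongs in that file; the same text recurs in the T1098.md hunk below.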
@@ -45,4 +47,81 @@ foreach($member in $fmm) {
+
+
+
+## Atomic Test #2 - Domain Account and Group Manipulate
+Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins).
+
+The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
+you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to
+create the user and alter the group. Automatic installation of the dependency requires an elevated session,
+and is unlikely to work with Powershell Core (untested).
+
+If you consider running this test against a production Active Directory, the good practise is to create a dedicated
+service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated
+as group manager of the target group.
+
+Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-|
+| group | Name of the group to alter | String | Domain Admins|
+| create_args | Additional string appended to New-ADUser call | String | |
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$x = Get-Random -Minimum 2 -Maximum 99
+$y = Get-Random -Minimum 2 -Maximum 99
+$z = Get-Random -Minimum 2 -Maximum 99
+$w = Get-Random -Minimum 2 -Maximum 99
+
+Import-Module ActiveDirectory
+$account = "#{account_prefix}-$x$y$z"
+New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+Add-ADGroupMember "#{group}" $account
+```
+
+#### Cleanup Commands:
+```powershell
+Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: PS Module ActiveDirectory
+##### Check Prereq Commands:
+```powershell
+Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+}
+Catch {
+ exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+} else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+}
+```
+
+
+
+
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml
index 75aa110d..73a14391 100644
--- a/atomics/T1098/T1098.yaml
+++ b/atomics/T1098/T1098.yaml
@@ -29,6 +29,7 @@ atomic_tests:
 elevation_required: true
 - name: Domain Account and Group Manipulate
+ auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
 description: |
 Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins).
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 1b91ea58..a25259c9 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -565,3 +565,4 @@ b5656f67-d67f-4de8-8e62-b5581630f528
 1620de42-160a-4fe5-bbaf-d3fef0181ce9
 db020456-125b-4c8b-a4a7-487df8afb5a2
 804f28fc-68fc-40da-b5a2-e9d0bce5c193
+a55a22e9-a3d3-42ce-bd48-2653adb8f7a9