From 38b2b2f2d34264fe7bb3a923addd1f1cddfc5bb2 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 30 Aug 2021 19:52:44 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 34 ++++++++++++
 atomics/T1553.005/T1553.005.md | 54 +++++++++++++++++++
 6 files changed, 92 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 44028ad9..87308655 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -406,6 +406,7 @@ defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 001c9054..2b3b08c0 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -252,6 +252,7 @@ defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 0ab7a8b7..aa51a5a9 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -675,6 +675,7 @@ - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) - Atomic Test #1: Mount ISO image [windows] - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows] + - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 26e561fb..6d89884e 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -459,6 +459,7 @@ - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) - Atomic Test #1: Mount ISO image [windows] - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows] + - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 37676f1b..e934a554 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -29002,6 +29002,40 @@ defense-evasion: Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null Stop-process -name "hello" -Force -ErrorAction ignore name: powershell + - name: Remove the Zone.Identifier alternate data stream + auto_generated_guid: 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 + description: | + Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet. + Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view. + supported_platforms: + - windows + input_arguments: + file_to_download: + description: File that will be downloaded to test against. + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md + file_path: + description: File to have the Zone.Identifier removed. + type: String + default: "$env:tmp\\ReadMe.md" + dependency_executor_name: powershell + dependencies: + - description: A test file with the Zone.Identifier attribute must be present. + prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 } + +' + get_prereq_command: | + Invoke-WebRequest #{file_to_download} -OutFile #{file_path} + Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3' + executor: + command: 'Unblock-File -Path #{file_path} + +' + cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value + ''[ZoneTransfer]'',''ZoneId=3'' + +' + name: powershell T1036.004: technique: external_references: diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index 805a501a..402a42ae 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md 
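Review bot: The check-prereq command of the new "Remove the Zone.Identifier alternate data stream" entry, `prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }'`, only verifies that the file exists, while the dependency description says a file *with the Zone.Identifier attribute* must be present; a leftover `$env:tmp\ReadMe.md` that has already been unblocked passes the check, the get-prereq step is skipped, and `Unblock-File` then runs against a file that has no stream to remove, so the test silently proves nothing. Checking the stream itself matches the stated dependency: `if (Get-Item -Path #{file_path} -Stream Zone.Identifier -ErrorAction SilentlyContinue) { EXIT 0 } else { EXIT 1 }`. Since index.yaml is produced by the doc-generator job named in the subject line, the correction presumably belongs in the technique's source yaml, which is not part of this patch; the same prereq text is repeated in the rendered T1553.005.md section later in the diff.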
@@ -10,6 +10,8 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a
 - [Atomic Test #2 - Mount an ISO image and run executable from the ISO](#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso)
+- [Atomic Test #3 - Remove the Zone.Identifier alternate data stream](#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream)
+
@@ -115,4 +117,56 @@ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/
+
+
+
+## Atomic Test #3 - Remove the Zone.Identifier alternate data stream
+Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
+Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_download | File that will be downloaded to test against. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md|
+| file_path | File to have the Zone.Identifier removed. | String | $env:tmp\ReadMe.md|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Unblock-File -Path #{file_path}
+```
+
+#### Cleanup Commands:
+```powershell
+Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: A test file with the Zone.Identifier attribute must be present.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
+Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+```
+
+
+
+