Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-02-12 20:02:51 +00:00
parent 8ef1fbdcf9
commit 40da3cb699
10 changed files with 158 additions and 7 deletions
@@ -537,6 +537,7 @@ defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -363,6 +363,7 @@ defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe r
 defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
+defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -850,7 +850,8 @@
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
+  - Atomic Test #1: Register Portable Virtualbox [windows]
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
  - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -602,7 +602,8 @@
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
  - Atomic Test #1: DCShadow (Active Directory) [windows]
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
+  - Atomic Test #1: Register Portable Virtualbox [windows]
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
  - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -121,7 +121,7 @@
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
-|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -90,7 +90,7 @@
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -36204,7 +36204,65 @@ defense-evasion:
      - Linux
      - macOS
      - Windows
-    atomic_tests: []
+      identifier: T1564.006
+    atomic_tests:
+    - name: Register Portable Virtualbox
+      auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
+      description: "ransomware payloads via virtual machines (VM). \n[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_file_path:
+          description: Path to the MSI file
+          type: Path
+          default: PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
+        cab_file_path:
+          description: Path to the CAB file
+          type: Path
+          default: PathToAtomicsFolder\T1564.006\bin\common.cab
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'MSI file must exist on disk at specified location (#{msi_file_path})
+
+'
+        prereq_command: 'if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
+      - description: 'CAB file must exist on disk at specified location (#{cab_file_path})
+
+'
+        prereq_command: 'if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: "New-Item -Type Directory (split-path #{cab_file_path})
+          -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\"
+          -OutFile \"#{cab_file_path}\" \n"
+      - description: 'Old version of Virtualbox must be installed
+
+'
+        prereq_command: 'if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll")
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'msiexec /i #{msi_file_path} /qn
+
+'
+      executor:
+        command: |
+          "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
+          regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+          rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
+          sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
+          sc start VBoxDRV
+        cleanup_command: |
+          sc stop VBoxDRV
+          sc delete VBoxDRV
+          regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+          msiexec /x #{msi_file_path} /qn
+        name: command_prompt
  T1218.011:
    technique:
      id: attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
@@ -0,0 +1,89 @@
+# T1564.006 - Run Virtual Instance
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/006)
+<blockquote>Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
+
+Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Register Portable Virtualbox](#atomic-test-1---register-portable-virtualbox)
+
+
+<br/>
+
+## Atomic Test #1 - Register Portable Virtualbox
+ransomware payloads via virtual machines (VM). 
+[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c59f246a-34f8-4e4d-9276-c295ef9ba0dd
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_file_path | Path to the MSI file | Path | PathToAtomicsFolder&#92;T1564.006&#92;bin&#92;Virtualbox_52.msi|
+| cab_file_path | Path to the CAB file | Path | PathToAtomicsFolder&#92;T1564.006&#92;bin&#92;common.cab|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
+regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
+sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
+sc start VBoxDRV
+```
+
+#### Cleanup Commands:
+```cmd
+sc stop VBoxDRV
+sc delete VBoxDRV
+regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+msiexec /x #{msi_file_path} /qn
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: MSI file must exist on disk at specified location (#{msi_file_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
+```
+##### Description: CAB file must exist on disk at specified location (#{cab_file_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{cab_file_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}"
+```
+##### Description: Old version of Virtualbox must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+msiexec /i #{msi_file_path} /qn
+```
+
+
+
+
+<br/>