From 5cc2b5a88dbd8ddb47609f4acbb8ebdbfc15be4d Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 7 Jan 2021 16:43:14 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 17 ++++++++++
 atomics/T1047/T1047.md | 32 +++++++++++++++++++
 6 files changed, 53 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 734f83b2..41599715 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -729,6 +729,7 @@ execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
 execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
 execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
+execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index c8f13317..0027bea2 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -546,6 +546,7 @@ execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
 execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
 execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
+execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index a595ee04..0873dfef 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1343,6 +1343,7 @@
 - Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
 - Atomic Test #5: WMI Execute Local Process [windows]
 - Atomic Test #6: WMI Execute Remote Process [windows]
+ - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]

 # lateral-movement
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 715edd28..a3481b43 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1007,6 +1007,7 @@
 - Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
 - Atomic Test #5: WMI Execute Local Process [windows]
 - Atomic Test #6: WMI Execute Remote Process [windows]
+ - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]

 # exfiltration
 - [T1020 Automated Exfiltration](../../T1020/T1020.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b338dc3a..1496a8c8 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -55193,6 +55193,23 @@ execution: cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name=''#{process_to_execute}'' delete >nul 2>&1 +' + name: command_prompt + - name: Create a Process using WMI Query and an Encoded Command + auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c + description: | + Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand + Powershell -nop -exec bypass -EncodedCommand + Where the –EncodedCommand, once decoded, would resemble: + Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION + The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe + You should expect to see notepad.exe running after execution of this test. + [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) + supported_platforms: + - windows + executor: + command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA + ' name: command_prompt lateral-movement: diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index 7f800193..e5fdd283 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -18,6 +18,8 @@ An adversary can use WMI to interact with local and remote systems and use it as - [Atomic Test #6 - WMI Execute Remote Process](#atomic-test-6---wmi-execute-remote-process) +- [Atomic Test #7 - Create a Process using WMI Query and an Encoded Command](#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command) +
@@ -199,4 +201,34 @@ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name +
+
+ +## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command +Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand + Powershell -nop -exec bypass -EncodedCommand +Where the –EncodedCommand, once decoded, would resemble: + Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION +The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe +You should expect to see notepad.exe running after execution of this test. +[Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA +``` + + + + + +