security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-07-25 20:54:13 +00:00
parent e935cc7fe5
commit 5ec9b7c317
6 changed files with 85 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -642,6 +642,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
execution,T1569.002,Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1053.002,At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
642 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
643 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
644 execution T1569.002 Service Execution 3 psexec.py (Impacket) edbcd8c9-3639-4844-afad-455c91e95a35 bash
645 execution T1569.002 Service Execution 4 BlackCat pre-encryption cmds with Lateral Movement 31eb7828-97d7-4067-9c1e-c6feb85edc4b powershell
646 execution T1053.002 At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
647 execution T1053.002 At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
648 persistence T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -474,6 +474,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
474 execution T1059.005 Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
475 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
476 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
477 execution T1569.002 Service Execution 4 BlackCat pre-encryption cmds with Lateral Movement 31eb7828-97d7-4067-9c1e-c6feb85edc4b powershell
478 execution T1053.002 At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
479 persistence T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
480 persistence T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -1041,6 +1041,7 @@
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #3: psexec.py (Impacket) [linux]
- Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- [T1053.002 At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -766,6 +766,7 @@
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- [T1053.002 At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/index.yaml
+31 -4
View File
@@ -46030,10 +46030,12 @@ execution:
atomic_tests:
- name: Execute a Command as a Service
auto_generated_guid: 2382dee2-a75f-49aa-9378-f52df6ed3fb1
description: |
Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`
description: "Creates a service specifying an arbitrary command and executes
it. When executing commands such as PowerShell, the service will report that
it did not start correctly even when code executes properly.\n\nUpon successful
execution, cmd.exe creates a new service using sc.exe that will start powershell.exe
to create a new file `art-marker.txt`\n\n[BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)
\ \n[Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware)\n"
supported_platforms:
- windows
input_arguments:
@@ -46148,6 +46150,31 @@ execution:
'
name: bash
- name: BlackCat pre-encryption cmds with Lateral Movement
auto_generated_guid: 31eb7828-97d7-4067-9c1e-c6feb85edc4b
description: This atomic attempts to emulate the unique behavior of BlackCat
ransomware prior to encryption and during Lateral Movement attempts via PsExec
on Windows. Uses bundled PsExec like BlackCat
supported_platforms:
- windows
input_arguments:
targethost:
description: Target hostname to attempt psexec connection to for emulation
of lateral movement.
type: string
default: "$ENV:COMPUTERNAME"
executor:
command: "cmd.exe /c \"wmic \tcsproduct \tget UUID\" \ncmd.exe /c \"fsutil
behavior \tset SymlinkEvaluation R2L:1\" \ncmd.exe /c \"fsutil behavior
set \tSymlinkEvaluation R2R:1\"\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
\ /v MaxMpxCt /d 65535 /t REG_DWORD /f \ncopy $pathtoatomicsfolder\\T1569.002\\bin\\PsExec.exe
$env:temp\ncmd.exe /c \"$env:temp\\psexec.exe -accepteula \\\\#{targethost}
cmd.exe /c echo \"--access-token\"\"\n"
cleanup_command: "reg delete HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
/v MaxMpxCt /f\ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2L:0\"
\ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
name: powershell
elevation_required: true
T1053.002:
technique:
x_mitre_platforms:
atomics/T1569.002/T1569.002.md
+50
View File
@@ -14,6 +14,8 @@ Adversaries may leverage these mechanisms to execute malicious content. This can
- [Atomic Test #3 - psexec.py (Impacket)](#atomic-test-3---psexecpy-impacket)
- [Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement](#atomic-test-4---blackcat-pre-encryption-cmds-with-lateral-movement)
<br/>
@@ -22,6 +24,9 @@ Creates a service specifying an arbitrary command and executes it. When executin
Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`
[BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)
[Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware)
**Supported Platforms:** Windows
@@ -159,4 +164,49 @@ sudo pip3 install impacket
<br/>
<br/>
## Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement
This atomic attempts to emulate the unique behavior of BlackCat ransomware prior to encryption and during Lateral Movement attempts via PsExec on Windows. Uses bundled PsExec like BlackCat
**Supported Platforms:** Windows
**auto_generated_guid:** 31eb7828-97d7-4067-9c1e-c6feb85edc4b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| targethost | Target hostname to attempt psexec connection to for emulation of lateral movement. | string | $ENV:COMPUTERNAME|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
cmd.exe /c "wmic csproduct get UUID"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:1"
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
copy $pathtoatomicsfolder\T1569.002\bin\PsExec.exe $env:temp
cmd.exe /c "$env:temp\psexec.exe -accepteula \\#{targethost} cmd.exe /c echo "--access-token""
```
#### Cleanup Commands:
```powershell
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /f
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:0"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:0"
rm $env:temp\psexec.exe
```
<br/>