Move T1592.002 to T1012 (#2142)
Co-authored-by: Swapnil <swapnil@fourcore.vision> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Swapnil
@@ -8,6 +8,8 @@ The Registry contains a significant amount of information about the operating sy
|
||||
|
||||
- [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
|
||||
|
||||
- [Atomic Test #2 - Enumerate COM Objects in Registry with Powershell](#atomic-test-2---enumerate-com-objects-in-registry-with-powershell)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -60,4 +62,52 @@ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Enumerate COM Objects in Registry with Powershell
|
||||
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
|
||||
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
|
||||
See: https://www.mandiant.com/resources/hunting-com-objects
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | File to output list of COM objects to | String | $env:temp\T1592.002Test1.txt|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
|
||||
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
|
||||
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
|
||||
{try{write-output "$($Position)-$($CLSID)"
|
||||
write-output "------------"| out-file #{output_file} -append
|
||||
write-output $($CLSID)| out-file #{output_file} -append
|
||||
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
|
||||
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
|
||||
$position += 1} catch{}}
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
remove-item #{output_file} -force -erroraction silentlycontinue
|
||||
remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -36,4 +36,31 @@ atomic_tests:
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
|
||||
- name: Enumerate COM Objects in Registry with Powershell
|
||||
auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
|
||||
description: |-
|
||||
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
|
||||
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
|
||||
See: https://www.mandiant.com/resources/hunting-com-objects
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: File to output list of COM objects to
|
||||
type: String
|
||||
default: $env:temp\T1592.002Test1.txt
|
||||
executor:
|
||||
command: |
|
||||
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
|
||||
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
|
||||
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
|
||||
{try{write-output "$($Position)-$($CLSID)"
|
||||
write-output "------------"| out-file #{output_file} -append
|
||||
write-output $($CLSID)| out-file #{output_file} -append
|
||||
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
|
||||
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
|
||||
$position += 1} catch{}}
|
||||
cleanup_command: |
|
||||
remove-item #{output_file} -force -erroraction silentlycontinue
|
||||
remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
|
||||
name: powershell
|
||||
|
||||
@@ -1,59 +0,0 @@
|
||||
# T1592.002 - Software
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/002)
|
||||
<blockquote>Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
|
||||
|
||||
Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Enumerate COM Objects with Powershell](#atomic-test-1---enumerate-com-objects-with-powershell)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Enumerate COM Objects with Powershell
|
||||
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
|
||||
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
|
||||
See: https://www.mandiant.com/resources/hunting-com-objects
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | File to output list of COM objects to | String | $env:temp\T1592.002Test1.txt|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
|
||||
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
|
||||
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
|
||||
{try{write-output "$($Position)-$($CLSID)"
|
||||
write-output "------------"| out-file #{output_file} -append
|
||||
write-output $($CLSID)| out-file #{output_file} -append
|
||||
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
|
||||
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
|
||||
$position += 1} catch{}}
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
remove-item #{output_file} -force -erroraction silentlycontinue
|
||||
remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -1,31 +0,0 @@
|
||||
attack_technique: T1592.002
|
||||
display_name: 'Gather Victim Host Information: Software'
|
||||
atomic_tests:
|
||||
- name: Enumerate COM Objects with Powershell
|
||||
auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
|
||||
description: |-
|
||||
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
|
||||
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
|
||||
See: https://www.mandiant.com/resources/hunting-com-objects
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: File to output list of COM objects to
|
||||
type: String
|
||||
default: $env:temp\T1592.002Test1.txt
|
||||
executor:
|
||||
command: |
|
||||
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
|
||||
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
|
||||
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
|
||||
{try{write-output "$($Position)-$($CLSID)"
|
||||
write-output "------------"| out-file #{output_file} -append
|
||||
write-output $($CLSID)| out-file #{output_file} -append
|
||||
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
|
||||
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
|
||||
$position += 1} catch{}}
|
||||
cleanup_command: |
|
||||
remove-item #{output_file} -force -erroraction silentlycontinue
|
||||
remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
|
||||
name: powershell
|
||||
Reference in New Issue
Block a user