diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md
index 272ee9ac..a4c22fb7 100644
--- a/atomics/T1012/T1012.md
+++ b/atomics/T1012/T1012.md
@@ -8,6 +8,8 @@ The Registry contains a significant amount of information about the operating sy
 - [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
+- [Atomic Test #2 - Enumerate COM Objects in Registry with Powershell](#atomic-test-2---enumerate-com-objects-in-registry-with-powershell)
+
@@ -60,4 +62,52 @@ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run +
+
+ +## Atomic Test #2 - Enumerate COM Objects in Registry with Powershell +This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. +An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. +See: https://www.mandiant.com/resources/hunting-com-objects + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | File to output list of COM objects to | String | $env:temp\T1592.002Test1.txt| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR +Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt +ForEach($CLSID in Get-Content "$env:temp\clsids.txt") +{try{write-output "$($Position)-$($CLSID)" +write-output "------------"| out-file #{output_file} -append +write-output $($CLSID)| out-file #{output_file} -append +$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID)) +$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append +$position += 1} catch{}} +``` + +#### Cleanup Commands: +```powershell +remove-item #{output_file} -force -erroraction silentlycontinue +remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue +``` + + + + +
diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml index 952e5b28..d2d87354 100644 --- a/atomics/T1012/T1012.yaml +++ b/atomics/T1012/T1012.yaml @@ -36,4 +36,31 @@ atomic_tests: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run name: command_prompt elevation_required: true - +- name: Enumerate COM Objects in Registry with Powershell + auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564 + description: |- + This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. + An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. + See: https://www.mandiant.com/resources/hunting-com-objects + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output list of COM objects to + type: String + default: $env:temp\T1592.002Test1.txt + executor: + command: | + New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR + Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt + ForEach($CLSID in Get-Content "$env:temp\clsids.txt") + {try{write-output "$($Position)-$($CLSID)" + write-output "------------"| out-file #{output_file} -append + write-output $($CLSID)| out-file #{output_file} -append + $handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID)) + $handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append + $position += 1} catch{}} + cleanup_command: | + remove-item #{output_file} -force -erroraction silentlycontinue + remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue + name: powershell diff --git a/atomics/T1592.002/T1592.002.md b/atomics/T1592.002/T1592.002.md deleted file mode 100644 index e7ed825a..00000000 --- a/atomics/T1592.002/T1592.002.md +++ /dev/null 
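Review bot: The `output_file` default of the new T1012 test still reads `$env:temp\T1592.002Test1.txt`, the technique it was moved away from, so the artifact the test leaves on disk is labelled with the wrong technique; `default: $env:temp\T1012Test2.txt` would keep the file name aligned with where the test now lives. In the executor command, `$Position` is read in the first `write-output "$($Position)-$($CLSID)"` before it is ever assigned, and that line is the only one in the loop not redirected to `#{output_file}`, so the counter goes to the console while the file only receives the separator, CLSID and member list; adding `$position = 0` before the `ForEach` and appending `| out-file #{output_file} -append` to that line makes the output file self-contained. The bare `catch{}` around `[activator]::CreateInstance` swallows every instantiation error, which hides from anyone validating the test which CLSIDs could not be created; a one-line `catch{ write-output "failed: $($CLSID)" | out-file #{output_file} -append }` would record them without changing the test's intent. The cleanup also leaves the `HKCR` PSDrive mapped after the run, which is worth noting in the description or removing in `cleanup_command`.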
@@ -1,59 +0,0 @@ -# T1592.002 - Software -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/002) -
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). - -Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- -## Atomic Tests - -- [Atomic Test #1 - Enumerate COM Objects with Powershell](#atomic-test-1---enumerate-com-objects-with-powershell) - - -
- -## Atomic Test #1 - Enumerate COM Objects with Powershell -This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. -An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. -See: https://www.mandiant.com/resources/hunting-com-objects - -**Supported Platforms:** Windows - - -**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564 - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| output_file | File to output list of COM objects to | String | $env:temp\T1592.002Test1.txt| - - -#### Attack Commands: Run with `powershell`! - - -```powershell -New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR -Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt -ForEach($CLSID in Get-Content "$env:temp\clsids.txt") -{try{write-output "$($Position)-$($CLSID)" -write-output "------------"| out-file #{output_file} -append -write-output $($CLSID)| out-file #{output_file} -append -$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID)) -$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append -$position += 1} catch{}} -``` - -#### Cleanup Commands: -```powershell -remove-item #{output_file} -force -erroraction silentlycontinue -remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue -``` - - - - - -
diff --git a/atomics/T1592.002/T1592.002.yaml b/atomics/T1592.002/T1592.002.yaml deleted file mode 100644 index a79fec5f..00000000 --- a/atomics/T1592.002/T1592.002.yaml +++ /dev/null @@ -1,31 +0,0 @@ -attack_technique: T1592.002 -display_name: 'Gather Victim Host Information: Software' -atomic_tests: -- name: Enumerate COM Objects with Powershell - auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564 - description: |- - This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. - An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. - See: https://www.mandiant.com/resources/hunting-com-objects - supported_platforms: - - windows - input_arguments: - output_file: - description: File to output list of COM objects to - type: String - default: $env:temp\T1592.002Test1.txt - executor: - command: | - New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR - Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt - ForEach($CLSID in Get-Content "$env:temp\clsids.txt") - {try{write-output "$($Position)-$($CLSID)" - write-output "------------"| out-file #{output_file} -append - write-output $($CLSID)| out-file #{output_file} -append - $handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID)) - $handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append - $position += 1} catch{}} - cleanup_command: | - remove-item #{output_file} -force -erroraction silentlycontinue - remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue - name: powershell