From 4ed14355ed575696397e757c364dd22f929cebd3 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 2 Jul 2020 17:37:28 -0600
Subject: [PATCH 1/4] add -Force to avoid error when redownloading
---
 atomics/T1027/T1027.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
index 6c232bc0..6c63a3a8 100644
--- a/atomics/T1027/T1027.yaml
+++ b/atomics/T1027/T1027.yaml
@@ -94,7 +94,7 @@ atomic_tests:
 if (Test-Path #{exe_payload}) {exit 0} else {exit 1}
 get_prereq_command: |
 Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
- Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\"
+ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\" -Force
 executor:
 command: |
 "#{exe_payload}"
From 157b6288a869503e31f733f20eda6bca52202b48 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 2 Jul 2020 23:37:48 +0000
Subject: [PATCH 2/4] Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-4
---
 atomics/Indexes/index.yaml | 2 +-
 atomics/T1027/T1027.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b5837c12..5ef6b103 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -27391,7 +27391,7 @@ defense-evasion:
 prereq_command: 'if (Test-Path #{exe_payload}) {exit 0} else {exit 1}'
 get_prereq_command: |-
 Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
- Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\"
+ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\" -Force
 executor:
 command: '"#{exe_payload}"
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index b344cad1..038c2f2c 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
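Review bot: With `-Force`, every re-run now silently overwrites whatever is already under `$env:temp\temp_T1027.zip\`, and nothing between the `Invoke-WebRequest` download and the `Expand-Archive` line checks that the fetched archive is the one this test expects, so a changed or substituted download at `#{url_path}` is extracted and then launched by the `"#{exe_payload}"` executor with no signal. Pinning the archive would close that gap: `if ((Get-FileHash "$env:temp\T1027.zip").Hash -ne "<EXPECTED_SHA256 placeholder>") { throw "unexpected T1027.zip hash" }` placed before the `Expand-Archive` line. As a point of style, `-path` should be `-Path` to match `-OutFile` and `-DestinationPath` on the neighbouring lines. The dependency entry this command belongs to starts above the hunk, so its description and prereq context are not visible here.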
@@ -168,7 +168,7 @@ if (Test-Path #{exe_payload}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
-Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\"
+Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\" -Force
 ```
From 3fb8f3acfa817b45776d5271eae3c61ae5ebb268 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Fri, 3 Jul 2020 09:53:36 -0600
Subject: [PATCH 3/4] remove essentially duplicated test
---
 atomics/T1040/T1040.yaml | 21 ---------------------
 1 file changed, 21 deletions(-)
diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml
index 419e537e..aaa93867 100644
--- a/atomics/T1040/T1040.yaml
+++ b/atomics/T1040/T1040.yaml
@@ -75,24 +75,3 @@ atomic_tests:
 c:\windump.exe
 name: command_prompt
 elevation_required: true
-- name: Packet Capture PowerShell
- auto_generated_guid: 2bf62970-013a-4c74-b0a8-64030874e89a
- description: |
- Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
- installed, along with WinPCAP. Windump will require the windump executable.
-
- Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
- supported_platforms:
- - windows
- input_arguments:
- interface:
- description: Specify interface to perform PCAP on.
- type: String
- default: Ethernet0
- executor:
- command: |
- & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
- & c:\windump.exe
- name: powershell
- elevation_required: true
-
From eb69c4972bbf5b282fcafa6e3441ad771da833e4 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 3 Jul 2020 15:53:59 +0000
Subject: [PATCH 4/4] Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-5
---
 atomics/Indexes/Indexes-CSV/index.csv | 2 -
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 -
 atomics/Indexes/Indexes-Markdown/index.md | 2 -
 .../Indexes/Indexes-Markdown/windows-index.md | 2 -
 atomics/Indexes/index.yaml | 40 -------------------
 atomics/T1040/T1040.md | 35 ----------------
 6 files changed, 83 deletions(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index a5209f37..13a93281 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -182,7 +182,6 @@ credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-credential-access,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -466,7 +465,6 @@ discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0
 discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-discovery,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
 discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
 discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index ddd04a85..4d90fd8a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -280,7 +280,6 @@ discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0
 discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
 discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-discovery,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
@@ -412,7 +411,6 @@ credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8
 credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-credential-access,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 45438c98..1f6fe73f 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -397,7 +397,6 @@
 - Atomic Test #1: Packet Capture Linux [linux]
 - Atomic Test #2: Packet Capture macOS [macos]
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
 - Atomic Test #1: Powershell Mimikatz [windows]
 - Atomic Test #2: Gsecdump [windows]
@@ -874,7 +873,6 @@
 - Atomic Test #1: Packet Capture Linux [linux]
 - Atomic Test #2: Packet Capture macOS [macos]
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
 - Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
 - Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index a79c0166..1129b046 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -564,7 +564,6 @@
 - Atomic Test #5: Share Discovery with PowerView [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
 - Atomic Test #5: Examine local password policy - Windows [windows]
 - Atomic Test #6: Examine domain password policy - Windows [windows]
@@ -850,7 +849,6 @@
 - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
 - Atomic Test #1: Powershell Mimikatz [windows]
 - Atomic Test #2: Gsecdump [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b5837c12..0cc06140 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18442,26 +18442,6 @@ credential-access:
 c:\windump.exe
 name: command_prompt
 elevation_required: true
- - name: Packet Capture PowerShell
- auto_generated_guid: 2bf62970-013a-4c74-b0a8-64030874e89a
- description: |
- Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
- installed, along with WinPCAP. Windump will require the windump executable.
-
- Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
- supported_platforms:
- - windows
- input_arguments:
- interface:
- description: Specify interface to perform PCAP on.
- type: String
- default: Ethernet0
- executor:
- command: |
- & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
- & c:\windump.exe
- name: powershell
- elevation_required: true
 T1003:
 technique:
 id: attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22
@@ -36660,26 +36640,6 @@ discovery:
 c:\windump.exe
 name: command_prompt
 elevation_required: true
- - name: Packet Capture PowerShell
- auto_generated_guid: 2bf62970-013a-4c74-b0a8-64030874e89a
- description: |
- Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
- installed, along with WinPCAP. Windump will require the windump executable.
-
- Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
- supported_platforms:
- - windows
- input_arguments:
- interface:
- description: Specify interface to perform PCAP on.
- type: String
- default: Ethernet0
- executor:
- command: |
- & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
- & c:\windump.exe
- name: powershell
- elevation_required: true
 T1201:
 technique:
 id: attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5
diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md
index ad9c9693..28fae95f 100644
--- a/atomics/T1040/T1040.md
+++ b/atomics/T1040/T1040.md
@@ -14,8 +14,6 @@ Network sniffing may also reveal configuration details, such as running services
 - [Atomic Test #3 - Packet Capture Windows Command Prompt](#atomic-test-3---packet-capture-windows-command-prompt)
-- [Atomic Test #4 - Packet Capture PowerShell](#atomic-test-4---packet-capture-powershell)
-
@@ -137,37 +135,4 @@ c:\windump.exe
-
-
-
-## Atomic Test #4 - Packet Capture PowerShell
-Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
-installed, along with WinPCAP. Windump will require the windump executable.
-
-Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | String | Ethernet0|
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-```powershell
-& "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-& c:\windump.exe
-```
-
-
-
-
-