Generate docs from job=validate_atomics_generate_docs branch=master

2019-02-14 06:10:46 +00:00
parent 02dc3e41ab
commit a1c83527fb
5 changed files with 146 additions and 2 deletions
@@ -18,6 +18,10 @@ Adversaries may also copy files laterally between internal victim systems to sup

 - [Atomic Test #6 - sftp remote file copy (pull)](#atomic-test-6---sftp-remote-file-copy-pull)

+- [Atomic Test #7 - certutil download (urlcache)](#atomic-test-7---certutil-download-urlcache)
+
+- [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)
+

 <br/>

@@ -145,3 +149,45 @@ Utilize sftp to perform a remote file copy (pull)
 sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
 ```
 <br/>
+<br/>
+
+## Atomic Test #7 - certutil download (urlcache)
+Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+
+#### Run it with `command_prompt`!
+```
+cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
+```
+<br/>
+<br/>
+
+## Atomic Test #8 - certutil download (verifyctl)
+Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+
+#### Run it with `powershell`!
+```
+$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
+New-Item -Path $datePath -ItemType Directory
+Set-Location $datePath
+certutil -verifyctl -split -f #{remote_file}
+Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
+```
+<br/>
@@ -50,6 +50,6 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
 #### Run it with `command_prompt`!
 ```
 cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
-cmd.exe /c %temp%tcm.tmp -decode #{executable}
+cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
 ```
 <br/>
@@ -638,6 +638,8 @@
  - Atomic Test #4: scp remote file copy (pull) [linux, macos]
  - Atomic Test #5: sftp remote file copy (push) [linux, macos]
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+  - Atomic Test #7: certutil download (urlcache) [windows]
+  - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -729,6 +731,8 @@
  - Atomic Test #4: scp remote file copy (pull) [linux, macos]
  - Atomic Test #5: sftp remote file copy (push) [linux, macos]
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+  - Atomic Test #7: certutil download (urlcache) [windows]
+  - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -5032,7 +5032,7 @@ defense-evasion:
        name: command_prompt
        command: |
          cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
-          cmd.exe /c %temp%tcm.tmp -decode #{executable}
+          cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
  T1089:
    technique:
      id: attack-pattern--2e0dd10b-676d-4964-acd0-8a404c92b044
@@ -17764,6 +17764,51 @@ lateral-movement:
        command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}

 '
+    - name: certutil download (urlcache)
+      description: 'Use certutil -urlcache argument to download a file from the web.
+        Note - /urlcache also works!
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: Atomic-license.txt
+      executor:
+        name: command_prompt
+        command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
+
+'
+    - name: certutil download (verifyctl)
+      description: 'Use certutil -verifyctl argument to download a file from the web.
+        Note - /verifyctl also works!
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: Atomic-license.txt
+      executor:
+        name: powershell
+        command: |
+          $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
+          New-Item -Path $datePath -ItemType Directory
+          Set-Location $datePath
+          certutil -verifyctl -split -f #{remote_file}
+          Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
  T1077:
    technique:
      id: attack-pattern--ffe742ed-9100-4686-9e00-c331da544787
@@ -19561,6 +19606,51 @@ command-and-control:
        command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}

 '
+    - name: certutil download (urlcache)
+      description: 'Use certutil -urlcache argument to download a file from the web.
+        Note - /urlcache also works!
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: Atomic-license.txt
+      executor:
+        name: command_prompt
+        command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
+
+'
+    - name: certutil download (verifyctl)
+      description: 'Use certutil -verifyctl argument to download a file from the web.
+        Note - /verifyctl also works!
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: Atomic-license.txt
+      executor:
+        name: powershell
+        command: |
+          $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
+          New-Item -Path $datePath -ItemType Directory
+          Set-Location $datePath
+          certutil -verifyctl -split -f #{remote_file}
+          Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
  T1065:
    technique:
      id: attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0
@@ -364,6 +364,8 @@
 - [T1076 Remote Desktop Protocol](./T1076/T1076.md)
  - Atomic Test #1: RDP [windows]
 - [T1105 Remote File Copy](./T1105/T1105.md)
+  - Atomic Test #7: certutil download (urlcache) [windows]
+  - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -505,6 +507,8 @@
 - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1105 Remote File Copy](./T1105/T1105.md)
+  - Atomic Test #7: certutil download (urlcache) [windows]
+  - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)