Generated docs from job=generate-docs branch=master [ci skip]

2022-05-25 04:12:17 +00:00
parent a8f00eb241
commit a888e0e7c9
7 changed files with 215 additions and 0 deletions
@@ -681,6 +681,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Executi
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -1208,6 +1209,8 @@ command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cb
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
 command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -495,6 +495,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Executi
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -784,6 +785,8 @@ command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cb
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
 command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
@@ -1014,6 +1014,7 @@
  - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
  - Atomic Test #11: Lolbin Gpscript logon option [windows]
  - Atomic Test #12: Lolbin Gpscript startup option [windows]
+  - Atomic Test #13: Lolbas ie4uinit.exe use as proxy [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
  - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
  - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -1923,6 +1924,8 @@
  - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
  - Atomic Test #21: MAZE Propagation Script [windows]
  - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
+  - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
+  - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
  - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -751,6 +751,7 @@
  - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
  - Atomic Test #11: Lolbin Gpscript logon option [windows]
  - Atomic Test #12: Lolbin Gpscript startup option [windows]
+  - Atomic Test #13: Lolbas ie4uinit.exe use as proxy [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
  - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
  - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -1228,6 +1229,8 @@
  - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
  - Atomic Test #21: MAZE Propagation Script [windows]
  - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
+  - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
+  - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -41336,6 +41336,32 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Lolbas ie4uinit.exe use as proxy
+      auto_generated_guid: 13c0804e-615e-43ad-b223-2dfbacd0b0b3
+      description: |
+        Executes commands from a specially prepared ie4uinit.inf file.
+        Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
+        Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
+      supported_platforms:
+      - windows
+      input_arguments:
+        Path_inf:
+          description: Path to the cab file
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\ieuinit.inf
+        Path_ie4uinit:
+          description: Path to ie4uinit.exe
+          type: Path
+          default: c:\windows\system32\ie4uinit.exe
+      executor:
+        command: |
+          copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe
+          copy #{Path_inf} %TEMP%\ieuinit.inf
+          %TEMP%\ie4uinit.exe -BaseSettings
+        cleanup_command: |
+          del %TEMP%\ie4uinit.exe >nul 2>&1
+          del %TEMP%\ieuinit.inf >nul 2>&1
+        name: command_prompt
  T1216:
    technique:
      object_marking_refs:
@@ -76771,6 +76797,54 @@ command-and-control:
          \ -f %TEMP%\\PrintBrm.zip -O FORCE\n"
        cleanup_command: 'del %TEMP%\PrintBrm.zip >nul 2>&1

+          '
+        name: command_prompt
+    - name: Lolbas replace.exe use to copy file
+      auto_generated_guid: 54782d65-12f0-47a5-b4c1-b70ee23de6df
+      description: |
+        Copy file.cab to destination
+        Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
+      supported_platforms:
+      - windows
+      input_arguments:
+        replace_cab:
+          description: Path to the cab file
+          type: Path
+          default: PathToAtomicsFolder\T1105\src\redcanary.cab
+        Path_replace:
+          description: Path to replace.exe
+          type: Path
+          default: C:\Windows\System32\replace.exe
+      executor:
+        command: |
+          del %TEMP%\redcanary.cab >nul 2>&1
+          #{Path_replace} #{replace_cab} %TEMP% /A
+        cleanup_command: 'del %TEMP%\redcanary.cab >nul 2>&1
+
+          '
+        name: command_prompt
+    - name: Lolbas replace.exe use to copy UNC file
+      auto_generated_guid: ed0335ac-0354-400c-8148-f6151d20035a
+      description: |
+        Copy UNC file to destination
+        Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
+      supported_platforms:
+      - windows
+      input_arguments:
+        replace_cab:
+          description: UNC Path to the cab file
+          type: Path
+          default: "\\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\redcanary.cab"
+        Path_replace:
+          description: Path to replace.exe
+          type: Path
+          default: C:\Windows\System32\replace.exe
+      executor:
+        command: |
+          del %TEMP%\redcanary.cab >nul 2>&1
+          #{Path_replace} #{replace_cab} %TEMP% /A
+        cleanup_command: 'del %TEMP%\redcanary.cab >nul 2>&1
+
          '
        name: command_prompt
  T1090.001:
@@ -48,6 +48,10 @@

 - [Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file](#atomic-test-22---printer-migration-command-line-tool-unc-share-folder-into-a-zip-file)

+- [Atomic Test #23 - Lolbas replace.exe use to copy file](#atomic-test-23---lolbas-replaceexe-use-to-copy-file)
+
+- [Atomic Test #24 - Lolbas replace.exe use to copy UNC file](#atomic-test-24---lolbas-replaceexe-use-to-copy-unc-file)
+

 <br/>

@@ -1004,4 +1008,84 @@ del %TEMP%\PrintBrm.zip >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #23 - Lolbas replace.exe use to copy file
+Copy file.cab to destination
+Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 54782d65-12f0-47a5-b4c1-b70ee23de6df
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| replace_cab | Path to the cab file | Path | PathToAtomicsFolder&#92;T1105&#92;src&#92;redcanary.cab|
+| Path_replace | Path to replace.exe | Path | C:&#92;Windows&#92;System32&#92;replace.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+del %TEMP%\redcanary.cab >nul 2>&1
+#{Path_replace} #{replace_cab} %TEMP% /A
+```
+
+#### Cleanup Commands:
+```cmd
+del %TEMP%\redcanary.cab >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #24 - Lolbas replace.exe use to copy UNC file
+Copy UNC file to destination
+Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ed0335ac-0354-400c-8148-f6151d20035a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| replace_cab | UNC Path to the cab file | Path | &#92;&#92;127.0.0.1&#92;c$&#92;AtomicRedTeam&#92;atomics&#92;T1105&#92;src&#92;redcanary.cab|
+| Path_replace | Path to replace.exe | Path | C:&#92;Windows&#92;System32&#92;replace.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+del %TEMP%\redcanary.cab >nul 2>&1
+#{Path_replace} #{replace_cab} %TEMP% /A
+```
+
+#### Cleanup Commands:
+```cmd
+del %TEMP%\redcanary.cab >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -28,6 +28,8 @@

 - [Atomic Test #12 - Lolbin Gpscript startup option](#atomic-test-12---lolbin-gpscript-startup-option)

+- [Atomic Test #13 - Lolbas ie4uinit.exe use as proxy](#atomic-test-13---lolbas-ie4uinitexe-use-as-proxy)
+

 <br/>

@@ -567,4 +569,47 @@ Gpscript /startup



+<br/>
+<br/>
+
+## Atomic Test #13 - Lolbas ie4uinit.exe use as proxy
+Executes commands from a specially prepared ie4uinit.inf file.
+Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
+Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 13c0804e-615e-43ad-b223-2dfbacd0b0b3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Path_inf | Path to the cab file | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;ieuinit.inf|
+| Path_ie4uinit | Path to ie4uinit.exe | Path | c:&#92;windows&#92;system32&#92;ie4uinit.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe
+copy #{Path_inf} %TEMP%\ieuinit.inf
+%TEMP%\ie4uinit.exe -BaseSettings
+```
+
+#### Cleanup Commands:
+```cmd
+del %TEMP%\ie4uinit.exe >nul 2>&1
+del %TEMP%\ieuinit.inf >nul 2>&1
+```
+
+
+
+
+
 <br/>