From a888e0e7c971c2ed63c0bd2ad996613ff1dab883 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Wed, 25 May 2022 04:12:17 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/Indexes-CSV/index.csv | 3 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 3 +
 atomics/Indexes/Indexes-Markdown/index.md | 3 +
 .../Indexes/Indexes-Markdown/windows-index.md | 3 +
 atomics/Indexes/index.yaml | 74 ++++++++++++++++
 atomics/T1105/T1105.md | 84 +++++++++++++++++++
 atomics/T1218/T1218.md | 45 ++++++++++
 7 files changed, 215 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 36664a1c..66f1e57f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -681,6 +681,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Executi
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -1208,6 +1209,8 @@ command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cb
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
 command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 5aded5c6..de8fceb1 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -495,6 +495,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Executi
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -784,6 +785,8 @@ command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cb
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
 command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index d794df54..c5ee8aa6 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1014,6 +1014,7 @@
 - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
 - Atomic Test #11: Lolbin Gpscript logon option [windows]
 - Atomic Test #12: Lolbin Gpscript startup option [windows]
+ - Atomic Test #13: Lolbas ie4uinit.exe use as proxy [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
 - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
 - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -1923,6 +1924,8 @@
 - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
 - Atomic Test #21: MAZE Propagation Script [windows]
 - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
+ - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
+ - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
 - Atomic Test #1: Connection Proxy [macos, linux]
 - Atomic Test #2: Connection Proxy for macOS UI [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index f651925e..a50ee73e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -751,6 +751,7 @@
 - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
 - Atomic Test #11: Lolbin Gpscript logon option [windows]
 - Atomic Test #12: Lolbin Gpscript startup option [windows]
+ - Atomic Test #13: Lolbas ie4uinit.exe use as proxy [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
 - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
 - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -1228,6 +1229,8 @@
 - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
 - Atomic Test #21: MAZE Propagation Script [windows]
 - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
+ - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
+ - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
 - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 850dc374..125146df 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -41336,6 +41336,32 @@ defense-evasion: ' name: command_prompt + - name: Lolbas ie4uinit.exe use as proxy + auto_generated_guid: 13c0804e-615e-43ad-b223-2dfbacd0b0b3 + description: | + Executes commands from a specially prepared ie4uinit.inf file. + Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ + Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ + supported_platforms: + - windows + input_arguments: + Path_inf: + description: Path to the cab file + type: Path + default: PathToAtomicsFolder\T1218\src\ieuinit.inf + Path_ie4uinit: + description: Path to ie4uinit.exe + type: Path + default: c:\windows\system32\ie4uinit.exe + executor: + command: | + copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe + copy #{Path_inf} %TEMP%\ieuinit.inf + %TEMP%\ie4uinit.exe -BaseSettings + cleanup_command: | + del %TEMP%\ie4uinit.exe >nul 2>&1 + del %TEMP%\ieuinit.inf >nul 2>&1 + name: command_prompt T1216: technique: object_marking_refs: 
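Review bot: In the new ie4uinit entry the `Path_inf` input is described as `Path to the cab file` while its default is `PathToAtomicsFolder\T1218\src\ieuinit.inf`, so the description looks copied from the replace.exe tests and should read `description: Path to the .inf file`; the same text is emitted into the T1218.md inputs table in the last file of this patch. The test description also names the file `ie4uinit.inf` while the executor and the default both use `ieuinit.inf`; if one of these is a typo, the two should be aligned so a reader knows which file the binary actually consumes. Because these index files are generated, the correction belongs in the T1218 source definition these files are built from, followed by a regeneration, rather than in this patch. The YAML indentation in this hunk appears to have been flattened by the page rendering, so I have not judged the structure itself.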
@@ -76771,6 +76797,54 @@ command-and-control: \ -f %TEMP%\\PrintBrm.zip -O FORCE\n" cleanup_command: 'del %TEMP%\PrintBrm.zip >nul 2>&1 + ' + name: command_prompt + - name: Lolbas replace.exe use to copy file + auto_generated_guid: 54782d65-12f0-47a5-b4c1-b70ee23de6df + description: | + Copy file.cab to destination + Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ + supported_platforms: + - windows + input_arguments: + replace_cab: + description: Path to the cab file + type: Path + default: PathToAtomicsFolder\T1105\src\redcanary.cab + Path_replace: + description: Path to replace.exe + type: Path + default: C:\Windows\System32\replace.exe + executor: + command: | + del %TEMP%\redcanary.cab >nul 2>&1 + #{Path_replace} #{replace_cab} %TEMP% /A + cleanup_command: 'del %TEMP%\redcanary.cab >nul 2>&1 + + ' + name: command_prompt + - name: Lolbas replace.exe use to copy UNC file + auto_generated_guid: ed0335ac-0354-400c-8148-f6151d20035a + description: | + Copy UNC file to destination + Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ + supported_platforms: + - windows + input_arguments: + replace_cab: + description: UNC Path to the cab file + type: Path + default: "\\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\redcanary.cab" + Path_replace: + description: Path to replace.exe + type: Path + default: C:\Windows\System32\replace.exe + executor: + command: | + del %TEMP%\redcanary.cab >nul 2>&1 + #{Path_replace} #{replace_cab} %TEMP% /A + cleanup_command: 'del %TEMP%\redcanary.cab >nul 2>&1 + ' name: command_prompt T1090.001: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 42f976f8..3b803c1d 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md 
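Review bot: The new UNC test's `replace_cab` default, `\\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab`, hard-codes the atomics location instead of deriving it from `PathToAtomicsFolder` as the sibling test does, and it goes through the `c$` administrative share over loopback; reaching that share generally requires an elevated context, so the test will presumably fail with a misleading file-not-found or access-denied if the atomics live elsewhere or the runner is not elevated. Neither prerequisite is stated in the description, which is just `Copy UNC file to destination`; I would add a line such as `Requires an elevated prompt and the atomics folder at C:\AtomicRedTeam\atomics (or override replace_cab)`. The same default and description are repeated in the T1105.md section later in this patch, so the fix belongs in the source definition that both are generated from.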
@@ -48,6 +48,10 @@ - [Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file](#atomic-test-22---printer-migration-command-line-tool-unc-share-folder-into-a-zip-file) +- [Atomic Test #23 - Lolbas replace.exe use to copy file](#atomic-test-23---lolbas-replaceexe-use-to-copy-file) + +- [Atomic Test #24 - Lolbas replace.exe use to copy UNC file](#atomic-test-24---lolbas-replaceexe-use-to-copy-unc-file) +
@@ -1004,4 +1008,84 @@ del %TEMP%\PrintBrm.zip >nul 2>&1 +
+
+ +## Atomic Test #23 - Lolbas replace.exe use to copy file +Copy file.cab to destination +Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 54782d65-12f0-47a5-b4c1-b70ee23de6df + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| replace_cab | Path to the cab file | Path | PathToAtomicsFolder\T1105\src\redcanary.cab| +| Path_replace | Path to replace.exe | Path | C:\Windows\System32\replace.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +del %TEMP%\redcanary.cab >nul 2>&1 +#{Path_replace} #{replace_cab} %TEMP% /A +``` + +#### Cleanup Commands: +```cmd +del %TEMP%\redcanary.cab >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #24 - Lolbas replace.exe use to copy UNC file +Copy UNC file to destination +Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** ed0335ac-0354-400c-8148-f6151d20035a + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| replace_cab | UNC Path to the cab file | Path | \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab| +| Path_replace | Path to replace.exe | Path | C:\Windows\System32\replace.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +del %TEMP%\redcanary.cab >nul 2>&1 +#{Path_replace} #{replace_cab} %TEMP% /A +``` + +#### Cleanup Commands: +```cmd +del %TEMP%\redcanary.cab >nul 2>&1 +``` + + + + +
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index db3da414..c7de377d 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -28,6 +28,8 @@ - [Atomic Test #12 - Lolbin Gpscript startup option](#atomic-test-12---lolbin-gpscript-startup-option) +- [Atomic Test #13 - Lolbas ie4uinit.exe use as proxy](#atomic-test-13---lolbas-ie4uinitexe-use-as-proxy) +
@@ -567,4 +569,47 @@ Gpscript /startup +
+
+ +## Atomic Test #13 - Lolbas ie4uinit.exe use as proxy +Executes commands from a specially prepared ie4uinit.inf file. +Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 13c0804e-615e-43ad-b223-2dfbacd0b0b3 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| Path_inf | Path to the cab file | Path | PathToAtomicsFolder\T1218\src\ieuinit.inf| +| Path_ie4uinit | Path to ie4uinit.exe | Path | c:\windows\system32\ie4uinit.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe +copy #{Path_inf} %TEMP%\ieuinit.inf +%TEMP%\ie4uinit.exe -BaseSettings +``` + +#### Cleanup Commands: +```cmd +del %TEMP%\ie4uinit.exe >nul 2>&1 +del %TEMP%\ieuinit.inf >nul 2>&1 +``` + + + + +