From b9b3b42742741a580d78d5452a67ce4ff4312703 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 2 Jul 2020 17:17:02 -0600
Subject: [PATCH 1/4] typo fix
---
 atomics/T1574.010/T1574.010.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/atomics/T1574.010/T1574.010.yaml b/atomics/T1574.010/T1574.010.yaml
index 4e5c43a2..369ef9e0 100644
--- a/atomics/T1574.010/T1574.010.yaml
+++ b/atomics/T1574.010/T1574.010.yaml
@@ -8,8 +8,8 @@ atomic_tests:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
- the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
 input_arguments:
@@ -20,7 +20,7 @@ atomic_tests:
 weak_permission_file:
 description: check weak files permission
 type: path
- default: $env:TEMP\ T1574.010_weak_permission_file.txt
+ default: $env:TEMP\T1574.010_weak_permission_file.txt
 dependency_executor_name: powershell
 dependencies:
 - description: |
@@ -45,4 +45,4 @@ atomic_tests:
 cleanup_command: |
 Remove-Item #{weak_permission_file} -Force -ErrorAction Ignore
 Remove-Item -Recurse (Split-Path #{malicious_file}) -Force -ErrorAction Ignore
- name: powershell
\ No newline at end of file
+ name: powershell
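Review bot: The corrected description still tells the reader to open `%temp%\T1574.010_weak_permission_file.exe`, but the file this test creates and the `weak_permission_file` default in the second hunk is the `.txt` path, so the verification step points at a file that never exists. Suggest `the weak file permissions, open File Explorer to %temp%\T1574.010_weak_permission_file.txt then open Properties and Security to view the Full Control permission is enabled.`, which also restores the missing space after `to`; `it's contents` on the previous line should read `its contents`. The same `.exe` text survives patch 3's edit of this description and is copied into index.yaml and the .md by the generated-docs commits.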
From 06ea87f94fece51232b2b1bd3cdb9f918c585557 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 2 Jul 2020 23:17:39 +0000
Subject: [PATCH 2/4] Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-3
---
 atomics/Indexes/index.yaml | 18 +++++++++---------
 atomics/T1574.010/T1574.010.md | 6 +++---
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b5837c12..5e3d65fa 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -6269,8 +6269,8 @@ privilege-escalation:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
- the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
 input_arguments:
@@ -6281,7 +6281,7 @@ privilege-escalation:
 weak_permission_file:
 description: check weak files permission
 type: path
- default: "$env:TEMP\\ T1574.010_weak_permission_file.txt"
+ default: "$env:TEMP\\T1574.010_weak_permission_file.txt"
 dependency_executor_name: powershell
 dependencies:
 - description: A file must exist on disk at specified location (#{weak_permission_file})
@@ -14327,8 +14327,8 @@ persistence:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
- the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
 input_arguments:
@@ -14339,7 +14339,7 @@ persistence:
 weak_permission_file:
 description: check weak files permission
 type: path
- default: "$env:TEMP\\ T1574.010_weak_permission_file.txt"
+ default: "$env:TEMP\\T1574.010_weak_permission_file.txt"
 dependency_executor_name: powershell
 dependencies:
 - description: A file must exist on disk at specified location (#{weak_permission_file})
@@ -30291,8 +30291,8 @@ defense-evasion:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
- the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
 input_arguments:
@@ -30303,7 +30303,7 @@ defense-evasion:
 weak_permission_file:
 description: check weak files permission
 type: path
- default: "$env:TEMP\\ T1574.010_weak_permission_file.txt"
+ default: "$env:TEMP\\T1574.010_weak_permission_file.txt"
 dependency_executor_name: powershell
 dependencies:
 - description: A file must exist on disk at specified location (#{weak_permission_file})
diff --git a/atomics/T1574.010/T1574.010.md b/atomics/T1574.010/T1574.010.md
index c30331e1..be813ba4 100644
--- a/atomics/T1574.010/T1574.010.md
+++ b/atomics/T1574.010/T1574.010.md
@@ -16,8 +16,8 @@ This test to show checking file system permissions weakness and which can lead t
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
-Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
-the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
+Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 **Supported Platforms:** Windows
@@ -28,7 +28,7 @@ the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permissio
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | malicious_file | File to replace weak permission file with | path | $env:TEMP\ T1574.010\ T1574.010_malicious_file.txt|
-| weak_permission_file | check weak files permission | path | $env:TEMP\ T1574.010_weak_permission_file.txt|
+| weak_permission_file | check weak files permission | path | $env:TEMP\T1574.010_weak_permission_file.txt|
 #### Attack Commands: Run with `powershell`!
From 0450aa2edd9f5c8c2f23a0820d22d7279bbba121 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 2 Jul 2020 17:19:33 -0600
Subject: [PATCH 3/4] typo fix
---
 atomics/T1574.010/T1574.010.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomics/T1574.010/T1574.010.yaml b/atomics/T1574.010/T1574.010.yaml
index 369ef9e0..6c701cfb 100644
--- a/atomics/T1574.010/T1574.010.yaml
+++ b/atomics/T1574.010/T1574.010.yaml
@@ -8,7 +8,7 @@ atomic_tests:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
 the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
@@ -16,7 +16,7 @@ atomic_tests:
 malicious_file:
 description: File to replace weak permission file with
 type: path
- default: $env:TEMP\ T1574.010\ T1574.010_malicious_file.txt
+ default: $env:TEMP\T1574.010\T1574.010_malicious_file.txt
 weak_permission_file:
 description: check weak files permission
 type: path
@@ -35,7 +35,7 @@ atomic_tests:
 prereq_command: |
 if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
 get_prereq_command: |
- New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
+ New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
 New-Item #{malicious_file} -Force | Out-Null
 Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
 executor:
From ea304302e33776d74f35335f1e468352bdfca91a Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 2 Jul 2020 23:20:18 +0000
Subject: [PATCH 4/4] Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-3
---
 atomics/Indexes/index.yaml | 18 +++++++++---------
 atomics/T1574.010/T1574.010.md | 6 +++---
 2 files changed, 12 insertions(+), 12 deletions(-)
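Review bot: In patch 3's first hunk (`@@ -8,7`) the description now quotes the file contents as `"T1574.010 Malicious file"`, but `Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"` in the same patch's third hunk (`get_prereq_command`, unchanged context) still writes a leading space, so the text a reader is told to verify no longer matches what the prerequisite writes. Either change that line to `Set-Content -Path #{malicious_file} -Value "T1574.010 Malicious file"` or keep the space in the description. The generated index.yaml and .md in patch 4 inherit the same mismatch.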
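Review bot: In patch 3's second hunk (`@@ -16,7`) the new `malicious_file` default depends on an undocumented safety property: the test's cleanup removes the parent directory of that path recursively (`Remove-Item -Recurse (Split-Path #{malicious_file}) -Force`, visible as unchanged context in patch 1's last hunk), so the dedicated `$env:TEMP\T1574.010\` folder is the only thing keeping cleanup from deleting a shared directory. An operator who overrides `malicious_file` with a file directly under `$env:TEMP` or another existing folder would have that whole folder removed. Worth stating on the input, e.g. `description: File to replace weak permission file with (its parent directory is deleted during cleanup; keep it in a dedicated folder)`, or narrowing the cleanup to the `T1574.010` directory the prerequisite creates.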
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 5e3d65fa..c4961198 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -6269,7 +6269,7 @@ privilege-escalation:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
 the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
@@ -6277,7 +6277,7 @@ privilege-escalation:
 malicious_file:
 description: File to replace weak permission file with
 type: path
- default: "$env:TEMP\\ T1574.010\\ T1574.010_malicious_file.txt"
+ default: "$env:TEMP\\T1574.010\\T1574.010_malicious_file.txt"
 weak_permission_file:
 description: check weak files permission
 type: path
@@ -6294,7 +6294,7 @@ privilege-escalation:
 this would be the malicious file gaining extra privileges
 prereq_command: 'if (Test-Path #{malicious_file}) {exit 0} else {exit 1}'
 get_prereq_command: |-
- New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
+ New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
 New-Item #{malicious_file} -Force | Out-Null
 Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
 executor:
@@ -14327,7 +14327,7 @@ persistence:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
 the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
@@ -14335,7 +14335,7 @@ persistence:
 malicious_file:
 description: File to replace weak permission file with
 type: path
- default: "$env:TEMP\\ T1574.010\\ T1574.010_malicious_file.txt"
+ default: "$env:TEMP\\T1574.010\\T1574.010_malicious_file.txt"
 weak_permission_file:
 description: check weak files permission
 type: path
@@ -14352,7 +14352,7 @@ persistence:
 this would be the malicious file gaining extra privileges
 prereq_command: 'if (Test-Path #{malicious_file}) {exit 0} else {exit 1}'
 get_prereq_command: |-
- New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
+ New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
 New-Item #{malicious_file} -Force | Out-Null
 Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
 executor:
@@ -30291,7 +30291,7 @@ defense-evasion:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
 the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
@@ -30299,7 +30299,7 @@ defense-evasion:
 malicious_file:
 description: File to replace weak permission file with
 type: path
- default: "$env:TEMP\\ T1574.010\\ T1574.010_malicious_file.txt"
+ default: "$env:TEMP\\T1574.010\\T1574.010_malicious_file.txt"
 weak_permission_file:
 description: check weak files permission
 type: path
@@ -30316,7 +30316,7 @@ defense-evasion:
 this would be the malicious file gaining extra privileges
 prereq_command: 'if (Test-Path #{malicious_file}) {exit 0} else {exit 1}'
 get_prereq_command: |-
- New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
+ New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
 New-Item #{malicious_file} -Force | Out-Null
 Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
 executor:
diff --git a/atomics/T1574.010/T1574.010.md b/atomics/T1574.010/T1574.010.md
index be813ba4..918215a2 100644
--- a/atomics/T1574.010/T1574.010.md
+++ b/atomics/T1574.010/T1574.010.md
@@ -16,7 +16,7 @@ This test to show checking file system permissions weakness and which can lead t
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
-Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
 the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 **Supported Platforms:** Windows
@@ -27,7 +27,7 @@ the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| malicious_file | File to replace weak permission file with | path | $env:TEMP\ T1574.010\ T1574.010_malicious_file.txt|
+| malicious_file | File to replace weak permission file with | path | $env:TEMP\T1574.010\T1574.010_malicious_file.txt|
 | weak_permission_file | check weak files permission | path | $env:TEMP\T1574.010_weak_permission_file.txt|
@@ -65,7 +65,7 @@ if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
+New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
 New-Item #{malicious_file} -Force | Out-Null
 Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
 ```