Generated docs from job=generate-docs branch=master [ci skip]

2023-08-15 01:05:57 +00:00
parent b472e5f639
commit ca7374abdb
9 changed files with 148 additions and 2 deletions
@@ -65,6 +65,7 @@ defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
+defense-evasion,T1564,Hide Artifacts,5,Command Execution with NirCmd,2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a78362e-b79a-4482-8e24-be397bce4d85,command_prompt
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
@@ -44,6 +44,7 @@ defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
+defense-evasion,T1564,Hide Artifacts,5,Command Execution with NirCmd,2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be,powershell
 defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a78362e-b79a-4482-8e24-be397bce4d85,command_prompt
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
@@ -100,6 +100,7 @@
  - Atomic Test #2: Create a Hidden User Called "$" [windows]
  - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
  - Atomic Test #4: Create and Hide a Service with sc.exe [windows]
+  - Atomic Test #5: Command Execution with NirCmd [windows]
 - [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
  - Atomic Test #1: Add Federation to Azure AD [azure-ad]
 - T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -71,6 +71,7 @@
  - Atomic Test #2: Create a Hidden User Called "$" [windows]
  - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
  - Atomic Test #4: Create and Hide a Service with sc.exe [windows]
+  - Atomic Test #5: Command Execution with NirCmd [windows]
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.009 Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md)
  - Atomic Test #1: Safe Mode Boot [windows]
@@ -3981,6 +3981,49 @@ defense-evasion:
          sc.exe delete #{service_name}
        name: command_prompt
        elevation_required: true
+    - name: Command Execution with NirCmd
+      auto_generated_guid: 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be
+      description: |
+        NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
+        See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
+      supported_platforms:
+      - windows
+      input_arguments:
+        nircmd_location:
+          description: Location of nircmd executable
+          type: Path
+          default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe
+        command_to_execute:
+          description: Command for nircmd to execute
+          type: Path
+          default: win child class "Shell_TrayWnd" hide class "TrayClockWClass"
+        cleanup_command_to_execute:
+          description: Cleanup command to undo the arbitrary command ran by nircmd
+          type: Path
+          default: win child class "Shell_TrayWnd" show class "TrayClockWClass"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Nircmd executable must exist at (#{nircmd_location})
+
+          '
+        prereq_command: 'if (Test-Path #{nircmd_location}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
+          -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://www.nirsoft.net/utils/nircmd-x64.zip\"
+          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" \nexpand-archive
+          -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" -destinationpath
+          PathToAtomicsFolder\\..\\ExternalPayloads\\\n"
+      executor:
+        command: 'cmd /c #{nircmd_location} #{command_to_execute}
+
+          '
+        cleanup_command: 'cmd /c #{nircmd_location} #{cleanup_command_to_execute}
+          -erroraction silentlycontinue | out-null
+
+          '
+        name: powershell
+        elevation_required: false
  T1484.002:
    technique:
      modified: '2022-10-21T16:09:14.555Z'
@@ -3367,6 +3367,49 @@ defense-evasion:
          sc.exe delete #{service_name}
        name: command_prompt
        elevation_required: true
+    - name: Command Execution with NirCmd
+      auto_generated_guid: 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be
+      description: |
+        NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
+        See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
+      supported_platforms:
+      - windows
+      input_arguments:
+        nircmd_location:
+          description: Location of nircmd executable
+          type: Path
+          default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe
+        command_to_execute:
+          description: Command for nircmd to execute
+          type: Path
+          default: win child class "Shell_TrayWnd" hide class "TrayClockWClass"
+        cleanup_command_to_execute:
+          description: Cleanup command to undo the arbitrary command ran by nircmd
+          type: Path
+          default: win child class "Shell_TrayWnd" show class "TrayClockWClass"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Nircmd executable must exist at (#{nircmd_location})
+
+          '
+        prereq_command: 'if (Test-Path #{nircmd_location}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
+          -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://www.nirsoft.net/utils/nircmd-x64.zip\"
+          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" \nexpand-archive
+          -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" -destinationpath
+          PathToAtomicsFolder\\..\\ExternalPayloads\\\n"
+      executor:
+        command: 'cmd /c #{nircmd_location} #{command_to_execute}
+
+          '
+        cleanup_command: 'cmd /c #{nircmd_location} #{cleanup_command_to_execute}
+          -erroraction silentlycontinue | out-null
+
+          '
+        name: powershell
+        elevation_required: false
  T1484.002:
    technique:
      modified: '2022-10-21T16:09:14.555Z'
@@ -14,6 +14,8 @@ Adversaries may also attempt to hide artifacts associated with malicious behavio

 - [Atomic Test #4 - Create and Hide a Service with sc.exe](#atomic-test-4---create-and-hide-a-service-with-scexe)

+- [Atomic Test #5 - Command Execution with NirCmd](#atomic-test-5---command-execution-with-nircmd)
+

 <br/>

@@ -185,4 +187,58 @@ sc.exe delete #{service_name}



+<br/>
+<br/>
+
+## Atomic Test #5 - Command Execution with NirCmd
+NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
+See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| nircmd_location | Location of nircmd executable | Path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;nircmd.exe|
+| command_to_execute | Command for nircmd to execute | Path | win child class "Shell_TrayWnd" hide class "TrayClockWClass"|
+| cleanup_command_to_execute | Cleanup command to undo the arbitrary command ran by nircmd | Path | win child class "Shell_TrayWnd" show class "TrayClockWClass"|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd /c #{nircmd_location} #{command_to_execute}
+```
+
+#### Cleanup Commands:
+```powershell
+cmd /c #{nircmd_location} #{cleanup_command_to_execute} -erroraction silentlycontinue | out-null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The Nircmd executable must exist at (#{nircmd_location})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{nircmd_location}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+invoke-webrequest "https://www.nirsoft.net/utils/nircmd-x64.zip" -outfile "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" 
+expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" -destinationpath PathToAtomicsFolder\..\ExternalPayloads\
+```
+
+
+
+
 <br/>