From d39dc66fa1c0aceb147e61e650c6444c27a33a2b Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 23 Dec 2021 19:00:45 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 2 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +
 atomics/Indexes/Indexes-Markdown/index.md | 2 +
 .../Indexes/Indexes-Markdown/windows-index.md | 2 +
 atomics/Indexes/index.yaml | 37 +++++++++
 atomics/T1070.005/T1070.005.md | 79 +++++++++++++++++++
 6 files changed, 124 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 89f9040e..4d7ca8c2 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -473,6 +473,8 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
 defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 3256d751..e620f48b 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -308,6 +308,8 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
 defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 6fde9130..74f55a72 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -756,6 +756,8 @@
 - Atomic Test #1: Add Network Share [windows]
 - Atomic Test #2: Remove Network Share [windows]
 - Atomic Test #3: Remove Network Share PowerShell [windows]
+ - Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
+ - Atomic Test #5: Remove Administrative Shares [windows]
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
 - Atomic Test #1: Decode base64 Data into Script [macos, linux]
 - Atomic Test #2: Execute base64-encoded PowerShell [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 1c7184a1..02f13f7d 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -524,6 +524,8 @@
 - Atomic Test #1: Add Network Share [windows]
 - Atomic Test #2: Remove Network Share [windows]
 - Atomic Test #3: Remove Network Share PowerShell [windows]
+ - Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
+ - Atomic Test #5: Remove Administrative Shares [windows]
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
 - Atomic Test #2: Execute base64-encoded PowerShell [windows]
 - Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index f2cc766a..36dec120 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -31945,6 +31945,43 @@ defense-evasion:
 Remove-SmbShare -Name #{share_name}
 Remove-FileShare -Name #{share_name}
 name: powershell
+ - name: Disable Administrative Share Creation at Startup
+ auto_generated_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
+ description: "Administrative shares are hidden network shares created by Microsoft’s
+ Windows NT operating systems that grant system administrators \nremote access
+ to every disk volume on a network-connected system. These shares are automatically
+ created at started unless they have been\npurposefully disabled and is done
+ in this Atomic test. As Microsoft puts it, \"Missing administrative shares
+ typically \nindicate that the computer in question has been compromised by
+ malicious software.\"\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
+ cleanup_command: |
+ reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
+ reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
+ name: command_prompt
+ elevation_required: true
+ - name: Remove Administrative Shares
+ auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
+ description: "Administrative shares are hidden network shares created by Microsoft’s
+ Windows NT operating systems that grant system administrators \nremote access
+ to every disk volume on a network-connected system. As Microsoft puts it,
+ “Missing administrative shares typically \nindicate that the computer in question
+ has been compromised by malicious software.\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
+ supported_platforms:
+ - windows
+ executor:
+ command: for %i in (C$ IPC$ ADMIN$) do net share %i /delete
+ cleanup_command: |
+ net share ADMIN$ /UNLIMITED >nul 2>&1
+ net share C$=C:\ >nul 2>&1
+ net share IPC$ >nul 2>&1
+ name: command_prompt
+ elevation_required: true
 T1027:
 technique:
 object_marking_refs:
diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md
index db0b7daa..dbdde905 100644
--- a/atomics/T1070.005/T1070.005.md
+++ b/atomics/T1070.005/T1070.005.md
@@ -10,6 +10,10 @@
 - [Atomic Test #3 - Remove Network Share PowerShell](#atomic-test-3---remove-network-share-powershell)
+- [Atomic Test #4 - Disable Administrative Share Creation at Startup](#atomic-test-4---disable-administrative-share-creation-at-startup)
+
+- [Atomic Test #5 - Remove Administrative Shares](#atomic-test-5---remove-administrative-shares)
+
@@ -111,4 +115,79 @@ Remove-FileShare -Name #{share_name}
+
+
+
+## Atomic Test #4 - Disable Administrative Share Creation at Startup
+Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators
+remote access to every disk volume on a network-connected system. These shares are automatically created at started unless they have been
+purposefully disabled and is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically
+indicate that the computer in question has been compromised by malicious software."
+https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 99c657aa-ebeb-4179-a665-69288fdd12b8
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
+reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - Remove Administrative Shares
+Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators
+remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically
+indicate that the computer in question has been compromised by malicious software.
+https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+for %i in (C$ IPC$ ADMIN$) do net share %i /delete
+```
+
+#### Cleanup Commands:
+```cmd
+net share ADMIN$ /UNLIMITED >nul 2>&1
+net share C$=C:\ >nul 2>&1
+net share IPC$ >nul 2>&1
+```
+
+
+
+
+