From dbb75a50e11a45e69f157a4ebc2473f16e2e8d50 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 5 Dec 2019 20:17:37 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1053/T1053.md | 28 +++++++++++++++++++++ atomics/index.md | 3 +++ atomics/index.yaml | 54 ++++++++++++++++++++++++++++++++++++++++ atomics/windows-index.md | 3 +++ 4 files changed, 88 insertions(+) diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md index 2f3edb38..e26b2f51 100644 --- a/atomics/T1053/T1053.md +++ b/atomics/T1053/T1053.md @@ -12,6 +12,8 @@ An adversary may use task scheduling to execute programs at system startup or on - [Atomic Test #3 - Scheduled task Remote](#atomic-test-3---scheduled-task-remote) +- [Atomic Test #4 - Powershell Cmdlet Scheduled Task](#atomic-test-4---powershell-cmdlet-scheduled-task) +
@@ -75,4 +77,30 @@ SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" +
+
+ +## Atomic Test #4 - Powershell Cmdlet Scheduled Task +Create an atomic scheduled task that leverages native powershell cmdlets. +These could be concidered "fileless" scheduled task creation. + +**Supported Platforms:** Windows + + +#### Run it with `powershell`! +``` +$Action = New-ScheduledTaskAction -Execute "calc.exe" +$Trigger = New-ScheduledTaskTrigger -AtLogon +$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest +$Set = New-ScheduledTaskSettingsSet +$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set +Register-ScheduledTask AtomicTask -InputObject $object +``` + + +#### Cleanup Commands: +``` +Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false +``` +
diff --git a/atomics/index.md b/atomics/index.md index 1b19ad84..685e1d01 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -118,6 +118,7 @@ - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - [T1180 Screensaver](./T1180/T1180.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] - [T1101 Security Support Provider](./T1101/T1101.md) @@ -467,6 +468,7 @@ - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - [T1058 Service Registry Permissions Weakness](./T1058/T1058.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] - [T1166 Setuid and Setgid](./T1166/T1166.md) @@ -765,6 +767,7 @@ - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - [T1064 Scripting](./T1064/T1064.md) - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux] - Atomic Test #2: Create and Execute Batch Script [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 4fe8e94b..4c6ab4e5 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -4018,6 +4018,24 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} +' + - name: Powershell Cmdlet Scheduled Task + description: "Create an atomic scheduled task that leverages native powershell + cmdlets. \nThese could be concidered \"fileless\" scheduled task creation.\n" + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + $Action = New-ScheduledTaskAction -Execute "calc.exe" + $Trigger = New-ScheduledTaskTrigger -AtLogon + $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest + $Set = New-ScheduledTaskSettingsSet + $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set + Register-ScheduledTask AtomicTask -InputObject $object + cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + ' T1180: technique: @@ -14370,6 +14388,24 @@ privilege-escalation: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} +' + - name: Powershell Cmdlet Scheduled Task + description: "Create an atomic scheduled task that leverages native powershell + cmdlets. \nThese could be concidered \"fileless\" scheduled task creation.\n" + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + $Action = New-ScheduledTaskAction -Execute "calc.exe" + $Trigger = New-ScheduledTaskTrigger -AtLogon + $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest + $Set = New-ScheduledTaskSettingsSet + $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set + Register-ScheduledTask AtomicTask -InputObject $object + cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + ' T1058: technique: 
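Review bot: `elevation_required: false` in the new "Powershell Cmdlet Scheduled Task" entry looks inconsistent with the command it runs: the task is registered for `BUILTIN\Administrators` with `-RunLevel Highest`, which presumably fails with an access-denied error from a non-elevated PowerShell session, so a runner that trusts the flag would record a failed test rather than a real detection result. I would set `elevation_required: true` for this test. The same entry is repeated in the privilege-escalation and execution hunks of this file, and because index.yaml is generated, the change presumably belongs in the T1053 atomic definition it is built from. The description also misspells "considered" as "concidered".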
@@ -22099,6 +22135,24 @@ execution: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} +' + - name: Powershell Cmdlet Scheduled Task + description: "Create an atomic scheduled task that leverages native powershell + cmdlets. \nThese could be concidered \"fileless\" scheduled task creation.\n" + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + $Action = New-ScheduledTaskAction -Execute "calc.exe" + $Trigger = New-ScheduledTaskTrigger -AtLogon + $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest + $Set = New-ScheduledTaskSettingsSet + $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set + Register-ScheduledTask AtomicTask -InputObject $object + cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + ' T1064: technique: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index d320e983..e6a5b668 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -237,6 +237,7 @@ - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - [T1058 Service Registry Permissions Weakness](./T1058/T1058.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -325,6 +326,7 @@ - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - [T1180 Screensaver](./T1180/T1180.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] - [T1101 Security Support Provider](./T1101/T1101.md) 
@@ -641,6 +643,7 @@ - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - [T1064 Scripting](./T1064/T1064.md) - Atomic Test #2: Create and Execute Batch Script [windows] - [T1035 Service Execution](./T1035/T1035.md)