From e029a0734df1e4ed14f3e1850adeaafdb57413c7 Mon Sep 17 00:00:00 2001
From: lucasRiley <70220074+lucasRiley@users.noreply.github.com>
Date: Mon, 7 Feb 2022 09:04:43 -0600
Subject: [PATCH] T1036 (#1763)

* T1036
* Update T1036.yaml
* updated description
* correct outfile param
* Add -force to avoid error msg
* update zip url

Co-authored-by: Riley
Co-authored-by: Carrie Roberts
---
 atomics/T1036/T1036.yaml | 28 ++++++++++++++++++++++++++--
 atomics/T1036/bin/T1036.zip | Bin 0 -> 4612 bytes
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 atomics/T1036/bin/T1036.zip
diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
index 8f9029d1..b089475f 100644
--- a/atomics/T1036/T1036.yaml
+++ b/atomics/T1036/T1036.yaml
@@ -2,7 +2,7 @@ attack_technique: T1036
 display_name: "Masquerading"
 atomic_tests:
 - name: System File Copied to Unusual Location
- auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
+ auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
 description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
 supported_platforms:
 - windows
@@ -11,4 +11,28 @@ atomic_tests:
 copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
 start %ALLUSERSPROFILE%\cmd.exe
 cleanup_command: del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
- name: command_prompt
\ No newline at end of file
+ name: command_prompt
+- name: Malware Masquerading and Execution from Zip File
+ description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
+ supported_platforms:
+ - windows
+ input_arguments:
+ url:
+ description: Location of zip file
+ type: Url
+ default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
+ dependencies:
+ - description: Zip file must be present.
+ prereq_command: |
+ if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
+ executor:
+ command: |-
+ Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
+ cd $env:userprofile\Downloads\T1036
+ cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
+ cleanup_command: |-
+ taskkill /IM Calculator.exe /f >$null 2>$null
+ Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
+ name: powershell
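Review bot: The new test's prereq_command only checks that T1036.zip exists, so any stale or swapped file in Downloads satisfies the dependency, and get_prereq_command fetches `#{url}` with no integrity check before Expand-Archive and README.cmd act on it. Since the archive is committed as atomics/T1036/bin/T1036.zip in this same commit, its digest can be pinned in the prereq, e.g. `if ((Test-Path $env:userprofile\Downloads\T1036.zip) -and ((Get-FileHash $env:userprofile\Downloads\T1036.zip -Algorithm SHA256).Hash -eq "<SHA256_OF_T1036.zip>")) {exit 0} else {exit 1}` with the placeholder replaced by the hash of the committed file. The description also never states what a successful run looks like; the cleanup's `taskkill /IM Calculator.exe` is the only hint that the renamed DLL launches Calculator, so, if that is what the archive does (I cannot see its contents), a sentence such as `Successful execution is observable as Calculator.exe starting from the renamed DLL.` belongs in the description. Both stdout and stderr of README.cmd are sent to $null in the executor, so a failed launch is indistinguishable from success in the test output.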
diff --git a/atomics/T1036/bin/T1036.zip b/atomics/T1036/bin/T1036.zip new file mode 100644 index 0000000000000000000000000000000000000000..878c01bfb0bc1df77ef9e2fab87d11c63ca52aaa GIT binary patch literal 4612 zcmZ{oWmFV^v*>}9X6Xh+x>*{QT9)ocxB=^LPAQAMTwQ}76EZ#7Z5=ZmRO{_ z%j^H1ciwv+?wvU^bLLE(`7ob;2HJo})L2+p1XzerWfL*<4vLcEU&@1ph5Ijv3i&y^ z?pwx08k^?#Yo1P5dutE@^X+c3khHBOND~1FA8*UeP78TO>@e9(R^N1;_nWA&!67se zm5lO@WcT;FNqn2(Yn=@a1UdpVEjGL4;>W4zp4UVN*55w7U687UZ1}wA626m2iV| zV!SXasX9l@N+#Y=fh|!=^Fc@fO_n$$+Hbh=!90a5>FNfK3LdjD+4IbK2vw+764xn=!<949f(ac_3lE&s4J1)uPJ}nnzBsjbH%Eot@RyhC6{n zser;gsFt-dH?DR<#sW_gs|NqfabaTb74hd$VJ>Y;LSAUWcvqLL4DPve&lCNW@W&Q9 zc}??zfXO1o`B>rNCYR8yHY1PI3Hy)m6NUt8C85du(}8|1E;SFNu#l3sDyA7@lt;m( z@n;K#@#)o?H0D+PfQ9m2`+*Ui%;Dq?P6B*abK~bT3(s4k3}AQRymV)Ex3N`8DMvhM z#Qp-x9fe4J@oI5=V&aw|HgGr`M7gFuF$1?@Z*5=nS<1CZZ+tP2enbL*hBq2Z8c(%95Xhv!vKN~9;bo`@%d>VaGx0X1fa@e5($ zpg0SUwN}tnJjLjN$zg)~$No4|lS3>q4%a*St50JU8%#S()-SmA4|jK@whO#7VR>gq znG3NS){;-5U_Oo~=wiy!H!tbtw8yM^lY|Ojh75)Z$(+03$IXb4y)x)nW#_>xlE97o zt=qA7QZmz{#9QqYW1Ir%nDXWAAx$zm&kRv}zUPz!*rW5Q{P=T5%h<*ryJO()PNw>= z;e3qsuRN2?f#R0Hpo1Cn%kj5Gl9p~b(5+}GZJ1VLcE7W z-$pxh!RNj}=?~Z#LF~s)vxEL3$qzUDx`5({XH7u=xhS2$I(`*=*$VI+?b>n!Y-Dhl zmTEBSD?CBkAfrcx>Wrb^AaIMzx=(`kg%|jeybC=JMo;0x0JkiDqkL#KrTB;dyc_WJ zG4<>GZr}tFow|nKUx{?h@Yp`_$038e1B15s9fR&(IY2*H&?gWXQ#4N^(;sOM(gKpN z0)39XzKoAQq)rI~2kORzp(5rf>MUM_1!lTMzZ@hOk$`+8GYW?p36(QjvIKa&bWUqF z9iZv#kF7tAWL@5@i(?fB%Ra*OD9(k7rxDYV6;cS~c4w}h92GgS)wl!v5gq%u)-o#z zyVExh>t=-CaN8a&Ir+iKZ9o3HgpN?PJGJPHI}Mbp3{!iwNIXaC#&gllN4r8sp9Gni!aMgZ@M-W! 
zLW;_%-b?1PQulqCul_Xa*KlLZ!z^rIIvb~G=V@=qod>RVvzq#Rl&MAagQZESq38=> zb4WVsS8`Wa9jbADA@z?ISF9x8TM>i72PPwspZG8Rj2MR$8dUjH9&TJ0#lSmc{HeFU zLb*7&_oiX*ixW51^JIlJ0(s9LWk@w=S^DmE*Dgwoa{rL{{x(gQZ2r(EquSoi%SVOXH}HKbL{qXZwj0xwx{UWzB{XzO1Bx; zSBB)L=QQ+&4GkP~(=To*7C}3&5;yKSl_q(gBA#~i@>+yiYf#HF(e?4Z<+-Gh6x@4z zlE)bazSku-rc^<&V}@B`#RfFh(x0sCaAZEsBh&N26E`XYF|>kLBA(rMGt0>j2II=E zq+y6w0+*yp_9ueexte=}Mf@}lEf!i%UwGjxG2=mT%OUC^me#8CWh*$1FCv54wO}8~ z;FNEsWaaG!#6zq#{5#qNJ{^uZFlmAP114GTh)n(hB}JF-iqv;*^j0}xa`>0grzxA} zj%sBO6wx{aL#MyEB1=eLP6&Nora6NPki@tD&$N*OnByVbbAxu?{x_M~5NEoRNFW2fUN z1$;Fk`7!=W6>FGkRV@im*fRsRwW;%mkQkDcG(QQu{3P(ZxS-*l==a?2))OcT-hHF6 zbI5Sxb-iP7`U@5&G-KMrp!=d3{H(h*9Ha6(BRfkVcy9md%2tHB)=ZC|{lIBF0tm!S zXp0Jx6~a??bQ;?5;*lm5EZ)g$4n=cYzDpE=leZU@%U?Y;uUqgib_HZlcv>OU*rw{z zpXy*ptsf{GobQJ9R8>ccONp6gO=dycH2C=SFsuAGF>m;)vUt;>7%RG%QHaR1)33O z5Bl4o<#OG9s&7FkRNXqK%|UzyMTy;q^#=Z%1xR}D%6>^j|N1=(H$1IX_Px`<3d7i} z%QC%4ieN(I&a<(c=3UV#cezNzQz@69gLG`iu>lgZrgnx>an{*=8RO7zfi{aieDJB_ z{tTP`>SJqAy}3pINh)m4CiMDwnZRGVL-xN4`{V6=r~_@fIy)Mg4_i07Z#pz>S%9Ne zu^qOQ?5kVh*0txqPe1*Hlgp~cm{h&~rm?8ji%1Rs`jHyi7vio>)t7V7wsQ!ZY#{%( zUplxUDhHcTy}$+wB79F|SW8j^Wwl-cmxG$`J39eMMtOL=3aX^sdRTQW!; zU1@y2D!AKN*HUg^G1;;d8b&uQuOSnT(2MQ-ia6o z`~2=|^=8*ecri7%n6nYv+?dhUE}zz(-`4Ia2TvT|pIj5^lpoj~i0(dDcfH^5F>-c^ zRJK!5^R`mG<#+NOl9|$7}#dd%?d}txT22si?YBCiexX=j5h1F8c8a3QxtfL zgjRnKot3Gi1{pr%LLO%FGokxj8$`p?yj&eUC)g#C?WQy;qBnYe^PE{^+b2wM2aINI zIubb_e@Kd&7DYBli+-dz_tTk**P(3C_MNiVxV3ONV|0UbR^HPK;5o*nJCBKF%Z*cy zyGwMPiFA@YqiTF+mD2icuN56Rm?^qXHvHZ@$;y5ZK>}0*h=iXH>}%rD#ne$lj@TvE=X{+8L4?*#s-~+Aqk>a%$3` zRMxFd8ErOZ%I<_F{R`hc>SKLt1qxTD9C%Fu$-P51c?^d+il#nPn*I}kMnEDp@%W%n z~>FjBrmU{hZAk~Q^w8sotqsC!$#$b$xRv~HD4YkBu1WcQmOl}|_Hu~3 zlUCSCc;oE|Ng780V`Vt2z;E^&|2kXE*YD$cs&Ad%w~X*>?K^y&U?Cb1u+K-{Ak5mA z=hb{3k9u!ssl+e|j}ru#`J{exG$W?35h7xz&SonCr&n&;Ej;pJjU~D!eO+U_M8DXg znJdcPnXTu8)^Go7G$RU{E;LU$CYwt3Jz6+fU*AkW`wLmvCokUL^TFWW1&&3;aQt}*_Ouu&2d=70(gg6$LbaBu$IuVvdqZ( z*u*1X3vi2ZATP(lPB2!pWEmK00;8DPIlGOmE~ZbHR)xU;J_$=^-;TmcG7F~NRkR72 
ztXR=-Ru&$YD}p7lVC>$)+Uf{5|8vB_ z<@gVG)Y?IVUbI+b*dT+Em1O(0>DROh#STIGUnW*hcVzMEOG~JTHKC2aR1}$v@T#2+QfX9w+A(ki_5{*^24x0vom)*2il{R_BfAWw0 zavv?ON`4NH^qrrT67`0zGCJMm=*itG7+q%U(Ue{&*z`>`>(5^%=lWDZ^3PTb{x38U z3sW|M)!h1U{eva^|BUFL8L2{5bXA3%yq)>A5Zd2$O@*iVH8cTlc)?&I4