Merge branch 'master' into atomics_T1562_008

2022-08-01 14:29:02 -07:00
parent 614a715da8 423d25021b
commit e482e532bf
11 changed files with 136 additions and 36 deletions
@@ -844,7 +844,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -1253,6 +1253,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
 command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -604,7 +604,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -909,6 +909,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
 command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -1465,7 +1465,7 @@
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
-  - Atomic Test #2: Invoke-Command [windows]
+  - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
  - Atomic Test #3: WinRM Access with Evil-WinRM [windows]
 - [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
  - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -2095,6 +2095,7 @@
  - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
  - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
  - Atomic Test #25: certreq download [windows]
+  - Atomic Test #26: Download a file using wscript [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -1060,7 +1060,7 @@
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
-  - Atomic Test #2: Invoke-Command [windows]
+  - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
  - Atomic Test #3: WinRM Access with Evil-WinRM [windows]
 - [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
  - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -1521,6 +1521,7 @@
  - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
  - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
  - Atomic Test #25: certreq download [windows]
+  - Atomic Test #26: Download a file using wscript [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -67595,27 +67595,34 @@ lateral-movement:
          '
        name: powershell
        elevation_required: true
-    - name: Invoke-Command
+    - name: Remote Code Execution with PS Credentials Using Invoke-Command
      auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
      description: |
        Execute Invoke-command on remote host.

-        Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+        Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
      supported_platforms:
      - windows
      input_arguments:
-        host_name:
-          description: Remote Windows Host Name
-          type: String
-          default: localhost
-        remote_command:
-          description: Command to execute on remote Host
-          type: String
-          default: ipconfig
+        username:
+          description: The username running the powershell command
+          type: string
+          default: "$env:USERNAME"
+        remotehost:
+          description: The remote hostname of the machine you are running the powershell
+            command on.
+          type: string
+          default: "$env:COMPUTERNAME"
+        password:
+          description: The password to be used with the user provided in the previous
+            input argument.
+          type: string
+          default: test12345
      executor:
-        command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
-
-          '
+        command: |-
+          $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+          $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+          Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
        name: powershell
    - name: WinRM Access with Evil-WinRM
      auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
@@ -91410,6 +91417,21 @@ command-and-control:
        command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
        cleanup_command: 'del #{local_path} >nul 2>&1'
        name: command_prompt
+    - name: Download a file using wscript
+      auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+      description: Use wscript to run a local VisualBasic file to download a remote
+        file
+      supported_platforms:
+      - windows
+      input_arguments:
+        vbscript_file:
+          description: Full path to the VisualBasic downloading the file
+          type: String
+          default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+      executor:
+        command: 'wscript.exe #{vbscript_file}'
+        cleanup_command: del Atomic-License.txt >nul 2>&1
+        name: command_prompt
  T1001.002:
    technique:
      x_mitre_platforms:
@@ -8,7 +8,7 @@ WinRM is the name of both a Windows service and a protocol that allows a user to

 - [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)

- [Atomic Test #2 - Invoke-Command](#atomic-test-2---invoke-command)
+- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command)

 - [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm)

@@ -45,10 +45,10 @@ Enable-PSRemoting -Force
 <br/>
 <br/>

-## Atomic Test #2 - Invoke-Command
+## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
 Execute Invoke-command on remote host.

-Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.

 **Supported Platforms:** Windows

@@ -62,15 +62,18 @@ Upon successful execution, powershell will execute ipconfig on localhost using `
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| host_name | Remote Windows Host Name | String | localhost|
-| remote_command | Command to execute on remote Host | String | ipconfig|
+| username | The username running the powershell command | string | $env:USERNAME|
+| remotehost | The remote hostname of the machine you are running the powershell command on. | string | $env:COMPUTERNAME|
+| password | The password to be used with the user provided in the previous input argument. | string | test12345|


 #### Attack Commands: Run with `powershell`! 


 ```powershell
-invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+$SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
 ```


@@ -14,27 +14,34 @@ atomic_tests:
      Enable-PSRemoting -Force
    name: powershell
    elevation_required: true
- name: Invoke-Command
+- name: Remote Code Execution with PS Credentials Using Invoke-Command
  auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
  description: |
    Execute Invoke-command on remote host.

-    Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+    Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
  supported_platforms:
  - windows
  input_arguments:
-    host_name:
-      description: Remote Windows Host Name
-      type: String
-      default: localhost
-    remote_command:
-      description: Command to execute on remote Host
-      type: String
-      default: ipconfig
+    username:
+      description: The username running the powershell command
+      type: string
+      default: $env:USERNAME
+    remotehost:
+      description: The remote hostname of the machine you are running the powershell command on.
+      type: string
+      default: $env:COMPUTERNAME
+    password:
+      description: The password to be used with the user provided in the previous input argument.
+      type: string
+      default: test12345
  executor:
-    command: |
-      invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+    command: |-
+      $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+      $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+      Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
    name: powershell
+    
 - name: WinRM Access with Evil-WinRM
  auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
  description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
@@ -58,6 +58,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co

 - [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download)

+- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript)
+

 <br/>

@@ -1132,4 +1134,41 @@ del #{local_path} >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #26 - Download a file using wscript
+Use wscript to run a local VisualBasic file to download a remote file
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vbscript_file | Full path to the VisualBasic downloading the file | String | PathToAtomicsFolder&#92;T1105&#92;src&#92;T1105-download-file.vbs|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wscript.exe #{vbscript_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del Atomic-License.txt >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -700,4 +700,18 @@ atomic_tests:
    command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
    cleanup_command: 'del #{local_path} >nul 2>&1'
    name: command_prompt
-  
+
+- name: Download a file using wscript
+  auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+  description: Use wscript to run a local VisualBasic file to download a remote file
+  supported_platforms:
+  - windows
+  input_arguments:
+    vbscript_file:
+      description: Full path to the VisualBasic downloading the file
+      type: String
+      default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+  executor:
+    command: 'wscript.exe #{vbscript_file}'
+    cleanup_command: del Atomic-License.txt >nul 2>&1
+    name: command_prompt
@@ -0,0 +1,10 @@
+Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1") 
+URL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" 
+objWinHttp.open "GET", URL, False 
+objWinHttp.send ""
+Dim BinaryStream
+Set BinaryStream = CreateObject("ADODB.Stream")
+BinaryStream.Type = 1
+BinaryStream.Open
+BinaryStream.Write objWinHttp.responseBody
+BinaryStream.SaveToFile "Atomic-License.txt", 2
@@ -1100,3 +1100,4 @@ a27418de-bdce-4ebd-b655-38f11142bf0c
 33eacead-f117-4863-8eb0-5c6304fbfaa9
 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
+97116a3f-efac-4b26-8336-b9cb18c45188