Updated Descriptions (#897)

* Updated Descriptions

Updated descriptions with what to expect from successful execution.

* Update T1028.yaml

* Update T1028.yaml

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

* move text to description

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

* typo fix

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Michael Haag
2020-03-19 21:23:10 -06:00
committed by GitHub
parent 94f2071b59
commit e4ce60f9f2
35 changed files with 438 additions and 185 deletions
+6
@@ -24,6 +24,8 @@ Adversaries may take advantage of these features to repeatedly execute malicious
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
**Supported Platforms:** Windows
@@ -57,6 +59,8 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
**Supported Platforms:** Windows
@@ -90,6 +94,8 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
**Supported Platforms:** Windows
+6
@@ -7,6 +7,8 @@ atomic_tests:
description: |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
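Review bot: "upon logon/logoff" on the new description line contradicts "at logon" in the sentence just above it; the Winlogon Shell value is consulted when a user logs on, so say "at the next logon". It would also help to name the hive, since the cleanup path in the generated doc (L37) is under HKCU, which makes this per-user persistence rather than machine-wide. The .md hunks above are regenerated from this YAML, so the wording fix belongs here.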
@@ -28,6 +30,8 @@ atomic_tests:
description: |
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
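Review bot: same inconsistency as the Shell test: "logon/logoff" should be "at the next logon" to match the first sentence, since Userinit runs at logon. Consider stating the observable expectation explicitly: the test itself only writes a registry value; cmd.exe does not appear until a user logs on again.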
@@ -49,6 +53,8 @@ atomic_tests:
description: |
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
supported_platforms:
- windows
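Review bot: the new line says the value will "execute atomicNotificationPackage.dll", but nothing in the description says whether the test drops that DLL on disk or only references it; a reader checking the expectation needs to know whether to look for a file. Worth adding that Winlogon Notify packages are only honoured by legacy Windows versions (not Vista and later), so on a current host the expected artifact is the registry write alone.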
+2
@@ -15,6 +15,8 @@ Adversaries will often search the file system on computers they have compromised
## Atomic Test #1 - Search macOS Safari Cookies
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`.
**Supported Platforms:** macOS
+2
@@ -7,6 +7,8 @@ atomic_tests:
description: |
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`.
supported_platforms:
- macos
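Review bot: `~/Libraries/Cookies` on the new line is not a macOS path; the per-user folder is `~/Library`, so this should read `~/Library/Cookies`. The clause "grep for `Cookies.binarycookies`" also reads as searching for the file name, whereas the first sentence says grep searches that file for specified values; suggest "cd to `~/Library/Cookies` and grep `Cookies.binarycookies` for the specified values". "MacOS" should be "macOS" as in supported_platforms.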
+5 -1
@@ -12,7 +12,9 @@
<br/>
## Atomic Test #1 - System Service Discovery
Identify system services
Identify system services.
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
**Supported Platforms:** Windows
@@ -40,6 +42,8 @@ sc query state= all
## Atomic Test #2 - System Service Discovery - net.exe
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
**Supported Platforms:** Windows
+5 -1
@@ -5,7 +5,9 @@ display_name: System Service Discovery
atomic_tests:
- name: System Service Discovery
description: |
Identify system services
Identify system services.
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
supported_platforms:
- windows
@@ -21,6 +23,8 @@ atomic_tests:
- name: System Service Discovery - net.exe
description: |
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
supported_platforms:
- windows
input_arguments:
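Review bot: `c:\Windows\Temp\service-list.txt.s` on the new line has a stray `.s`; it should be `service-list.txt`, and since input_arguments follows immediately, it should reference the input argument that holds the path rather than hard-coding it. "net.exe will run from cmd.exe that queries services" is garbled; suggest "cmd.exe runs net.exe to list started services and redirects the output to the configured file".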
+3 -1
@@ -13,7 +13,9 @@ Binary padding effectively changes the checksum of the file and can also be used
<br/>
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
Uses dd to add a zero to the binary to change the hash
Uses dd to add a zero to the binary to change the hash.
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
**Supported Platforms:** macOS, Linux
+3 -1
@@ -5,7 +5,9 @@ display_name: Binary Padding
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
description: |
Uses dd to add a zero to the binary to change the hash
Uses dd to add a zero to the binary to change the hash.
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- macos
+2
@@ -14,6 +14,8 @@ In Mac, this can be done natively with a small [AppleScript](https://attack.mitr
## Atomic Test #1 - List Process Main Windows - C# .NET
Compiles and executes C# code to list main window titles associated with each process.
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
**Supported Platforms:** Windows
+2
@@ -7,6 +7,8 @@ atomic_tests:
description: |
Compiles and executes C# code to list main window titles associated with each process.
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
supported_platforms:
- windows
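Review bot: the new line says PowerShell downloads the .cs file from the repo and cmd.exe compiles and runs T1010.exe, but does not say where either file lands or that the test needs outbound internet access. If the download is a prerequisite it belongs in a dependencies block with a get_prereq_command rather than in the attack description, and the compiled T1010.exe should be removed by the cleanup; neither is visible in this hunk, so please confirm.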
+4 -3
@@ -12,15 +12,16 @@ The Registry contains a significant amount of information about the operating sy
<br/>
## Atomic Test #1 - Query Registry
Query Windows Registry
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
References:
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
References:
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
+4 -3
@@ -5,15 +5,16 @@ display_name: Query Registry
atomic_tests:
- name: Query Registry
description: |
Query Windows Registry
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
References:
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
References:
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
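Review bot: "References:" now appears twice in this description (L173 and L176); merge the four URLs under a single heading. "Some will succeed and others will fail (dependent upon OS)" would be more useful as an expectation if it said that a non-zero exit from individual `reg query` calls is normal and not a test failure, ideally naming which keys are version-specific.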
+2
@@ -28,6 +28,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi
## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
**Supported Platforms:** Windows
+2
@@ -6,6 +6,8 @@ atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
description: |
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
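Review bot: "swap osk.exe with cmd.exe" on the new line misdescribes what the test name says it does (attach cmd.exe as a debugger): the change is a Debugger value under the Image File Execution Options key for osk.exe, so launching osk.exe starts cmd.exe; osk.exe itself is not replaced on disk. And because the first sentence says the process list is configurable via input arguments, say "the configured processes (default osk.exe)" rather than only osk.exe.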
+13 -3
@@ -12,7 +12,7 @@ Adversaries may use the information from [System Network Configuration Discovery
- [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery)
- [Atomic Test #4 - System Network Configuration Discovery (Trickbot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
@@ -22,6 +22,8 @@ Adversaries may use the information from [System Network Configuration Discovery
## Atomic Test #1 - System Network Configuration Discovery
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
**Supported Platforms:** Windows
@@ -50,6 +52,8 @@ net config
## Atomic Test #2 - List Windows Firewall Rules
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
**Supported Platforms:** Windows
@@ -72,7 +76,9 @@ netsh advfirewall firewall show rule name=all
<br/>
## Atomic Test #3 - System Network Configuration Discovery
Identify network configuration information
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
**Supported Platforms:** macOS, Linux
@@ -97,9 +103,11 @@ ifconfig
<br/>
<br/>
## Atomic Test #4 - System Network Configuration Discovery (Trickbot Style)
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
**Supported Platforms:** Windows
@@ -128,6 +136,8 @@ nltest /domain_trusts
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
**Supported Platforms:** Windows
+14 -3
@@ -7,6 +7,8 @@ atomic_tests:
description: |
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
supported_platforms:
- windows
@@ -24,6 +26,8 @@ atomic_tests:
description: |
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
supported_platforms:
- windows
@@ -35,7 +39,9 @@ atomic_tests:
- name: System Network Configuration Discovery
description: |
Identify network configuration information
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
supported_platforms:
- macos
@@ -49,9 +55,12 @@ atomic_tests:
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
- name: System Network Configuration Discovery (Trickbot Style)
- name: System Network Configuration Discovery (TrickBot Style)
description: |
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
supported_platforms:
- windows
executor:
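Review bot: the name is changed to "TrickBot" but the description line below it (L261) still says "Trickbot"; fix both for consistency. The commands listed on the new line (`net view /all /domain`, `nltest /domain_trusts`) may error on a host that is not domain-joined, which should be stated as expected output rather than left to read as a failed test.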
@@ -67,6 +76,8 @@ atomic_tests:
description: |
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
supported_platforms:
- windows
input_arguments:
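Review bot: the description hard-codes "Desktop\open-ports.txt" while the cleanup hunk below removes `#{output_file}`, so the path is an input argument; describe it as "the output_file path (default Desktop\open-ports.txt)". It should also say what the test connects to, since "contact each port" on its own reads like a local scan, whereas the referenced technique tests egress against an external host and needs outbound internet access to produce meaningful results.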
@@ -125,4 +136,4 @@ atomic_tests:
$results | Out-File -Encoding ASCII -append $file
Write-Host $results
cleanup_command: |
Remove-Item -ErrorAction ignore "#{output_file}"
Remove-Item -ErrorAction ignore "#{output_file}"
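Review bot: the removed and added cleanup lines render identically (`Remove-Item -ErrorAction ignore "#{output_file}"`); if this is only a trailing newline or whitespace change, say so in the commit, otherwise it is unclear what changed here.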
+22 -6
@@ -41,7 +41,9 @@ In cloud environments, the above techniques may be used to discover remote syste
<br/>
## Atomic Test #1 - Remote System Discovery - net
Identify remote systems with net.exe
Identify remote systems with net.exe.
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
**Supported Platforms:** Windows
@@ -68,6 +70,8 @@ net view
## Atomic Test #2 - Remote System Discovery - net group Domain Computers
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
**Supported Platforms:** Windows
@@ -92,6 +96,8 @@ net group "Domain Computers" /domain
## Atomic Test #3 - Remote System Discovery - nltest
Identify domain controllers for specified domain.
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
**Supported Platforms:** Windows
@@ -119,7 +125,9 @@ nltest.exe /dclist:#{target_domain}
<br/>
## Atomic Test #4 - Remote System Discovery - ping sweep
Identify remote systems via ping sweep
Identify remote systems via ping sweep.
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
**Supported Platforms:** Windows
@@ -143,7 +151,9 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
<br/>
## Atomic Test #5 - Remote System Discovery - arp
Identify remote systems via arp
Identify remote systems via arp.
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
**Supported Platforms:** Windows
@@ -167,7 +177,9 @@ arp -a
<br/>
## Atomic Test #6 - Remote System Discovery - arp nix
Identify remote systems via arp
Identify remote systems via arp.
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
**Supported Platforms:** Linux, macOS
@@ -191,7 +203,9 @@ arp -a | grep -v '^?'
<br/>
## Atomic Test #7 - Remote System Discovery - sweep
Identify remote systems via ping sweep
Identify remote systems via ping sweep.
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
**Supported Platforms:** Linux, macOS
@@ -215,7 +229,9 @@ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.16
<br/>
## Atomic Test #8 - Remote System Discovery - nslookup
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
**Supported Platforms:** Windows
+23 -6
@@ -5,7 +5,9 @@ display_name: Remote System Discovery
atomic_tests:
- name: Remote System Discovery - net
description: |
Identify remote systems with net.exe
Identify remote systems with net.exe.
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
supported_platforms:
- windows
@@ -21,6 +23,8 @@ atomic_tests:
description: |
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
supported_platforms:
- windows
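Review bot: "cmd.exe will execute cmd.exe against Active Directory" is wrong; the command is `net group "Domain Computers" /domain` (L294 in the generated doc), so say "cmd.exe runs net.exe to list the members of the Domain Computers group from the domain". Worth adding that this requires a domain-joined host with a reachable domain controller, otherwise net.exe errors.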
@@ -34,6 +38,8 @@ atomic_tests:
description: |
Identify domain controllers for specified domain.
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
supported_platforms:
- windows
@@ -51,7 +57,9 @@ atomic_tests:
- name: Remote System Discovery - ping sweep
description: |
Identify remote systems via ping sweep
Identify remote systems via ping sweep.
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
supported_platforms:
- windows
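Review bot: "192.168.1.1/24" is not a valid way to write the network; the loop in the generated doc (L306) walks 192.168.1.1 through 192.168.1.254, so write that, or 192.168.1.0/24. Since the range is hard-coded in the command rather than an input argument, a tester on any other subnet gets no useful output; consider making it an input and referencing it here.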
@@ -64,7 +72,9 @@ atomic_tests:
- name: Remote System Discovery - arp
description: |
Identify remote systems via arp
Identify remote systems via arp.
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- windows
@@ -77,7 +87,9 @@ atomic_tests:
- name: Remote System Discovery - arp nix
description: |
Identify remote systems via arp
Identify remote systems via arp.
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- linux
@@ -91,7 +103,9 @@ atomic_tests:
- name: Remote System Discovery - sweep
description: |
Identify remote systems via ping sweep
Identify remote systems via ping sweep.
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
supported_platforms:
- linux
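Review bot: same hard-coded 192.168.1.x range as the Windows sweep (L327), so the same suggestion applies: make the subnet an input argument and reference it in the description. "echo via stdout if an IP is active" would be clearer as "prints the address of each host that answers a single ping".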
@@ -105,7 +119,10 @@ atomic_tests:
- name: Remote System Discovery - nslookup
description: |
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
supported_platforms:
- windows
executor:
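Review bot: "runs nslookup on cmd.exe" is confusing; suggest "PowerShell script that runs nslookup (via cmd.exe) against the local /24 of the first adapter listed in ipconfig", and "adaptor" should be "adapter". The expectation should also say that most of the 254 lookups will return non-existent domain or timeout output, which is normal for this test.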
+6 -2
@@ -24,6 +24,8 @@ Another example of obfuscation is through the use of steganography, a technique
## Atomic Test #1 - Decode base64 Data into Script
Creates a base64-encoded data file and decodes it into an executable shell script
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
**Supported Platforms:** macOS, Linux
@@ -50,7 +52,8 @@ chmod +x /tmp/art.sh
## Atomic Test #2 - Execute base64-encoded PowerShell
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon execution the test will print "Hey, Atomic!" to the PowerShell session
Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
**Supported Platforms:** Windows
@@ -84,7 +87,8 @@ powershell.exe -EncodedCommand $EncodedCommand
## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
Upon execution "Hey, Atomic!" will be printed to the powershell session
Upon successful execution, powershell will execute encoded command and read/write from the registry.
**Supported Platforms:** Windows
+7 -2
@@ -7,6 +7,8 @@ atomic_tests:
description: |
Creates a base64-encoded data file and decodes it into an executable shell script
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
supported_platforms:
- macos
- linux
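Review bot: art.sh is not "a base64 encoded command"; per the first sentence it is the decoded script, and what it prints is the text `Hello from the Atomic Red Team`, not the literal `echo ...` command. Suggest: "sh decodes the base64 data into /tmp/art.sh and runs it, which prints `Hello from the Atomic Red Team` to stdout".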
@@ -23,7 +25,8 @@ atomic_tests:
- name: Execute base64-encoded PowerShell
description: |
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon execution the test will print "Hey, Atomic!" to the PowerShell session
Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
supported_platforms:
- windows
input_arguments:
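Review bot: the new line has unbalanced quotes (`"Write-Host "Hey, Atomic!"`) and states the command rather than its output; the removed line ("will print "Hey, Atomic!" to the PowerShell session") was the more accurate expectation. If the message is one of the input_arguments that follow, reference its default instead of quoting the code.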
@@ -44,7 +47,9 @@ atomic_tests:
- name: Execute base64-encoded PowerShell from Windows Registry
description: |
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
Upon execution "Hey, Atomic!" will be printed to the powershell session
Upon successful execution, powershell will execute encoded command and read/write from the registry.
supported_platforms:
- windows
input_arguments:
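Review bot: this replaces a concrete expectation ("Hey, Atomic!" will be printed) with "read/write from the registry", which is less testable. Keep the printed output and add the registry key and value name that is written, since that registry write is the artifact a detection engineer will look for.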
+33 -7
@@ -20,6 +20,8 @@
## Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
**Supported Platforms:** Windows
@@ -42,12 +44,14 @@ Enable-PSRemoting -Force
<br/>
## Atomic Test #2 - PowerShell Lateral Movement
Powershell lateral movement using the mmc20 application com object
Powershell lateral movement using the mmc20 application com object.
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
@@ -75,7 +79,9 @@ powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.appl
<br/>
## Atomic Test #3 - WMIC Process Call Create
Utilize WMIC to start remote process
Utilize WMIC to start remote process.
Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
**Supported Platforms:** Windows
@@ -106,7 +112,9 @@ wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process cal
<br/>
## Atomic Test #4 - Psexec
Utilize psexec to start remote process
Utilize psexec to start remote process.
Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
**Supported Platforms:** Windows
@@ -118,26 +126,44 @@ Utilize psexec to start remote process
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN&#92;Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
| computer_name | Target Computer Name | String | localhost|
| psexec_exe | Path to PsExec | string | C:&#92;PSTools&#92;PsExec.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
#{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
```
#### Dependencies: Run with `command_prompt`!
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```cmd
if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```cmd
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
```
<br/>
<br/>
## Atomic Test #5 - Invoke-Command
Execute Invoke-command on remote host
Execute Invoke-command on remote host.
Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
**Supported Platforms:** Windows
@@ -147,7 +173,7 @@ Execute Invoke-command on remote host
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_name | Remote Windows Host Name | String | Test|
| host_name | Remote Windows Host Name | String | localhost|
| remote_command | Command to execute on remote Host | String | ipconfig|
+33 -7
@@ -7,6 +7,8 @@ atomic_tests:
description: |
Powershell Enable WinRM
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
supported_platforms:
- windows
@@ -18,12 +20,14 @@ atomic_tests:
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
Powershell lateral movement using the mmc20 application com object.
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
Upon successful execution, cmd will spawn calc.exe on a remote computer.
supported_platforms:
- windows
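Review bot: "cmd will spawn calc.exe on a remote computer" skips the actual mechanism: the executor runs powershell.exe (L460 in the generated doc), which instantiates MMC20.Application on the target over DCOM and that spawns calc.exe. Say so, and name the input argument that holds the target, so a reader knows the process ancestry to expect on the remote host.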
@@ -40,7 +44,9 @@ atomic_tests:
- name: WMIC Process Call Create
description: |
Utilize WMIC to start remote process
Utilize WMIC to start remote process.
Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
supported_platforms:
- windows
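Review bot: the new line claims wmic.exe modifies the registry to swap osk.exe with cmd.exe, but the visible command (L467 in the generated doc) is `process call create` and the payload is truncated on this page; make sure the description matches what the created process actually runs. If it does write an Image File Execution Options Debugger value on the remote host, the test needs a cleanup_command that removes it, and none is shown in this hunk.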
@@ -66,7 +72,9 @@ atomic_tests:
- name: Psexec
description: |
Utilize psexec to start remote process
Utilize psexec to start remote process.
Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
supported_platforms:
- windows
@@ -83,23 +91,41 @@ atomic_tests:
computer_name:
description: Target Computer Name
type: String
default: Target
default: localhost
psexec_exe:
description: Path to PsExec
type: string
default: "C:\\PSTools\\PsExec.exe"
dependencies:
- description: |
PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
prereq_command: |
if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
executor:
name: command_prompt
command: |
psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
#{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
- name: Invoke-Command
description: |
Execute Invoke-command on remote host
Execute Invoke-command on remote host.
Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
supported_platforms:
- windows
input_arguments:
host_name:
description: Remote Windows Host Name
type: String
default: Test
default: localhost
remote_command:
description: Command to execute on remote Host
type: String
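Review bot: the prereq commands in the new dependencies block (L561 to L566) are PowerShell (`Test-Path`, `Invoke-WebRequest`, `Expand-Archive`) but no `dependency_executor_name: powershell` is set, so they run under the test's `command_prompt` executor (the generated doc renders them under "Run with `command_prompt`!") and will fail. Two more problems in the same block: L561 has an extra double quote (`"#{psexec_exe}""`), a syntax error even under PowerShell; and L565 creates a directory at the full `#{psexec_exe}` path (`C:\PSTools\PsExec.exe`), after which L566 copies the binary inside it, so `Test-Path` passes but `#{psexec_exe}` at L571 is a folder, not an executable; use `Split-Path "#{psexec_exe}"` for New-Item. Separately, `-s cmd.exe` with no `-d` and no command to run starts an interactive cmd.exe that blocks the runner; for an automated test prefer a `cmd.exe /c ...` payload or add `-d`. Changing the defaults to localhost is a good safety improvement, but the description should say PsExec still needs local admin rights and a reachable ADMIN$ share, and the Invoke-Command test depends on PSRemoting being enabled (the first test in this file).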
+2
@@ -17,6 +17,8 @@ Adversaries may also intentionally corrupt or kill services to execute malicious
This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
**Supported Platforms:** Windows
+2
@@ -8,6 +8,8 @@ atomic_tests:
This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
supported_platforms:
- windows
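Review bot: "Powershell will then spawn" repeats the preceding clause; the useful expectation is what the tester will see: the service control manager starts powershell.exe as the Fax binary, and because powershell.exe does not respond as a service the start command reports a failure even though the process ran (the same caveat the T1035 description in this PR already states, L673). The description also says the binPath is reverted; confirm that revert lives in cleanup_command (not shown in this hunk) so it still happens if the attack command errors part way.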
+2
@@ -15,6 +15,8 @@ This is to test to see if a C2 session can be established using an SSL socket.
More information about this technique, including how to set up the listener, can be found here:
https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.
**Supported Platforms:** Windows
+3
@@ -9,6 +9,9 @@ atomic_tests:
This is to test to see if a C2 session can be established using an SSL socket.
More information about this technique, including how to set up the listener, can be found here:
https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.
supported_platforms:
- windows
input_arguments:
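Review bot: the new line fixes the target as 127.0.0.1 over 443, but input_arguments follows immediately; if the server and port are inputs, describe them as "the configured server and port (default 127.0.0.1:443)" so the expectation stays correct when the tester points it at their own listener. Also state the negative case: with no listener on that port the connection is refused and no shell is established, which is what a tester without the referenced OpenSSL setup will observe.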
+7 -2
@@ -22,7 +22,10 @@ On Linux, the currently logged in user can be identified with <code>w</code> and
<br/>
## Atomic Test #1 - System Owner/User Discovery
Identify System owner or users on an endpoint
Identify System owner or users on an endpoint.
Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout.
Additionally, two files will be written to disk - computers.txt and usernames.txt.
**Supported Platforms:** Windows
@@ -32,7 +35,7 @@ Identify System owner or users on an endpoint
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | computer1|
| computer_name | Name of remote computer | string | localhost|
#### Attack Commands: Run with `command_prompt`!
@@ -60,6 +63,8 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active
## Atomic Test #2 - System Owner/User Discovery
Identify System owner or users on an endpoint
Upon successful execution, sh will stdout list of usernames.
**Supported Platforms:** Linux, macOS
+7 -2
@@ -5,7 +5,10 @@ display_name: System Owner/User Discovery
atomic_tests:
- name: System Owner/User Discovery
description: |
Identify System owner or users on an endpoint
Identify System owner or users on an endpoint.
Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout.
Additionally, two files will be written to disk - computers.txt and usernames.txt.
supported_platforms:
- windows
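Review bot: "two files will be written to disk - computers.txt and usernames.txt" should say where they are written, since those paths are what a responder will search for, and cleanup_command should delete them; neither detail is visible in this hunk. "spawn multiple commands against a target host" is vague: the visible context (L637) shows `qwinsta /server:#{computer_name}`, so name the commands, and note that with the new default of localhost the test enumerates local sessions rather than a remote host.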
@@ -14,7 +17,7 @@ atomic_tests:
computer_name:
description: Name of remote computer
type: string
default: computer1
default: localhost
executor:
name: command_prompt
@@ -33,6 +36,8 @@ atomic_tests:
description: |
Identify System owner or users on an endpoint
Upon successful execution, sh will stdout list of usernames.
supported_platforms:
- linux
- macos
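Review bot: "sh will stdout list of usernames" is ungrammatical; suggest "sh will print the current and logged-in usernames to stdout", naming the commands used (the technique text at L622 mentions `w` for Linux).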
+5 -1
@@ -14,6 +14,8 @@
## Atomic Test #1 - Execute a Command as a Service
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt`
**Supported Platforms:** Windows
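Review bot: "cmd.exe create a new service" should be "cmd.exe creates a new service", and the sentence needs a closing period. The unchanged line above it still reads "aribrary" for "arbitrary"; worth fixing in the same pass.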
@@ -45,7 +47,9 @@ sc.exe delete #{service_name}
## Atomic Test #2 - Use PsExec to execute a command on a remote host
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
Will run a command on a remote host
Will run a command on a remote host.
Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost).
**Supported Platforms:** Windows
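Review bot: the context line "path to sysinternals is one of the input input_arguments" repeats "input", and "(default:localhost)" should name the input argument it is the default of, with a space after the colon. "powershell will download psexec.exe" also deserves a mention that the test therefore needs outbound network access.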
+6 -1
@@ -6,6 +6,9 @@ atomic_tests:
- name: Execute a Command as a Service
description: |
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt`
supported_platforms:
- windows
input_arguments:
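Review bot: "cmd.exe create" should be "cmd.exe creates" here as well, this being the source the markdown mirrors, and "aribrary" in the preceding line should be "arbitrary".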
@@ -28,7 +31,9 @@ atomic_tests:
- name: Use PsExec to execute a command on a remote host
description: |
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
Will run a command on a remote host
Will run a command on a remote host.
Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost).
supported_platforms:
- windows
input_arguments:
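Review bot: the duplicated "input input_arguments" and the "(default:localhost)" wording appear here too; fix them at source so the regenerated markdown picks them up.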
+12
@@ -41,6 +41,7 @@ An example of abuse of trusted locations in Linux would be the <code>/bin</code
## Atomic Test #1 - Masquerading as Windows LSASS process
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
**Supported Platforms:** Windows
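Review bot: "The test" mid-sentence should be lowercase and the sentence needs a period. More substantively, a test that is documented to hang until the 120 second Invoke-AtomicTest timeout is a usability problem: the copied cmd.exe is most likely blocking on interactive input, so consider launching it in a form that returns immediately (for example a command that exits) rather than documenting the hang.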
@@ -72,6 +73,8 @@ del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
## Atomic Test #2 - Masquerading as Linux crond process.
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
Upon successful execution, sh is renamed to `crond` and executed.
**Supported Platforms:** Linux
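Review bot: "sh is renamed to `crond`" is not what the test does; the next hunk header shows `cp /bin/sh /tmp/crond`, so sh is copied to /tmp/crond and that copy is executed. Say "copied to /tmp/crond and executed" so the description matches the command and tells a reader where to look on disk.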
@@ -97,6 +100,8 @@ cp /bin/sh /tmp/crond
## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe
Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.
**Supported Platforms:** Windows
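Review bot: "executed from non-standard path" needs an article: "from a non-standard path". The same phrasing recurs in the taskhostw and lsm descriptions below.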
@@ -125,6 +130,7 @@ del /Q /F %APPDATA%\notepad.exe >nul 2>&1
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
**Supported Platforms:** Windows
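Review bot: "ran out of the temp folder" should be "run from the temp folder" (past participle after "will have been"). Also, the description says temp folder while the cleanup line in the next hunk header deletes `%APPDATA%\svchost.exe`; the location named should match the one the test actually uses.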
@@ -156,6 +162,8 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1
## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.
**Supported Platforms:** Windows
@@ -185,6 +193,8 @@ del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
## Atomic Test #6 - Masquerading - non-windows exe running as windows exe
Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path.
**Supported Platforms:** Windows
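Review bot: "from on a non-standard path" has an extra word; "from a non-standard path".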
@@ -271,6 +281,8 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
Detect LSM running from an incorrect directory and an incorrect service account
This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.
Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.
**Supported Platforms:** Windows
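Review bot: the first line, "Detect LSM running from an incorrect directory...", describes a detection goal rather than what the test does; the new sentence is the actual behaviour, so consider leading with it. "from non-standard path" should be "from a non-standard path".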
+13
@@ -6,6 +6,7 @@ atomic_tests:
- name: Masquerading as Windows LSASS process
description: |
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
supported_platforms:
- windows
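Review bot: the description edits in this file mirror the markdown hunks above and carry the same wording issues (capitalized "The test" and the documented hang here; "renamed" for what is a cp, "from non-standard path", "ran out of", and "from on a" in the hunks that follow). Since the markdown mirrors this YAML, the fixes belong in this file.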
@@ -23,6 +24,8 @@ atomic_tests:
description: |
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
Upon successful execution, sh is renamed to `crond` and executed.
supported_platforms:
- linux
@@ -36,6 +39,9 @@ atomic_tests:
- name: Masquerading - cscript.exe running as notepad.exe
description: |
Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.
supported_platforms:
- windows
executor:
@@ -50,6 +56,7 @@ atomic_tests:
- name: Masquerading - wscript.exe running as svchost.exe
description: |
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
supported_platforms:
- windows
@@ -67,6 +74,8 @@ atomic_tests:
description: |
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.
supported_platforms:
- windows
@@ -83,6 +92,8 @@ atomic_tests:
description: |
Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path.
supported_platforms:
- windows
@@ -147,6 +158,8 @@ atomic_tests:
description: |
Detect LSM running from an incorrect directory and an incorrect service account
This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.
Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.
supported_platforms:
- windows
+1 -1
@@ -629,7 +629,7 @@
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
+178 -131
@@ -167,10 +167,10 @@ persistence:
identifier: T1015
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
description: 'Attaches cmd.exe to a list of processes. Configure your own Input
arguments to a different executable or list of executables.
description: |
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
'
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
@@ -2930,6 +2930,8 @@ persistence:
description: |
This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
supported_platforms:
- windows
executor:
@@ -5132,10 +5134,10 @@ persistence:
identifier: T1004
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
description: 'PowerShell code to set Winlogon shell key to execute a binary
at logon along with explorer.exe.
description: |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
'
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
input_arguments:
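Review bot: "upon logon/logoff" is inaccurate for the Winlogon Shell value: it is read when the user's shell is started at logon, not at logoff. Say "at logon". (Notify packages do receive logoff events, so that wording is fine for the third test in this block.)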
@@ -5155,10 +5157,10 @@ persistence:
'
- name: Winlogon Userinit Key Persistence - PowerShell
description: 'PowerShell code to set Winlogon userinit key to execute a binary
at logon along with userinit.exe.
description: |
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
'
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
input_arguments:
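Review bot: same point as the Shell test: Userinit runs at logon only, so "upon logon/logoff" should read "at logon".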
@@ -5178,10 +5180,10 @@ persistence:
'
- name: Winlogon Notify Key Logon Persistence - PowerShell
description: 'PowerShell code to set Winlogon Notify key to execute a notification
package DLL at logon.
description: |
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
'
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
supported_platforms:
- windows
input_arguments:
@@ -5484,9 +5486,10 @@ defense-evasion:
identifier: T1009
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
description: 'Uses dd to add a zero to the binary to change the hash
description: |
Uses dd to add a zero to the binary to change the hash.
'
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- macos
- linux
@@ -9668,6 +9671,7 @@ defense-evasion:
- name: Masquerading as Windows LSASS process
description: |
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
supported_platforms:
- windows
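Review bot: this block and the T1036 hunks that follow it repeat the per-test descriptions verbatim, so they inherit the wording issues flagged on the T1036 markdown and YAML hunks above (the documented hang, "renamed" for a cp, missing articles, "ran out of", "from on a"); they will need the same corrections once the source file is fixed.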
@@ -9681,10 +9685,10 @@ defense-evasion:
'
- name: Masquerading as Linux crond process.
description: 'Copies sh process, renames it as crond, and executes it to masquerade
as the cron daemon.
description: |
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
'
Upon successful execution, sh is renamed to `crond` and executed.
supported_platforms:
- linux
executor:
@@ -9694,10 +9698,10 @@ defense-evasion:
cp /bin/sh /tmp/crond
/tmp/crond
- name: Masquerading - cscript.exe running as notepad.exe
description: 'Copies cscript.exe, renames it, and launches it to masquerade
as an instance of notepad.exe.
description: |
Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
'
Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.
supported_platforms:
- windows
executor:
@@ -9712,6 +9716,7 @@ defense-evasion:
- name: Masquerading - wscript.exe running as svchost.exe
description: |
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
supported_platforms:
- windows
@@ -9725,10 +9730,10 @@ defense-evasion:
'
- name: Masquerading - powershell.exe running as taskhostw.exe
description: 'Copies powershell.exe, renames it, and launches it to masquerade
as an instance of taskhostw.exe.
description: |
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
'
Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.
supported_platforms:
- windows
executor:
@@ -9741,10 +9746,10 @@ defense-evasion:
'
- name: Masquerading - non-windows exe running as windows exe
description: 'Copies an exe, renames it as a windows exe, and launches it to
masquerade as a real windows exe
description: |
Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
'
Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path.
supported_platforms:
- windows
input_arguments:
@@ -9803,6 +9808,8 @@ defense-evasion:
description: |
Detect LSM running from an incorrect directory and an incorrect service account
This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.
Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.
supported_platforms:
- windows
executor:
@@ -10593,10 +10600,10 @@ defense-evasion:
identifier: T1027
atomic_tests:
- name: Decode base64 Data into Script
description: 'Creates a base64-encoded data file and decodes it into an executable
shell script
description: |
Creates a base64-encoded data file and decodes it into an executable shell script
'
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
supported_platforms:
- macos
- linux
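Review bot: "which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`" is confusing: art.sh is the decoded script, and what reaches stdout is the text "Hello from the Atomic Red Team", not the echo command. Suggest: "sh will execute art.sh, decoded from the base64 data file, which prints "Hello from the Atomic Red Team" to stdout."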
@@ -10611,7 +10618,8 @@ defense-evasion:
- name: Execute base64-encoded PowerShell
description: |
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon execution the test will print "Hey, Atomic!" to the PowerShell session
Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
supported_platforms:
- windows
input_arguments:
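Review bot: the replacement line is less clear than the one it removes: `stdout default is "Write-Host "Hey, Atomic!"` has unbalanced quotes and describes the command rather than its output. Keep the observable result explicit, e.g. "powershell will run the encoded command; with the default input it prints "Hey, Atomic!" to the session".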
@@ -10631,7 +10639,8 @@ defense-evasion:
- name: Execute base64-encoded PowerShell from Windows Registry
description: |
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
Upon execution "Hey, Atomic!" will be printed to the powershell session
Upon successful execution, powershell will execute encoded command and read/write from the registry.
supported_platforms:
- windows
input_arguments:
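Review bot: the removed line stated the observable result ("Hey, Atomic!" printed to the session); the new one only says the registry is read and written. Keep both, since the expected output is what someone validating the test will look for.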
@@ -13210,10 +13219,10 @@ privilege-escalation:
identifier: T1015
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
description: 'Attaches cmd.exe to a list of processes. Configure your own Input
arguments to a different executable or list of executables.
description: |
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
'
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
@@ -16912,10 +16921,10 @@ discovery:
identifier: T1010
atomic_tests:
- name: List Process Main Windows - C# .NET
description: 'Compiles and executes C# code to list main window titles associated
with each process.
description: |
Compiles and executes C# code to list main window titles associated with each process.
'
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
supported_platforms:
- windows
input_arguments:
@@ -18167,15 +18176,16 @@ discovery:
atomic_tests:
- name: Query Registry
description: |
Query Windows Registry
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
References:
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
References:
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
@@ -18281,9 +18291,10 @@ discovery:
identifier: T1018
atomic_tests:
- name: Remote System Discovery - net
description: 'Identify remote systems with net.exe
description: |
Identify remote systems with net.exe.
'
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
supported_platforms:
- windows
executor:
@@ -18293,10 +18304,10 @@ discovery:
net view /domain
net view
- name: Remote System Discovery - net group Domain Computers
description: 'Identify remote systems with net.exe querying the Active Directory
Domain Computers group.
description: |
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
'
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
supported_platforms:
- windows
executor:
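Review bot: "cmd.exe will execute cmd.exe against Active Directory" names the wrong binary the second time; per the test name this is net.exe ("net group" against the Domain Computers group).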
@@ -18306,9 +18317,10 @@ discovery:
'
- name: Remote System Discovery - nltest
description: 'Identify domain controllers for specified domain.
description: |
Identify domain controllers for specified domain.
'
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
supported_platforms:
- windows
input_arguments:
@@ -18323,9 +18335,10 @@ discovery:
'
- name: Remote System Discovery - ping sweep
description: 'Identify remote systems via ping sweep
description: |
Identify remote systems via ping sweep.
'
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
supported_platforms:
- windows
executor:
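Review bot: the range is hard-coded as 192.168.1.1/24 in the description; 192.168.1.0/24 is the canonical form, and if the test exposes the range as an input argument the description should refer to that argument rather than a literal, so the two cannot drift.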
@@ -18335,9 +18348,8 @@ discovery:
'
- name: Remote System Discovery - arp
description: 'Identify remote systems via arp
'
description: "Identify remote systems via arp. \n\nUpon successful execution,
cmd.exe will execute arp to list out the arp cache. Output will be via stdout.\n"
supported_platforms:
- windows
executor:
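Review bot: this description was rewritten as a double-quoted scalar with embedded `\n\n` and a trailing space before the newline ("arp. \n"), while every other description in this change uses a `|` block literal. Use the block literal here too; it reads better in the source and avoids the stray whitespace.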
@@ -18347,9 +18359,10 @@ discovery:
'
- name: Remote System Discovery - arp nix
description: 'Identify remote systems via arp
description: |
Identify remote systems via arp.
'
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- linux
- macos
@@ -18360,9 +18373,9 @@ discovery:
'
- name: Remote System Discovery - sweep
description: 'Identify remote systems via ping sweep
'
description: "Identify remote systems via ping sweep.\n\nUpon successful execution,
sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if
an IP is active. \n"
supported_platforms:
- linux
- macos
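Review bot: same double-quoted folded style and trailing space ("active. \n") as the arp entry; a `|` block literal is consistent with the rest of the change.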
@@ -18374,10 +18387,11 @@ discovery:
'
- name: Remote System Discovery - nslookup
description: 'Powershell script that runs nslookup on cmd.exe against the local
/24 network of the first network adaptor listed in ipconfig
'
description: "Powershell script that runs nslookup on cmd.exe against the local
/24 network of the first network adaptor listed in ipconfig.\n\nUpon successful
execution, powershell will identify the ip range (via ipconfig) and perform
a for loop and execute nslookup against that IP range. Output will be via
stdout. \n"
supported_platforms:
- windows
executor:
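Review bot: same double-quoted folded style, with "stdout. \n" carrying a trailing space; convert to a `|` block literal like the other entries.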
@@ -18804,9 +18818,10 @@ discovery:
identifier: T1016
atomic_tests:
- name: System Network Configuration Discovery
description: 'Identify network configuration information
description: |
Identify network configuration information
'
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
supported_platforms:
- windows
executor:
@@ -18819,9 +18834,10 @@ discovery:
nbtstat -n
net config
- name: List Windows Firewall Rules
description: 'Enumerates Windows Firewall Rules using netsh.
description: |
Enumerates Windows Firewall Rules using netsh.
'
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
supported_platforms:
- windows
executor:
@@ -18831,9 +18847,10 @@ discovery:
'
- name: System Network Configuration Discovery
description: 'Identify network configuration information
description: |
Identify network configuration information.
'
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
supported_platforms:
- macos
- linux
@@ -18844,11 +18861,11 @@ discovery:
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
- name: System Network Configuration Discovery (Trickbot Style)
description: 'Identify network configuration information as seen by Trickbot
and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
- name: System Network Configuration Discovery (TrickBot Style)
description: |
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
'
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
supported_platforms:
- windows
executor:
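Review bot: the test name is corrected to "TrickBot" but the description on the next line still says "Trickbot"; make the two consistent. The rename also changes the index entries (visible in the other hunks of this change), which is expected but worth a mention for anyone referencing the old name.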
@@ -18863,6 +18880,8 @@ discovery:
description: |
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
supported_platforms:
- windows
input_arguments:
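Review bot: the description hard-codes "Desktop\open-ports.txt" while the test's cleanup_command in the next hunk removes "#{output_file}"; refer to the input argument (and its default) in the description so the documented path cannot drift from the one the test uses.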
@@ -18901,7 +18920,9 @@ discovery:
| Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were
a total of $totalopen open ports out of $totalports ports tested.\"\n$results
| Out-File -Encoding ASCII -append $file\nWrite-Host $results\n"
cleanup_command: Remove-Item -ErrorAction ignore "#{output_file}"
cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}"
'
T1049:
technique:
x_mitre_permissions_required:
@@ -19058,16 +19079,17 @@ discovery:
identifier: T1033
atomic_tests:
- name: System Owner/User Discovery
description: 'Identify System owner or users on an endpoint
'
description: "Identify System owner or users on an endpoint.\n\nUpon successful
execution, cmd.exe will spawn multiple commands against a target host to identify
usernames. Output will be via stdout. \nAdditionally, two files will be written
to disk - computers.txt and usernames.txt.\n"
supported_platforms:
- windows
input_arguments:
computer_name:
description: Name of remote computer
type: string
default: computer1
default: localhost
executor:
name: command_prompt
elevation_required: false
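Review bot: double-quoted folded scalar again, with "stdout. \n" carrying a trailing space; the `|` block used elsewhere in this change is the better form. The default change to localhost matches the T1033 file hunk above.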
@@ -19081,9 +19103,10 @@ discovery:
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
- name: System Owner/User Discovery
description: 'Identify System owner or users on an endpoint
description: |
Identify System owner or users on an endpoint
'
Upon successful execution, sh will stdout list of usernames.
supported_platforms:
- linux
- macos
@@ -19139,9 +19162,10 @@ discovery:
identifier: T1007
atomic_tests:
- name: System Service Discovery
description: 'Identify system services
description: |
Identify system services.
'
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
supported_platforms:
- windows
executor:
@@ -19152,10 +19176,10 @@ discovery:
sc query
sc query state= all
- name: System Service Discovery - net.exe
description: 'Enumerates started system services using net.exe and writes them
to a file. This technique has been used by multiple threat actors.
description: |
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
'
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
supported_platforms:
- windows
input_arguments:
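Review bot: "c:\Windows\Temp\service-list.txt.s" has a stray trailing "s" after the extension.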
@@ -24072,11 +24096,10 @@ execution:
identifier: T1035
atomic_tests:
- name: Execute a Command as a Service
description: 'Creates a service specifying an aribrary command and executes
it. When executing commands such as PowerShell, the service will report that
it did not start correctly even when code executes properly.
description: |
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
'
Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt`
supported_platforms:
- windows
input_arguments:
@@ -24099,7 +24122,9 @@ execution:
- name: Use PsExec to execute a command on a remote host
description: |
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
Will run a command on a remote host
Will run a command on a remote host.
Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost).
supported_platforms:
- windows
input_arguments:
@@ -25297,9 +25322,8 @@ execution:
identifier: T1028
atomic_tests:
- name: Enable Windows Remote Management
description: 'Powershell Enable WinRM
'
description: "Powershell Enable WinRM\n\nUpon successful execution, powershell
will \"Enable-PSRemoting\" allowing for remote PS access. \n"
supported_platforms:
- windows
executor:
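Review bot: Enable-PSRemoting requires an elevated session, so if this test's executor is not marked elevation_required: true the description's "allowing for remote PS access" will not hold when run unelevated. The scalar is also double-quoted and folded with a trailing space ("access. \n"), unlike the `|` style used elsewhere.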
@@ -25309,12 +25333,8 @@ execution:
'
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
description: "Powershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon
successful execution, cmd will spawn calc.exe on a remote computer. \n"
supported_platforms:
- windows
input_arguments:
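Review bot: collapsing the three-line block literal into one double-quoted scalar with escaped `\n\n` makes the reference URL and the new sentence much harder to read in the source; keep the `|` block from the removed lines and append the "Upon successful execution" sentence to it.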
@@ -25329,9 +25349,10 @@ execution:
'
- name: WMIC Process Call Create
description: 'Utilize WMIC to start remote process
description: |
Utilize WMIC to start remote process.
'
Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
@@ -25356,9 +25377,10 @@ execution:
'
- name: Psexec
description: 'Utilize psexec to start remote process
description: |
Utilize psexec to start remote process.
'
Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
supported_platforms:
- windows
input_arguments:
@@ -25373,23 +25395,36 @@ execution:
computer_name:
description: Target Computer Name
type: String
default: Target
default: localhost
psexec_exe:
description: Path to PsExec
type: string
default: C:\PSTools\PsExec.exe
dependencies:
- description: PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_exe})
prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
get_prereq_command: |-
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
executor:
name: command_prompt
command: 'psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
'
command: "#{psexec_exe} \\\\#{computer_name} -u #{user_name} -p #{password}
-s cmd.exe\n"
- name: Invoke-Command
description: 'Execute Invoke-command on remote host
description: |
Execute Invoke-command on remote host.
'
Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
supported_platforms:
- windows
input_arguments:
host_name:
description: Remote Windows Host Name
type: String
default: Test
default: localhost
remote_command:
description: Command to execute on remote Host
type: String
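Review bot: `prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}` has a doubled quote after the argument, which is a PowerShell syntax error, so the dependency check will always fail. Second, `New-Item -ItemType Directory ("#{psexec_exe}") -Force` creates a directory at the full path C:\PSTools\PsExec.exe, and the following Copy-Item then targets that directory; create the parent with `Split-Path "#{psexec_exe}"` instead. Third, these prerequisites are PowerShell while the executor is command_prompt, so they need to be declared to run under PowerShell rather than inherit the cmd executor. The localhost default and the new psexec_exe argument are otherwise welcome.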
@@ -26787,9 +26822,8 @@ lateral-movement:
identifier: T1028
atomic_tests:
- name: Enable Windows Remote Management
description: 'Powershell Enable WinRM
'
description: "Powershell Enable WinRM\n\nUpon successful execution, powershell
will \"Enable-PSRemoting\" allowing for remote PS access. \n"
supported_platforms:
- windows
executor:
@@ -26799,12 +26833,8 @@ lateral-movement:
'
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
description: "Powershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon
successful execution, cmd will spawn calc.exe on a remote computer. \n"
supported_platforms:
- windows
input_arguments:
@@ -26819,9 +26849,10 @@ lateral-movement:
'
- name: WMIC Process Call Create
description: 'Utilize WMIC to start remote process
description: |
Utilize WMIC to start remote process.
'
Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
@@ -26846,9 +26877,10 @@ lateral-movement:
'
- name: Psexec
description: 'Utilize psexec to start remote process
description: |
Utilize psexec to start remote process.
'
Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
supported_platforms:
- windows
input_arguments:
@@ -26863,23 +26895,36 @@ lateral-movement:
computer_name:
description: Target Computer Name
type: String
default: Target
default: localhost
psexec_exe:
description: Path to PsExec
type: string
default: C:\PSTools\PsExec.exe
dependencies:
- description: PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_exe})
prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
get_prereq_command: |-
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
executor:
name: command_prompt
command: 'psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
'
command: "#{psexec_exe} \\\\#{computer_name} -u #{user_name} -p #{password}
-s cmd.exe\n"
- name: Invoke-Command
description: 'Execute Invoke-command on remote host
description: |
Execute Invoke-command on remote host.
'
Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
supported_platforms:
- windows
input_arguments:
host_name:
description: Remote Windows Host Name
type: String
default: Test
default: localhost
remote_command:
description: Command to execute on remote Host
type: String
@@ -27308,10 +27353,10 @@ collection:
identifier: T1005
atomic_tests:
- name: Search macOS Safari Cookies
description: 'This test uses `grep` to search a macOS Safari binaryCookies file
for specified values. This was used by CookieMiner malware.
description: |
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
'
Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`.
supported_platforms:
- macos
input_arguments:
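Review bot: the path `~/Libraries/Cookies` should be `~/Library/Cookies` (Library, singular, is where Safari keeps Cookies.binarycookies), and "MacOS shell" should be "macOS". Also, "grep for `Cookies.binarycookies`" contradicts the first sentence, which says grep searches that file for specified values; say "grep `Cookies.binarycookies` for the specified values".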
@@ -29237,6 +29282,8 @@ command-and-control:
This is to test to see if a C2 session can be established using an SSL socket.
More information about this technique, including how to set up the listener, can be found here:
https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.
supported_platforms:
- windows
input_arguments:
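Review bot: "over 443" should be "over TCP port 443"; and if the listener address and port are input arguments, reference them rather than the literal 127.0.0.1.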
+1 -1
@@ -448,7 +448,7 @@
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]