From e4ce60f9f2c4c62d478477671024f97fd3f17601 Mon Sep 17 00:00:00 2001 From: Michael Haag Date: Thu, 19 Mar 2020 21:23:10 -0600 Subject: [PATCH] Updated Descriptions (#897) * Updated Descriptions Updated descriptions with what to expect from successful execution. * Update T1028.yaml * Update T1028.yaml * Generate docs from job=validate_atomics_generate_docs branch=description-updates * move text to description * Generate docs from job=validate_atomics_generate_docs branch=description-updates * typo fix * Generate docs from job=validate_atomics_generate_docs branch=description-updates Co-authored-by: CircleCI Atomic Red Team doc generator Co-authored-by: Carrie Roberts --- atomics/T1004/T1004.md | 6 + atomics/T1004/T1004.yaml | 6 + atomics/T1005/T1005.md | 2 + atomics/T1005/T1005.yaml | 2 + atomics/T1007/T1007.md | 6 +- atomics/T1007/T1007.yaml | 6 +- atomics/T1009/T1009.md | 4 +- atomics/T1009/T1009.yaml | 4 +- atomics/T1010/T1010.md | 2 + atomics/T1010/T1010.yaml | 2 + atomics/T1012/T1012.md | 7 +- atomics/T1012/T1012.yaml | 7 +- atomics/T1015/T1015.md | 2 + atomics/T1015/T1015.yaml | 2 + atomics/T1016/T1016.md | 16 +- atomics/T1016/T1016.yaml | 17 ++- atomics/T1018/T1018.md | 28 +++- atomics/T1018/T1018.yaml | 29 +++- atomics/T1027/T1027.md | 8 +- atomics/T1027/T1027.yaml | 9 +- atomics/T1028/T1028.md | 40 ++++- atomics/T1028/T1028.yaml | 40 ++++- atomics/T1031/T1031.md | 2 + atomics/T1031/T1031.yaml | 2 + atomics/T1032/T1032.md | 2 + atomics/T1032/T1032.yaml | 3 + atomics/T1033/T1033.md | 9 +- atomics/T1033/T1033.yaml | 9 +- atomics/T1035/T1035.md | 6 +- atomics/T1035/T1035.yaml | 7 +- atomics/T1036/T1036.md | 12 ++ atomics/T1036/T1036.yaml | 13 ++ atomics/index.md | 2 +- atomics/index.yaml | 309 ++++++++++++++++++++++----------------- atomics/windows-index.md | 2 +- 35 files changed, 438 insertions(+), 185 deletions(-) diff --git a/atomics/T1004/T1004.md b/atomics/T1004/T1004.md index ba8ed0f5..27df95f3 100644 --- a/atomics/T1004/T1004.md 
+++ b/atomics/T1004/T1004.md @@ -24,6 +24,8 @@ Adversaries may take advantage of these features to repeatedly execute malicious ## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. +Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + **Supported Platforms:** Windows @@ -57,6 +59,8 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi ## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. +Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + **Supported Platforms:** Windows @@ -90,6 +94,8 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi ## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. +Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. + **Supported Platforms:** Windows diff --git a/atomics/T1004/T1004.yaml b/atomics/T1004/T1004.yaml index 61e5af7a..37d5eb9b 100644 --- a/atomics/T1004/T1004.yaml +++ b/atomics/T1004/T1004.yaml @@ -7,6 +7,8 @@ atomic_tests: description: | PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + supported_platforms: - windows @@ -28,6 +30,8 @@ atomic_tests: description: | PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + supported_platforms: - windows 
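Review bot: The sentences added in the T1004.yaml @@ -7 and @@ -28 hunks say the new registry value executes cmd.exe `upon logon/logoff`, but the existing descriptions directly above them say the Winlogon `Shell` and `Userinit` values run a binary at logon along with explorer.exe / userinit.exe; as far as I can tell those values are not consulted at logoff, so `Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon.` is the accurate wording. The Notify-package sentence in the @@ -49 hunk is a different case, since notification DLLs do receive logoff events, so it can stay as written. The same text is repeated in the generated T1004.md hunks and will follow once the YAML is corrected.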
@@ -49,6 +53,8 @@ atomic_tests: description: | PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. + Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. + supported_platforms: - windows diff --git a/atomics/T1005/T1005.md b/atomics/T1005/T1005.md index 21b3e6d6..82b5e651 100644 --- a/atomics/T1005/T1005.md +++ b/atomics/T1005/T1005.md @@ -15,6 +15,8 @@ Adversaries will often search the file system on computers they have compromised ## Atomic Test #1 - Search macOS Safari Cookies This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. +Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`. + **Supported Platforms:** macOS diff --git a/atomics/T1005/T1005.yaml b/atomics/T1005/T1005.yaml index 2d9e98a9..667bdc02 100644 --- a/atomics/T1005/T1005.yaml +++ b/atomics/T1005/T1005.yaml @@ -7,6 +7,8 @@ atomic_tests: description: | This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. + Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`. + supported_platforms: - macos diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index d0ca194a..0655cf80 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -12,7 +12,9 @@
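Review bot: The path `~/Libraries/Cookies` in the T1005.yaml hunk looks like a typo for the standard macOS location `~/Library/Cookies`, which is where Safari keeps `Cookies.binarycookies`; the test's actual command is outside this hunk, so verify the description against it rather than the other way round. The sentence also says the shell will `grep for Cookies.binarycookies`, whereas the existing description says grep searches inside that file for specified values, so `grep the Cookies.binarycookies file for the specified values` would describe the expected behaviour more precisely. The generated T1005.md hunk repeats both points and is regenerated from the YAML.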
## Atomic Test #1 - System Service Discovery -Identify system services +Identify system services. + +Upon successful execution, cmd.exe will execute service commands with expected result to stdout. **Supported Platforms:** Windows @@ -40,6 +42,8 @@ sc query state= all ## Atomic Test #2 - System Service Discovery - net.exe Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. +Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s + **Supported Platforms:** Windows diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index f8aa3079..b78b76ef 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -5,7 +5,9 @@ display_name: System Service Discovery atomic_tests: - name: System Service Discovery description: | - Identify system services + Identify system services. + + Upon successful execution, cmd.exe will execute service commands with expected result to stdout. supported_platforms: - windows @@ -21,6 +23,8 @@ atomic_tests: - name: System Service Discovery - net.exe description: | Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. + + Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s supported_platforms: - windows input_arguments: diff --git a/atomics/T1009/T1009.md b/atomics/T1009/T1009.md index 1541c047..35b1f67c 100644 --- a/atomics/T1009/T1009.md +++ b/atomics/T1009/T1009.md @@ -13,7 +13,9 @@ Binary padding effectively changes the checksum of the file and can also be used
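Review bot: The expected-output path in the T1007.yaml @@ -21 hunk, `c:\Windows\Temp\service-list.txt.s`, carries a stray trailing `s`; the intended file is presumably `service-list.txt`, so the sentence should end `Expected output is to a txt file in c:\Windows\Temp\service-list.txt.` If that path is one of this test's input arguments (the hunk ends at `input_arguments:` so I cannot see them), referencing it as the argument placeholder instead of the literal default keeps the description correct when a caller overrides it. The generated T1007.md hunk repeats the typo and will be fixed by the doc-generation job once the YAML is corrected.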
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd -Uses dd to add a zero to the binary to change the hash +Uses dd to add a zero to the binary to change the hash. + +Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. **Supported Platforms:** macOS, Linux diff --git a/atomics/T1009/T1009.yaml b/atomics/T1009/T1009.yaml index 135d5b65..31431263 100644 --- a/atomics/T1009/T1009.yaml +++ b/atomics/T1009/T1009.yaml @@ -5,7 +5,9 @@ display_name: Binary Padding atomic_tests: - name: Pad Binary to Change Hash - Linux/macOS dd description: | - Uses dd to add a zero to the binary to change the hash + Uses dd to add a zero to the binary to change the hash. + + Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - macos diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index 3e095015..4e4ac075 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md @@ -14,6 +14,8 @@ In Mac, this can be done natively with a small [AppleScript](https://attack.mitr ## Atomic Test #1 - List Process Main Windows - C# .NET Compiles and executes C# code to list main window titles associated with each process. +Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. + **Supported Platforms:** Windows diff --git a/atomics/T1010/T1010.yaml b/atomics/T1010/T1010.yaml index cbacd202..14ed5e78 100644 --- a/atomics/T1010/T1010.yaml +++ b/atomics/T1010/T1010.yaml 
@@ -7,6 +7,8 @@ atomic_tests: description: | Compiles and executes C# code to list main window titles associated with each process. + Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. + supported_platforms: - windows diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md index c2010f07..e9a5b9fe 100644 --- a/atomics/T1012/T1012.md +++ b/atomics/T1012/T1012.md @@ -12,15 +12,16 @@ The Registry contains a significant amount of information about the operating sy
## Atomic Test #1 - Query Registry -Query Windows Registry +Query Windows Registry. + +Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). + References: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services -References: - http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml index 255a7d8f..e1941173 100644 --- a/atomics/T1012/T1012.yaml +++ b/atomics/T1012/T1012.yaml @@ -5,15 +5,16 @@ display_name: Query Registry atomic_tests: - name: Query Registry description: | - Query Windows Registry + Query Windows Registry. + + Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). + References: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services - References: - http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md index c064ebea..0cbed157 100644 --- a/atomics/T1015/T1015.md +++ b/atomics/T1015/T1015.md 
@@ -28,6 +28,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi ## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. +Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. + **Supported Platforms:** Windows diff --git a/atomics/T1015/T1015.yaml b/atomics/T1015/T1015.yaml index 6a24e2ea..600cd1bd 100644 --- a/atomics/T1015/T1015.yaml +++ b/atomics/T1015/T1015.yaml @@ -6,6 +6,8 @@ atomic_tests: - name: Attaches Command Prompt as a Debugger to a List of Target Processes description: | Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. + + Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. supported_platforms: - windows input_arguments: diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 1464751d..5fd7d098 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -12,7 +12,7 @@ Adversaries may use the information from [System Network Configuration Discovery - [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery) -- [Atomic Test #4 - System Network Configuration Discovery (Trickbot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style) +- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style) - [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports) 
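Review bot: The sentence added in the T1015.yaml hunk hardcodes `swap osk.exe with cmd.exe`, while the sentence immediately above it tells the user to configure their own input arguments for a different executable or list of executables; with non-default arguments the description becomes wrong. Suggest `Upon successful execution, powershell will modify the registry so that each configured target process (osk.exe by default) launches cmd.exe as its debugger.` The same wording appears in the generated T1015.md hunk.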
@@ -22,6 +22,8 @@ Adversaries may use the information from [System Network Configuration Discovery ## Atomic Test #1 - System Network Configuration Discovery Identify network configuration information +Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. + **Supported Platforms:** Windows @@ -50,6 +52,8 @@ net config ## Atomic Test #2 - List Windows Firewall Rules Enumerates Windows Firewall Rules using netsh. +Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. + **Supported Platforms:** Windows @@ -72,7 +76,9 @@ netsh advfirewall firewall show rule name=all
## Atomic Test #3 - System Network Configuration Discovery -Identify network configuration information +Identify network configuration information. + +Upon successful execution, sh will spawn multiple commands and output will be via stdout. **Supported Platforms:** macOS, Linux @@ -97,9 +103,11 @@ ifconfig

-## Atomic Test #4 - System Network Configuration Discovery (Trickbot Style) +## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style) Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ +Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout. + **Supported Platforms:** Windows @@ -128,6 +136,8 @@ nltest /domain_trusts This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ +Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt. + **Supported Platforms:** Windows diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index b7eea598..b0a9a875 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -7,6 +7,8 @@ atomic_tests: description: | Identify network configuration information + Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. + supported_platforms: - windows @@ -24,6 +26,8 @@ atomic_tests: description: | Enumerates Windows Firewall Rules using netsh. + Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. + supported_platforms: - windows @@ -35,7 +39,9 @@ atomic_tests: - name: System Network Configuration Discovery description: | - Identify network configuration information + Identify network configuration information. + + Upon successful execution, sh will spawn multiple commands and output will be via stdout. supported_platforms: - macos 
@@ -49,9 +55,12 @@ atomic_tests: netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c ifconfig -- name: System Network Configuration Discovery (Trickbot Style) +- name: System Network Configuration Discovery (TrickBot Style) description: | Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ + + Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout. + supported_platforms: - windows executor: @@ -67,6 +76,8 @@ atomic_tests: description: | This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ + + Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt. supported_platforms: - windows input_arguments: @@ -125,4 +136,4 @@ atomic_tests: $results | Out-File -Encoding ASCII -append $file Write-Host $results cleanup_command: | - Remove-Item -ErrorAction ignore "#{output_file}" \ No newline at end of file + Remove-Item -ErrorAction ignore "#{output_file}" diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index af617a07..8ddf3733 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -41,7 +41,9 @@ In cloud environments, the above techniques may be used to discover remote syste
## Atomic Test #1 - Remote System Discovery - net -Identify remote systems with net.exe +Identify remote systems with net.exe. + +Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled. **Supported Platforms:** Windows @@ -68,6 +70,8 @@ net view ## Atomic Test #2 - Remote System Discovery - net group Domain Computers Identify remote systems with net.exe querying the Active Directory Domain Computers group. +Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout. + **Supported Platforms:** Windows @@ -92,6 +96,8 @@ net group "Domain Computers" /domain ## Atomic Test #3 - Remote System Discovery - nltest Identify domain controllers for specified domain. +Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. + **Supported Platforms:** Windows @@ -119,7 +125,9 @@ nltest.exe /dclist:#{target_domain}
## Atomic Test #4 - Remote System Discovery - ping sweep -Identify remote systems via ping sweep +Identify remote systems via ping sweep. + +Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. **Supported Platforms:** Windows @@ -143,7 +151,9 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
## Atomic Test #5 - Remote System Discovery - arp -Identify remote systems via arp +Identify remote systems via arp. + +Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. **Supported Platforms:** Windows @@ -167,7 +177,9 @@ arp -a
## Atomic Test #6 - Remote System Discovery - arp nix -Identify remote systems via arp +Identify remote systems via arp. + +Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. **Supported Platforms:** Linux, macOS @@ -191,7 +203,9 @@ arp -a | grep -v '^?'
## Atomic Test #7 - Remote System Discovery - sweep -Identify remote systems via ping sweep +Identify remote systems via ping sweep. + +Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. **Supported Platforms:** Linux, macOS @@ -215,7 +229,9 @@ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.16
## Atomic Test #8 - Remote System Discovery - nslookup -Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig +Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. + +Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. **Supported Platforms:** Windows diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index c4bcb57e..0cc72222 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml @@ -5,7 +5,9 @@ display_name: Remote System Discovery atomic_tests: - name: Remote System Discovery - net description: | - Identify remote systems with net.exe + Identify remote systems with net.exe. + + Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled. supported_platforms: - windows @@ -21,6 +23,8 @@ atomic_tests: description: | Identify remote systems with net.exe querying the Active Directory Domain Computers group. + Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout. + supported_platforms: - windows @@ -34,6 +38,8 @@ atomic_tests: description: | Identify domain controllers for specified domain. + Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. + supported_platforms: - windows 
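Review bot: The new sentence in the T1018.yaml @@ -21 hunk, `cmd.exe will execute cmd.exe against Active Directory`, names the wrong binary; the attack command for this test, shown as context in the T1018.md hunk (`net group "Domain Computers" /domain`), runs through net.exe, so the line should read `Upon successful execution, cmd.exe will execute net.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.` The generated T1018.md hunk repeats the sentence, so only the YAML needs the change.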
@@ -51,7 +57,9 @@ atomic_tests: - name: Remote System Discovery - ping sweep description: | - Identify remote systems via ping sweep + Identify remote systems via ping sweep. + + Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. supported_platforms: - windows @@ -64,7 +72,9 @@ atomic_tests: - name: Remote System Discovery - arp description: | - Identify remote systems via arp + Identify remote systems via arp. + + Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - windows @@ -77,7 +87,9 @@ atomic_tests: - name: Remote System Discovery - arp nix description: | - Identify remote systems via arp + Identify remote systems via arp. + + Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - linux @@ -91,7 +103,9 @@ atomic_tests: - name: Remote System Discovery - sweep description: | - Identify remote systems via ping sweep + Identify remote systems via ping sweep. + + Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - linux @@ -105,7 +119,10 @@ atomic_tests: - name: Remote System Discovery - nslookup description: | - Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig + Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. + + Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. + supported_platforms: - windows executor: diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 54a7bbf4..c4d5759b 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md 
@@ -24,6 +24,8 @@ Another example of obfuscation is through the use of steganography, a technique ## Atomic Test #1 - Decode base64 Data into Script Creates a base64-encoded data file and decodes it into an executable shell script +Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. + **Supported Platforms:** macOS, Linux @@ -50,7 +52,8 @@ chmod +x /tmp/art.sh ## Atomic Test #2 - Execute base64-encoded PowerShell Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. -Upon execution the test will print "Hey, Atomic!" to the PowerShell session + +Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" **Supported Platforms:** Windows @@ -84,7 +87,8 @@ powershell.exe -EncodedCommand $EncodedCommand ## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. -Upon execution "Hey, Atomic!" will be printed to the powershell session + +Upon successful execution, powershell will execute encoded command and read/write from the registry. **Supported Platforms:** Windows diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index e379afde..39e2c483 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -7,6 +7,8 @@ atomic_tests: description: | Creates a base64-encoded data file and decodes it into an executable shell script + Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. + supported_platforms: - macos - linux 
@@ -23,7 +25,8 @@ atomic_tests: - name: Execute base64-encoded PowerShell description: | Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. - Upon execution the test will print "Hey, Atomic!" to the PowerShell session + + Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" supported_platforms: - windows input_arguments: @@ -44,7 +47,9 @@ atomic_tests: - name: Execute base64-encoded PowerShell from Windows Registry description: | Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. - Upon execution "Hey, Atomic!" will be printed to the powershell session + + Upon successful execution, powershell will execute encoded command and read/write from the registry. + supported_platforms: - windows input_arguments: diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md index c8176a25..d77820b7 100644 --- a/atomics/T1028/T1028.md +++ b/atomics/T1028/T1028.md @@ -20,6 +20,8 @@ ## Atomic Test #1 - Enable Windows Remote Management Powershell Enable WinRM +Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. + **Supported Platforms:** Windows @@ -42,12 +44,14 @@ Enable-PSRemoting -Force
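Review bot: The replacement sentence in the T1027.yaml @@ -23 hunk, `stdout default is "Write-Host "Hey, Atomic!"`, has unbalanced quotes and is less clear than the line it removes, which stated the observable result directly; suggest `Upon successful execution, powershell will execute an encoded command and print "Hey, Atomic!" to the PowerShell session.` The @@ -44 hunk of the same file likewise drops the expected printed string in favour of `read/write from the registry`; keeping both the registry behaviour and the expected `"Hey, Atomic!"` output gives whoever runs the test something concrete to check. The generated T1027.md hunks carry the same text.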
## Atomic Test #2 - PowerShell Lateral Movement -Powershell lateral movement using the mmc20 application com object +Powershell lateral movement using the mmc20 application com object. Reference: https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ +Upon successful execution, cmd will spawn calc.exe on a remote computer. + **Supported Platforms:** Windows @@ -75,7 +79,9 @@ powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.appl
## Atomic Test #3 - WMIC Process Call Create -Utilize WMIC to start remote process +Utilize WMIC to start remote process. + +Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe. **Supported Platforms:** Windows @@ -106,7 +112,9 @@ wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process cal
## Atomic Test #4 - Psexec -Utilize psexec to start remote process +Utilize psexec to start remote process. + +Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system. **Supported Platforms:** Windows @@ -118,26 +126,44 @@ Utilize psexec to start remote process |------|-------------|------|---------------| | user_name | Username | String | DOMAIN\Administrator| | password | Password | String | P@ssw0rd1| -| computer_name | Target Computer Name | String | Target| +| computer_name | Target Computer Name | String | localhost| +| psexec_exe | Path to PsExec | string | C:\PSTools\PsExec.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe +#{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe ``` +#### Dependencies: Run with `command_prompt`! +##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) +##### Check Prereq Commands: +```cmd +if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1} +``` +##### Get Prereq Commands: +```cmd +Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" +Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force +New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null +Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force +``` + +

## Atomic Test #5 - Invoke-Command -Execute Invoke-command on remote host +Execute Invoke-command on remote host. + +Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. **Supported Platforms:** Windows @@ -147,7 +173,7 @@ Execute Invoke-command on remote host #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| host_name | Remote Windows Host Name | String | Test| +| host_name | Remote Windows Host Name | String | localhost| | remote_command | Command to execute on remote Host | String | ipconfig| diff --git a/atomics/T1028/T1028.yaml b/atomics/T1028/T1028.yaml index cbf7cfda..fa76b9a4 100644 --- a/atomics/T1028/T1028.yaml +++ b/atomics/T1028/T1028.yaml @@ -7,6 +7,8 @@ atomic_tests: description: | Powershell Enable WinRM + Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. + supported_platforms: - windows @@ -18,12 +20,14 @@ atomic_tests: - name: PowerShell Lateral Movement description: | - Powershell lateral movement using the mmc20 application com object + Powershell lateral movement using the mmc20 application com object. Reference: https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ + Upon successful execution, cmd will spawn calc.exe on a remote computer. + supported_platforms: - windows @@ -40,7 +44,9 @@ atomic_tests: - name: WMIC Process Call Create description: | - Utilize WMIC to start remote process + Utilize WMIC to start remote process. + + Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe. supported_platforms: - windows 
@@ -66,7 +72,9 @@ atomic_tests: - name: Psexec description: | - Utilize psexec to start remote process + Utilize psexec to start remote process. + + Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system. supported_platforms: - windows @@ -83,23 +91,41 @@ atomic_tests: computer_name: description: Target Computer Name type: String - default: Target + default: localhost + psexec_exe: + description: Path to PsExec + type: string + default: "C:\\PSTools\\PsExec.exe" + + dependencies: + - description: | + PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) + prereq_command: | + if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1} + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force executor: name: command_prompt command: | - psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe + #{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe - name: Invoke-Command description: | - Execute Invoke-command on remote host + Execute Invoke-command on remote host. + + Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. + supported_platforms: - windows input_arguments: host_name: description: Remote Windows Host Name type: String - default: Test + default: localhost remote_command: description: Command to execute on remote Host type: String diff --git a/atomics/T1031/T1031.md b/atomics/T1031/T1031.md index 82bef2fe..075da461 100644 --- a/atomics/T1031/T1031.md +++ b/atomics/T1031/T1031.md 
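Review bot: The `prereq_command` and `get_prereq_command` added under `dependencies:` in the T1028.yaml @@ -83 hunk are PowerShell (`Test-Path`, `Invoke-WebRequest`, `Expand-Archive`, `New-Item`, `Copy-Item`, `$env:TEMP`), yet the test's executor is `command_prompt` and the generated T1028.md accordingly labels them "Run with `command_prompt`", so they will fail under cmd.exe; either give the dependency its own PowerShell executor (`dependency_executor_name`, if this version of the schema supports it) or rewrite the commands in cmd syntax. The prereq line also has an unbalanced quote in `"#{psexec_exe}""`, and `New-Item -ItemType Directory ("#{psexec_exe}")` creates a directory at the full executable path (default `C:\PSTools\PsExec.exe`), so the following `Copy-Item` cannot place the binary where the executor command expects it; it should create `(Split-Path "#{psexec_exe}")` instead. Because this step downloads an executable that the executor then runs with `-s`, it should check the Authenticode signature of the extracted `PsExec.exe` with `Get-AuthenticodeSignature` before copying it into place rather than trusting whatever the download returned. Minor: the new `type: string` differs from the `type: String` casing used by every other input argument in this file. A corrected dependency block follows.
```yaml
  dependency_executor_name: powershell
  dependencies:
  - description: |
      PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
    prereq_command: |
      if (Test-Path "#{psexec_exe}") { exit 0 } else { exit 1 }
    get_prereq_command: |
      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
      Expand-Archive "$env:TEMP\PsTools.zip" "$env:TEMP\PsTools" -Force
      # refuse to install a binary whose signature is missing or broken; it is later run as SYSTEM
      if ((Get-AuthenticodeSignature "$env:TEMP\PsTools\PsExec.exe").Status -ne 'Valid') { exit 1 }
      New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
      Copy-Item "$env:TEMP\PsTools\PsExec.exe" "#{psexec_exe}" -Force
  # … unchanged: executor …
```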
@@ -17,6 +17,8 @@ Adversaries may also intentionally corrupt or kill services to execute malicious This test will temporarily modify the service Fax by changing the binPath to PowerShell and will then revert the binPath change, restoring Fax to its original state. +Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. + **Supported Platforms:** Windows diff --git a/atomics/T1031/T1031.yaml b/atomics/T1031/T1031.yaml index e75b89e7..dba8a12e 100644 --- a/atomics/T1031/T1031.yaml +++ b/atomics/T1031/T1031.yaml @@ -8,6 +8,8 @@ atomic_tests: This test will temporarily modify the service Fax by changing the binPath to PowerShell and will then revert the binPath change, restoring Fax to its original state. + Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. + supported_platforms: - windows diff --git a/atomics/T1032/T1032.md b/atomics/T1032/T1032.md index 07f8c7ac..5fa35b0f 100644 --- a/atomics/T1032/T1032.md +++ b/atomics/T1032/T1032.md @@ -15,6 +15,8 @@ This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 +Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. + **Supported Platforms:** Windows diff --git a/atomics/T1032/T1032.yaml b/atomics/T1032/T1032.yaml index 2a64f37e..f238ca06 100644 --- a/atomics/T1032/T1032.yaml +++ b/atomics/T1032/T1032.yaml 
@@ -9,6 +9,9 @@ atomic_tests: This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 + + Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. + supported_platforms: - windows input_arguments: diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index 442a4f50..276e9ab1 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -22,7 +22,10 @@ On Linux, the currently logged in user can be identified with w and
## Atomic Test #1 - System Owner/User Discovery -Identify System owner or users on an endpoint +Identify System owner or users on an endpoint. + +Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. +Additionally, two files will be written to disk - computers.txt and usernames.txt. **Supported Platforms:** Windows @@ -32,7 +35,7 @@ Identify System owner or users on an endpoint #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| computer_name | Name of remote computer | string | computer1| +| computer_name | Name of remote computer | string | localhost| #### Attack Commands: Run with `command_prompt`! @@ -60,6 +63,8 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active ## Atomic Test #2 - System Owner/User Discovery Identify System owner or users on an endpoint +Upon successful execution, sh will stdout list of usernames. + **Supported Platforms:** Linux, macOS diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index c6a6952a..4e6ad784 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -5,7 +5,10 @@ display_name: System Owner/User Discovery atomic_tests: - name: System Owner/User Discovery description: | - Identify System owner or users on an endpoint + Identify System owner or users on an endpoint. + + Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. + Additionally, two files will be written to disk - computers.txt and usernames.txt. supported_platforms: - windows @@ -14,7 +17,7 @@ atomic_tests: computer_name: description: Name of remote computer type: string - default: computer1 + default: localhost executor: name: command_prompt 
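Review bot: The new description in hunk `@@ -5,7 +5,10 @@` of T1033.yaml states that computers.txt and usernames.txt are written to disk but not where; the visible command lines redirect with a bare `> usernames.txt`, so the files land in whatever directory the command_prompt executor is started from. Saying so helps anyone triaging the artifacts afterwards, e.g. `Additionally, two files are written to the current working directory - computers.txt and usernames.txt.` The executor's cleanup is outside the hunk; if the test has no cleanup_command for these two files, adding one would keep the artifacts from lingering on the host after the test.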
@@ -33,6 +36,8 @@ atomic_tests: description: | Identify System owner or users on an endpoint + Upon successful execution, sh will stdout list of usernames. + supported_platforms: - linux - macos diff --git a/atomics/T1035/T1035.md b/atomics/T1035/T1035.md index 9dc150f3..574699b1 100644 --- a/atomics/T1035/T1035.md +++ b/atomics/T1035/T1035.md @@ -14,6 +14,8 @@ ## Atomic Test #1 - Execute a Command as a Service Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. +Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt` + **Supported Platforms:** Windows @@ -45,7 +47,9 @@ sc.exe delete #{service_name} ## Atomic Test #2 - Use PsExec to execute a command on a remote host Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments -Will run a command on a remote host +Will run a command on a remote host. + +Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost). **Supported Platforms:** Windows diff --git a/atomics/T1035/T1035.yaml b/atomics/T1035/T1035.yaml index 47376548..8157ecb8 100644 --- a/atomics/T1035/T1035.yaml +++ b/atomics/T1035/T1035.yaml @@ -6,6 +6,9 @@ atomic_tests: - name: Execute a Command as a Service description: | Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. + + Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt` + supported_platforms: - windows input_arguments: 
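Review bot: The outcome sentence added in hunk `@@ -6,6 +6,9 @@` of T1035.yaml has a subject/verb mismatch and no terminating period: "cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt`". A reading that matches the existing first line would be `Upon successful execution, cmd.exe creates a new service with sc.exe create; the service starts powershell.exe, which writes a new file, art-marker.txt.` The unchanged context line above it still spells "aribrary", which could be corrected in the same pass since this commit already rewrites the description block. The same text is duplicated into the generated index.yaml.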
@@ -28,7 +31,9 @@ atomic_tests: - name: Use PsExec to execute a command on a remote host description: | Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments - Will run a command on a remote host + Will run a command on a remote host. + + Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost). supported_platforms: - windows input_arguments: diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index f213f712..9aed0704 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -41,6 +41,7 @@ An example of abuse of trusted locations in Linux would be the /binnul 2>&1 ## Atomic Test #2 - Masquerading as Linux crond process. Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. +Upon successful execution, sh is renamed to `crond` and executed. + **Supported Platforms:** Linux @@ -97,6 +100,8 @@ cp /bin/sh /tmp/crond ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. +Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. + **Supported Platforms:** Windows @@ -125,6 +130,7 @@ del /Q /F %APPDATA%\notepad.exe >nul 2>&1 ## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. + Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder **Supported Platforms:** Windows 
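Review bot: The new sentence in hunk `@@ -28,7 +31,9 @@` of T1035.yaml, "powershell will download psexec.exe and spawn calc.exe", contradicts the unchanged first line of the same description, "Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments". The input arguments and any dependency block are outside the hunk, so I cannot tell which is true; if the test now fetches PsExec itself, the first line should be reworded, and if it does not, the new line should say `powershell will use psexec.exe from the configured Sysinternals path and spawn calc.exe on a remote endpoint (default: localhost).` Either way the "(default:localhost)" needs a space after the colon, and "input input_arguments" repeats a word.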
@@ -156,6 +162,8 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1 ## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. +Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. + **Supported Platforms:** Windows @@ -185,6 +193,8 @@ del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 ## Atomic Test #6 - Masquerading - non-windows exe running as windows exe Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe +Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path. + **Supported Platforms:** Windows @@ -271,6 +281,8 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. +Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path. + **Supported Platforms:** Windows diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml index c122dbaa..710701ee 100644 --- a/atomics/T1036/T1036.yaml +++ b/atomics/T1036/T1036.yaml @@ -6,6 +6,7 @@ atomic_tests: - name: Masquerading as Windows LSASS process description: | Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. + Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session supported_platforms: - windows @@ -23,6 +24,8 @@ atomic_tests: description: | Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. + Upon successful execution, sh is renamed to `crond` and executed. + supported_platforms: - linux 
@@ -36,6 +39,9 @@ atomic_tests: - name: Masquerading - cscript.exe running as notepad.exe description: | Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. + + Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. + supported_platforms: - windows executor: @@ -50,6 +56,7 @@ atomic_tests: - name: Masquerading - wscript.exe running as svchost.exe description: | Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. + Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder supported_platforms: - windows @@ -67,6 +74,8 @@ atomic_tests: description: | Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. + Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. + supported_platforms: - windows @@ -83,6 +92,8 @@ atomic_tests: description: | Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe + Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path. + supported_platforms: - windows @@ -147,6 +158,8 @@ atomic_tests: description: | Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. + + Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path. supported_platforms: - windows diff --git a/atomics/index.md b/atomics/index.md index c898d465..608b4255 100644 --- a/atomics/index.md +++ b/atomics/index.md 
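Review bot: The sentence added in hunk `@@ -83,6 +92,8 @@` of T1036.yaml, "powershell will execute T1036.exe as svchost.exe from on a non-standard path.", has a stray word; `Upon successful execution, powershell will execute T1036.exe as svchost.exe from a non-standard path.` The sibling sentences added in the same file say "executed from non-standard path" without an article, so pick one form for all of them. The generated index.yaml entry repeats the same wording.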
@@ -629,7 +629,7 @@ - Atomic Test #1: System Network Configuration Discovery [windows] - Atomic Test #2: List Windows Firewall Rules [windows] - Atomic Test #3: System Network Configuration Discovery [macos, linux] - - Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows] + - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows] - Atomic Test #5: List Open Egress Ports [windows] - [T1049 System Network Connections Discovery](./T1049/T1049.md) - Atomic Test #1: System Network Connections Discovery [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 16e35875..d61544a1 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -167,10 +167,10 @@ persistence: identifier: T1015 atomic_tests: - name: Attaches Command Prompt as a Debugger to a List of Target Processes - description: 'Attaches cmd.exe to a list of processes. Configure your own Input - arguments to a different executable or list of executables. + description: | + Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. -' + Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. supported_platforms: - windows input_arguments: @@ -2930,6 +2930,8 @@ persistence: description: | This test will temporarily modify the service Fax by changing the binPath to PowerShell and will then revert the binPath change, restoring Fax to its original state. + + Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. supported_platforms: - windows executor: 
@@ -5132,10 +5134,10 @@ persistence: identifier: T1004 atomic_tests: - name: Winlogon Shell Key Persistence - PowerShell - description: 'PowerShell code to set Winlogon shell key to execute a binary - at logon along with explorer.exe. + description: | + PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. -' + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. supported_platforms: - windows input_arguments: @@ -5155,10 +5157,10 @@ persistence: ' - name: Winlogon Userinit Key Persistence - PowerShell - description: 'PowerShell code to set Winlogon userinit key to execute a binary - at logon along with userinit.exe. + description: | + PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. -' + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. supported_platforms: - windows input_arguments: @@ -5178,10 +5180,10 @@ persistence: ' - name: Winlogon Notify Key Logon Persistence - PowerShell - description: 'PowerShell code to set Winlogon Notify key to execute a notification - package DLL at logon. + description: | + PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. -' + Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. supported_platforms: - windows input_arguments: @@ -5484,9 +5486,10 @@ defense-evasion: identifier: T1009 atomic_tests: - name: Pad Binary to Change Hash - Linux/macOS dd - description: 'Uses dd to add a zero to the binary to change the hash + description: | + Uses dd to add a zero to the binary to change the hash. -' + Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - macos - linux 
@@ -9668,6 +9671,7 @@ defense-evasion: - name: Masquerading as Windows LSASS process description: | Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. + Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session supported_platforms: - windows @@ -9681,10 +9685,10 @@ defense-evasion: ' - name: Masquerading as Linux crond process. - description: 'Copies sh process, renames it as crond, and executes it to masquerade - as the cron daemon. + description: | + Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. -' + Upon successful execution, sh is renamed to `crond` and executed. supported_platforms: - linux executor: @@ -9694,10 +9698,10 @@ defense-evasion: cp /bin/sh /tmp/crond /tmp/crond - name: Masquerading - cscript.exe running as notepad.exe - description: 'Copies cscript.exe, renames it, and launches it to masquerade - as an instance of notepad.exe. + description: | + Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. -' + Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. supported_platforms: - windows executor: @@ -9712,6 +9716,7 @@ defense-evasion: - name: Masquerading - wscript.exe running as svchost.exe description: | Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. + Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder supported_platforms: - windows 
@@ -9725,10 +9730,10 @@ defense-evasion: ' - name: Masquerading - powershell.exe running as taskhostw.exe - description: 'Copies powershell.exe, renames it, and launches it to masquerade - as an instance of taskhostw.exe. + description: | + Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. -' + Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. supported_platforms: - windows executor: @@ -9741,10 +9746,10 @@ defense-evasion: ' - name: Masquerading - non-windows exe running as windows exe - description: 'Copies an exe, renames it as a windows exe, and launches it to - masquerade as a real windows exe + description: | + Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe -' + Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path. supported_platforms: - windows input_arguments: @@ -9803,6 +9808,8 @@ defense-evasion: description: | Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. + + Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path. supported_platforms: - windows executor: @@ -10593,10 +10600,10 @@ defense-evasion: identifier: T1027 atomic_tests: - name: Decode base64 Data into Script - description: 'Creates a base64-encoded data file and decodes it into an executable - shell script + description: | + Creates a base64-encoded data file and decodes it into an executable shell script -' + Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. supported_platforms: - macos - linux 
@@ -10611,7 +10618,8 @@ defense-evasion: - name: Execute base64-encoded PowerShell description: | Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. - Upon execution the test will print "Hey, Atomic!" to the PowerShell session + + Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" supported_platforms: - windows input_arguments: @@ -10631,7 +10639,8 @@ defense-evasion: - name: Execute base64-encoded PowerShell from Windows Registry description: | Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. - Upon execution "Hey, Atomic!" will be printed to the powershell session + + Upon successful execution, powershell will execute encoded command and read/write from the registry. supported_platforms: - windows input_arguments: @@ -13210,10 +13219,10 @@ privilege-escalation: identifier: T1015 atomic_tests: - name: Attaches Command Prompt as a Debugger to a List of Target Processes - description: 'Attaches cmd.exe to a list of processes. Configure your own Input - arguments to a different executable or list of executables. + description: | + Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. -' + Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. supported_platforms: - windows input_arguments: 
@@ -16912,10 +16921,10 @@ discovery: identifier: T1010 atomic_tests: - name: List Process Main Windows - C# .NET - description: 'Compiles and executes C# code to list main window titles associated - with each process. + description: | + Compiles and executes C# code to list main window titles associated with each process. -' + Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. supported_platforms: - windows input_arguments: @@ -18167,15 +18176,16 @@ discovery: atomic_tests: - name: Query Registry description: | - Query Windows Registry + Query Windows Registry. + + Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). + References: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services - References: - http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf @@ -18281,9 +18291,10 @@ discovery: identifier: T1018 atomic_tests: - name: Remote System Discovery - net - description: 'Identify remote systems with net.exe + description: | + Identify remote systems with net.exe. -' + Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled. supported_platforms: - windows executor: 
@@ -18293,10 +18304,10 @@ discovery: net view /domain net view - name: Remote System Discovery - net group Domain Computers - description: 'Identify remote systems with net.exe querying the Active Directory - Domain Computers group. + description: | + Identify remote systems with net.exe querying the Active Directory Domain Computers group. -' + Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout. supported_platforms: - windows executor: @@ -18306,9 +18317,10 @@ discovery: ' - name: Remote System Discovery - nltest - description: 'Identify domain controllers for specified domain. + description: | + Identify domain controllers for specified domain. -' + Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. supported_platforms: - windows input_arguments: @@ -18323,9 +18335,10 @@ discovery: ' - name: Remote System Discovery - ping sweep - description: 'Identify remote systems via ping sweep + description: | + Identify remote systems via ping sweep. -' + Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. supported_platforms: - windows executor: @@ -18335,9 +18348,8 @@ discovery: ' - name: Remote System Discovery - arp - description: 'Identify remote systems via arp - -' + description: "Identify remote systems via arp. \n\nUpon successful execution, + cmd.exe will execute arp to list out the arp cache. Output will be via stdout.\n" supported_platforms: - windows executor: @@ -18347,9 +18359,10 @@ discovery: ' - name: Remote System Discovery - arp nix - description: 'Identify remote systems via arp + description: | + Identify remote systems via arp. -' + Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - linux - macos 
@@ -18360,9 +18373,9 @@ discovery: ' - name: Remote System Discovery - sweep - description: 'Identify remote systems via ping sweep - -' + description: "Identify remote systems via ping sweep.\n\nUpon successful execution, + sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if + an IP is active. \n" supported_platforms: - linux - macos @@ -18374,10 +18387,11 @@ discovery: ' - name: Remote System Discovery - nslookup - description: 'Powershell script that runs nslookup on cmd.exe against the local - /24 network of the first network adaptor listed in ipconfig - -' + description: "Powershell script that runs nslookup on cmd.exe against the local + /24 network of the first network adaptor listed in ipconfig.\n\nUpon successful + execution, powershell will identify the ip range (via ipconfig) and perform + a for loop and execute nslookup against that IP range. Output will be via + stdout. \n" supported_platforms: - windows executor: @@ -18804,9 +18818,10 @@ discovery: identifier: T1016 atomic_tests: - name: System Network Configuration Discovery - description: 'Identify network configuration information + description: | + Identify network configuration information -' + Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. supported_platforms: - windows executor: @@ -18819,9 +18834,10 @@ discovery: nbtstat -n net config - name: List Windows Firewall Rules - description: 'Enumerates Windows Firewall Rules using netsh. + description: | + Enumerates Windows Firewall Rules using netsh. -' + Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. supported_platforms: - windows executor: 
@@ -18831,9 +18847,10 @@ discovery: ' - name: System Network Configuration Discovery - description: 'Identify network configuration information + description: | + Identify network configuration information. -' + Upon successful execution, sh will spawn multiple commands and output will be via stdout. supported_platforms: - macos - linux @@ -18844,11 +18861,11 @@ discovery: arp -a netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c ifconfig - - name: System Network Configuration Discovery (Trickbot Style) - description: 'Identify network configuration information as seen by Trickbot - and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ + - name: System Network Configuration Discovery (TrickBot Style) + description: | + Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ -' + Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout. supported_platforms: - windows executor: @@ -18863,6 +18880,8 @@ discovery: description: | This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ + + Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt. supported_platforms: - windows input_arguments: 
@@ -18901,7 +18920,9 @@ discovery: | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n" - cleanup_command: Remove-Item -ErrorAction ignore "#{output_file}" + cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}" + +' T1049: technique: x_mitre_permissions_required: @@ -19058,16 +19079,17 @@ discovery: identifier: T1033 atomic_tests: - name: System Owner/User Discovery - description: 'Identify System owner or users on an endpoint - -' + description: "Identify System owner or users on an endpoint.\n\nUpon successful + execution, cmd.exe will spawn multiple commands against a target host to identify + usernames. Output will be via stdout. \nAdditionally, two files will be written + to disk - computers.txt and usernames.txt.\n" supported_platforms: - windows input_arguments: computer_name: description: Name of remote computer type: string - default: computer1 + default: localhost executor: name: command_prompt elevation_required: false @@ -19081,9 +19103,10 @@ discovery: for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt - name: System Owner/User Discovery - description: 'Identify System owner or users on an endpoint + description: | + Identify System owner or users on an endpoint -' + Upon successful execution, sh will stdout list of usernames. supported_platforms: - linux - macos 
@@ -19139,9 +19162,10 @@ discovery: identifier: T1007 atomic_tests: - name: System Service Discovery - description: 'Identify system services + description: | + Identify system services. -' + Upon successful execution, cmd.exe will execute service commands with expected result to stdout. supported_platforms: - windows executor: @@ -19152,10 +19176,10 @@ discovery: sc query sc query state= all - name: System Service Discovery - net.exe - description: 'Enumerates started system services using net.exe and writes them - to a file. This technique has been used by multiple threat actors. + description: | + Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. -' + Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s supported_platforms: - windows input_arguments: @@ -24072,11 +24096,10 @@ execution: identifier: T1035 atomic_tests: - name: Execute a Command as a Service - description: 'Creates a service specifying an aribrary command and executes - it. When executing commands such as PowerShell, the service will report that - it did not start correctly even when code executes properly. + description: | + Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. -' + Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt` supported_platforms: - windows input_arguments: 
@@ -24099,7 +24122,9 @@ execution: - name: Use PsExec to execute a command on a remote host description: | Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments - Will run a command on a remote host + Will run a command on a remote host. + + Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost). supported_platforms: - windows input_arguments: @@ -25297,9 +25322,8 @@ execution: identifier: T1028 atomic_tests: - name: Enable Windows Remote Management - description: 'Powershell Enable WinRM - -' + description: "Powershell Enable WinRM\n\nUpon successful execution, powershell + will \"Enable-PSRemoting\" allowing for remote PS access. \n" supported_platforms: - windows executor: @@ -25309,12 +25333,8 @@ execution: ' - name: PowerShell Lateral Movement - description: | - Powershell lateral movement using the mmc20 application com object - - Reference: - - https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ + description: "Powershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon + successful execution, cmd will spawn calc.exe on a remote computer. \n" supported_platforms: - windows input_arguments: @@ -25329,9 +25349,10 @@ execution: ' - name: WMIC Process Call Create - description: 'Utilize WMIC to start remote process + description: | + Utilize WMIC to start remote process. -' + Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe. supported_platforms: - windows input_arguments: 
@@ -25356,9 +25377,10 @@ execution:
 
 '
 - name: Psexec
- description: 'Utilize psexec to start remote process
+ description: |
+ Utilize psexec to start remote process.
 
-'
+ Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
 supported_platforms:
 - windows
 input_arguments:
@@ -25373,23 +25395,36 @@ execution:
 computer_name:
 description: Target Computer Name
 type: String
- default: Target
+ default: localhost
+ psexec_exe:
+ description: Path to PsExec
+ type: string
+ default: C:\PSTools\PsExec.exe
+ dependencies:
+ - description: PsExec tool from Sysinternals must exist on disk at specified
+ location (#{psexec_exe})
+ prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
+ get_prereq_command: |-
+ Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
+ Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+ New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
+ Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
 executor:
 name: command_prompt
- command: 'psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
-
-'
+ command: "#{psexec_exe} \\\\#{computer_name} -u #{user_name} -p #{password}
+ -s cmd.exe\n"
 - name: Invoke-Command
- description: 'Execute Invoke-command on remote host
+ description: |
+ Execute Invoke-command on remote host.
 
-'
+ Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
 supported_platforms:
 - windows
 input_arguments:
 host_name:
 description: Remote Windows Host Name
 type: String
- default: Test
+ default: localhost
 remote_command:
 description: Command to execute on remote Host
 type: String
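Review bot: The added `prereq_command` in the -25373 hunk has a stray second quote in `Test-Path "#{psexec_exe}""`, which is a PowerShell parse error, so the dependency check can never report success and `get_prereq_command` runs on every invocation. In `get_prereq_command`, `New-Item -ItemType Directory ("#{psexec_exe}")` creates a directory at the full exe path (`C:\PSTools\PsExec.exe` by default), so the following `Copy-Item` drops the binary inside that directory and the executor's `#{psexec_exe}` then points at a folder; the directory to create is `Split-Path "#{psexec_exe}"`. The zip is fetched and installed with no integrity check, so verifying the extracted binary's signature with `Get-AuthenticodeSignature` before copying it into place is worth adding. These prereq lines are PowerShell while the executor is `command_prompt`, and no `dependency_executor_name: powershell` is visible in this test, so they would presumably be run by cmd.exe unless that key is set. The identical block is added again in the -26863 hunk under lateral-movement, and `type: string` on `psexec_exe` differs in case from the `type: String` used by the neighbouring arguments.
```yaml
    dependency_executor_name: powershell
    dependencies:
    - description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
      prereq_command: if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
      get_prereq_command: |-
        Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
        Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
        # refuse an unsigned or tampered binary before placing it on disk
        if ((Get-AuthenticodeSignature "$env:TEMP\PsTools\PsExec.exe").Status -ne 'Valid') { exit 1 }
        New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
        Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
    # … unchanged: executor …
```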
@@ -26787,9 +26822,8 @@ lateral-movement:
 identifier: T1028
 atomic_tests:
 - name: Enable Windows Remote Management
- description: 'Powershell Enable WinRM
-
-'
+ description: "Powershell Enable WinRM\n\nUpon successful execution, powershell
+ will \"Enable-PSRemoting\" allowing for remote PS access. \n"
 supported_platforms:
 - windows
 executor:
@@ -26799,12 +26833,8 @@ lateral-movement:
 
 '
 - name: PowerShell Lateral Movement
- description: |
- Powershell lateral movement using the mmc20 application com object
-
- Reference:
-
- https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
+ description: "Powershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon
+ successful execution, cmd will spawn calc.exe on a remote computer. \n"
 supported_platforms:
 - windows
 input_arguments:
@@ -26819,9 +26849,10 @@ lateral-movement:
 
 '
 - name: WMIC Process Call Create
- description: 'Utilize WMIC to start remote process
+ description: |
+ Utilize WMIC to start remote process.
 
-'
+ Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
 supported_platforms:
 - windows
 input_arguments:
@@ -26846,9 +26877,10 @@ lateral-movement:
 
 '
 - name: Psexec
- description: 'Utilize psexec to start remote process
+ description: |
+ Utilize psexec to start remote process.
 
-'
+ Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
 supported_platforms:
 - windows
 input_arguments:
@@ -26863,23 +26895,36 @@ lateral-movement:
 computer_name:
 description: Target Computer Name
 type: String
- default: Target
+ default: localhost
+ psexec_exe:
+ description: Path to PsExec
+ type: string
+ default: C:\PSTools\PsExec.exe
+ dependencies:
+ - description: PsExec tool from Sysinternals must exist on disk at specified
+ location (#{psexec_exe})
+ prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
+ get_prereq_command: |-
+ Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
+ Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+ New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
+ Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
 executor:
 name: command_prompt
- command: 'psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
-
-'
+ command: "#{psexec_exe} \\\\#{computer_name} -u #{user_name} -p #{password}
+ -s cmd.exe\n"
 - name: Invoke-Command
- description: 'Execute Invoke-command on remote host
+ description: |
+ Execute Invoke-command on remote host.
 
-'
+ Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
 supported_platforms:
 - windows
 input_arguments:
 host_name:
 description: Remote Windows Host Name
 type: String
- default: Test
+ default: localhost
 remote_command:
 description: Command to execute on remote Host
 type: String
@@ -27308,10 +27353,10 @@ collection:
 identifier: T1005
 atomic_tests:
 - name: Search macOS Safari Cookies
- description: 'This test uses `grep` to search a macOS Safari binaryCookies file
- for specified values. This was used by CookieMiner malware.
+ description: |
+ This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
 
-'
+ Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`.
 supported_platforms:
 - macos
 input_arguments:
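Review bot: The new outcome sentence in the -27308 hunk says the shell will `cd` to `~/Libraries/Cookies`, but Safari's cookie store is under `~/Library/Cookies`; either the description or the command it summarises (the executor is outside this hunk) carries the wrong path, and the description should match whatever the executor actually runs. `MacOS` in the same sentence should be `macOS`, matching the test name. If index.yaml is regenerated from the per-technique T1005 yaml, the fix belongs there.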
@@ -29237,6 +29282,8 @@ command-and-control: This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 + + Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. supported_platforms: - windows input_arguments: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 3e15c4fe..24147212 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -448,7 +448,7 @@ - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery [windows] - Atomic Test #2: List Windows Firewall Rules [windows] - - Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows] + - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows] - Atomic Test #5: List Open Egress Ports [windows] - [T1049 System Network Connections Discovery](./T1049/T1049.md) - Atomic Test #1: System Network Connections Discovery [windows]