From e70987c4391cb9818fafb6f0fa53b9feda24f40e Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Wed, 9 Jun 2021 22:44:21 -0500
Subject: [PATCH] T1553.005 (#1509)

Co-authored-by: Toua Lor
---
 atomics/T1553.005/T1553.005.yaml             | 36 +++++++++++++++++--
 atomics/T1553.005/bin/FeelTheBurn.iso        | Bin 0 -> 1179648 bytes
 atomics/T1553.005/{src => bin}/T1553.005.iso | Bin
 3 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 atomics/T1553.005/bin/FeelTheBurn.iso
 rename atomics/T1553.005/{src => bin}/T1553.005.iso (100%)

diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml
index 000674c5..63f1ffe5 100644
--- a/atomics/T1553.005/T1553.005.yaml
+++ b/atomics/T1553.005/T1553.005.yaml
@@ -11,7 +11,7 @@ atomic_tests:
     path_of_iso:
       description: Path to ISO file
       type: path
-      default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso
+      default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -20,11 +20,41 @@ atomic_tests:
       if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
     get_prereq_command: |
       New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
-      Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}"
+      Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
   executor:
     command: |
       Mount-DiskImage -ImagePath "#{path_of_iso}"
     cleanup_command: |
-      Dismount-DiskImage -ImagePath "#{path_of_iso}"
+      Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
     name: powershell
+- name: Mount an ISO image and run executable from the ISO
+  description: |-
+    Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO.
+    Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!".
+    ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+  supported_platforms:
+  - windows
+  input_arguments:
+    path_of_iso:
+      description: Path to ISO file
+      type: path
+      default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+    prereq_command: |
+      if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+  executor:
+    command: |
+      $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+      $driveLetter = ($keep | Get-Volume).DriveLetter
+      invoke-item "$($driveLetter):\hello.exe"
+    cleanup_command: |
+      Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+      Stop-process -name "hello" -Force -ErrorAction ignore
+    name: powershell
\ No newline at end of file
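Review bot: The cleanup_command of the new "Mount an ISO image and run executable from the ISO" test dismounts the image before it stops hello.exe, so while the process is still running from the mounted volume the dismount can fail (the `| Out-Null` hides that) and the ISO stays attached; run `Stop-process -name "hello" -Force -ErrorAction ignore` first and `Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null` second. The executor command also assumes `$driveLetter` is populated as soon as Mount-DiskImage returns; if `Get-Volume` yields nothing, invoke-item is handed `:\hello.exe`, so a guard such as `if (-not $driveLetter) { throw "ISO volume not found" }` before the invoke-item line would turn a silent miss into a clear failure. prereq_command passes #{path_of_iso} to Test-Path unquoted while get_prereq_command quotes it; quoting it in prereq_command too (`if (Test-Path "#{path_of_iso}") {exit 0} else {exit 1}`) keeps a PathToAtomicsFolder containing spaces from breaking the prerequisite check. Since get_prereq_command downloads a binary image that the test then executes, verifying the fetched file with Get-FileHash against a pinned <expected-sha256> placeholder before declaring the prerequisite satisfied would be a reasonable integrity check to add.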
diff --git a/atomics/T1553.005/bin/FeelTheBurn.iso b/atomics/T1553.005/bin/FeelTheBurn.iso new file mode 100644 index 0000000000000000000000000000000000000000..491da79f9c138c767fe4bc93daa6746dda18a040 GIT binary patch literal 1179648 zcmeI*37p(zdBE}iEFml?7>goaI0TRo$g(*Mpg|HsfYpSgNdRxzY$mX}N8H^+qNuU0 zwzjsl7uwc(w6(Q|R;#U6rE06Kt+lncz3G8%?P1#5%UbF4%1Zp+Y$_LAiTgXgs4crIGK zda!-@=B=C7ZQs6OYkU3XEzjIKbj6k1+e_A;(_S$+xN2FvxuCsiX#LjB+csamy%L7I z9izG1)uUQmF}Py+;OfDPmS41L<>2zc!DjGImm|32;Lq{dpVHnEAVA>$66l-jf734f zv%Tpw)6GmX6mKVc?4286zW-;Pzu|62ieCm>`Qz~ZFNr&5FRgR({o-b6_ny|$n`ZC6 z>CXLcO0TLk)q{O~sM*x4YqrFxtZ3TJl4f}`&+-lY)r>d8 zacd^-n~M9^$9=n-eQ|xXxxTrfyKhO{n~z=*&obDoYL?AiyCCk{6#GVE_hk2Hz^?B8 z2ZLX{^zuJPuq9OVfA(KQZwU~nLE!fJ{?{;!83+&{K!5;&BNMoE!@B(bzY75Z1PBly z@HHfG)wZpJEA;^Nk-`<&?8JeCv?5@MF z_P3gR0iEb#ifJGSFXPM#~uD0U&-r>n$6p`uWPTL9N#_FnV#Xz524t+Z(TG4^8Yk{1bq_)?AV9Wh)Dx zTO8plzsKA9@9`t=$pf|ho~U^Y0RjXFe3bSpz82r#G;8yO&58N(e2sk{srxVl2oNApi@ErXeZ009C72oShSf&S=!ySsXzb=F<(vOs_U0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1ddMN_@=LUZ#?8Vuix9O&4(_!?YM=}+?mf_IT5)B6)3oDVzF(HNT?h~$K!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZ;A=ym)z`c#COze)2U^{M7u|N;!sAaqH*Xvh|K$7Gh3;z8Y~HqgU3>lH`0lCB z^mJ!u`|63&k;$E%xz*yk{_UOVnW5>);>NGehW@Ye>+iqUFFT&0@9-yC+6BM*vdg>Z zW23_pGr8Os=jK9y009C7?x{e3)aFaw2OntNq4W3j2|bPg0RjXF5O}}~92;Lpz9(Mg zmUqAX;MbiC;&yy4kng&e+vhItc+#Qo1?-$#JNP-nVc$1s?&A8vy>pN4zS}f9GBr6p 
zxof69v}xUzp%v}r1B0=!@bEoz*Yk_({J6*TSaTNv0t5&UAaLXYt?2(JV*3?4PVIKJ z)tt~Ycm5u9tmnRu#rx^g&YRoUoSggSKS@~B{g8{A8=6it7XM5(199!f_~Al;009C7 z2t3dP^6UQ#;zbQy{q}<`&!)%M>c`H%*7>jhU%UL!*Z<8)v#SUHEA(A_&42j!0`AGz z|FfT0%zmu=`aeJJLuPM!OMn0Y0t5)$LxEOvc4WC{neX8$7HBm~Gtu|=%kc3D5FkK+ z0D=2ZAj{uc>JxzbklcqNK!5-N0{6SX;_lb~`8mK%v#;f*|Ns5}{0_n0>}XwB`2PPX zJ$_f80{c{p)k3eL9>^bQPA2_Lb z@A02H{r#)31_s#ye5%=fim}c#(nkIe+VfQx?&cC0#IlHA<5YKyUUSHcZpFa2`bBp=z zx~6&PVK?kIZeMxWg9m0hH|8JYyEFeVqgd+>F!#FSR`=45k3KLpJv9=y zy02|*T**He=}vz*Qrx|EV5&1V85_H=^}5)T&vmC49{Vnhd+%^rd&ca|d~JR4TRz9y zP4k9$Y<|iYKkoFAX7}FR+smioQM;GKR3|J6&J&)v^t8Su@jFRRSQ;OE+tV&>b)R|m zrR`lcFgUPsaOLug@)_e}$J;N&k278#gU8c+D6emunHrtAembr;kBisU&ik(3)~t!^ zd8}t#arMw;@qT06-k7&99h=+{@ADFOwXS$%(;S~SzIfKk=9JmF@|a_-`y)O~_cyxc z?Yy2p;?>T*U)U^d&Ip9zW?j5}W%upd;-0+B?#y{w@k$;M_Z-{3zNMY3H^=9<`7ArS zw_bhf>ew^;G1fE>Z&t_tN5|Vm&FRfM;@auW`=+-@%vjB$J>*ebDIVGn>$_J z9JdeuY1(QYb7;q!O_MwKjCG#c+|U^tn;hue*lDiJYt8ud$mG=6=#FOFzUi6Hc(ZxO z3pyh+&8FeeiDqDAW^$@oHxp2Ow5dqcLwrL`5qnXOl|8-?HwKIOgFQ449|>C zPHgRr4d2+kHoa~pj%df8nNBnJz}yx~J4VMwXZ9Uh?Y^jZj*02Xu}*XC)aXoS@ zsx!Q^X&!s!!9O|Vyr$i}IQ|5YsrVVOGi>tmh-=^VrjI;o{nKxmzUBJWw?2GN)BnDg zJm;E6ue$X$q27A@NyoIC)`E7c)xRKao)ka*`ukgRzjmCKC$zoqlxwGkcV9I*vEjy% z&h8vx`wdf*FP@HLJa6_uyC3JOyx#6!{eN%f|6RG`!t>WpPHnic)3xk6cRB+*$MWZL z{EB*3(_Y)X_TYHa7eD{H`|tR=XaDWpau@gC(BuAm{GFa8?g{j`ye@vc zWo^^_cR6q8<l-P>#WR>k{knr+SV$!dwDst$wzIE)#12z zI@X7qnb+$n0enn^<+<#eo z^yy}#`#ihv@NwF)cQAf3AKH6O?463;hhEEI{EBhtN7Jn8{_2y{%yjoo#A_c5ui<7q zZZ|!?B5#@{-Pf}**01mGULTY0ZuWIw(e?3&>{Y&&HQndlJa>OiozFcln78iwW31}V zu_Ycm8UJqYiFs$@T<eT@s}1vS1w+B_4dn`UAVYCJu^J9b9iiWqI2=$eVysWmpt{v z6V?pJ-*7O#V{BhLo?v47;>CNWCZ0S!azkf)czW6R{GVI6Y-Do$$-~p*1ACV*ZjTR7 zjP8oR;ozFXKUzFhyM6GiPzcLxn*i}Z~P*E zeP{XzpLON@v$o@M=y~Foz>z)q%j(9?-p*KiEZ<(dczAkfV(;V&J5!6>dq&rdL_~sd z*YMbMXKtwOlbqk<)y%*2^Y8H5*PMS4AvUZzfBuBxMxM6IQ46$ZKNq`h0tAj;U}5zC!|||}J^P)l^P~TL`4kWK zzUTilQ2Kjw7v-RbF8P^F_uC&2^j`08nzi{_7asP_nz-#kfB*pk1dc}F*eL#vc)+4_ z4zva%De-^K%y#hHtF~<&TyZo{b)W9d`nBWDiTP0<=*_-QWqdFK1PBlyP!>3D?(6^Y 
zhxIqhqo?_QJh~7dK!5-N0(A@YNB;-9BOYk2$S{bKS18)LVy4P0t5)uA&~ulVT_XfU#0(b9I7b@5FkK+KtUk;pMO?W z_Ww!xU(m8lfB*pk1nLmT{*T8f+5gr0U&o=Ef&c*m1PBxavj6#~8E5}5(Eoy#WdZ~U z5Fk*8K=wcXjKA#vh5BE|p_+mK0RjXF6a=#WyJJuG|04Y_XjvvefB*pkbqHktUlgNc z|DUY?bsVZG2oNAZfIvYY`#%+Xvj0!f|ALlf0t5&UAW(-u_J2A?$^Ng=|2huU6a)wm zAV8oXko}*DJ=y<@^}nEHnE(L-1PIh2kp15iqh$Y|s{eHyswoH%AV7dXK_L6TH}+)z zFVX*kmSqA22oNAphd}oK#W70uf35!4aj2#sK!5-N0tJEW|BbOH`@c^A3tE;55FkK+ zKpg_v|9vq^_Wx4-uj5cnL4W`O0t5;I+5eZsp6vg6{V!-)CP07y0RnXhWdC0pqh$Xt z)BidS)f5B>5FkLHAdvmPDfVRlH|T#s%Q6811PBnQLm>PAvKS@%f4TnGaj2#sK!5-N z0tJEW|I1@f_Wug~FKAgNK!5-N0(A&v|6dWKWdEJZ5Oe`Ac2{oknnbsVZG2oNAZfIvYY`~OX`C;Pui{|j1{2@oJafIuAr+5cC?DB1t3 z^uLZnH3b0z1PBl)2xR|X9ec9>oAtk-Wtjj00t5)uA&~w5<`^aWzeWG+I8;**AV7cs zfr3Ex|65{D_W$ekzo2EA009C72-G2v{eMl2lKtPR|8*RyDF_fCK!89&Ap8HVu_yb# zP5%p8mI)9bK!89U0@?p>i&3)w+x5SWLp22f0t5&UCwiJZG64bv2oR`4Ap8G4F-rFTIr?A6p_+mK0RjXF6a=#W-y3_f z|IgL`f|g|h1PBlyP=`SF|NCN;?Emxhzm7vS1pxvC2oNX;WdCoDJ=y=~>wiJZG64bv z2oR`4Ap8IN7$y6Eo&MKxsHPx5fB*pk1%d4U8)8rPe^~zuT9yeAAV7dX9Rk_^?~hTk z|2y=*jzcvC0RjXF5GV*_|9>F%WdBF>zo2EA009C72-G2v{r|xjCHucq|LZtZQxG6P zfB=DlK=%KQu_ycA(f@*$WdZ~U5Fk*8K=%KKVwCLvF8#0LP)$LA009C73If^xH^rXp z|MmJ`(6UT`009C7>JZ5Ozd1(9{@pn|ALlf0t5&U zAW(-u_W!LhO7{N+`d`PPnt}iU0t5&Y1hW4>9DB0=FVz2nmSqA22oNAphd}oKM`D!h z|Cs*Qaj2#sK!5-N0tJEW|BuF=?Ekp_7ql!BAV7csfjR`T|8I*?vi}qMU&o=Ef&c*m z1PBxavj0C8d$RwN`d`qpOn?9Z0tD(1$o~I$jFSD|t^ai#swoH%AV7dXK_L78_SlpC zf06zdv@8=KK!5;&Is~%+KM|v3|EKi7jzcvC0RjXF5GV*_|9>*}WdEo2zo2EA009C7 z2-G2v{r{;LCHp_4|8*RyDF_fCK!89&Ap8H*u_yb#NB;|2mI)9bK!89U0@?p}#3W)f5B>5FkLHAdvn4`Ph^Fe}(=Rv@8=KK!5;&Is~%+?~75g z|NHg7jzcvC0RjXF5GV*_|KA^bvj4Bt|ALlf0t5&UAW(-u_Wu`Rl5FkLHAdvn4rP!1G|2F+EXjvvefB*pkbqHkte>q0U{=ZiL>o`7(*J^% zWdZ~U5Fk*8K=%LFVwCLvck6#0hiVD}1PBlyP!P!e|9b4n{(q1D7ql!BAV7csfjR`T z|DTLevj5+!|8*RyDF_fCK!89&Ap8Ftu_ycgefnR}vP^&g0RjZ-5Xk<2Dn`lv->m<2 z9I7b@5FkK+KtUk;|C_NV`~Q0VFKAgNK!5-N0(A&v|9>k+$^O4V|LZtZQxG6PfB=Dl zK=%LBu_ycg{rX?fvP^&g0RjZ-5Xk=jc8rq!{{j84<4{dOfB*pk1PTJ#|KEu{+5aEZ 
z|ALlf0t5&UAW(-u_WyTdlo`(049I7b@5FkK+KtUk;e{1Z?{{Mvj7ql!BAV7csfjR`T|9=^y zWdDCs|LZtZQxG6PfB=DlK=%KyVo&z}r}V#|Wtjj00t5)uA&~w5>lh{b|I_+k$Dx{n z009C72owae|9=yEvj6YU|ALlf0t5&UAW(-u_W!mRCHwzQ{jcLtO+kPF0RjXH0@?r1 z#-8l|&**PAw=qig|6TfD$Dx{n009C72owae|9=;Ivj6Ya|ALlf z0t5&UAW(-u_W$o=lVF-FY6=1b2oNAp5Xk<2F7{;q-=qHpEz1N55FkLH4uS0d zKg1~6|M%*D9fxWP0t5&UAW#s<{{Lg_$^QSG{ui_?6Cgl<0D(FLvj6`Sqh$YoUjOSj zR8tTjK!5;&fJZ5Oe?CUZ{=Z-U>o`{ui_?6Cgl<0D(FLvj6`Qqh$X-p#OCoswoH%AV7dXK_L78udyfl|3UpP zXjvvefB*pkbqHkt|1Czz{(ngS>o`JZ5O|7VPn{r`ym z*Kw$(AV7cs0Rjbq?Einop6vfe^}nEHnE(L-1PIh2kp2Jf7$y7vOZs2Op_+mK0RjXF z6a=#WUyME3|6kVsf|g|h1PBlyP=`SF|9@hX?ElB~zm7vS1pxvC2oNX;WdFYud$Ru@ z*Z+c+WdZ~U5Fk*8K=%KCW0dUwujqdrhiVD}1PBlyP!P!ee>wJK|9@5g3tE;55FkK+ zKpg_v|J!4f?Efe9zm7vS1pxvC2oNX;WdHM${r@%nFKAgNK!5-N0(A&v|1@{{=0}1PBlyK%fqRtp71FO7{OZ^uLZnH3b0z1PBl) z2xR{k#GdT`r}V#|Wtjj00t5)uA&~t)Hb%+*|EB)eaj2#sK!5-N0tJEW|H9al{r@ff zFKAgNK!5-N0(A&v|Bs7Nvj3mf|2huU6a)wmAV8oXkp1tEJ=y=?*8hT*WdZ~U5Fk*8 zK=%Lm7$y7vJNjS8p_+mK0RjXF6a=#WC&ZrY|L^L5LCZ1$0t5&Us6!z8|Bx6Z`~Q3T zU&o=Ef&c*m1PBxavi}c_J=y=?*Z+c+WdZ~U5Fk*8K=%K{7$y7v2l`*fp_+mK0RjXF z6a=#WC&ixZ{~zjqLCZ1$0t5&Us6!z8|F9S(`~MmJuj5cnL4W`O0t5;I+5bhcC;R_L z`d`qpOn?9Z0tD(1$o@Y(M#=vFvHsU_sHPx5fB*pk1%d4U*TtUf|DWi8LCZ1$0t5&U zs6!z8e{zhH{r^+_uj5cnL4W`O0t5;I+5bnxp6vgh>3>1XG64bv2oR`4Ap8Hw7$y7v z=lWmAp_+mK0RjXF6a=#Wr^KG@|6k~TLCZ1$0t5&Us6!z8|EL%x`+uwc*Kw$(AV7cs z0Rjbq?Ek5;C;R`G`d`qpOn?9Z0tD(1$o@Y%M#=vFmHyXpsHPx5fB*pk1%d4UV`5MC z|F8AGpko`3=UG_YojKfB=E&1hW5E#8lb;hv|QH=W8GW z1PBly&`Tiue`PFW{}<_hFCzC5AV7csf$9XZ|3fiV_W$AfU)}i{hyVcs1PJsJ$o@Yq z7P9|er~kc(+(&=_0RjZ76UhEQJ*LY3pRE7Yov(oi5FkK+Kreyp|HfFz{y#$hdl9*h z009C72vjGK{ofQ*W&a3?5xI{50RjXFR40)AAC0N9|I78iy7M&<0RjXF5a=b4{eM9$WdB#_ ze=j2U5gwk6UYajvy2oNC9OCbBdHx{!0Pu2fkMD8O%fB*pk d)d^((UmR0q|1Z)1>dx0d1PBlyK%kev{{g8hV