From eb9f0fbcd6d3d2746c2cddc981143b9219c6a47a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Sat, 9 Nov 2019 02:14:44 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1036/T1036.md | 60 ++++++++++++++++++++++++++++++++++++++++ atomics/index.md | 2 ++ atomics/index.yaml | 50 +++++++++++++++++++++++++++++++++ atomics/windows-index.md | 2 ++ 4 files changed, 114 insertions(+) diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index 5b856e9f..4913e783 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -30,6 +30,10 @@ An example of abuse of trusted locations in Linux would be the /bin @@ -132,3 +136,59 @@ del /Q /F %APPDATA%\taskhostw.exe ```
+
+ +## Atomic Test #6 - Masquerading - non-windows exe running as windows exe +Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| inputfile | path of file to copy | path | $PathToAtomicsFolder\T1036\bin\t1036.exe| +| outputfile | path of file to execute | path | ($env:SystemRoot + "\Temp\scvhost.exe")| + +#### Run it with `powershell`! +``` +copy #{inputfile} #{outputfile} +$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id +Stop-Process -ID $myT1036 +``` + + +#### Cleanup Commands: +``` +del #{outputfile} +``` + +
+
+ +## Atomic Test #7 - Masquerading - windows exe running as different windows exe +Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| inputfile | path of file to copy | path | $env:ComSpec| +| outputfile | path of file to execute | path | ($env:SystemRoot + "\Temp\scvhost.exe")| + +#### Run it with `powershell`! +``` +copy #{inputfile} #{outputfile} +$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id +Stop-Process -ID $myT1036 +``` + + +#### Cleanup Commands: +``` +del #{outputfile} +``` + +
diff --git a/atomics/index.md b/atomics/index.md index 2be43da7..39d72cbe 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -289,6 +289,8 @@ - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows] - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] + - Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows] + - Atomic Test #7: Masquerading - windows exe running as different windows exe [windows] - [T1112 Modify Registry](./T1112/T1112.md) - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows] - Atomic Test #2: Modify Registry of Local Machine - cmd [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index de56d014..9c80634f 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -8540,6 +8540,56 @@ defense-evasion: cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe ' + - name: Masquerading - non-windows exe running as windows exe + description: 'Copies an exe, renames it as a windows exe, and launches it to + masquerade as a real windows exe + +' + supported_platforms: + - windows + input_arguments: + inputfile: + description: path of file to copy + type: path + default: "$PathToAtomicsFolder\\T1036\\bin\\t1036.exe" + outputfile: + description: path of file to execute + type: path + default: ($env:SystemRoot + "\Temp\scvhost.exe") + executor: + name: powershell + elevation_required: false + command: | + copy #{inputfile} #{outputfile} + $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id + Stop-Process -ID $myT1036 + cleanup_command: 'del #{outputfile} + +' + - name: Masquerading - windows exe running as different windows exe + description: 'Copies a windows exe, renames it as another windows exe, and launches + it to masquerade as second windows exe + +' + supported_platforms: + - windows + input_arguments: + inputfile: + description: path of file to copy + type: path + default: "$env:ComSpec" + outputfile: + description: path of file to execute + type: path + default: ($env:SystemRoot + "\Temp\scvhost.exe") + executor: + name: powershell + elevation_required: false + command: | + copy #{inputfile} #{outputfile} + $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id + Stop-Process -ID $myT1036 + cleanup_command: 'del #{outputfile}' T1112: technique: x_mitre_data_sources: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 181ee513..fd2237fb 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -89,6 +89,8 @@ - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows] - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] + - Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows] + - Atomic Test #7: Masquerading - windows exe running as different windows exe [windows] - [T1112 Modify Registry](./T1112/T1112.md) - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows] - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]