Merge branch 'master' into T1059.004_four_tests

2023-01-28 17:19:31 +00:00
parent d15214994a a2ccd19c37
commit eed9c5b08d
12 changed files with 100 additions and 5 deletions
@@ -1238,6 +1238,7 @@ discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpu
 discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
 discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
 discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
+discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
 discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
@@ -890,6 +890,7 @@ discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bca
 discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
 discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
 discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
+discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
 discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
@@ -1969,6 +1969,7 @@
  - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
  - Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
  - Atomic Test #24: Linux List Kernel Modules [linux]
+  - Atomic Test #25: System Information Discovery with WMIC [windows]
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1436,6 +1436,7 @@
  - Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
  - Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
  - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
+  - Atomic Test #25: System Information Discovery with WMIC [windows]
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -68715,7 +68715,7 @@ collection:
      executor:
        name: bash
        elevation_required: false
-        command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(bz2content);output_file.close();"
+        command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(str(bz2content));output_file.close();"

          '
        cleanup_command: 'rm #{path_to_output_file}
@@ -86368,6 +86368,29 @@ discovery:
          kmod list
          grep vmw /proc/modules
        name: sh
+    - name: System Information Discovery with WMIC
+      auto_generated_guid: 8851b73a-3624-4bf7-8704-aa312411565c
+      description: |
+        Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions.
+        https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
+        Elements of this test were observed in the wild used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting:
+        https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
+        https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          wmic cpu get name
+          wmic MEMPHYSICAL get MaxCapacity
+          wmic baseboard get product
+          wmic baseboard get version
+          wmic bios get SMBIOSBIOSVersion
+          wmic path win32_VideoController get name
+          wmic path win32_VideoController get DriverVersion
+          wmic path win32_VideoController get VideoModeDescription
+          wmic OS get Caption,OSArchitecture,Version
+          wmic DISKDRIVE get Caption
+        name: command_prompt
  T1010:
    technique:
      x_mitre_platforms:
@@ -56,6 +56,8 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a

 - [Atomic Test #24 - Linux List Kernel Modules](#atomic-test-24---linux-list-kernel-modules)

+- [Atomic Test #25 - System Information Discovery with WMIC](#atomic-test-25---system-information-discovery-with-wmic)
+

 <br/>

@@ -853,4 +855,45 @@ grep vmw /proc/modules



+<br/>
+<br/>
+
+## Atomic Test #25 - System Information Discovery with WMIC
+Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions.
+https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
+Elements of this test were observed in the wild used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting:
+https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
+https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8851b73a-3624-4bf7-8704-aa312411565c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wmic cpu get name
+wmic MEMPHYSICAL get MaxCapacity
+wmic baseboard get product
+wmic baseboard get version
+wmic bios get SMBIOSBIOSVersion
+wmic path win32_VideoController get name
+wmic path win32_VideoController get DriverVersion
+wmic path win32_VideoController get VideoModeDescription
+wmic OS get Caption,OSArchitecture,Version
+wmic DISKDRIVE get Caption
+```
+
+
+
+
+
+
 <br/>
@@ -346,3 +346,27 @@ atomic_tests:
      kmod list
      grep vmw /proc/modules
    name: sh
+- name: System Information Discovery with WMIC
+  auto_generated_guid: 8851b73a-3624-4bf7-8704-aa312411565c
+  description: |
+    Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions.
+    https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
+    Elements of this test were observed in the wild used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting:
+    https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
+    https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      wmic cpu get name
+      wmic MEMPHYSICAL get MaxCapacity
+      wmic baseboard get product
+      wmic baseboard get version
+      wmic bios get SMBIOSBIOSVersion
+      wmic path win32_VideoController get name
+      wmic path win32_VideoController get DriverVersion
+      wmic path win32_VideoController get VideoModeDescription
+      wmic OS get Caption,OSArchitecture,Version
+      wmic DISKDRIVE get Caption
+    name: command_prompt
+    
@@ -90,7 +90,7 @@ Uses bz2 from Python to compress files


 ```bash
-$which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(bz2content);output_file.close();"
+$which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(str(bz2content));output_file.close();"
 ```

 #### Cleanup Commands:
@@ -57,7 +57,7 @@ atomic_tests:
    name: bash
    elevation_required: false
    command: |
-      $which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(bz2content);output_file.close();"
+      $which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(str(bz2content));output_file.close();"
    cleanup_command: |
      rm #{path_to_output_file}
 - name: Compressing data using zipfile in Python (Linux)
@@ -1216,3 +1216,4 @@ c6952f41-6cf0-450a-b352-2ca8dae7c178
 0709945e-4fec-4c49-9faf-c3c292a74484
 15330820-d405-450b-bd08-16b5be5be9f4
 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
+8851b73a-3624-4bf7-8704-aa312411565c