Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Hare Sudhan
|
825d8a23e4 |
@@ -193,10 +193,11 @@ atomic_tests:
|
||||
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
|
||||
- description: 'Check if rclone zip exists'
|
||||
prereq_command: |
|
||||
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
|
||||
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
|
||||
New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null
|
||||
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip"
|
||||
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\
|
||||
executor:
|
||||
command: |-
|
||||
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
|
||||
|
||||
@@ -103,10 +103,10 @@ atomic_tests:
|
||||
if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Write-Host Downloading Process Hacker
|
||||
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe"
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\processhacker-2.39-setup.exe"
|
||||
Write-Host Installing Process Hacker
|
||||
Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
|
||||
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
|
||||
executor:
|
||||
command: Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
|
||||
name: powershell
|
||||
@@ -125,15 +125,15 @@ atomic_tests:
|
||||
dependencies:
|
||||
- description: PCHunter must be present in device
|
||||
prereq_command: |
|
||||
if (Get-ChildItem -Path C:\ -Include *PCHunter64* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}) {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Write-Host Downloading PC Hunter
|
||||
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "C:\Temp\ExternalPayloads\PCHunter_free.zip"
|
||||
Expand-Archive -LiteralPath 'C:\Temp\ExternalPayloads\PCHunter_free.zip' -DestinationPath C:\Temp\ExternalPayloads
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free.zip"
|
||||
Expand-Archive -LiteralPath 'PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free.zip' -DestinationPath PathToAtomicsFolder\..\ExternalPayloads
|
||||
Write-Host Unzipping Installing Process Hunter
|
||||
executor:
|
||||
command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
|
||||
command: Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Launch Taskmgr from cmd to View running processes
|
||||
|
||||
@@ -52,7 +52,7 @@ atomic_tests:
|
||||
autosuid:
|
||||
description: Path to the autosuid shell script
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
|
||||
default: PathToAtomicsFolder/../ExternalPayloads/AutoSUID.sh
|
||||
autosuid_url:
|
||||
description: Path to download autosuid shell script
|
||||
type: url
|
||||
@@ -82,7 +82,7 @@ atomic_tests:
|
||||
linenum:
|
||||
description: Path to the LinEnum shell script
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
|
||||
default: PathToAtomicsFolder/../ExternalPayloads/LinEnum.sh
|
||||
linenum_url:
|
||||
description: Path to download LinEnum shell script
|
||||
type: url
|
||||
|
||||
@@ -8,15 +8,16 @@ atomic_tests:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso")
|
||||
Mount-DiskImage -ImagePath "$env:TEMP\qbot-test.iso"
|
||||
$mountedpath = (Get-DiskImage -ImagePath "$env:TEMP\qbot-test.iso" | Get-Volume).DriveLetter
|
||||
New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso")
|
||||
Mount-DiskImage -ImagePath "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso"
|
||||
$mountedpath = (Get-DiskImage -ImagePath "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso" | Get-Volume).DriveLetter
|
||||
$finalpath = $mountedpath + ":\"
|
||||
cd $finalpath
|
||||
.\calc.exe.lnk
|
||||
cleanup_command: |-
|
||||
start-sleep -s 5
|
||||
stop-process -Name "Calculatorapp" -Force
|
||||
dismount-diskimage -ImagePath "$env:TEMP\qbot-test.iso"
|
||||
dismount-diskimage -ImagePath "PathToAtomicsFolder\..\ExternalPayloads\qbot-test.iso"
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
@@ -333,10 +333,10 @@ atomic_tests:
|
||||
if (Test-Path "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Write-Host Downloading Splashtop Streamer
|
||||
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.splashtop.com/win/Splashtop_Streamer_Win_INSTALLER_v3.6.4.1.exe" -OutFile "C:\Temp\ExternalPayloads\Splashtop.exe"
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.splashtop.com/win/Splashtop_Streamer_Win_INSTALLER_v3.6.4.1.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Splashtop.exe"
|
||||
Write-Host Installing Splashtop Streamer
|
||||
Start-Process "c:\Temp\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s"
|
||||
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s"
|
||||
executor:
|
||||
command: |-
|
||||
Start-Process -FilePath "C:Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}"
|
||||
|
||||
@@ -158,9 +158,9 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
|
||||
Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
|
||||
msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
|
||||
New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null
|
||||
Invoke-WebRequest #{SubInAclDownloadPath} -OutFile PathToAtomicsFolder\..\ExternalPayloads\SubInAcl.msi
|
||||
msiexec.exe /i "PathToAtomicsFolder\..\ExternalPayloads\SubInAcl.msi" /qn
|
||||
executor:
|
||||
command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
|
||||
name: command_prompt
|
||||
|
||||
@@ -13,7 +13,7 @@ atomic_tests:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: $PathToAtomicsFolder/T1552/src
|
||||
default: $PathToAtomicsFolder/../ExternalPayloads
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
@@ -25,6 +25,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
mkdir -p #{stratus_path}
|
||||
if [ "$(uname)" == "Darwin" ]
|
||||
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
|
||||
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
|
||||
|
||||
@@ -173,7 +173,7 @@ atomic_tests:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: $PathToAtomicsFolder/T1562.008/src
|
||||
default: $PathToAtomicsFolder/../ExternalPayloads
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
@@ -185,6 +185,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
mkdir -p #{stratus_path}
|
||||
if [ "$(uname)" == "Darwin" ]
|
||||
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
|
||||
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
|
||||
@@ -228,7 +229,7 @@ atomic_tests:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: $PathToAtomicsFolder/T1562.008/src
|
||||
default: $PathToAtomicsFolder/../ExternalPayloads
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
@@ -240,6 +241,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
mkdir -p #{stratus_path}
|
||||
if [ "$(uname)" == "Darwin" ]
|
||||
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
|
||||
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
|
||||
@@ -282,7 +284,7 @@ atomic_tests:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: $PathToAtomicsFolder/T1562.008/src
|
||||
default: $PathToAtomicsFolder/../ExternalPayloads
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
@@ -294,6 +296,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
mkdir -p #{stratus_path}
|
||||
if [ "$(uname)" == "Darwin" ]
|
||||
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
|
||||
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
|
||||
|
||||
@@ -12,10 +12,11 @@ atomic_tests:
|
||||
command: |
|
||||
$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm
|
||||
New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null
|
||||
Invoke-WebRequest -Uri $url -OutFile PathToAtomicsFolder\..\ExternalPayloads\PhishingAttachment.xlsm
|
||||
name: powershell
|
||||
cleanup_command: |
|
||||
Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore
|
||||
Remove-Item PathToAtomicsFolder\..\ExternalPayloads\PhishingAttachment.xlsm -ErrorAction Ignore
|
||||
|
||||
- name: Word spawned a command shell and used an IP address in the command line
|
||||
auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f
|
||||
|
||||
@@ -216,16 +216,15 @@ atomic_tests:
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
PsExec tool from Sysinternals must exist in the '\Users\Public\Temp\' directory
|
||||
PsExec tool from Sysinternals must exist in the ExternalPayloads directory
|
||||
prereq_command: |
|
||||
if (Get-ChildItem -Path C:\ -Include *psexec* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "C:\Users\Public\Temp\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "C:\Users\Public\Temp\PSTools.zip"
|
||||
Expand-Archive "C:\Users\Public\Temp\PsTools.zip" "C:\Users\Public\Temp\" -Force
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip"
|
||||
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\" -Force
|
||||
executor:
|
||||
command: |-
|
||||
cd C:\Users\Public\Temp\
|
||||
.\PsExec.exe -i -s cmd -accepteula
|
||||
PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe -i -s cmd -accepteula
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
@@ -131,19 +131,19 @@ atomic_tests:
|
||||
- description: |
|
||||
Download ngrok
|
||||
prereq_command: |
|
||||
if (Test-Path C:\Users\Public\ngrok) {exit 0} else {exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\ngrok) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Path C:\Users\Public\ngrok -ItemType Directory | Out-Null
|
||||
Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip
|
||||
Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok
|
||||
New-Item -Path PathToAtomicsFolder\..\ExternalPayloads\ngrok -ItemType Directory -Force | Out-Null
|
||||
Invoke-WebRequest #{download} -OutFile PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok-v3-stable-windows-amd64.zip
|
||||
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\ngrok
|
||||
executor:
|
||||
command: |
|
||||
C:\Users\Public\ngrok\ngrok.exe config add-authtoken #{api_token} | Out-Null
|
||||
Start-Job -ScriptBlock { C:\Users\Public\ngrok\ngrok.exe tcp #{port_num} } | Out-Null
|
||||
PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok.exe config add-authtoken #{api_token} | Out-Null
|
||||
Start-Job -ScriptBlock { PathToAtomicsFolder\..\ExternalPayloads\ngrok\ngrok.exe tcp #{port_num} } | Out-Null
|
||||
Start-Sleep -s 5
|
||||
Stop-Job -Name Job1 | Out-Null
|
||||
cleanup_command: |
|
||||
Remove-Item C:\Users\Public\ngrok -Recurse -ErrorAction Ignore
|
||||
Remove-Item PathToAtomicsFolder\..\ExternalPayloads\ngrok -Recurse -ErrorAction Ignore
|
||||
Remove-Item C:\%userprofile%\AppData\Local\ngrok -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
@@ -13,7 +13,7 @@ atomic_tests:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: $PathToAtomicsFolder/T1580/src
|
||||
default: $PathToAtomicsFolder/../ExternalPayloads
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
@@ -25,6 +25,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
|
||||
get_prereq_command: |
|
||||
mkdir -p #{stratus_path}
|
||||
if [ "$(uname)" = "Darwin" ]
|
||||
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
|
||||
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
|
||||
|
||||
Reference in New Issue
Block a user