security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
AutoSUID_linux
atomic-red-team/atomics/T1072/T1072.md
T
CircleCI Atomic Red Team doc generator 36d49de4c8 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-06-24 17:04:33 +00:00

2.4 KiB
Raw Permalink Blame History

T1072 - Software Deployment Tools

Description from ATT&CK

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.

Atomic Tests


Atomic Test #1 - Radmin Viewer Utility

An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.

Supported Platforms: Windows

auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129

Inputs:

Name Description Type Default Value
radmin_installer Radmin Viewer installer Path %TEMP%\RadminViewer.msi
radmin_exe The radmin.exe executable from RadminViewer.msi Path %PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

"#{radmin_exe}"

Dependencies: Run with command_prompt!

Description: Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
Check Prereq Commands:
if not exist "#{radmin_exe}" (exit /b 1)
Get Prereq Commands:
echo Downloading radmin installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
msiexec /i "#{radmin_installer}" /qn

Reference in New Issue View Git Blame Copy Permalink