Hare Sudhan
136 lines
5.1 KiB
YAML
136 lines
5.1 KiB
YAML
attack_technique: T1027.004
|
|
display_name: 'Obfuscated Files or Information: Compile After Delivery'
|
|
atomic_tests:
|
|
- name: Compile After Delivery using csc.exe
|
|
auto_generated_guid: ffcdbd6a-b0e8-487d-927a-09127fe9a206
|
|
description: |
|
|
Compile C# code using csc.exe binary used by .NET
|
|
Upon execution an exe named T1027.004.exe will be placed in the temp folder
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_file:
|
|
description: Output compiled binary
|
|
type: path
|
|
default: C:\Windows\Temp\T1027.004.exe
|
|
input_file:
|
|
description: C# code that launches calc.exe from a hidden cmd.exe Window
|
|
type: path
|
|
default: PathToAtomicsFolder\T1027.004\src\calc.cs
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
C# file must exist on disk at specified location (#{input_file})
|
|
prereq_command: |
|
|
if (Test-Path "#{input_file}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{input_file}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}"
|
|
executor:
|
|
command: |
|
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} "#{input_file}"
|
|
cleanup_command: |
|
|
del #{output_file} >nul 2>&1
|
|
name: command_prompt
|
|
- name: Dynamic C# Compile
|
|
auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef
|
|
description: |
|
|
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
|
|
Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
|
|
The exe file that will be executed is named as T1027.004_DynamicCompile.exe is contained in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.
|
|
Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
input_file:
|
|
description: exe program containing dynamically compiled C# code
|
|
type: path
|
|
default: PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
exe file must exist on disk at specified location (#{input_file})
|
|
prereq_command: |
|
|
if (Test-Path "#{input_file}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile "#{input_file}"
|
|
executor:
|
|
command: |
|
|
Invoke-Expression "#{input_file}"
|
|
name: powershell
|
|
|
|
- name: C compile
|
|
auto_generated_guid: d0377aa6-850a-42b2-95f0-de558d80be57
|
|
description: |
|
|
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
input_file:
|
|
description: source file
|
|
type: path
|
|
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.c
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
the source file must exist on disk at specified location (#{input_file})
|
|
prereq_command: |
|
|
if [ -e #{input_file} ]; then exit 0; else exit 1; fi
|
|
get_prereq_command: |
|
|
wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -O "#{input_file}"
|
|
executor:
|
|
command: |
|
|
gcc #{input_file} && ./a.out
|
|
clang #{input_file} && ./a.out
|
|
name: sh
|
|
- name: CC compile
|
|
auto_generated_guid: da97bb11-d6d0-4fc1-b445-e443d1346efe
|
|
description: |
|
|
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
input_file:
|
|
description: source file
|
|
type: path
|
|
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
the source file must exist on disk at specified location (#{input_file})
|
|
prereq_command: |
|
|
if [ -e #{input_file} ]; then exit 0; else exit 1; fi
|
|
get_prereq_command: |
|
|
wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.cc -O #{input_file}
|
|
executor:
|
|
command: |
|
|
g++ #{input_file} && ./a.out
|
|
clang++ #{input_file} && ./a.out
|
|
name: sh
|
|
- name: Go compile
|
|
auto_generated_guid: 78bd3fa7-773c-449e-a978-dc1f1500bc52
|
|
description: |
|
|
Compile a go file with golang on FreeBSD, Linux or Macos.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
input_file:
|
|
description: source file
|
|
type: path
|
|
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.go
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
the source file must exist on disk at specified location (#{input_file})
|
|
prereq_command: |
|
|
if [ -e #{input_file} ]; then exit 0; else exit 1; fi
|
|
get_prereq_command: |
|
|
wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.go -O #{input_file}
|
|
executor:
|
|
command: |
|
|
go run #{input_file}
|
|
name: sh
|