BlueTeamOps
03d7d6ba13
* Create T1222.yaml * Update T1070.004.yaml Added clear of recycle bin using rd * Update T1057.yaml added taskmgr.exe based process viewing * Update T1012.yaml Added SIL status lookup via registry * Update T1057.yaml Fixed up the name ,description for Taskmgr.exe test * Update T1057.yaml Fixed the UUID
151 lines
6.2 KiB
YAML
151 lines
6.2 KiB
YAML
attack_technique: T1057
|
|
display_name: Process Discovery
|
|
atomic_tests:
|
|
- name: Process Discovery - ps
|
|
auto_generated_guid: 4ff64f0b-aaf2-4866-b39d-38d9791407cc
|
|
description: |
|
|
Utilize ps to identify processes.
|
|
|
|
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
output_file:
|
|
description: path of output file
|
|
type: path
|
|
default: /tmp/loot.txt
|
|
executor:
|
|
command: |
|
|
ps >> #{output_file}
|
|
ps aux >> #{output_file}
|
|
cleanup_command: |
|
|
rm #{output_file}
|
|
name: sh
|
|
- name: Process Discovery - tasklist
|
|
auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908
|
|
description: |
|
|
Utilize tasklist to identify processes.
|
|
|
|
Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
tasklist
|
|
name: command_prompt
|
|
- name: Process Discovery - Get-Process
|
|
auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
|
|
description: |
|
|
Utilize Get-Process PowerShell cmdlet to identify processes.
|
|
|
|
Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Get-Process
|
|
name: powershell
|
|
- name: Process Discovery - get-wmiObject
|
|
auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
|
|
description: |
|
|
Utilize get-wmiObject PowerShell cmdlet to identify processes.
|
|
|
|
Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
get-wmiObject -class Win32_Process
|
|
name: powershell
|
|
- name: Process Discovery - wmic process
|
|
auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
|
|
description: |
|
|
Utilize windows management instrumentation to identify processes.
|
|
|
|
Upon successful execution, WMIC will execute process to list processes. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
wmic process get /format:list
|
|
name: command_prompt
|
|
- name: Discover Specific Process - tasklist
|
|
auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
|
|
description: |
|
|
Adversaries may use command line tools to discover specific processes in preparation of further attacks.
|
|
Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
process_to_enumerate:
|
|
description: Process name string to search for.
|
|
type: string
|
|
default: 'lsass'
|
|
executor:
|
|
command: |
|
|
tasklist | findstr #{process_to_enumerate}
|
|
name: command_prompt
|
|
- name: Process Discovery - Process Hacker
|
|
auto_generated_guid: 966f4c16-1925-4d9b-8ce0-01334ee0867d
|
|
description: Process Hacker can be exploited to infiltrate system processes, identify weak points, or achieve unauthorized control over systems. However, its malicious use can often be flagged by security defenses, rendering it a perilous tool for illegitimate purposes.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
processhacker_exe:
|
|
description: Process hacker installation executables.
|
|
type: string
|
|
default: ProcessHacker.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: Process Hacker must be installed in the location
|
|
prereq_command: |
|
|
if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}") {exit 0} else {exit 1}
|
|
get_prereq_command: |-
|
|
Write-Host Downloading Process Hacker
|
|
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe"
|
|
Write-Host Installing Process Hacker
|
|
Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
|
|
executor:
|
|
command: Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Process Discovery - PC Hunter
|
|
auto_generated_guid: b4ca838d-d013-4461-bf2c-f7132617b409
|
|
description: PC Hunter is a toolkit with access to hundreds of settings including kernels, kernel modules, processes, network, startup, and more. When abused, this tool can allow threat actors to effectively access sensitive processes, collect system information, and terminate security software.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
pchunter64_exe:
|
|
description: Process hacker installation executables.
|
|
type: string
|
|
default: PChunter64.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: PCHunter must be present in device
|
|
prereq_command: |
|
|
if (Get-ChildItem -Path C:\ -Include *PCHunter64* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
|
|
get_prereq_command: |-
|
|
Write-Host Downloading PC Hunter
|
|
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "C:\Temp\ExternalPayloads\PCHunter_free.zip"
|
|
Expand-Archive -LiteralPath 'C:\Temp\ExternalPayloads\PCHunter_free.zip' -DestinationPath C:\Temp\ExternalPayloads
|
|
Write-Host Unzipping Installing Process Hunter
|
|
executor:
|
|
command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Launch Taskmgr from cmd to View running processes
|
|
auto_generated_guid: 4fd35378-39aa-481e-b7c4-e3bf49375c67
|
|
description: |
|
|
An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system.
|
|
[Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
taskmgr.exe /7
|
|
name: command_prompt
|
|
elevation_required: false
|