security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1059.003/T1059.003.yaml
T
Atomic Red Team GUID generator 19c71c2a40 Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-10-02 20:45:17 +00:00

154 lines
6.2 KiB
YAML
Raw Permalink Blame History

attack_technique: T1059.003
display_name: 'Command and Scripting Interpreter: Windows Command Shell'
atomic_tests:
- name: Create and Execute Batch Script
auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388
description: |
Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again.
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Command to execute within script.
type: string
default: dir
script_path:
description: Script path.
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1059.003_script.bat
dependency_executor_name: powershell
dependencies:
- description: |
Batch file must exist on disk at specified location (#{script_path})
prereq_command: |
if (Test-Path "#{script_path}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item "#{script_path}" -Force | Out-Null
Set-Content -Path "#{script_path}" -Value "#{command_to_execute}"
executor:
command: |
Start-Process "#{script_path}"
cleanup_command: |
Remove-Item "#{script_path}" -Force -ErrorAction Ignore
name: powershell
- name: Writes text to a file and displays it.
auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e
description: |
Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.
supported_platforms:
- windows
input_arguments:
file_contents_path:
description: Path to the file that the command prompt will drop.
type: path
default: '%TEMP%\test.bin'
message:
description: Message that will be written to disk and then displayed.
type: string
default: 'Hello from the Windows Command Prompt!'
executor:
command: |
echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
cleanup_command: |
del "#{file_contents_path}" >nul 2>&1
name: command_prompt
- name: Suspicious Execution via Windows Command Shell
auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
description: |
Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
supported_platforms:
- windows
input_arguments:
output_file:
description: File to output to
type: string
default: hello.txt
input_message:
description: Message to write to file
type: string
default: Hello, from CMD!
executor:
command: |
%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
name: command_prompt
- name: Simulate BlackByte Ransomware Print Bombing
auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
description: |
This test attempts to open a file a specified number of times in Wordpad, then prints the contents.
It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed.
See https://redcanary.com/blog/blackbyte-ransomware/.
supported_platforms:
- windows
input_arguments:
file_to_print:
description: File to be opened/printed by Wordpad.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\T1059_003note.txt
max_to_print:
description: The maximum number of Wordpad windows the test will open/print.
type: integer
default: 75
dependency_executor_name: powershell
dependencies:
- description: |
File to print must exist on disk at specified location (#{file_to_print})
prereq_command: |
if (test-path "#{file_to_print}"){exit 0} else {exit 1}
get_prereq_command: |
new-item "#{file_to_print}" -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
executor:
command: |
cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
cleanup_command: |
stop-process -name wordpad -force -erroraction silentlycontinue
name: powershell
- name: Command Prompt read contents from CMD file and execute
auto_generated_guid: df81db1b-066c-4802-9bc8-b6d030c3ba8e
description: |
Simulate Raspberry Robin using the "standard-in" command prompt feature cmd `/R <` to read and execute a file via cmd.exe
See https://redcanary.com/blog/raspberry-robin/.
supported_platforms:
- windows
input_arguments:
input_file:
description: CMD file that is read by Command Prompt and execute, which launches calc.exe
type: path
default: PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd
dependency_executor_name: powershell
dependencies:
- description: |
CMD file must exist on disk at specified location (#{input_file})
prereq_command: |
if (Test-Path "#{input_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{input_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1059.003/src/t1059.003_cmd.cmd" -OutFile "#{input_file}"
executor:
command: |
cmd /r cmd<"#{input_file}"
name: command_prompt
elevation_required: false
- name: Command prompt writing script to file then executes it
auto_generated_guid: 00682c9f-7df4-4df8-950b-6dcaaa3ad9af
description: |2-
Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it.
The script will execute 'whoami' then exit.
supported_platforms:
- windows
input_arguments:
script_path:
description: Path in which the script will be written.
type: path
default: '%TEMP%\'
script_name:
description: Script name (without the extension)
type: string
default: AtomicTest
executor:
command: ' c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs'
cleanup_command: del "#{script_name}.vbs" >nul 2>&1
name: command_prompt
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink