Atomic Red Team doc generator
72 lines
3.3 KiB
Markdown
72 lines
3.3 KiB
Markdown
# T1059 - Command and Scripting Interpreter
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059)
|
|
<blockquote>
|
|
|
|
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
|
|
|
|
There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).
|
|
|
|
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)
|
|
|
|
</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - AutoIt Script Execution](#atomic-test-1---autoit-script-execution)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - AutoIt Script Execution
|
|
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** a9b93f17-31cb-435d-a462-5e838a2a6026
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| script_path | AutoIt Script Path | path | PathToAtomicsFolder\T1059\src\calc.au3|
|
|
| autoit_path | AutoIt Executable File Path | path | C:\Program Files (x86)\AutoIt3\AutoIt3.exe|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: AutoIt executable file must exist on disk at the specified location (#{autoit_path})
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if(Test-Path "#{autoit_path}") {
|
|
exit 0
|
|
} else {
|
|
exit 1
|
|
}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
$AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
|
|
$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
|
|
Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
|
|
Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|