atomic-red-team/atomics/T1071.001/T1071.001.yaml

attack_technique: T1071.001
display_name: 'Application Layer Protocol: Web Protocols'
atomic_tests:
- name: Malicious User Agents - Powershell
  auto_generated_guid: 81c13829-f6c9-45b8-85a6-053366d55297
  description: |
    This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. 
    Use an application such as Wireshark to record the session and observe user agent strings and responses.

    Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
  supported_platforms:
  - windows
  input_arguments:
    domain:
      description: Default domain to simulate against
      type: string
      default: www.google.com
  executor:
    command: |
      Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
      Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
      Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
      Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
    name: powershell
- name: Malicious User Agents - CMD
  auto_generated_guid: dc3488b0-08c7-4fea-b585-905c83b48180
  description: |
    This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed. 
    Use an application such as Wireshark to record the session and observe user agent strings and responses.

    Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
  supported_platforms:
  - windows
  input_arguments:
    domain:
      description: Default domain to simulate against
      type: string
      default: www.google.com
    curl_path:
      description: path to curl.exe
      type: path
      default: C:\Windows\System32\Curl.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Curl must be installed on system 
    prereq_command: |
      if (Test-Path #{curl_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
  executor:
    command: |
      #{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
      #{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
      #{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
      #{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1
    name: command_prompt
- name: Malicious User Agents - Nix
  auto_generated_guid: 2d7c471a-e887-4b78-b0dc-b0df1f2e0658
  description: |
    This test simulates an infected host beaconing to command and control.
    Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
  supported_platforms:
  - linux
  - macos
  input_arguments:
    domain:
      description: Default domain to simulate against
      type: string
      default: www.google.com
  executor:
    command: |
      curl -s -A "HttpBrowser/1.0" -m3 #{domain}
      curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
      curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
      curl -s -A "*<|>*" -m3 #{domain}
    name: sh