security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1072/T1072.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

170 lines
6.2 KiB
Markdown
Raw Permalink Blame History

# T1072 - Software Deployment Tools
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1072)
<blockquote>
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.
Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
SaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)
Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)
The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Radmin Viewer Utility](#atomic-test-1---radmin-viewer-utility)
- [Atomic Test #2 - PDQ Deploy RAT](#atomic-test-2---pdq-deploy-rat)
- [Atomic Test #3 - Deploy 7-Zip Using Chocolatey](#atomic-test-3---deploy-7-zip-using-chocolatey)
<br/>
## Atomic Test #1 - Radmin Viewer Utility
An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
**Supported Platforms:** Windows
**auto_generated_guid:** b4988cad-6ed2-434d-ace5-ea2670782129
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| radmin_installer | Radmin Viewer installer | path | RadminViewer.msi|
| radmin_exe | The radmin.exe executable from RadminViewer.msi | path | Radmin Viewer 3/Radmin.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"%PROGRAMFILES(x86)%/#{radmin_exe}"
```
#### Dependencies: Run with `powershell`!
##### Description: Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host Downloading radmin installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}"
Write-Host Install Radmin
Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn
```
<br/>
<br/>
## Atomic Test #2 - PDQ Deploy RAT
An adversary may use PDQ Deploy Software to deploy the Remote Adminstartion Tool, this will start the PDQ console.
**Supported Platforms:** Windows
**auto_generated_guid:** e447b83b-a698-4feb-bed1-a7aaf45c3443
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| PDQ_Deploy_installer | PDQ Deploy Install | path | PDQDeploysetup.exe|
| PDQ_Deploy_exe | The PDQDeployConsole.exe executable from PDQDeploysetup.exe | path | Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
```
#### Dependencies: Run with `powershell`!
##### Description: PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host Downloading PDQ Deploy installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}"
Write-Host Install PDQ Deploy
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s"
```
<br/>
<br/>
## Atomic Test #3 - Deploy 7-Zip Using Chocolatey
An adversary may use Chocolatey to remotely deploy the 7-Zip file archiver utility.
**Supported Platforms:** Windows
**auto_generated_guid:** 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a
#### Attack Commands: Run with `powershell`!
```powershell
# Deploy 7-Zip using Chocolatey
choco install -y 7zip
```
#### Dependencies: Run with `powershell`!
##### Description: Chocolatey must be installed to deploy 7-Zip.
##### Check Prereq Commands:
```powershell
if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host Downloading Chocolatey installer
Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1"
Write-Host Installing Chocolatey
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait
```
<br/>
Reference in New Issue View Git Blame Copy Permalink