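# Atomic Red Team tests for T1529 (System Shutdown/Reboot).
# Every test in this file is destructive by design: it halts, reboots, powers off or
# logs off the target, or powers off VMs on a target ESXi host. None of them defines a
# cleanup_command - there is nothing to undo. Run only against disposable lab systems.
attack_technique: T1529
display_name: System Shutdown/Reboot
atomic_tests: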
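- name: Shutdown System - Windows
  auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64
  description: |
    This test shuts down a Windows system.
  supported_platforms:
  - windows
  input_arguments:
    timeout:
      description: Timeout period before shutdown (seconds)
      type: integer
      default: 1
  executor:
    # Destructive: powers the host off #{timeout} seconds after execution (default 1s).
    # Presumably `shutdown /a` can still abort it during that window - confirm before
    # relying on that as a safety net.
    command: |
      shutdown /s /t #{timeout}
    name: command_prompt
    elevation_required: true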
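- name: Restart System - Windows
  auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302
  description: |
    This test restarts a Windows system.
  supported_platforms:
  - windows
  input_arguments:
    timeout:
      description: Timeout period before restart (seconds)
      type: integer
      default: 1
  executor:
    # Destructive: reboots the host #{timeout} seconds after execution (default 1s).
    # Presumably `shutdown /a` can still abort it during that window - confirm before
    # relying on that as a safety net.
    command: |
      shutdown /r /t #{timeout}
    name: command_prompt
    elevation_required: true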
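# The title names FreeBSD, but supported_platforms lists only linux and macos.
- name: Restart System via `shutdown` - FreeBSD/macOS/Linux
  auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb
  description: |
    This test restarts a FreeBSD/macOS/Linux system.
  supported_platforms:
  - linux
  - macos
  input_arguments:
    timeout:
      description: Time to restart (can be minutes or specific time)
      type: string
      default: now
  executor:
    # Destructive: reboots the host. #{timeout} is passed straight through as the
    # shutdown time argument (default "now" reboots immediately); it is not validated here.
    command: |
      shutdown -r #{timeout}
    name: sh
    elevation_required: true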
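# The title names FreeBSD, but supported_platforms lists only linux and macos.
- name: Shutdown System via `shutdown` - FreeBSD/macOS/Linux
  auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de
  description: |
    This test shuts down a FreeBSD/macOS/Linux system using a halt.
  supported_platforms:
  - linux
  - macos
  input_arguments:
    timeout:
      description: Time to shutdown (can be minutes or specific time)
      type: string
      default: now
  executor:
    # Destructive: halts the host. Whether -h also powers the machine off depends on the
    # platform's shutdown implementation - confirm on the target. #{timeout} is passed
    # straight through as the shutdown time argument (default "now").
    command: |
      shutdown -h #{timeout}
    name: sh
    elevation_required: true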
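# The title names FreeBSD, but supported_platforms lists only linux and macos.
- name: Restart System via `reboot` - FreeBSD/macOS/Linux
  auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027
  description: |
    This test restarts a FreeBSD/macOS/Linux system via `reboot`.
  supported_platforms:
  - linux
  - macos
  executor:
    # Destructive: reboots the host immediately; no delay argument is offered.
    command: |
      reboot
    name: sh
    elevation_required: true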
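# The title names FreeBSD, but supported_platforms lists only linux.
- name: Shutdown System via `halt` - FreeBSD/Linux
  auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd
  description: |
    This test shuts down a FreeBSD/Linux system using `halt`.
  supported_platforms:
  - linux
  executor:
    # Destructive: halts the host immediately; -p additionally requests power-off.
    command: |
      halt -p
    name: sh
    elevation_required: true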
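# FreeBSD-specific flag, yet tagged `linux` (presumably because the framework has no
# separate FreeBSD platform - confirm). The Linux variant below uses `halt --reboot`;
# `halt -r` may not be accepted by a Linux halt implementation, so verify before
# running this one on a Linux host.
- name: Reboot System via `halt` - FreeBSD
  auto_generated_guid: 7b1cee42-320f-4890-b056-d65c8b884ba5
  description: |
    This test restarts a FreeBSD system using `halt`.
  supported_platforms:
  - linux
  executor:
    # Destructive: reboots the host immediately.
    command: |
      halt -r
    name: sh
    elevation_required: true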
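- name: Reboot System via `halt` - Linux
  auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e
  description: |
    This test restarts a Linux system using `halt`.
  supported_platforms:
  - linux
  executor:
    # Destructive: reboots the host immediately (long-option form of the FreeBSD test above).
    command: |
      halt --reboot
    name: bash
    elevation_required: true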
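# The title names FreeBSD, but supported_platforms lists only linux.
- name: Shutdown System via `poweroff` - FreeBSD/Linux
  auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa
  description: |
    This test shuts down a FreeBSD/Linux system using `poweroff`.
  supported_platforms:
  - linux
  executor:
    # Destructive: powers the host off immediately.
    command: |
      poweroff
    name: sh
    elevation_required: true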
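# FreeBSD-specific invocation, yet tagged `linux` (presumably because the framework has
# no separate FreeBSD platform - confirm). The Linux variant below uses
# `poweroff --reboot`; `poweroff -r 3` may not be accepted by a Linux poweroff
# implementation, so verify before running this one on a Linux host.
- name: Reboot System via `poweroff` - FreeBSD
  auto_generated_guid: 5a282e50-86ff-438d-8cef-8ae01c9e62e1
  description: |
    This test restarts a FreeBSD system using `poweroff`.
  supported_platforms:
  - linux
  executor:
    # Destructive: reboots the host. The meaning of the trailing `3` is not documented
    # here - confirm against the target's poweroff/halt manual page.
    command: |
      poweroff -r 3
    name: sh
    elevation_required: true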
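- name: Reboot System via `poweroff` - Linux
  auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41
  description: |
    This test restarts a Linux system using `poweroff`.
  supported_platforms:
  - linux
  executor:
    # Destructive: reboots the host immediately (long-option form of the FreeBSD test above).
    command: |
      poweroff --reboot
    name: bash
    elevation_required: true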
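- name: Logoff System - Windows
  auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
  description: |
    This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
  supported_platforms:
  - windows
  executor:
    # Ends the current interactive session only - the host stays up. Anything unsaved in
    # that session is lost. elevation_required is kept as upstream set it; presumably a
    # standard user can log off its own session without it - confirm if that matters.
    command: |
      shutdown /l
    name: command_prompt
    elevation_required: true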
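# Runs from a Windows host and SSHes into an ESXi server with plink; the hypervisor,
# not the Windows host, is what gets damaged.
- name: ESXi - Terminates VMs using pkill
  auto_generated_guid: 987c9b4d-a637-42db-b1cb-e9e242c3991b
  description: |
    In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx.

    [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name of the ESXi Server
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on ESXi Server
      type: string
      default: root
    # Placeholder only - never commit a real password here. The value is handed to plink
    # with -pw, so it is visible in the command line and in process-creation telemetry.
    vm_pass:
      description: Specify the privilege user password on ESXi Server
      type: string
      default: pass
    plink_file:
      description: Path to plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    cli_script:
      description: Path to text with commands
      type: path
      default: PathToAtomicsFolder\T1529\src\esx_pkill.txt
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if plink is available.
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
    # Supply-chain note: this fetches the unpinned "latest" plink build and performs no
    # hash or signature check. Pin a specific release and verify it (e.g. Get-FileHash
    # against the checksum the upstream project publishes) before trusting the binary in
    # a shared lab.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
  executor:
    # Destructive on the ESXi host: executes the commands in #{cli_script} (file not
    # shown here) over SSH. Unlike the vim-cmd test, there is no -batch flag, so plink may
    # stop at an interactive prompt (e.g. an unknown host key); the piped empty line is
    # presumably what answers it - confirm behaviour in your lab.
    command: |
      echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
    name: command_prompt
    elevation_required: false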
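# Runs from a Windows host and SSHes into an ESXi server with plink; the hypervisor,
# not the Windows host, is what gets damaged.
- name: ESXi - Avoslocker enumerates VMs and forcefully kills VMs
  auto_generated_guid: 189f7d6e-9442-4160-9bc3-5e4104d93ece
  description: |
    AvosLocker malware has built-in functionality to enumerate the VM instances and uses the esxcli command to forcefully power them off.

    [Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name of the ESXi Server
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on ESXi Server
      type: string
      default: root
    # Placeholder only - never commit a real password here. The value is handed to plink
    # with -pw, so it is visible in the command line and in process-creation telemetry.
    vm_pass:
      description: Specify the privilege user password on ESXi Server
      type: string
      default: pass
    plink_file:
      description: Path to plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    cli_script:
      description: Path to text with commands
      type: path
      default: PathToAtomicsFolder\T1529\src\esx_avoslocker_kill_vm.txt
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if plink is available.
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
    # Supply-chain note: this fetches the unpinned "latest" plink build and performs no
    # hash or signature check. Pin a specific release and verify it (e.g. Get-FileHash
    # against the checksum the upstream project publishes) before trusting the binary in
    # a shared lab.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
  executor:
    # Destructive on the ESXi host: executes the commands in #{cli_script} (file not
    # shown here) over SSH. Unlike the vim-cmd test, there is no -batch flag, so plink may
    # stop at an interactive prompt (e.g. an unknown host key); the piped empty line is
    # presumably what answers it - confirm behaviour in your lab.
    command: |
      echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
    name: command_prompt
    elevation_required: false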
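# Runs from a Windows host and SSHes into an ESXi server with plink; the hypervisor,
# not the Windows host, is what gets damaged.
- name: ESXi - vim-cmd Used to Power Off VMs
  auto_generated_guid: 622cc1a0-45e7-428c-aed7-c96dd605fbe6
  description: |
    Adversaries may power off VMs to facilitate the deployment of ransomware payloads.

    [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#power%20off%20vm)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name or IP of the ESXi server.
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on the ESXi server.
      type: string
      default: root
    # Placeholder only - never commit a real password here. The value is handed to plink
    # with -pw, so it is visible in the command line and in process-creation telemetry.
    vm_pass:
      description: Specify the privileged user's password.
      type: string
      default: password
    plink_file:
      description: Path to Plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if we have plink
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
    # Supply-chain note: this fetches the unpinned "latest" plink build and performs no
    # hash or signature check. Pin a specific release and verify it (e.g. Get-FileHash
    # against the checksum the upstream project publishes) before trusting the binary in
    # a shared lab.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
  executor:
    # Destructive: powers off EVERY VM that `vmsvc/getallvms` lists on the host (the
    # header row is skipped with NR>1), each in the background - there is no way to
    # select a subset. -batch disables plink's interactive prompts, so an unknown host
    # key aborts the connection instead of prompting; presumably the key must already be
    # cached (or be supplied with -hostkey) - confirm in your lab.
    # #{vm_user} is now quoted like the other arguments, matching the two ESXi tests above.
    command: |
      echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/power.off $i & done"
    name: command_prompt
    elevation_required: false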
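- name: Abuse of Linux Magic System Request Key for Reboot
  auto_generated_guid: d2a1f4bc-a064-4223-8281-a086dce5423c
  description: |
    Adversaries with root (or otherwise sufficient privileges) can silently manipulate or destabilize a system.
    Writing "b" to /proc/sysrq-trigger forces an immediate reboot.
  supported_platforms:
  - linux
  executor:
    # Destructive: per the kernel's sysrq documentation, "b" reboots at once without
    # syncing or unmounting filesystems, so unsaved data on the target is lost. The write
    # only takes effect if the kernel's sysrq mask (kernel.sysrq sysctl) permits the
    # reboot action - confirm that setting on the target. The redirection itself is what
    # needs root, hence elevation_required.
    command: |
      echo "b" > /proc/sysrq-trigger
    name: bash
    elevation_required: true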