atomic-red-team/atomics/T1559/T1559.yaml
Antonio Piazza e3b45b7b30 Added ExternalPayloads dir creation (#2537)
* Added ExternalPayloads dir creation

* Created ExternalPayloads Dir

Created ExternalPayloads Directory using PowerShell command

* Added External Payloads Dir

Added External Payloads Directory using a PowerShell command for all Procedures.

* Fixed ExternalPayload directory creation

Fixed ExternalPayload directory creation. Got rid of the Split path

* Created External Payloads directory

Created External Payloads directory for procedure 14d55ca0-920e-4b44-8425-37eedd72b173
2023-09-22 13:14:23 -06:00

attack_technique: T1559
display_name: Inter-Process Communication
atomic_tests:
- name: Cobalt Strike Artifact Kit pipe
  auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
  description: |
    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Named pipe executors must exist on disk
    prereq_command: |
      if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
      $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 1
    name: command_prompt
- name: Cobalt Strike Lateral Movement (psexec_psh) pipe
  auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
  description: |
    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Named pipe executors must exist on disk
    prereq_command: |
      if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
      $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 2
    name: command_prompt
- name: Cobalt Strike SSH (postex_ssh) pipe
  auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
  description: |
    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Named pipe executors must exist on disk
    prereq_command: |
      if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
      $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 3
    name: command_prompt
- name: Cobalt Strike post-exploitation pipe (4.2 and later)
  auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
  description: |
    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Named pipe executors must exist on disk
    prereq_command: |
      if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
      $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 4
    name: command_prompt
- name: Cobalt Strike post-exploitation pipe (before 4.2)
  auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
  description: |
    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Named pipe executors must exist on disk
    prereq_command: |
      if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
      $zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 5
    name: command_prompt
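
A detection-side check for the pipes these five tests create, as an added example that is not part of the Atomic Red Team file: it classifies Sysmon pipe events (Event ID 17 and 18) by pipe name and reports which atomic test each one corresponds to. The regular expressions are assumptions based on publicly documented Cobalt Strike default pipe names, and the sample events and the install path in them are constructed.

```python
import re

# Assumed name patterns (publicly documented Cobalt Strike defaults), keyed by
# the atomic test that emulates each pipe. They are not taken from the YAML.
PIPE_PATTERNS = {
    "Cobalt Strike Artifact Kit pipe": r"MSSE-\d+-server",
    "Cobalt Strike Lateral Movement (psexec_psh) pipe": r"status_[0-9a-f]{2}",
    "Cobalt Strike SSH (postex_ssh) pipe": r"postex_ssh_[0-9a-f]{4}",
    "Cobalt Strike post-exploitation pipe (4.2 and later)": r"postex_[0-9a-f]{4}",
    # Bare hex names are noisy: treat a hit as a lead to triage, not a verdict.
    "Cobalt Strike post-exploitation pipe (before 4.2)": r"[0-9a-f]{7,10}",
}
PIPE_EVENT_IDS = {17, 18}  # Sysmon: 17 = pipe created, 18 = pipe connected

def normalize(pipe_name):
    # Reduce a full device path or a Sysmon-style "\name" to the bare pipe name.
    name = re.sub(r"^\\\\\.\\pipe\\", "", pipe_name, flags=re.IGNORECASE)
    return name.lstrip("\\")

def classify(pipe_name):
    """Return the matching atomic test name, or None for an unlisted pipe."""
    bare = normalize(pipe_name)
    for test, pattern in PIPE_PATTERNS.items():
        if re.fullmatch(pattern, bare, re.IGNORECASE):
            return test
    return None

def hunt(events):
    """Return (image, pipe name, test) for each pipe event that matches."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in PIPE_EVENT_IDS:
            continue  # only pipe create/connect events carry PipeName
        test = classify(ev.get("PipeName", ""))
        if test:
            hits.append((ev.get("Image"), ev["PipeName"], test))
    return hits

# Constructed sample events (field names follow Sysmon's pipe events).
EXE = r"C:\AtomicRedTeam\ExternalPayloads\build\namedpipes_server.exe"
SAMPLE = [
    {"EventID": 17, "Image": EXE, "PipeName": r"\MSSE-1337-server"},
    {"EventID": 17, "Image": EXE, "PipeName": r"\status_4f"},
    {"EventID": 18, "Image": EXE, "PipeName": r"\postex_ssh_a1b2"},
    {"EventID": 17, "Image": EXE, "PipeName": r"\postex_9c0d"},
    {"EventID": 17, "Image": EXE, "PipeName": r"\6e7645c4"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\wkssvc"},
    {"EventID": 1, "Image": EXE, "PipeName": r"\status_4f"},
]
```

Running `hunt(SAMPLE)` after executing each atomic test is a quick way to confirm that pipe telemetry is actually being collected before relying on it for alerting.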