From f68822b349f49b264dbed35814fa3bdd6bc113ab Mon Sep 17 00:00:00 2001 From: Antonio Piazza Date: Fri, 29 Sep 2023 10:40:27 -0400 Subject: [PATCH] Added ExternalPayloads directory (#2545) * Added ExternalPayloads dir creation * Created ExternaPayloads Dir Created ExternaPayloads Directory using powershell command * Added External Payloads Dir Added External Payloads Directory using a powershell command for all Procedures. * Fixed ExternalPayload directory creation Fixed ExternalPayload directory creation. Got rid of the Split path * Created External Payloads directory Created External Payloads directory for procedure 14d55ca0-920e-4b44-8425-37eedd72b173 * Update T1003.002.yaml Added ExternalPayloads directory creation PowerShell command for procedure 804f28fc-68fc-40da-b5a2-e9d0bce5c193 * Update T1110.004.yaml Added Powershell Command to creat ExternalPayloads dir for the second prereq for procedure 4852c630-87a9-409b-bb5e-5dc12c9ebcde. * Update T1110.001.yaml Added ExrernalPayload directory creation PowerShell command for procedure 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 prereq 2 * Added ExternalPayloads Dir Added Powershell command to create new ExternalPayloads dir for procedure fad04df1-5229-4185-b016-fb6010cd87ac * Add ExternalPayloads Dir Added PowerShell Command to create new ExternalPayloads directory for procedure c6f25ec3-6475-47a9-b75d-09ac593c5ecb * Added prereq download directories Added powershell command to create prereq download directories for procedure 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd --------- Co-authored-by: Carrie Roberts --- atomics/T1027/T1027.yaml | 1 + atomics/T1110.001/T1110.001.yaml | 1 + atomics/T1110.003/T1110.003.yaml | 1 + atomics/T1555.003/T1555.003.yaml | 7 +++++++ 4 files changed, 10 insertions(+) diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 636e272162..2205b852ca 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml 
@@ -235,6 +235,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js") {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip"
       Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force
diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml
index 190ca48132..51f8e31e4e 100644
--- a/atomics/T1110.001/T1110.001.yaml
+++ b/atomics/T1110.001/T1110.001.yaml
@@ -146,6 +146,7 @@ atomic_tests:
     prereq_command: |
       if (test-path "PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt"){exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt"
   executor:
     name: powershell
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 4fdde52ab8..24ccc57cdf 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
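Review bot: `-ErrorAction Ignore` on the added New-Item line swallows every failure of the directory creation, including access-denied on the parent of PathToAtomicsFolder, so a genuine failure only surfaces later as a less informative Invoke-WebRequest error. As I read the cmdlet's documented behaviour, `-Force` already makes New-Item return an existing directory without raising, so Ignore adds nothing for the expected already-exists case; `New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -Force | Out-Null` is sufficient, or `-ErrorAction Stop` if the prerequisite step should fail loudly. The same applies to every other New-Item line in this patch (T1110.001 @@ -146, T1110.003 @@ -283 and all T1555.003 hunks); the T1555.003 lines also spell the value `ignore` where the others use `Ignore`, which PowerShell accepts but is worth making uniform.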
@@ -283,6 +283,7 @@ atomic_tests:
     prereq_command: |
       if (test-path "PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt"){exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt"
   executor:
     name: powershell
diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml
index 4416bf8a10..af4fb61c75 100644
--- a/atomics/T1555.003/T1555.003.yaml
+++ b/atomics/T1555.003/T1555.003.yaml
@@ -23,6 +23,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{file_path}\SysInternals") {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip"
       Expand-Archive "#{file_path}\Modified-SysInternalsSuite.zip" "#{file_path}\sysinternals" -Force
@@ -225,6 +226,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
   - description: |
       Firefox profile directory must be present
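Review bot: In the T1555.003 @@ -23 hunk the added New-Item creates a fixed `PathToAtomicsFolder\..\ExternalPayloads\`, while the download on the following lines writes to `#{file_path}\Modified-SysInternalsSuite.zip`, so if the test is run with a non-default file_path (presumably an input argument, not visible here) the directory that is actually needed is still not created and Invoke-WebRequest fails as before. Deriving the directory from the same argument, `New-Item -Type Directory "#{file_path}" -ErrorAction ignore -Force | Out-Null`, keeps the prerequisite consistent with the download target. The @@ -225 hunk (`#{Firepwd_Path}`) and the @@ -408 hunk further down (`#{webbrowserpassview_path}`) have the same mismatch; there the argument is a file path, so the directory would come from `Split-Path "#{Firepwd_Path}"` — the commit message says Split-Path was deliberately dropped, so if only the default values are meant to be supported, a one-line YAML comment above the New-Item stating that would make the intent visible to the next maintainer.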
@@ -243,6 +245,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{VS_CMD_Path}") {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       invoke-webrequest "https://aka.ms/vs/17/release/vs_BuildTools.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\VS_BuildTools.exe"
       write-host "Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from PathToAtomicsFolder\..\ExternalPayloads\VS_BuildTools.exe."
   - description: |
@@ -250,6 +253,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{Python_Path}") {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
       Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
   - description: |
@@ -258,6 +262,7 @@ atomic_tests:
       $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
       if (pip -v) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
       invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
       cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
@@ -408,6 +413,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{webbrowserpassview_path}") {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction ignore -Force | Out-Null
       Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe -OutFile "#{webbrowserpassview_path}"
   executor:
     command: |
@@ -441,6 +447,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe") {exit 0} else {exit 1}
     get_prereq_command: |-
+      New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe" -Outfile: "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe"
   - description: |
       Login Data file that is a copy of a chrome Login Data that contains credentials for the tool to "steal." Must exist at the specified path.