-
Notifications
You must be signed in to change notification settings - Fork 2.7k
/
T1071.001.yaml
82 lines (80 loc) · 3.82 KB
/
T1071.001.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
attack_technique: T1071.001
display_name: 'Application Layer Protocol: Web Protocols'
atomic_tests:
- name: Malicious User Agents - Powershell
auto_generated_guid: 81c13829-f6c9-45b8-85a6-053366d55297
description: |
This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- windows
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
command: |
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
name: powershell
- name: Malicious User Agents - CMD
auto_generated_guid: dc3488b0-08c7-4fea-b585-905c83b48180
description: |
This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- windows
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
curl_path:
description: path to curl.exe
type: path
default: C:\Windows\System32\Curl.exe
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
executor:
command: |
#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1
name: command_prompt
- name: Malicious User Agents - Nix
auto_generated_guid: 2d7c471a-e887-4b78-b0dc-b0df1f2e0658
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- linux
- macos
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
command: |
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
name: sh