Replay the Dependencies Merge (redcanaryco#786)

* first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * lowercase url * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * lowercase url * fixing yaml spacing issue * correcting input name * rm to del Co-authored-by: Carrie Roberts <[email protected]>
Andras32 · Jan 21, 2020 · a4c9ee4 · a4c9ee4
1 parent 82bc6fa
commit a4c9ee4
Show file tree

Hide file tree

Showing 202 changed files with 5,227 additions and 5,734 deletions.
diff --git a/atomic_red_team/atomic_doc_template.md.erb b/atomic_red_team/atomic_doc_template.md.erb
@@ -19,15 +19,13 @@
   case p
     when 'macos'
       'macOS'
-    when 'centos'
-      'CentOS'
     else
       p.capitalize
   end
 end.join(', ') %>
 
 <% if test['input_arguments'].to_a.count > 0 %>
-#### Inputs
+#### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 <% test['input_arguments'].each do |arg_name, arg_options| -%>
@@ -37,21 +35,13 @@ end.join(', ') %>
 
 <%- if test['executor']['name'] == 'manual' -%>
 #### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
-
 <%= test['executor']['steps'] %>
-
 <%- else -%>
-#### Run it with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
 
-```
-<%= test['executor']['command'].to_s.strip %>
-```
-<%- end -%>
+#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
 
-<%- if test['executor']['prereq_command'] != nil -%>
-#### Commands to Check Prerequisites:
 ```
-<%= test['executor']['prereq_command'].to_s.strip %>
+<%= test['executor']['command'].to_s.strip %>
 ```
 <%- end -%>
 
@@ -62,5 +52,23 @@ end.join(', ') %>
 ```
 <%- end -%>
 
+<% if test['dependencies'].to_a.count > 0 %>
+#### Dependencies:  Run with `<%- if test['dependency_executor_name'] != nil%><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
+<% test['dependencies'].each do | dep | -%>
+##### Description: <%= dep['description'].strip!  %>
+##### Check Prereq Commands:
+```
+<%= dep['prereq_command'].strip! %> 
+```
+##### Get Prereq Commands:
+```
+<%= dep['get_prereq_command'].strip!  %>
+```
+<% end -%>
+<% end -%>
+
+
+
+
 <br/>
 <%- end -%>
diff --git a/atomic_red_team/atomic_red_team.rb b/atomic_red_team/atomic_red_team.rb
@@ -84,7 +84,7 @@ def validate_atomic_yaml!(yaml)
       raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
       raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
 
-      valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
+      valid_supported_platforms = ['windows', 'macos', 'linux']
       atomic['supported_platforms'].each do |platform|
         if !valid_supported_platforms.include?(platform)
           raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")

diff --git a/atomic_red_team/atomic_test_template.yaml b/atomic_red_team/atomic_test_template.yaml
@@ -10,8 +10,6 @@ atomic_tests:
   supported_platforms:
     - windows
     - macos
-    - centos
-    - ubuntu
     - linux
 
   input_arguments:
@@ -20,11 +18,18 @@ atomic_tests:
       type: todo
       default: TODO
 
+  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
+  dependencies: # (optional)
+    - description: |
+        TODO
+      prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
+        TODO
+      get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
+        TODO
+
   executor:
     name: command_prompt
     elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    prereq_command: | # for the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success. You can remove the prereq_command section if there are no pre-req's
-      TODO
     command: | # these are the actaul attack commands, at least one command must be provided
       TODO
     cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands

diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml
@@ -13,8 +13,8 @@
 #   atomic_red_team/atomics
 #   atomic_red_team/atomics/T1234
 #   atomic_red_team/atomics/T1234/T1234.yaml      <-- this is where all the atomic tests live
-#   atomic_red_team/atomics/T1234/payload1.sct    <-- a payload file needed by one of the T1234 atomics
-#   atomic_red_team/atomics/T1234/payload2.dll    <-- another payload file needed by one of the T1234 atomics
+#   atomic_red_team/atomics/T1234/src/payload1.sct    <-- a payload file needed by one of the T1234 atomics (human readable)
+#   atomic_red_team/atomics/T1234/bin/payload2.dll    <-- another payload file needed by one of the T1234 atomics (binary)
 #
 # In general, a set of atomic tests for a technique should never depend on payloads
 # or supporting files from other atomic directories. We want to keep things nice and close.
@@ -74,7 +74,32 @@ atomic_tests:
       type: Url
       default: 0000:00:30
 
-  # a list of executors that can execute this atomic test. There are almost always going to be one of these
+  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
+  dependencies: # (optional)
+    # a list of dependies that must be met to successfully run this atomic
+    - description: |
+        TODO
+      prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
+        TODO
+      get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
+        TODO
+
+  #example of two dependencies
+  dependencies:
+  - description: |
+      Sysmon executable must be available
+    prereq_command: |
+      where sysmon > nul
+    get_prereq_command: |
+      echo Automated installer not implemented yet, please install Sysmon manually
+  - description: |
+      Sysmon must be installed
+    prereq_command: |
+      sc query sysmon > nul
+    get_prereq_command: |
+      sysmon -i -accepteula
+
+  # a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
   # per test, but there are cases where you may have multiple - for example, separate executors for `sh`
   # and `bash` when working on linux OSes.
   executors:
@@ -161,8 +186,8 @@ atomic_tests:
     blah blah blah
   supported_platforms:
     - macos
-    - centos
-    - ubuntu
+    - linux
+
   # in this example we have no input arguments
   input_arguments:
   executors:

diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md
@@ -23,23 +23,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Windows
 
 
-#### Inputs
+#### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
 | output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE\data.zip|
 
-#### Run it with `powershell`! 
+
+#### Attack Commands: Run with `powershell`! 
 ```
 dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 ```
 
-
 #### Cleanup Commands:
 ```
 Remove-Item -path #{output_file}
 ```
 
+
+
+
+
 <br/>
 <br/>
 
@@ -49,27 +53,43 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Windows
 
 
-#### Inputs
+#### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_path | Path that should be compressed into our output file | Path | %USERPROFILE%|
 | file_extension | Extension of files to compress | String | .txt|
 | output_file | Path where resulting compressed data should be placed | Path | %USERPROFILE%\data.rar|
+| rar_installer | Winrar installer | Path | %TEMP%\winrar.exe|
+| rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe|
 
-#### Run it with `command_prompt`! 
+
+#### Attack Commands: Run with `command_prompt`! 
 ```
-rar a -r #{output_file} #{input_path} *#{file_extension}
+"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}
 ```
 
-#### Commands to Check Prerequisites:
+#### Cleanup Commands:
 ```
-rar /?
+del #{output_file}
 ```
 
-#### Cleanup Commands:
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Rar tool must be installed at specified location (#{rar_exe})
+##### Check Prereq Commands:
+```
+if not exist "#{rar_exe}" (exit /b 1) 
 ```
-del -f
+##### Get Prereq Commands:
 ```
+echo Downloading Winrar installer
+bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
+echo Follow the installer prompts to install Winrar
+#{rar_installer}
+```
+
+
+
 
 <br/>
 <br/>
@@ -80,26 +100,37 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Linux, macOS
 
 
-#### Inputs
+#### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt|
 | output_file | Path that should be output as a zip archive | Path | $HOME/data.zip|
 
-#### Run it with `sh`! 
+
+#### Attack Commands: Run with `sh`! 
 ```
 zip #{output_file} #{input_files}
 ```
 
-#### Commands to Check Prerequisites:
+#### Cleanup Commands:
 ```
-ls #{input_file}
+rm -f #{output_file}
 ```
 
-#### Cleanup Commands:
+
+#### Dependencies:  Run with `sh`!
+##### Description: Files to zip must exist (#{input_files})
+##### Check Prereq Commands:
+```
+ls #{input_files} 
 ```
-rm -f
+##### Get Prereq Commands:
 ```
+echo Please set input_files argument to include files that exist
+```
+
+
+
 
 <br/>
 <br/>
@@ -110,23 +141,27 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Linux, macOS
 
 
-#### Inputs
+#### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt|
 | input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101|
 
-#### Run it with `sh`! 
+
+#### Attack Commands: Run with `sh`! 
 ```
 test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
 ```
 
-
 #### Cleanup Commands:
 ```
 rm -f #{input_file}.gz
 ```
 
+
+
+
+
 <br/>
 <br/>
 
@@ -136,25 +171,36 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Linux, macOS
 
 
-#### Inputs
+#### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME|
 | output_file | File that should be output | Path | $HOME/data.tar.gz|
 
-#### Run it with `sh`! 
+
+#### Attack Commands: Run with `sh`! 
 ```
 tar -cvzf #{output_file} #{input_file_folder}
 ```
 
-#### Commands to Check Prerequisites:
+#### Cleanup Commands:
 ```
-test -e #{input_file_folder}
+rm -f #{output_file}
 ```
 
-#### Cleanup Commands:
+
+#### Dependencies:  Run with `sh`!
+##### Description: Folder to zip must exist (#{input_file_folder})
+##### Check Prereq Commands:
 ```
-rm -f #{output_file}
+test -e #{input_file_folder} 
 ```
+##### Get Prereq Commands:
+```
+echo Please set input_file_folder argument to a folder that exists
+```
+
+
+
 
 <br/>