From 4fb54899764542cf335c63822fd6fe2b03f1f966 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 22 Jul 2023 10:11:22 +0200
Subject: [PATCH] Update windows tests (#3)
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .vscode/launch.json | 16 ++++++
 Full_tests.csv | 8 +--
 missing_tests.csv | 1 +
 powershell/runtest.ps1 | 60 ++++++++++++++++++++
 sigma_rule.csv | 5 ++
 yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml | 6 +-
 yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml | 6 +-
 yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml | 6 +-
 yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml | 6 +-
 9 files changed, 102 insertions(+), 12 deletions(-)
 create mode 100644 .vscode/launch.json
 create mode 100644 powershell/runtest.ps1
diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 00000000..948a2368
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,16 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "Python: Current File",
+ "type": "python",
+ "request": "launch",
+ "program": "${file}",
+ "console": "integratedTerminal",
+ "justMyCode": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Full_tests.csv b/Full_tests.csv
index 6dcf8806..3dfc8a66 100644
--- a/Full_tests.csv
+++ b/Full_tests.csv
@@ -803,9 +803,9 @@ execution;T1059.004;bash;['linux'];Change login shell;c7ac59cb-13cc-4622-81dc-6d execution;T1059.004;bash;['linux'];Environment variable scripts;bdaebd56-368b-4970-a523-f905ff4a8a51;False;11 execution;T1059.004;bash;['linux'];Detecting pipe-to-shell;fca246a8-a585-4f28-a2df-6495973976a1;False;12 execution;T1559;command_prompt;['windows'];Cobalt Strike Artifact Kit pipe;bd13b9fc-b758-496a-b81a-397462f82c72;True;1 -execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;False;2 -execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;False;3 -execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;False;4 +execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;True;2 +execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;True;3 +execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;True;4 execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (before 4.2);8dbfc15c-527b-4ab0-a272-019f469d367f;False;5 execution;T1204.003;powershell;['windows'];Malicious Execution from Mounted ISO Image;e9795c8d-42aa-4ed4-ad80-551ed793d006;False;1 execution;T1059.006;sh;['linux'];Execute shell script via python's command mode arguement;3a95cdb2-c6ea-4761-b24e-02b71889b8bb;False;1 
@@ -1266,7 +1266,7 @@ credential-access;T1552.004;powershell;['windows'];ADFS token signing and encryp credential-access;T1552.004;powershell;['windows'];CertUtil ExportPFX;336b25bf-4514-4684-8924-474974f28137;True;8 credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-PFXCertificate;7617f689-bbd8-44bc-adcd-6f8968897848;True;9 credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-Certificate;78b274f8-acb0-428b-b1f7-7b0d0e73330a;True;10 -credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;False;11 +credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;True;11 credential-access;T1557.001;powershell;['windows'];LLMNR Poisoning with Inveigh (PowerShell);deecd55f-afe0-4a62-9fba-4d1ba2deb321;True;1 credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory using ProcDump;0be2230c-9ab3-4ac2-8826-3199b9a0ebf8;True;1 credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe Memory using comsvcs.dll;2536dee2-12fb-459a-8c37-971844fa73be;True;2 diff --git a/missing_tests.csv b/missing_tests.csv index 229f6c3e..155127eb 100644 --- a/missing_tests.csv +++ b/missing_tests.csv 
@@ -9,6 +9,7 @@ defense-evasion;T1553.002;win_security_susp_sdelete.yml defense-evasion;T1599.001;driver_load_win_windivert.yml defense-evasion;T1550;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml defense-evasion;T1553.003;registry_set_sip_persistence.yml +defense-evasion;T1222;posh_ps_set_acl.yml,posh_ps_set_acl_susp_location.yml defense-evasion;T1548;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_aad_secops_new_ca_policy_addedby_bad_actor.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,lnx_auditd_capabilities_discovery.yml,file_event_lnx_doas_conf_creation.yml,proc_creation_lnx_doas_execution.yml,win_security_scm_database_privileged_operation.yml,win_system_vul_cve_2020_1472.yml,proc_access_win_svchost_cred_dump.yml,proc_creation_win_regedit_trustedinstaller.yml,proc_creation_win_susp_abusing_debug_privilege.yml,proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml,registry_set_comhijack_sdclt.yml defense-evasion;T1578.003;azure_aadhybridhealth_adfs_service_delete.yml defense-evasion;T1574.005;proc_creation_win_hktl_sharpup.yml diff --git a/powershell/runtest.ps1 b/powershell/runtest.ps1 new file mode 100644 index 00000000..823bcb47 --- /dev/null +++ b/powershell/runtest.ps1 
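Review bot: The new T1222 row lists only `posh_ps_set_acl.yml` and `posh_ps_set_acl_susp_location.yml`, while sigma_rule.csv in this same commit also adds `proc_creation_win_powershell_set_acl.yml` and `proc_creation_win_powershell_set_acl_susp_location.yml` with sigma=False. If those two rules carry the same T1222 tag they belong on this row as well; if they are tagged with a sub-technique they need a row of their own. The same question applies to `file_event_win_susp_windows_terminal_profile.yml`, which is added to sigma_rule.csv but to no missing_tests row here. Worth checking the rules' tags before merging, since missing_tests.csv presumably drives the coverage tracking.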
@@ -0,0 +1,60 @@
+write-host " _________________________ " -ForegroundColor red
+write-host "(( ))" -ForegroundColor red
+write-host " )) Frack113 tests script (( " -ForegroundColor red
+write-host "(( ))" -ForegroundColor red
+write-host " ------------------------- " -ForegroundColor red
+write-host " for the best of my knowledge "
+
+write-host "Import module"
+Import-Module .\Export-WinEvents
+Import-Module C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1
+
+write-host " Open csv"
+$csv = Import-Csv -Path .\Full_tests.csv -Delimiter ';'
+
+$list_channel = ('Application','Security','System','Microsoft-Windows-Sysmon/Operational','Microsoft-Windows-PowerShell/Operational')
+
+foreach ($info in $csv)
+{
+ $technique = $info.technique
+ $nmr = $info.nmr_test
+ $valid = $info.sigma
+ $name = $info.name
+ if ($info.os -like '*windows*'){
+ if ($info.executor -ne 'manual'){
+ if ($valid -eq 'False') {
+ write-host "Test $name - $technique test : $nmr"
+ write-host "Disable Realtime Monitoring"
+ Set-MpPreference -DisableRealtimeMonitoring 1
+ write-host "Make environnement"
+ Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog
+ Invoke-AtomicTest $technique -TestNumbers $nmr -GetPrereqs -TimeoutSeconds 120 -NoExecutionLog
+ $list_channel | Clear-WinEvents -Verbose
+ Start-Sleep -s 10
+
+ write-host "Start Aurora"
+ Start-Process C:\aurora\aurora-agent-64.exe -WorkingDirectory C:\aurora -ArgumentList "-c agent-config-standard.yml","--minimum-level low","--json","-l c:\Tests\$($technique)_test_$($nmr)_aurora.json"
+ Start-Sleep -s 30
+
+ write-host "Start test"
+ Invoke-AtomicTest $technique -TestNumbers $nmr -TimeoutSeconds 120 -NoExecutionLog
+ Start-Sleep -s 10
+
+ write-host "Stop Aurora"
+ Stop-Process -name aurora-agent-64
+
+ Start-Sleep -s 10
+ foreach ($channel in $list_channel){
+ $name = $channel.replace("/","_")
+ Export-WinEvents -TimeBucket 'Last 5 Minutes' -OutputPath 
"c:\Tests\$($technique)_test_$($nmr)_channel_$name.json" -Channel $channel + } + + write-host "Cleanup" + Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog + Start-Sleep -s 10 + + } Else { write-host "$name / $technique test: $nmr / OK" -ForegroundColor green } + } Else { write-host "$name / $technique test: $nmr / manual test :)" -ForegroundColor DarkRed } + } Else { write-host "$name / $technique test: $nmr / not windows :)" -ForegroundColor DarkRed } +} +write-host "Good Hunt..." -ForegroundColor green \ No newline at end of file diff --git a/sigma_rule.csv b/sigma_rule.csv index 2b2be68b..99c2dca0 100644 --- a/sigma_rule.csv +++ b/sigma_rule.csv @@ -1037,6 +1037,7 @@ file_event_win_susp_system_interactive_powershell.yml;False file_event_win_susp_task_write.yml;False file_event_win_susp_teamviewer_remote_session.yml;False file_event_win_susp_vscode_powershell_profile.yml;False +file_event_win_susp_windows_terminal_profile.yml;False file_event_win_susp_winsxs_binary_creation.yml;False file_event_win_sysinternals_livekd_default_dump_name.yml;False file_event_win_sysinternals_livekd_driver.yml;False @@ -1345,6 +1346,8 @@ posh_ps_script_with_upload_capabilities.yml;True posh_ps_security_software_discovery.yml;True posh_ps_send_mailmessage.yml;True posh_ps_sensitive_file_discovery.yml;False +posh_ps_set_acl.yml;False +posh_ps_set_acl_susp_location.yml;False posh_ps_set_policies_to_unsecure_level.yml;True posh_ps_shellcode_b64.yml;False posh_ps_shellintel_malicious_commandlets.yml;True 
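Review bot: `Set-MpPreference -DisableRealtimeMonitoring 1` runs for every test row and nothing in runtest.ps1 turns real-time monitoring back on, so the host is left with Defender disabled after the run, and also whenever an Invoke-AtomicTest call throws part-way through the loop; hoisting the disable above the loop, dropping the in-loop call, and re-enabling in a `finally` bounds the unprotected window to the run itself. Aurora is then stopped with `Stop-Process -name aurora-agent-64`, which kills any process of that name and raises an error if the agent never started; capturing the process with `Start-Process … -PassThru` and stopping by `-Id` avoids both. The `Export-WinEvents -TimeBucket 'Last 5 Minutes'` window is evaluated separately at each of the five channel calls, which come after 10+30+(up to 120)+10+10 seconds of sleeps and test time, so presumably a fixed start timestamp taken right after `Clear-WinEvents` would be more robust than a sliding bucket if the module supports it. Finally `$name` is reused for the channel file name inside the inner foreach, shadowing the test name set at the top of the row; a distinct `$channel_name` would read more clearly.
```powershell
# … unchanged: banner, Import-Module lines, CSV load, $list_channel …
Set-MpPreference -DisableRealtimeMonitoring $true
try {
    foreach ($info in $csv)
    {
        # … unchanged: row fields, os / executor / sigma checks, cleanup + prereqs, Clear-WinEvents …
                $aurora = Start-Process C:\aurora\aurora-agent-64.exe -WorkingDirectory C:\aurora -ArgumentList "-c agent-config-standard.yml","--minimum-level low","--json","-l c:\Tests\$($technique)_test_$($nmr)_aurora.json" -PassThru
                # … unchanged: Start-Sleep, test execution …
                if ($aurora -and -not $aurora.HasExited) { Stop-Process -Id $aurora.Id }
        # … unchanged: event export, cleanup, Else branches …
    }
}
finally {
    Set-MpPreference -DisableRealtimeMonitoring $false
}
```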
@@ -1955,6 +1958,8 @@ proc_creation_win_powershell_run_script_from_input_stream.yml;False proc_creation_win_powershell_sam_access.yml;True proc_creation_win_powershell_script_engine_parent.yml;True proc_creation_win_powershell_service_dacl_modification_set_service.yml;False +proc_creation_win_powershell_set_acl.yml;False +proc_creation_win_powershell_set_acl_susp_location.yml;False proc_creation_win_powershell_set_policies_to_unsecure_level.yml;True proc_creation_win_powershell_set_service_disabled.yml;False proc_creation_win_powershell_shadowcopy_deletion.yml;False diff --git a/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml b/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml index c954e8e1..c23ddd25 100644 --- a/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml +++ b/yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml @@ -20,5 +20,7 @@ description: | The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk. executor: command_prompt -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: a642964e-bead-4bed-8910-1bb4d63e3b4d + name: proc_creation_win_hktl_mimikatz_command_line.yml diff --git a/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml b/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml index 2b2ef554..f13ff1cf 100644 --- a/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml +++ b/yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml @@ -19,5 +19,7 @@ description: | The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe. executor: command_prompt -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 + name: pipe_created_mal_cobaltstrike.yml 
diff --git a/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml b/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml index ef79d560..aa52d8b8 100644 --- a/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml +++ b/yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml @@ -19,5 +19,7 @@ description: | The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe. executor: command_prompt -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 + name: pipe_created_mal_cobaltstrike.yml diff --git a/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml b/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml index 77dd29b6..c5da327f 100644 --- a/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml +++ b/yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml @@ -19,5 +19,7 @@ description: | The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe. executor: command_prompt -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 + name: pipe_created_mal_cobaltstrike.yml