Atomic Red Team – A Framework for Threat Emulation: PART II

This entry is part 8 of 13 in the series Red Team Engagements


This is the PART II article in the Atomic RED series. Please follow this link to read PART I of the series.

Listing Atomic Techniques

The ShowDetailsBrief and ShowDetails parameters display the details of the tests contained in an Atomic file.

PS C:\Users\Admin> Invoke-AtomicTest T1127 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

T1127-1 Lolbin Jsc.exe compile javascript to exe
T1127-2 Lolbin Jsc.exe compile javascript to dll

The output shows that ShowDetailsBrief lists the tests available in the specified Atomic, each with its corresponding Atomic Test number.

PS C:\Users\Admin> Invoke-AtomicTest T1127 -ShowDetails
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

[********BEGIN TEST*******]
Technique: Trusted Developer Utilities Proxy Execution T1127
Atomic Test Name: Lolbin Jsc.exe compile javascript to exe
Atomic Test Number: 1
Atomic Test GUID: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Attack Commands:
Executor: command_prompt
ElevationRequired: False
Command:
copy #(unknown) %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js
Command (with inputs):
copy C:\AtomicRedTeam\atomics\T1127\src\hello.js %TEMP%\hello.js
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe %TEMP%\hello.js

Cleanup Commands:
Command:
del %TEMP%\hello.js
del %TEMP%\hello.exe
---- Dependencies section is redacted, and will be discussed in a later section ---

The output above shows that ShowDetails is the verbose version of ShowDetailsBrief, which only lists the tests inside Atomic T1127.

It is essential to understand how many tests will be conducted under an Atomic, how they will be performed, and how they will be cleaned up afterwards.

Preparing Atomic Prerequisites

Every Atomic test may require some dependencies, such as binaries and files needed for execution. Below is an excerpt of Atomic T1127-1's dependency section, as shown by the ShowDetails parameter.

Dependencies:
Description: JavaScript code file must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1127\src\hello.js)
Check Prereq Command:
if (Test-Path #(unknown)) {exit 0} else {exit 1}
Check Prereq Command (with inputs):
if (Test-Path C:\AtomicRedTeam\atomics\T1127\src\hello.js) {exit 0} else {exit 1}
Get Prereq Command:
New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
Get Prereq Command (with inputs):
New-Item -Type Directory (split-path C:\AtomicRedTeam\atomics\T1127\src\hello.js) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "C:\Tools\AtomicRedTeam\atomics\T1127\src\hello.js"
[!!!!!!!!END TEST!!!!!!!]

It is crucial to verify that the dependencies are met before executing the tests, and this can be done with the CheckPrereqs parameter. In the case of Atomic T1127-1, the file C:\Tools\AtomicRedTeam\atomics\T1127\src\hello.js should exist.

CheckPrereqs
PS C:\Users\Admin> Invoke-AtomicTest T1127 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

CheckPrereq's for: T1127-1 Lolbin Jsc.exe compile javascript to exe
Prerequisites met: T1127-1 Lolbin Jsc.exe compile javascript to exe
CheckPrereq's for: T1127-2 Lolbin Jsc.exe compile javascript to dll
Prerequisites met: T1127-2 Lolbin Jsc.exe compile javascript to dll

If the required binaries, files or scripts do not exist on the machine, the GetPrereqs parameter can be used to fetch them. Note: the GetPrereqs feature requires an outbound internet connection.

GetPrereqs 
PS C:\Users\Admin> Invoke-AtomicTest T1127 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1127-1 Lolbin Jsc.exe compile javascript to exe
Attempting to satisfy prereq: JavaScript code file must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1127\src\hello.js)
Prereq already met: JavaScript code file must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1127\src\hello.js)
GetPrereq's for: T1127-2 Lolbin Jsc.exe compile javascript to dll
Attempting to satisfy prereq: JavaScript code file must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1127\src\LibHello.js)
Prereq already met: JavaScript code file must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1127\src\LibHello.js)

Execution

There are multiple ways to execute the Atomic tests, which are detailed below.

Parameter | Example | Details
TestNumbers | Invoke-AtomicTest T1127 -TestNumbers 1,2 | Executes tests based on the Atomic test number
TestNames | Invoke-AtomicTest T1127 -TestNames "Lolbin Jsc.exe compile javascript to dll" | Executes tests based on the Atomic test names
TestGuids | Invoke-AtomicTest T1127 -TestGuids 3fc9fea2-871d-414d-8ef6-02e85e322b80 | Executes tests based on the test GUID
N/A | Invoke-AtomicTest T1127 | Executes all tests under Atomic T1127
N/A | Invoke-AtomicTest T1127-2 | Executes Atomic Test #2 of T1127

As an example, let’s now see the tests in action with Atomic T1053.005 – Scheduled Task/Job: Scheduled Task.

PS C:\AtomicRedTeam\atomics> Invoke-AtomicTest T1053.005 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

T1053.005-1 Scheduled Task Startup Script
T1053.005-2 Scheduled task Local
T1053.005-3 Scheduled task Remote
T1053.005-4 Powershell Cmdlet Scheduled Task
T1053.005-5 Task Scheduler via VBA
T1053.005-6 WMI Invoke-CimMethod Scheduled Task
T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
T1053.005-8 Import XML Schedule Task with Hidden Attribute
T1053.005-9 PowerShell Modify A Scheduled Task
T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
T1053.005-11 Scheduled Task Persistence via CompMgmt.msc
T1053.005-12 Scheduled Task Persistence via Eventviewer.msc

Execution

PS C:\AtomicRedTeam\atomics> Invoke-AtomicTest T1053.005 -TestNumbers 1,2
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1053.005-1 Scheduled Task Startup Script
SUCCESS: The scheduled task "T1053_005_OnLogon" has successfully been created.
SUCCESS: The scheduled task "T1053_005_OnStartup" has successfully been created.
Exit code: 0
Done executing test: T1053.005-1 Scheduled Task Startup Script
Executing test: T1053.005-2 Scheduled task Local
SUCCESS: The scheduled task "spawn" has successfully been created.
Exit code: 0
Done executing test: T1053.005-2 Scheduled task Local

You may have observed that only two tests out of nine were executed due to the TestNumbers parameter.

Cleanup

The Invoke-AtomicRedTeam module also has the option to execute the cleanup commands that revert every footprint left by the tests. This is done with the Cleanup parameter. After every emulation exercise, cleaning up the mess left by emulating different techniques is VERY IMPORTANT.

Before running the cleanup task, the schtasks output lists the scheduled tasks created by the two tests.

Now, let’s run the command with the Cleanup parameter.

PS C:\AtomicRedTeam\atomics> Invoke-AtomicTest T1053.005 -TestNumbers 1,2 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1053.005-1 Scheduled Task Startup Script
Done executing cleanup for test: T1053.005-1 Scheduled Task Startup Script
Executing cleanup for test: T1053.005-2 Scheduled task Local
Done executing cleanup for test: T1053.005-2 Scheduled task Local
PS C:\AtomicRedTeam\atomics>

You can compare the results of the schtasks command executed before and after cleaning up the scheduled tasks created by Atomic test T1053.005. This shows that the scheduled tasks existed after execution and were removed by the Cleanup parameter.
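To tie the steps above together, here is an added PowerShell example (not from this article or the Atomic Red Team project) that runs the prerequisite check, prerequisite download, execution and cleanup sequence for one Atomic and then confirms that cleanup removed every scheduled task the tests created, which is what the before/after schtasks comparison does by hand. It assumes Invoke-AtomicRedTeam is already imported and that the selected tests create scheduled tasks, as T1053.005 tests 1 and 2 do.

```powershell
# Added example, not part of the original article or the Invoke-AtomicRedTeam module.
# Runs one Atomic through the full lifecycle and verifies that -Cleanup reverted
# the scheduled tasks the tests created.
# Assumes: Invoke-AtomicRedTeam is imported and the tests create scheduled tasks.

function Invoke-AtomicWithVerification {
    param(
        [Parameter(Mandatory)] [string] $Technique,   # e.g. 'T1053.005'
        [int[]] $TestNumbers = @(1, 2)
    )

    # 1. Confirm prerequisites, then fetch anything that is missing
    #    (GetPrereqs needs outbound internet access).
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -CheckPrereqs
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -GetPrereqs

    # 2. Snapshot scheduled task names before execution (the "before" view).
    $before = @(Get-ScheduledTask | Select-Object -ExpandProperty TaskName)

    # 3. Execute only the selected tests.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers

    # 4. Record which tasks the emulation created.
    $during  = @(Get-ScheduledTask | Select-Object -ExpandProperty TaskName)
    $created = @($during | Where-Object { $before -notcontains $_ })

    # 5. Run the cleanup commands and snapshot again (the "after" view).
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -Cleanup
    $after = @(Get-ScheduledTask | Select-Object -ExpandProperty TaskName)

    # 6. Any task created by the tests that still exists is a leftover footprint.
    $leftover = @($created | Where-Object { $after -contains $_ })

    [pscustomobject]@{
        Technique = $Technique
        Tests     = ($TestNumbers -join ',')
        Created   = $created
        Leftover  = $leftover
        CleanupOk = ($leftover.Count -eq 0)
    }
}

# Usage (run from an elevated PowerShell session):
Invoke-AtomicWithVerification -Technique 'T1053.005' -TestNumbers 1, 2
```

For the two tests shown above, Created should list T1053_005_OnLogon, T1053_005_OnStartup and spawn, and CleanupOk should be True once the cleanup commands have run.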

Detection with Wazuh (Off-topic)

The victim machine already has the Wazuh agent running on it, and the agent immediately sent alerts to the Wazuh server as soon as the Atomic Red tests were executed on the victim.

We can see the Wazuh agent captured and reported the cleanup task as well.

That’s all for this article and this marks the end of PART II of this series.
