# AF - Ep 6

## Topic

On this Atomics on a Friday, Haag is joined by Justin Elze to hang out and chat about the hot topics of technique variations and offensive tradecraft, and to send AtomicTestHarnesses down range!

Watch here on YouTube to catch up!

## References

## Infrastructure needed

A lab

## Mitigations

### Detection

- 4104 - Script Block Logging
- 4688 / Sysmon / EDR
- 7045 / 4697 New Service installed
- Track modloads (msi.dll, jscript, vbscript, amsi)

### Prevention

- WDAC + MSI
- WDAC + Driver blocklist
- HVCI
- ASR
- Any AppControl

## Demo

Commands ran during the demo:

First time running ATH? Install with:

```powershell
# Force TLS 1.2 so the PowerShell Gallery download succeeds on older hosts
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
```

First time running Atomic Red Team?

```powershell
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
```

### Install a new service

```powershell
# Kernel driver service, installed and started through the default variant
New-ATHService -ServiceName phymem -DisplayName 'Does driver stuff' -ServiceType KernelDriver -FilePath C:\users\administrator\desktop\mimidrv.sys -StartService
# Same technique, sc.exe variant
New-ATHService -ServiceName TestService -DisplayName TestService -FilePath filename.exe -Variant sc.exe -StartType AutoStart -ServiceType Win32OwnProcess -StartService
# Same technique, WMI variant
New-ATHService -ServiceName TestService -DisplayName TestService -FilePath filename.exe -Variant WMI -StartType AutoStart -ServiceType Win32OwnProcess -StartService
# WMI variant pointed at the driver binary
New-ATHService -ServiceName TestService -DisplayName TestService -FilePath C:\users\administrator\desktop\mimidrv.sys -Variant WMI -StartType AutoStart -ServiceType Win32OwnProcess -StartService
# Same again with throwaway names, to show the telemetry is independent of naming
New-ATHService -ServiceName GOHOMEnothere -DisplayName NOTAPTsorry -FilePath C:\users\administrator\desktop\mimidrv.sys -Variant WMI -StartType AutoStart -ServiceType Win32OwnProcess -StartService
```
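To check the 7045 telemetry the Detection section calls out after running the harness commands above, here is an added example (not part of the episode notes or the AtomicTestHarnesses project) that pulls "New Service installed" events from the System log and flags kernel drivers loaded from outside `System32\drivers` or any service binary under a user-writable path. The heuristics and the function names are assumptions to tune for your own estate.

```powershell
# Added example: review Service Control Manager 7045 events for suspicious installs.
# Heuristics are assumptions: kernel drivers outside System32\drivers, or binaries
# under user-writable locations such as the Desktop used in the demo.
function Test-SuspiciousServiceInstall {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][string]$ServiceType   # 7045 text: 'kernel mode driver' / 'user mode service'
    )
    $path = $ImagePath.Trim('"').ToLowerInvariant()
    $reasons = @()
    if ($ServiceType -match 'kernel' -and $path -notmatch '\\system32\\drivers\\') {
        $reasons += 'kernel driver outside System32\drivers'
    }
    if ($path -match '\\users\\|\\temp\\|\\programdata\\|\\appdata\\') {
        $reasons += 'service binary in user-writable location'
    }
    [pscustomobject]@{
        ServiceName = $ServiceName
        ImagePath   = $ImagePath
        ServiceType = $ServiceType
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

function Get-ServiceInstallEvents {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # EventData carries named <Data> elements: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        Test-SuspiciousServiceInstall -ServiceName $data.ServiceName -ImagePath $data.ImagePath -ServiceType $data.ServiceType |
          Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
      }
}

# Constructed sample mirroring the demo's driver install (not real log output); both heuristics fire here.
Test-SuspiciousServiceInstall -ServiceName phymem -ImagePath 'C:\users\administrator\desktop\mimidrv.sys' -ServiceType 'kernel mode driver'

# Live review of the lab host after the demo commands have run.
Get-ServiceInstallEvents | Where-Object Suspicious | Format-Table TimeCreated, ServiceName, ImagePath, Reasons -AutoSize
```

The demo's last three commands register the `.sys` file as a `Win32OwnProcess` service, so those events report `user mode service` and are caught only by the user-writable-path rule; 4697 in the Security log carries the same fields but requires the "Audit Security System Extension" policy to be enabled.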