Windows Atomic Tests to TTP#3 (#140)
Summary:
Pull Request resolved: #140

Converting atomics to TTPs in Windows Atomic Red Team Tests. This TTP was 3/10 and it performs the following function: Create and start VirtualBox virtual machine

Reviewed By: godlovepenn

Differential Revision: D63044729

fbshipit-source-id: b926703bf0a9b8faf77ff6a502c4602fc2442915
1 parent 09a0e3f, commit a05ce24
Showing 2 changed files with 165 additions and 0 deletions.
66 changes: 66 additions & 0 deletions
ttps/defense-evasion/windows/create-and-start-virtual-box/README.md
@@ -0,0 +1,66 @@ | ||
# Create and Start VirtualBox virtual machine | ||
|
||
![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue) | ||
|
||
This TTP is designed to create a simple VirtualBox VM and start up the machine. The cleanup command stops and deletes the newly created VM, associated files, and uninstalls virtual box if it was installed. Derived from [Atomic Red Team T1564.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-2---create-and-start-virtualbox-virtual-machine) | ||
|
||
## Arguments | ||
- **vm_name**: a string variable specifying the name of the new virtual machine. Default: "TTP VM" | ||
- **vb_exe**: a string variable specifying the path to the VirtualBox executable. Default: "$PWD\bin\VirtualBox\VirtualBox.exe" | ||
- **vb_manage**: a string variable specifying the path to the Path to the executable for VBoxManage, the command-line interface to VirtualBox. Default: "$PWD\bin\VirtualBox\VBoxManage.exe" | ||
- **vb_download**: a string variable specifying the URL of the installer for VirtualBox. Default: "https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe" | ||
- **vb_installer**: a string variable specifying the Executable for the Virtualbox installer. Default: "VirtualBox-6.1.32-149290-Win.exe" | ||
|
||
Other Virtual Box Versions: https://download.virtualbox.org/virtualbox | ||
|
||
## Pre-requisites | ||
- Windows operating system equipped with powershell | ||
|
||
## Examples | ||
You can run the TTP using the following example (after updating the arguments): | ||
```bash | ||
ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml | ||
``` | ||
```bash | ||
ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vm_name="Forge VM" | ||
``` | ||
```bash | ||
ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vb_exe=C:\Program Files\Oracle\VirtualBox\VirtualBox.exe --arg vb_manage=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe | ||
``` | ||
```bash | ||
ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vb_download="https://download.virtualbox.org/virtualbox/7.0.20/VirtualBox-7.0.20-163906-Win.exe" --arg vb_installer=VirtualBox-7.0.20-163906-Win.exe | ||
``` | ||
## Steps | ||
1. **setup_and_start_virtual_box** : Downloads Virtual Box if not provided and creates and starts a vm | ||
2. **cleanup**: Powers off and unregisters the vm created, uninstall Virtual Box if installed, and deletes files that were downloaded | ||
|
||
## Manual Reproduction | ||
```bash | ||
#Create VM | ||
&"VirtualBox\VBoxManage.exe" createvm --name "TTP VM" --register | ||
|
||
#Register VM | ||
&"VirtualBox\VBoxManage.exe" modifyvm "TTP VM" --firmware efi | ||
|
||
#Start VM | ||
&"VirtualBox\VBoxManage.exe" startvm "TTP VM" | ||
|
||
#Power off VM | ||
&"VirtualBox\VBoxManage.exe" controlvm "TTP VM" poweroff | ||
|
||
#Waiting for VM to power off | ||
Start-Sleep -Seconds 20 | ||
|
||
#Delete VM | ||
&"VirtualBox\VBoxManage.exe" unregistervm "TTP VM" --delete | ||
|
||
``` | ||
|
||
## MITRE ATT&CK Mapping | ||
|
||
- **Tactics**: | ||
- TA0005 Defense Evasion | ||
- **Techniques**: | ||
- T1564 Hide Artifacts | ||
- **Subtechniques**: | ||
- T1564.006 Run Virtual Instance |
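Review bot: the third example command under "## Examples" passes `--arg vb_exe=C:\Program Files\Oracle\VirtualBox\VirtualBox.exe --arg vb_manage=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe` without quotes, so the shell splits on the spaces and `vb_exe` arrives as `C:\Program`; quote both values the way the fourth example quotes `vb_download`. Two smaller points in the same file: the `vb_manage` bullet reads "the path to the Path to the executable" (drop the duplicate), and the "## Manual Reproduction" block is fenced as `bash` but is PowerShell (`&"VirtualBox\VBoxManage.exe"`, `Start-Sleep -Seconds 20`), so it should be fenced `powershell`; inside it the `#Register VM` comment sits above `modifyvm "TTP VM" --firmware efi`, while registration already happens via `createvm --name "TTP VM" --register` on the preceding line, so that comment should read something like `#Set EFI firmware`. Finally, the intro says cleanup "uninstalls virtual box if it was installed"; see the note on the YAML hunk for why the cleanup step as written does not honour that condition.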
99 changes: 99 additions & 0 deletions
ttps/defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml
@@ -0,0 +1,99 @@ | ||
--- | ||
api_version: 2.0 | ||
uuid: 34a6e159-3ce4-4048-bcc9-04cd59ddcdfd | ||
name: Create and start VirtualBox virtual machine | ||
description: | | ||
Create a simple VirtualBox VM and start up the machine | ||
Cleanup command stops and deletes the newly created VM and associated files | ||
https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm | ||
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ | ||
https://attack.mitre.org/techniques/T1564/006/ | ||
Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-2---create-and-start-virtualbox-virtual-machine | ||
requirements: | ||
platforms: | ||
- os: windows | ||
mitre: | ||
tactics: | ||
- TA0005 Defense Evasion | ||
techniques: | ||
- T1564 Hide Artifacts | ||
subtechniques: | ||
- T1564.006 Run Virtual Instance | ||
|
||
args: | ||
- name: vm_name | ||
description: Name of the new virtual machine | ||
type: string | ||
default: TTP VM | ||
|
||
- name: vb_exe | ||
description: Path to the VirtualBox executable | ||
type: string | ||
default: $PWD\bin\VirtualBox\VirtualBox.exe | ||
|
||
- name: vb_manage | ||
description: Path to the executable for VBoxManage, the command-line interface to VirtualBox | ||
type: string | ||
default: $PWD\bin\VirtualBox\VBoxManage.exe | ||
|
||
- name: vb_download | ||
description: URL for the current installer for the Windows version of VirtualBox, as of March 2022 | ||
type: string | ||
default: https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe | ||
|
||
- name: vb_installer | ||
description: Executable for the Virtualbox installer | ||
type: string | ||
default: VirtualBox-6.1.32-149290-Win.exe | ||
|
||
steps: | ||
- name: setup_and_start_virtual_box | ||
executor: powershell | ||
inline: | | ||
Write-Host "VirtualBox ({{.Args.vb_exe}}) and VBoxManage ({{.Args.vb_manage}}) must exist on disk at specified locations." | ||
$parent = Split-Path "{{.Args.vb_exe}}" -Parent | ||
if (-Not (Test-Path "{{.Args.vb_exe}}") -or -Not (Test-Path "{{.Args.vb_manage}}")) { | ||
if (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*VirtualBox*" }){ | ||
Write-Host "VirtualBox is already installed. Ensure following args are correct: vb_exe and vb_manage" | ||
exit 1 | ||
} | ||
Write-Host "VirtualBox or VBoxManage does not exist. Installing..." | ||
New-Item -Type Directory $parent -ErrorAction Ignore -Force | Out-Null | ||
try{ | ||
Invoke-WebRequest "{{.Args.vb_download}}" -OutFile "bin\{{.Args.vb_installer}}" | ||
} catch { | ||
Write-Error "VirtualBox installer download failed." | ||
exit 1 | ||
} | ||
start-process -FilePath "bin\{{.Args.vb_installer}}" -ArgumentList "--silent", "--msiparams INSTALLDIR=$parent" -Wait | ||
} | ||
&"{{.Args.vb_manage}}" createvm --name "{{.Args.vm_name}}" --register | ||
Write-Host "VM: {{.Args.vm_name}} registered." | ||
&"{{.Args.vb_manage}}" modifyvm "{{.Args.vm_name}}" --firmware efi | ||
Write-Host "Starting VM: {{.Args.vm_name}}." | ||
&"{{.Args.vb_manage}}" startvm "{{.Args.vm_name}}" | ||
cleanup: | ||
executor: powershell | ||
inline: | | ||
Write-Host "Powering off VM: {{.Args.vm_name}}." | ||
&"{{.Args.vb_manage}}" controlvm "{{.Args.vm_name}}" poweroff | ||
Start-Sleep -Seconds 20 | ||
Write-Host "Deleting VM: {{.Args.vm_name}}." | ||
&"{{.Args.vb_manage}}" unregistervm "{{.Args.vm_name}}" --delete | ||
# Uninstalling Virtual Box | ||
$vbID = (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*VirtualBox*" }).IdentifyingNumber | ||
if (-Not $vbID){ | ||
Write-Host "Failed to uninstall VirtualBox. Cannot find VirtualBox." | ||
} else { | ||
Start-Process msiexec -ArgumentList "/x $vbID /passive" -Wait | ||
} | ||
# # Removing bin | ||
if (Test-Path "bin") { | ||
remove-item -recurse bin | ||
} |
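Review bot: the cleanup step uninstalls whatever VirtualBox `Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*VirtualBox*" }` finds, not only an install performed by this TTP. When the operator points `vb_exe`/`vb_manage` at an existing installation (the README's third example does exactly that), `setup_and_start_virtual_box` skips the install branch because both `Test-Path` checks succeed, and cleanup then runs `msiexec /x $vbID /passive` against the pre-existing product and `remove-item -recurse bin` against whatever `bin` is in the working directory. Record the fact that this step did the install (for example a marker file written inside the `if (-Not (Test-Path ...))` branch) and guard both the uninstall and the `bin` removal on it. Related problems in the same hunk: the installer fetched by `Invoke-WebRequest "{{.Args.vb_download}}"` is executed with `--silent` without any integrity check; the VirtualBox download directories publish a `SHA256SUMS` file, so add a `vb_sha256` arg compared against `Get-FileHash`, or at minimum check `Get-AuthenticodeSignature` on the downloaded file before `start-process`. `-OutFile "bin\{{.Args.vb_installer}}"` assumes `bin` exists, which `New-Item -Type Directory $parent` only guarantees when `vb_exe` sits under `bin` as the default does; with a custom `vb_exe` the download fails with a path error. `--msiparams INSTALLDIR=$parent` is unquoted and breaks if the working directory contains a space. `Win32_Product` enumeration triggers an MSI consistency check of every installed product and is slow; querying `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` for a `DisplayName -like "*VirtualBox*"` entry is the usual replacement and also yields the product code for `msiexec /x`. Lastly, the `vb_download` description says "as of March 2022" for 6.1.32 while the README example already uses 7.0.20; either update the default or drop the date.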