Windows Atomic Tests to TTP#3 (#140)

Summary: Pull Request resolved: #140 Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 3/10 and it performs the follow function: Create and start VirtualBox virtual machine Reviewed By: godlovepenn Differential Revision: D63044729 fbshipit-source-id: b926703bf0a9b8faf77ff6a502c4602fc2442915
facebookincubator · Sep 20, 2024 · a05ce24 · a05ce24
1 parent 09a0e3f
commit a05ce24
Show file tree

Hide file tree

Showing 2 changed files with 165 additions and 0 deletions.
diff --git a/ttps/defense-evasion/windows/create-and-start-virtual-box/README.md b/ttps/defense-evasion/windows/create-and-start-virtual-box/README.md
@@ -0,0 +1,66 @@
+# Create and Start VirtualBox virtual machine
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue)
+
+This TTP is designed to create a simple VirtualBox VM and start up the machine. The cleanup command stops and deletes the newly created VM, associated files, and uninstalls virtual box if it was installed. Derived from [Atomic Red Team T1564.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-2---create-and-start-virtualbox-virtual-machine)
+
+## Arguments
+- **vm_name**: a string variable specifying the name of the new virtual machine. Default: "TTP VM"
+- **vb_exe**: a string variable specifying the path to the VirtualBox executable. Default: "$PWD\bin\VirtualBox\VirtualBox.exe"
+- **vb_manage**: a string variable specifying the path to the Path to the executable for VBoxManage, the command-line interface to VirtualBox. Default: "$PWD\bin\VirtualBox\VBoxManage.exe"
+- **vb_download**: a string variable specifying the URL of the installer for VirtualBox. Default: "https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe"
+- **vb_installer**: a string variable specifying the Executable for the Virtualbox installer. Default: "VirtualBox-6.1.32-149290-Win.exe"
+
+Other Virtual Box Versions: https://download.virtualbox.org/virtualbox
+
+## Pre-requisites
+- Windows operating system equipped with powershell
+
+## Examples
+You can run the TTP using the following example (after updating the arguments):
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml
+```
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vm_name="Forge VM"
+```
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vb_exe=C:\Program Files\Oracle\VirtualBox\VirtualBox.exe --arg vb_manage=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
+```
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vb_download="https://download.virtualbox.org/virtualbox/7.0.20/VirtualBox-7.0.20-163906-Win.exe" --arg vb_installer=VirtualBox-7.0.20-163906-Win.exe
+```
+## Steps
+1. **setup_and_start_virtual_box** : Downloads Virtual Box if not provided and creates and starts a vm
+2. **cleanup**: Powers off and unregisters the vm created, uninstall Virtual Box if installed, and deletes files that were downloaded
+
+## Manual Reproduction
+```bash
+    #Create VM
+    &"VirtualBox\VBoxManage.exe" createvm --name "TTP VM" --register
+
+    #Register VM
+    &"VirtualBox\VBoxManage.exe" modifyvm "TTP VM" --firmware efi
+
+    #Start VM
+    &"VirtualBox\VBoxManage.exe" startvm "TTP VM"
+
+    #Power off VM
+    &"VirtualBox\VBoxManage.exe" controlvm "TTP VM" poweroff
+
+    #Waiting for VM to power off
+    Start-Sleep -Seconds 20
+
+    #Delete VM
+    &"VirtualBox\VBoxManage.exe" unregistervm "TTP VM" --delete
+
+```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+    - TA0005 Defense Evasion
+- **Techniques**:
+    - T1564 Hide Artifacts
+- **Subtechniques**:
+    - T1564.006 Run Virtual Instance
diff --git a/ttps/defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml b/ttps/defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml
@@ -0,0 +1,99 @@
+---
+api_version: 2.0
+uuid: 34a6e159-3ce4-4048-bcc9-04cd59ddcdfd
+name: Create and start VirtualBox virtual machine
+description: |
+  Create a simple VirtualBox VM and start up the machine
+  Cleanup command stops and deletes the newly created VM and associated files
+  https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
+  https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+  https://attack.mitre.org/techniques/T1564/006/
+  Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-2---create-and-start-virtualbox-virtual-machine
+requirements:
+  platforms:
+    - os: windows
+mitre:
+  tactics:
+    - TA0005 Defense Evasion
+  techniques:
+    - T1564 Hide Artifacts
+  subtechniques:
+    - T1564.006 Run Virtual Instance
+
+args:
+  - name: vm_name
+    description: Name of the new virtual machine
+    type: string
+    default: TTP VM
+
+  - name: vb_exe
+    description: Path to the VirtualBox executable
+    type: string
+    default: $PWD\bin\VirtualBox\VirtualBox.exe
+
+  - name: vb_manage
+    description: Path to the executable for VBoxManage, the command-line interface to VirtualBox
+    type: string
+    default: $PWD\bin\VirtualBox\VBoxManage.exe
+
+  - name: vb_download
+    description: URL for the current installer for the Windows version of VirtualBox, as of March 2022
+    type: string
+    default: https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe
+
+  - name: vb_installer
+    description: Executable for the Virtualbox installer
+    type: string
+    default: VirtualBox-6.1.32-149290-Win.exe
+
+steps:
+  - name: setup_and_start_virtual_box
+    executor: powershell
+    inline: |
+      Write-Host "VirtualBox ({{.Args.vb_exe}}) and VBoxManage ({{.Args.vb_manage}}) must exist on disk at specified locations."
+      $parent = Split-Path "{{.Args.vb_exe}}" -Parent
+      if (-Not (Test-Path "{{.Args.vb_exe}}") -or -Not (Test-Path "{{.Args.vb_manage}}")) {
+        if (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*VirtualBox*" }){
+          Write-Host "VirtualBox is already installed. Ensure following args are correct: vb_exe and vb_manage"
+          exit 1
+        }
+        Write-Host "VirtualBox or VBoxManage does not exist. Installing..."
+        New-Item -Type Directory $parent -ErrorAction Ignore -Force | Out-Null
+
+        try{
+          Invoke-WebRequest "{{.Args.vb_download}}" -OutFile "bin\{{.Args.vb_installer}}"
+        } catch {
+          Write-Error "VirtualBox installer download failed."
+          exit 1
+        }
+        start-process -FilePath "bin\{{.Args.vb_installer}}" -ArgumentList "--silent", "--msiparams INSTALLDIR=$parent" -Wait
+      }
+
+      &"{{.Args.vb_manage}}" createvm --name "{{.Args.vm_name}}" --register
+      Write-Host "VM: {{.Args.vm_name}} registered."
+      &"{{.Args.vb_manage}}" modifyvm "{{.Args.vm_name}}" --firmware efi
+      Write-Host "Starting VM: {{.Args.vm_name}}."
+      &"{{.Args.vb_manage}}" startvm "{{.Args.vm_name}}"
+
+
+    cleanup:
+      executor: powershell
+      inline: |
+        Write-Host "Powering off VM: {{.Args.vm_name}}."
+        &"{{.Args.vb_manage}}" controlvm "{{.Args.vm_name}}" poweroff
+        Start-Sleep -Seconds 20
+        Write-Host "Deleting VM: {{.Args.vm_name}}."
+        &"{{.Args.vb_manage}}" unregistervm "{{.Args.vm_name}}" --delete
+
+        # Uninstalling Virtual Box
+        $vbID = (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*VirtualBox*" }).IdentifyingNumber
+        if (-Not $vbID){
+          Write-Host "Failed to uninstall VirtualBox. Cannot find VirtualBox."
+        } else {
+          Start-Process msiexec -ArgumentList "/x $vbID /passive" -Wait
+        }
+
+        # # Removing bin
+        if (Test-Path "bin") {
+          remove-item -recurse bin
+        }