From a05ce2465faad7443995686deb3fbc39f8467f6b Mon Sep 17 00:00:00 2001 From: Jasmine Le Date: Fri, 20 Sep 2024 11:50:27 -0700 Subject: [PATCH] Windows Atomic Tests to TTP#3 (#140) Summary: Pull Request resolved: https://github.com/facebookincubator/ForgeArmory/pull/140 Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 3/10 and it performs the follow function: Create and start VirtualBox virtual machine Reviewed By: godlovepenn Differential Revision: D63044729 fbshipit-source-id: b926703bf0a9b8faf77ff6a502c4602fc2442915 --- .../create-and-start-virtual-box/README.md | 66 +++++++++++++ .../create-and-start-virtual-box.yaml | 99 +++++++++++++++++++ 2 files changed, 165 insertions(+) create mode 100644 ttps/defense-evasion/windows/create-and-start-virtual-box/README.md create mode 100644 ttps/defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml diff --git a/ttps/defense-evasion/windows/create-and-start-virtual-box/README.md b/ttps/defense-evasion/windows/create-and-start-virtual-box/README.md new file mode 100644 index 0000000..12d2b7d --- /dev/null +++ b/ttps/defense-evasion/windows/create-and-start-virtual-box/README.md 
@@ -0,0 +1,66 @@
+# Create and Start VirtualBox virtual machine
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue)
+
+This TTP is designed to create a simple VirtualBox VM and start up the machine. The cleanup command stops and deletes the newly created VM, associated files, and uninstalls virtual box if it was installed. Derived from [Atomic Red Team T1564.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-2---create-and-start-virtualbox-virtual-machine)
+
+## Arguments
+- **vm_name**: a string variable specifying the name of the new virtual machine. Default: "TTP VM"
+- **vb_exe**: a string variable specifying the path to the VirtualBox executable. Default: "$PWD\bin\VirtualBox\VirtualBox.exe"
+- **vb_manage**: a string variable specifying the path to the Path to the executable for VBoxManage, the command-line interface to VirtualBox. Default: "$PWD\bin\VirtualBox\VBoxManage.exe"
+- **vb_download**: a string variable specifying the URL of the installer for VirtualBox. Default: "https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe"
+- **vb_installer**: a string variable specifying the Executable for the Virtualbox installer. 
Default: "VirtualBox-6.1.32-149290-Win.exe"
+
+Other Virtual Box Versions: https://download.virtualbox.org/virtualbox
+
+## Pre-requisites
+- Windows operating system equipped with powershell
+
+## Examples
+You can run the TTP using the following example (after updating the arguments):
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml
+```
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vm_name="Forge VM"
+```
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vb_exe=C:\Program Files\Oracle\VirtualBox\VirtualBox.exe --arg vb_manage=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
+```
+```bash
+ttpforge run forgearmory//defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml --arg vb_download="https://download.virtualbox.org/virtualbox/7.0.20/VirtualBox-7.0.20-163906-Win.exe" --arg vb_installer=VirtualBox-7.0.20-163906-Win.exe
+```
+## Steps
+1. **setup_and_start_virtual_box** : Downloads Virtual Box if not provided and creates and starts a vm
+2. 
**cleanup**: Powers off and unregisters the vm created, uninstall Virtual Box if installed, and deletes files that were downloaded
+
+## Manual Reproduction
+```bash
+ #Create VM
+ &"VirtualBox\VBoxManage.exe" createvm --name "TTP VM" --register
+
+ #Register VM
+ &"VirtualBox\VBoxManage.exe" modifyvm "TTP VM" --firmware efi
+
+ #Start VM
+ &"VirtualBox\VBoxManage.exe" startvm "TTP VM"
+
+ #Power off VM
+ &"VirtualBox\VBoxManage.exe" controlvm "TTP VM" poweroff
+
+ #Waiting for VM to power off
+ Start-Sleep -Seconds 20
+
+ #Delete VM
+ &"VirtualBox\VBoxManage.exe" unregistervm "TTP VM" --delete
+
+```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+ - TA0005 Defense Evasion
+- **Techniques**:
+ - T1564 Hide Artifacts
+- **Subtechniques**:
+ - T1564.006 Run Virtual Instance
diff --git a/ttps/defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml b/ttps/defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml
new file mode 100644
index 0000000..bcea03f
--- /dev/null
+++ b/ttps/defense-evasion/windows/create-and-start-virtual-box/create-and-start-virtual-box.yaml
@@ -0,0 +1,99 @@
+---
+api_version: 2.0
+uuid: 34a6e159-3ce4-4048-bcc9-04cd59ddcdfd
+name: Create and start VirtualBox virtual machine
+description: |
+ Create a simple VirtualBox VM and start up the machine
+ Cleanup command stops and deletes the newly created VM and associated files
+ https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
+ https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+ https://attack.mitre.org/techniques/T1564/006/
+ Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-2---create-and-start-virtualbox-virtual-machine
+requirements:
+ platforms:
+ - os: windows
+mitre:
+ tactics:
+ - TA0005 Defense Evasion
+ techniques:
+ - T1564 Hide Artifacts
+ subtechniques:
+ - T1564.006 Run Virtual Instance
+
+args:
+ - name: vm_name
+ description: Name of the new virtual machine
+ type: string
+ default: TTP VM
+
+ - name: vb_exe
+ description: Path to the VirtualBox executable
+ type: string
+ default: $PWD\bin\VirtualBox\VirtualBox.exe
+
+ - name: vb_manage
+ description: Path to the executable for VBoxManage, the command-line interface to VirtualBox
+ type: string
+ default: $PWD\bin\VirtualBox\VBoxManage.exe
+
+ - name: vb_download
+ description: URL for the current installer for the Windows version of VirtualBox, as of March 2022
+ type: string
+ default: https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe
+
+ - name: vb_installer
+ description: Executable for the Virtualbox installer
+ type: string
+ default: VirtualBox-6.1.32-149290-Win.exe
+
+steps:
+ - name: setup_and_start_virtual_box
+ executor: powershell
+ inline: |
+ Write-Host "VirtualBox ({{.Args.vb_exe}}) and VBoxManage ({{.Args.vb_manage}}) must exist on disk at specified locations." 
+ $parent = Split-Path "{{.Args.vb_exe}}" -Parent
+ if (-Not (Test-Path "{{.Args.vb_exe}}") -or -Not (Test-Path "{{.Args.vb_manage}}")) {
+ if (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*VirtualBox*" }){
+ Write-Host "VirtualBox is already installed. Ensure following args are correct: vb_exe and vb_manage"
+ exit 1
+ }
+ Write-Host "VirtualBox or VBoxManage does not exist. Installing..."
+ New-Item -Type Directory $parent -ErrorAction Ignore -Force | Out-Null
+
+ try{
+ Invoke-WebRequest "{{.Args.vb_download}}" -OutFile "bin\{{.Args.vb_installer}}"
+ } catch {
+ Write-Error "VirtualBox installer download failed."
+ exit 1
+ }
+ start-process -FilePath "bin\{{.Args.vb_installer}}" -ArgumentList "--silent", "--msiparams INSTALLDIR=$parent" -Wait
+ }
+
+ &"{{.Args.vb_manage}}" createvm --name "{{.Args.vm_name}}" --register
+ Write-Host "VM: {{.Args.vm_name}} registered."
+ &"{{.Args.vb_manage}}" modifyvm "{{.Args.vm_name}}" --firmware efi
+ Write-Host "Starting VM: {{.Args.vm_name}}."
+ &"{{.Args.vb_manage}}" startvm "{{.Args.vm_name}}"
+
+
+ cleanup:
+ executor: powershell
+ inline: |
+ Write-Host "Powering off VM: {{.Args.vm_name}}."
+ &"{{.Args.vb_manage}}" controlvm "{{.Args.vm_name}}" poweroff
+ Start-Sleep -Seconds 20
+ Write-Host "Deleting VM: {{.Args.vm_name}}."
+ &"{{.Args.vb_manage}}" unregistervm "{{.Args.vm_name}}" --delete
+
+ # Uninstalling Virtual Box
+ $vbID = (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*VirtualBox*" }).IdentifyingNumber
+ if (-Not $vbID){
+ Write-Host "Failed to uninstall VirtualBox. Cannot find VirtualBox."
+ } else {
+ Start-Process msiexec -ArgumentList "/x $vbID /passive" -Wait
+ }
+
+ # # Removing bin
+ if (Test-Path "bin") {
+ remove-item -recurse bin
+ }
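Review bot: The cleanup step uninstalls whatever VirtualBox product `Win32_Product` reports and removes `bin` unconditionally, while the setup step only installs when `vb_exe`/`vb_manage` are missing — so a run against a pre-existing install (the README's `C:\Program Files\Oracle\VirtualBox` example) will uninstall the operator's own VirtualBox and delete any `bin` directory in the working directory that the TTP never created. Setup should leave a marker when it actually performs the install and cleanup should key off that marker, as sketched below. The downloaded installer is also executed with no integrity check; since this TTP runs an executable fetched at runtime, consider adding a `vb_sha256` arg and verifying it with `Get-FileHash` before `start-process`, failing closed on mismatch. Separately, enumerating `Win32_Product` is known to trigger MSI consistency checks on every installed package, so a lookup of the product code under the registry Uninstall keys would be a lighter way to find the GUID — worth confirming for your environment.
```yaml
  - name: vb_sha256
    description: Expected SHA-256 of the installer named by vb_installer; the download is rejected on mismatch
    type: string

# … unchanged: steps header, existence check and Win32_Product probe …
      try{
        Invoke-WebRequest "{{.Args.vb_download}}" -OutFile "bin\{{.Args.vb_installer}}"
      } catch {
        Write-Error "VirtualBox installer download failed."
        exit 1
      }
      # Fail closed: never execute an installer whose digest does not match the pinned value.
      $actual = (Get-FileHash "bin\{{.Args.vb_installer}}" -Algorithm SHA256).Hash
      if ($actual -ne "{{.Args.vb_sha256}}") {
        Write-Error "Installer hash mismatch: expected {{.Args.vb_sha256}}, got $actual"
        exit 1
      }
      start-process -FilePath "bin\{{.Args.vb_installer}}" -ArgumentList "--silent", "--msiparams INSTALLDIR=$parent" -Wait
      # Marker so cleanup only removes what this TTP installed.
      New-Item -Type File "bin\.ttp-installed-virtualbox" -Force | Out-Null
# … unchanged: createvm / modifyvm / startvm …

  cleanup:
    executor: powershell
    inline: |
      # … unchanged: poweroff, sleep, unregistervm …
      if (-Not (Test-Path "bin\.ttp-installed-virtualbox")) {
        Write-Host "VirtualBox was not installed by this TTP; leaving it and bin in place."
        exit 0
      }
      # … unchanged: product-code lookup, msiexec /x, remove-item bin …
```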