
T1133 - External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Atomic Tests


Atomic Test #1 - Running Chrome VPN Extensions via the Registry (2 VPN extensions)

Installs two Chrome VPN extensions by registering them under Chrome's external-extension registry key (`HKLM\Software\Wow6432Node\Google\Chrome\Extensions\<extension id>`) with an `update_url` pointing at the Chrome Web Store, then launches Chrome so it picks them up. See "T1133\src\list of vpn extension.txt" for the complete list of VPN extension IDs. Note that Chrome treats extensions registered this way as external installs and, on non-managed machines, may leave them disabled until a user accepts the enable prompt.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| chrome_url | chrome installer download URL | url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe |
| extension_id | chrome extension id | String | "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

```powershell
# #{extension_id} expands to a comma-separated list of quoted IDs, so $extList is an array
$extList = #{extension_id}
foreach ($extension in $extList) {
  # Registering the ID with an update_url under the Extensions key tells Chrome to fetch
  # and install the extension from the Web Store on next launch (external extension install)
  New-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Force
  New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force
}
# Older installs put chrome.exe under Program Files (x86); newer 64-bit installs use Program Files
$chromePath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
if (-not (Test-Path $chromePath)) { $chromePath = "C:\Program Files\Google\Chrome\Application\chrome.exe" }
# Launch Chrome long enough for it to process the registry entries, then close it
Start-Process -FilePath $chromePath
Start-Sleep -Seconds 30
Stop-Process -Name "chrome" -ErrorAction Ignore
```

Cleanup Commands:

```powershell
$extList = #{extension_id}
foreach ($extension in $extList) {
  # Removing the registry key stops Chrome from re-adding the extension; the extension
  # itself remains in the user's profile until removed from chrome://extensions
  Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Recurse -ErrorAction Ignore
}
```

Dependencies: Run with powershell!

Description: chrome must be installed
Check Prereq Commands:

```powershell
# Check the install locations used by the attack commands; chrome.exe is not normally
# on PATH, so invoking "chrome" from cmd does not reliably detect an installed Chrome
$chromePaths = @(
  "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
)
if ($chromePaths | Where-Object { Test-Path $_ }) { exit 0 } else { exit 1 }
```

Get Prereq Commands:

```powershell
Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
# /S performs a silent install; wait so the prereq check can re-run against a finished install
Start-Process $env:temp\ChromeStandaloneSetup64.exe /S -Wait
```
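The registry-based install above leaves a durable artifact that a defender can enumerate. The following audit script is an added example and is not part of Atomic Red Team or the T1133 test; it walks the registry locations Chrome consults for externally registered and policy-forced extensions, reports each entry's `update_url`/`path`, and flags the two VPN extension IDs used by this test. The two flagged IDs come from this page; the `HKCU` path and the `ExtensionInstallForcelist` policy location are included as additional places such entries can live and are the author's assumptions rather than something the test exercises.

```powershell
# Added audit example (not Atomic Red Team code): find Chrome extensions registered
# for external or forced install via the Windows registry.

# Extension IDs the test above registers; extend this list with entries from
# "T1133\src\list of vpn extension.txt" as needed.
$knownVpnIds = @(
  "fcfhplploccackoneaefokcmbjfbkenj",
  "fdcgdnkidjaadafnichfpabhfomcebme"
)

# External-extension registration keys: each subkey is an extension ID carrying
# either an update_url (Web Store install) or a path/version to a local .crx.
# HKCU is an assumption here; the test itself only writes the Wow6432Node HKLM key.
$extensionRoots = @(
  "HKLM:\Software\Google\Chrome\Extensions",
  "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions",
  "HKCU:\Software\Google\Chrome\Extensions"
)

# Policy-forced installs (values are "<id>;<update_url>"); included as an assumption
# about a related persistence location, not something the test touches.
$forcelistRoots = @(
  "HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist",
  "HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist"
)

function Get-RegisteredChromeExtension {
  foreach ($root in $extensionRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
      $props = Get-ItemProperty -Path $_.PSPath
      [pscustomobject]@{
        Source      = "ExternalExtension"
        Location    = $root
        ExtensionId = $_.PSChildName
        UpdateUrl   = $props.update_url
        LocalPath   = $props.path
        Version     = $props.version
        KnownVpn    = ($knownVpnIds -contains $_.PSChildName)
      }
    }
  }

  foreach ($root in $forcelistRoots) {
    if (-not (Test-Path $root)) { continue }
    $item = Get-Item -Path $root
    foreach ($valueName in $item.GetValueNames()) {
      # Forcelist values look like "<32-char id>;<update url>"; split on the first ';'
      $raw = [string]$item.GetValue($valueName)
      $id, $url = $raw -split ';', 2
      [pscustomobject]@{
        Source      = "ExtensionInstallForcelist"
        Location    = $root
        ExtensionId = $id
        UpdateUrl   = $url
        LocalPath   = $null
        Version     = $null
        KnownVpn    = ($knownVpnIds -contains $id)
      }
    }
  }
}

# Known VPN IDs first, then everything else, so the hits from this test are at the top
Get-RegisteredChromeExtension |
  Sort-Object -Property @{ Expression = "KnownVpn"; Descending = $true }, Location, ExtensionId |
  Format-Table -AutoSize
```

Run it elevated in the same session after the attack commands and again after cleanup: the two IDs should appear with the Web Store `update_url` under the Wow6432Node key the test writes, and should be gone after `Remove-Item`. Any extension ID in the output that is not on an approved list, whatever its `update_url`, is worth a look, since the same mechanism installs arbitrary Web Store extensions, not only VPN clients.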