Windows Atomic Tests to TTP #7 (#131)

Summary: Pull Request resolved: #131 Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 7/10 and it performs the follow function: (Tor Proxy Usage - Windows) This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit. Reviewed By: godlovepenn Differential Revision: D62394294 fbshipit-source-id: d7e0aff64134a7811f081ddf0d50acf6babebace
facebookincubator · Sep 12, 2024 · 8b722b7 · 8b722b7
1 parent 8b0045f
commit 8b722b7
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 0 deletions.
diff --git a/ttps/command-and-control/windows/tor-proxy/README.md b/ttps/command-and-control/windows/tor-proxy/README.md
@@ -0,0 +1,52 @@
+# Tor Proxy Usage - Windows
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue)
+
+This TTP is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.
+
+Derived from [Atomic Red Team T1090.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md#atomic-test-2---tor-proxy-usage---windows)
+
+## Arguments
+- **torExe**: a path variable specifying the location of tor.exe (including dependencies). Default is "bin\Tor\tor.exe".
+- **sleepTime** : an int variable specifying the amount in seconds to pause after starting tor
+
+## Pre-requisites
+- Windows operating system equipped with powershell
+
+## Examples
+You can run the TTP using the following example (after updating the arguments):
+```bash
+ttpforge run forgearmory//command-and-control/windows/tor-proxy/tor-proxy.yaml
+```
+```bash
+ttpforge run forgearmory//command-and-control/windows/tor-proxy/tor-proxy.yaml --arg torExe=Tor\tor.exe
+```
+```bash
+ttpforge run forgearmory//command-and-control/windows/tor-proxy/tor-proxy.yaml --arg sleepTime=30
+```
+
+## Steps
+1. **tor_execute** : This step installs tor.exe, if not provided, and executes the binary
+2. **cleanup**: Stops the process for tor.exe then removes bin\Tor if it was downloaded
+
+## Manual Reproduction
+```bash
+#Run bin\Tor\tor.exe
+bin\Tor\tor.exe
+
+#Wait for tor to fully set up
+start-sleep -Seconds 60
+
+#Stop tor process
+stop-process -name "tor" | out-null
+
+```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+    - TA0011 Command and Control
+- **Techniques**:
+    - T1090 Proxy
+- **Subtechniques**:
+    - T1090.003 Multi-hop Proxy
diff --git a/ttps/command-and-control/windows/tor-proxy/tor-proxy.yaml b/ttps/command-and-control/windows/tor-proxy/tor-proxy.yaml
@@ -0,0 +1,61 @@
+---
+api_version: 2.0
+uuid: dfdada2c-f1f9-4f2a-9a02-241fc1e7393b
+name: Tor Proxy Usage - Windows
+description: |
+  This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
+  Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.
+  Derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md#atomic-test-2---tor-proxy-usage---windows
+requirements:
+  platforms:
+    - os: windows
+mitre:
+  tactics:
+    - TA0011 Command and Control
+  techniques:
+    - T1090 Proxy
+  subtechniques:
+    - T1090.003 Multi-hop Proxy
+
+args:
+  - name: torExe
+    description: Location of tor.exe file
+    type: path
+    default: bin\Tor\tor.exe
+  - name: sleepTime
+    description: Amount in seconds to pause after starting tor
+    type: int
+    default: 60
+
+steps:
+  - name: tor_download
+    description: tor.exe must be installed on the machine, checking if tor.exe exists at {{.Args.torExe}}
+    executor: powershell
+    inline: |
+      if (-Not (Test-Path "{{.Args.torExe}}")) {
+        $torZip = New-TemporaryFile
+        $extractPath = Split-Path (Split-Path "{{.Args.torExe}}" -Parent) -Parent
+        Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "${torZip}.zip"
+        New-Item -ItemType Directory -Path $extractPath -ErrorAction ignore | Out-Null
+        expand-archive -LiteralPath "${torZip}.zip" -DestinationPath $extractPath
+        New-Item -ItemType File -Path "${extractPath}\.downloaded" -ErrorAction ignore | Out-Null
+        remove-item "${torZip}.zip"
+      }
+  - name: tor_execute
+    description: Starting tor.exe ...
+    executor: powershell
+    inline: |
+      start powershell { &"{{.Args.torExe}}" }
+
+      start-sleep -Seconds {{.Args.sleepTime}}
+
+    cleanup:
+      executor: powershell
+      description: Stopping tor.exe ...
+      inline: |
+        stop-process -name "tor" | out-null
+
+        $parentDir = Split-Path (Split-Path "{{.Args.torExe}}" -Parent) -Parent
+        if (Test-Path "${parentDir}\.downloaded"){
+          remove-item -r $parentDir
+        }