
#Requires -Version 5.1
<#
.SYNOPSIS
    Script de test de détection XDR - Purple Team
.DESCRIPTION
    Simule des techniques MITRE ATT&CK pour tester les capacités de détection.
    AUCUNE donnée n'est réellement exfiltrée. À usage éducatif uniquement.
.NOTES
    Exécuter dans un environnement de test isolé avec autorisation écrite.
#>

param(
    # When set, each technique is announced and recorded, but its $TestCode block is not invoked.
    [switch]$DryRun = $false,
    # Destination for Write-TestLog; defaults to a timestamped file under %TEMP%.
    [string]$LogPath = "$env:TEMP\xdr_test_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"
)

# Configuration
# One PSCustomObject (Technique, MitreID, Status, Timestamp) per test; appended to by Test-Technique.
$TestResults = @()

function Write-TestLog {
    # Append one timestamped, technique-tagged line to $LogPath (script parameter)
    # and echo the same line to the console. Add-Content creates the file on first use.
    param([string]$Message, [string]$Technique)
    $stamp = Get-Date -Format 'HH:mm:ss'
    $line = '[{0}] [{1}] {2}' -f $stamp, $Technique, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line -ForegroundColor Cyan
}

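function Test-Technique {
    <#
    .SYNOPSIS
        Runs one detection test case and records its outcome in $script:TestResults.
    .PARAMETER Name
        Human-readable test name; printed and stored in the result record.
    .PARAMETER MitreID
        MITRE ATT&CK technique id (e.g. T1082) stored alongside the result.
    .PARAMETER TestCode
        Script block exercising the technique. Invoked only when the script's
        -DryRun switch is not set.
    .NOTES
        Only terminating errors reach the catch block; cmdlets run inside
        $TestCode with -ErrorAction SilentlyContinue never mark the test as failed.
        A dry run is recorded with Status "Skipped (dry-run)" instead of "Executed",
        so a results summary does not overstate what was actually exercised.
    #>
    param(
        [string]$Name,
        [string]$MitreID,
        [scriptblock]$TestCode
    )

    Write-Host "`n[TEST] $Name ($MitreID)" -ForegroundColor Yellow
    Write-Host ("-" * 50) -ForegroundColor DarkGray

    $status = "Executed"
    try {
        if ($DryRun) {
            Write-Host "  [DRY-RUN] Skipped execution" -ForegroundColor DarkYellow
            $status = "Skipped (dry-run)"
        } else {
            & $TestCode
        }
    }
    catch {
        Write-Host "  [ERROR] $($_.Exception.Message)" -ForegroundColor Red
        $status = "Failed: $($_.Exception.Message)"
    }

    # Single append point so the executed, dry-run and failed records share one shape.
    $script:TestResults += [PSCustomObject]@{
        Technique = $Name
        MitreID   = $MitreID
        Status    = $status
        Timestamp = Get-Date
    }
}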

# ============================================================================
# DISCOVERY TECHNIQUES
# ============================================================================

Test-Technique -Name "System Information Discovery" -MitreID "T1082" -TestCode {
    Write-TestLog "Collecting system information" "T1082"

    # Typical host-reconnaissance commands. Their output is discarded; only the
    # fact that they ran (and the telemetry that produces) matters for this test.
    systeminfo | Out-Null
    hostname | Out-Null
    Get-ComputerInfo -Property WindowsVersion, OsArchitecture -ErrorAction SilentlyContinue | Out-Null
    Write-Host "  [+] System enumeration commands executed" -ForegroundColor Green
}

Test-Technique -Name "Account Discovery - Local" -MitreID "T1087.001" -TestCode {
    Write-TestLog "Enumerating local accounts" "T1087.001"

    # Local user/group enumeration via both the legacy net.exe and the cmdlets; output discarded.
    net user | Out-Null
    Get-LocalUser -ErrorAction SilentlyContinue | Out-Null
    Get-LocalGroup -ErrorAction SilentlyContinue | Out-Null
    Write-Host "  [+] Local account enumeration executed" -ForegroundColor Green
}

Test-Technique -Name "Network Configuration Discovery" -MitreID "T1016" -TestCode {
    Write-TestLog "Network reconnaissance" "T1016"

    # Interface, established-connection and ARP-cache enumeration; output discarded.
    ipconfig /all | Out-Null
    Get-NetIPConfiguration -ErrorAction SilentlyContinue | Out-Null
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | Out-Null
    arp -a | Out-Null
    Write-Host "  [+] Network discovery commands executed" -ForegroundColor Green
}

Test-Technique -Name "Security Software Discovery" -MitreID "T1518.001" -TestCode {
    Write-TestLog "Enumerating security software" "T1518.001"

    # Antivirus discovery through the SecurityCenter2 WMI namespace, the Defender
    # service and the Defender status cmdlet; results are discarded.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue | Out-Null
    Get-Service -Name "WinDefend" -ErrorAction SilentlyContinue | Out-Null
    Get-MpComputerStatus -ErrorAction SilentlyContinue | Out-Null
    Write-Host "  [+] Security software enumeration executed" -ForegroundColor Green
}

# ============================================================================
# EXECUTION TECHNIQUES (LOLBins)
# ============================================================================

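Test-Technique -Name "Signed Binary Proxy Execution - Mshta" -MitreID "T1218.005" -TestCode {
    Write-TestLog "Testing mshta.exe execution" "T1218.005"

    # Benign HTA: the embedded script only closes its own window.
    $htaContent = @"
<html><head><script>window.close();</script></head></html>
"@
    # Per-run suffix so repeated runs never reuse or collide on the same file.
    $htaPath = "$env:TEMP\test_xdr_$([guid]::NewGuid().ToString().Substring(0,8)).hta"
    $htaContent | Out-File -FilePath $htaPath -Encoding ASCII

    try {
        Start-Process -FilePath "mshta.exe" -ArgumentList $htaPath -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
    }
    finally {
        # Cleanup runs even if Start-Process raises a terminating error or the
        # run is interrupted during -Wait, so no stray .hta is left in %TEMP%.
        Remove-Item -Path $htaPath -Force -ErrorAction SilentlyContinue
    }

    Write-Host "  [+] Mshta execution test completed" -ForegroundColor Green
}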

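Test-Technique -Name "Signed Binary Proxy Execution - Certutil" -MitreID "T1218.004" -TestCode {
    Write-TestLog "Testing certutil.exe for download simulation" "T1218.004"

    # certutil -encode on an arbitrary file is the known LOLBin pattern under test.
    # Use a per-run suffix (as the mshta test does) so concurrent or aborted runs
    # never collide on, or silently reuse, a fixed %TEMP% file name.
    $suffix = [guid]::NewGuid().ToString().Substring(0,8)
    $testFile = "$env:TEMP\xdr_test_payload_$suffix.txt"
    $encodedFile = "$env:TEMP\xdr_test_encoded_$suffix.txt"

    try {
        "XDR_TEST_PAYLOAD_SIMULATION" | Out-File -FilePath $testFile -Encoding ASCII

        # Base64-encode via certutil; output (including stderr) is discarded.
        $null = certutil -encode $testFile $encodedFile 2>&1
    }
    finally {
        # Cleanup runs even if Out-File or certutil raise a terminating error.
        Remove-Item -Path $testFile, $encodedFile -Force -ErrorAction SilentlyContinue
    }

    Write-Host "  [+] Certutil encode/decode test completed" -ForegroundColor Green
}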

Test-Technique -Name "Signed Binary Proxy Execution - Regsvr32" -MitreID "T1218.010" -TestCode {
    Write-TestLog "Testing regsvr32.exe execution" "T1218.010"

    # regsvr32 is pointed at a scriptlet file that does not exist: the call fails,
    # but the command line itself is what the detection should trigger on.
    $sctPath = "$env:TEMP\nonexistent.sct"
    $regsvrArgs = "/s /n /u /i:$sctPath scrobj.dll"
    $null = Start-Process -FilePath "regsvr32.exe" -ArgumentList $regsvrArgs -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue 2>&1

    Write-Host "  [+] Regsvr32 execution test completed" -ForegroundColor Green
}

Test-Technique -Name "Command and Scripting Interpreter - PowerShell" -MitreID "T1059.001" -TestCode {
    Write-TestLog "Testing encoded PowerShell execution" "T1059.001"

    # The payload is harmless (Get-Date); what is exercised is the child
    # powershell.exe launched with -EncodedCommand, a pattern commonly seen in malware.
    $plain = "Get-Date"
    $encodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($plain))

    $null = powershell.exe -NoProfile -NonInteractive -EncodedCommand $encodedCommand

    Write-Host "  [+] Encoded PowerShell execution test completed" -ForegroundColor Green
}

Test-Technique -Name "Windows Management Instrumentation" -MitreID "T1047" -TestCode {
    Write-TestLog "Testing WMI execution" "T1047"

    # Process creation through Win32_Process.Create, run locally as a stand-in for
    # the lateral-movement variant; the spawned cmd.exe only echoes to nul.
    $wmiCommand = "cmd.exe /c echo XDR_TEST > nul"

    # First through the WMI cmdlet...
    $null = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $wmiCommand -ErrorAction SilentlyContinue

    # ...then through the legacy wmic.exe client.
    $null = wmic process call create $wmiCommand 2>&1

    Write-Host "  [+] WMI execution test completed" -ForegroundColor Green
}

# ============================================================================
# CREDENTIAL ACCESS SIMULATION
# ============================================================================

Test-Technique -Name "Credential Dumping - Registry" -MitreID "T1003.002" -TestCode {
    Write-TestLog "Simulating registry credential access" "T1003.002"

    # Attempt `reg save` of the SAM and SECURITY hives. Without elevation the call
    # fails, but the attempt itself is the event that should be logged and detected.
    $samTarget = "$env:TEMP\sam_test.hiv"
    $securityTarget = "$env:TEMP\security_test.hiv"

    foreach ($pair in @(@('HKLM\SAM', $samTarget), @('HKLM\SECURITY', $securityTarget))) {
        try {
            $null = reg save $pair[0] $pair[1] 2>&1
        } catch {
            # Best effort: a failure here is expected and must not abort the test.
        }
    }

    # Remove any hive file that did get written.
    Remove-Item -Path $samTarget, $securityTarget -Force -ErrorAction SilentlyContinue

    Write-Host "  [+] Registry credential access simulation completed" -ForegroundColor Green
}

Test-Technique -Name "Credential Dumping - LSASS Access" -MitreID "T1003.001" -TestCode {
    Write-TestLog "Simulating LSASS access detection" "T1003.001"

    # Reading .Handle on the lsass Process object attempts to open a handle to the
    # process; that open is what should be blocked and/or alerted on, so its result is ignored.
    $lsassProcess = Get-Process -Name lsass -ErrorAction SilentlyContinue
    if ($null -ne $lsassProcess) {
        try {
            $null = $lsassProcess.Handle
        } catch {
            # Access denied is the expected outcome; swallow it.
        }
    }

    Write-Host "  [+] LSASS access simulation completed" -ForegroundColor Green
}

# ============================================================================
# PERSISTENCE SIMULATION
# ============================================================================

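Test-Technique -Name "Registry Run Keys" -MitreID "T1547.001" -TestCode {
    Write-TestLog "Testing registry persistence detection" "T1547.001"

    $runKeyPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    $testValueName = "XDR_Test_Persistence_$([guid]::NewGuid().ToString().Substring(0,8))"

    try {
        # Create a benign Run entry; the write to this key is the event under test.
        Set-ItemProperty -Path $runKeyPath -Name $testValueName -Value "cmd.exe /c echo test" -ErrorAction SilentlyContinue

        Start-Sleep -Seconds 2
    }
    finally {
        # Removal must not be skippable (e.g. by Ctrl+C during the sleep):
        # an orphaned Run entry would otherwise persist on the test host.
        Remove-ItemProperty -Path $runKeyPath -Name $testValueName -ErrorAction SilentlyContinue
    }

    # Confirm the entry is really gone so the operator is told when cleanup failed.
    $leftover = Get-ItemProperty -Path $runKeyPath -Name $testValueName -ErrorAction SilentlyContinue
    if ($null -ne $leftover) {
        Write-Host "  [!] Run entry '$testValueName' still present - remove it manually" -ForegroundColor Red
    } else {
        Write-Host "  [+] Registry persistence test completed (entry removed)" -ForegroundColor Green
    }
}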

Test-Technique -Name "Scheduled Task Creation" -MitreID "T1053.005" -TestC
