adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2025-09-26 17:21:23 +00:00
parent d641158872
commit 1c32e5d6c7
10 changed files with 115 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1738-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1739-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -180,6 +180,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encod
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
180 defense-evasion T1140 Deobfuscate/Decode Files or Information 8 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
181 defense-evasion T1140 Deobfuscate/Decode Files or Information 9 Linux Base64 Encoded Shebang in CLI 3a15c372-67c1-4430-ac8e-ec06d641ce4d sh
182 defense-evasion T1140 Deobfuscate/Decode Files or Information 10 XOR decoding and command execution using Python c3b65cd5-ee51-4e98-b6a3-6cbdec138efc bash
183 defense-evasion T1140 Deobfuscate/Decode Files or Information 11 Expand CAB with expand.exe 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11 command_prompt
184 defense-evasion T1562 Impair Defenses 1 Windows Disable LSA Protection 40075d5f-3a70-4c66-9125-f72bee87247d command_prompt
185 defense-evasion T1562 Impair Defenses 2 Disable journal logging via systemctl utility c3a377f9-1203-4454-aa35-9d391d34768f sh
186 defense-evasion T1562 Impair Defenses 3 Disable journal logging via sed utility 12e5551c-8d5c-408e-b3e4-63f53b03379f sh
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -105,6 +105,7 @@ defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution -
defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
105 defense-evasion T1202 Indirect Command Execution 5 Indirect Command Execution - RunMRU Dialog de323a93-2f18-4bd5-ba60-d6fca6aeff76 powershell
106 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
107 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
108 defense-evasion T1140 Deobfuscate/Decode Files or Information 11 Expand CAB with expand.exe 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11 command_prompt
109 defense-evasion T1562 Impair Defenses 1 Windows Disable LSA Protection 40075d5f-3a70-4c66-9125-f72bee87247d command_prompt
110 defense-evasion T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
111 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -229,6 +229,7 @@
- Atomic Test #8: Hex decoding with shell utilities [linux, macos]
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
- Atomic Test #11: Expand CAB with expand.exe [windows]
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #1: Windows Disable LSA Protection [windows]
- Atomic Test #2: Disable journal logging via systemctl utility [linux]
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -142,6 +142,7 @@
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- Atomic Test #11: Expand CAB with expand.exe [windows]
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #1: Windows Disable LSA Protection [windows]
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
atomics/Indexes/index.yaml
+30
View File
@@ -8682,6 +8682,36 @@ defense-evasion:
cleanup_command:
name: bash
elevation_required: false
- name: Expand CAB with expand.exe
auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
description: |
Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
Upon success, art-expand-source.txt is extracted next to the CAB.
supported_platforms:
- windows
input_arguments:
cab_path:
description: Path to the CAB to expand (created if missing)
type: path
default: "%TEMP%\\art-expand-test.cab"
output_dir:
description: Destination directory
type: path
default: "%TEMP%\\art-expand-out"
executor:
name: command_prompt
elevation_required: false
command: |
mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd
cleanup_command: |
del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
del "#{cab_path}" >nul 2>&1
rmdir "#{output_dir}" /s /q >nul 2>&1
T1562:
technique:
type: attack-pattern
atomics/Indexes/windows-index.yaml
+30
View File
@@ -6667,6 +6667,36 @@ defense-evasion:
del %temp%\T1140_calc2.txt >nul 2>&1
del %temp%\T1140_calc2_decoded.exe >nul 2>&1
name: command_prompt
- name: Expand CAB with expand.exe
auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
description: |
Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
Upon success, art-expand-source.txt is extracted next to the CAB.
supported_platforms:
- windows
input_arguments:
cab_path:
description: Path to the CAB to expand (created if missing)
type: path
default: "%TEMP%\\art-expand-test.cab"
output_dir:
description: Destination directory
type: path
default: "%TEMP%\\art-expand-out"
executor:
name: command_prompt
elevation_required: false
command: |
mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd
cleanup_command: |
del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
del "#{cab_path}" >nul 2>&1
rmdir "#{output_dir}" /s /q >nul 2>&1
T1562:
technique:
type: attack-pattern
atomics/T1140/T1140.md
+48
View File
@@ -32,6 +32,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
- [Atomic Test #10 - XOR decoding and command execution using Python](#atomic-test-10---xor-decoding-and-command-execution-using-python)
- [Atomic Test #11 - Expand CAB with expand.exe](#atomic-test-11---expand-cab-with-expandexe)
<br/>
@@ -498,4 +500,50 @@ echo "Install Python3"
<br/>
<br/>
## Atomic Test #11 - Expand CAB with expand.exe
Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
Upon success, art-expand-source.txt is extracted next to the CAB.
**Supported Platforms:** Windows
**auto_generated_guid:** 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cab_path | Path to the CAB to expand (created if missing) | path | %TEMP%&#92;art-expand-test.cab|
| output_dir | Destination directory | path | %TEMP%&#92;art-expand-out|
#### Attack Commands: Run with `command_prompt`!
```cmd
mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd
```
#### Cleanup Commands:
```cmd
del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
del "#{cab_path}" >nul 2>&1
rmdir "#{output_dir}" /s /q >nul 2>&1
```
<br/>